SSLyze is a handy SSL scanner that reports common SSL-related vulnerabilities, such as weak ciphers or Heartbleed-related errors. The tool can be obtained from:
https://github.com/nabla-c0d3/sslyze/releases
To run the tool, execute it as shown below:
**************
$ sslyze --regular <www.yoursite.com>:443
AVAILABLE PLUGINS
-----------------
PluginSessionResumption
PluginHeartbleed
PluginCertInfo
PluginChromeSha1Deprecation
PluginCompression
PluginSessionRenegotiation
PluginOpenSSLCipherSuites
PluginHSTS
CHECKING HOST(S) AVAILABILITY
-----------------------------
www.yoursite.com:443 => <ip address>:443
SCAN RESULTS FOR www.yoursite.com:443 - <ip address>:443
--------------------------------------------------------------------------
* Deflate Compression:
OK - Compression disabled
* Session Renegotiation:
Client-initiated Renegotiations: VULNERABLE - Server honors client-initiated renegotiations
Secure Renegotiation: OK - Supported
* OpenSSL Heartbleed:
OK - Not vulnerable to Heartbleed
* Certificate - Content:
SHA1 Fingerprint: d2675f5dd71b9d5c6331f1ab7e687e5122b437b0
Common Name: www.yoursite.com
Issuer: DigiCert Secure Server CA
Serial Number: 05E67DF64B406133A40A5F810DC7E568
Not Before: Jan 21 00:00:00 2014 GMT
Not After: Jan 25 12:00:00 2016 GMT
Signature Algorithm: sha1WithRSAEncryption
Public Key Algorithm: rsaEncryption
Key Size: 2048 bit
Exponent: 65537 (0x10001)
X509v3 Subject Alternative Name: {'DNS': ['www.yoursite.com']}
* Certificate - Trust:
Hostname Validation: OK - Subject Alternative Name matches
Microsoft CA Store (08/2014): OK - Certificate is trusted
Java 6 CA Store (Update 65): OK - Certificate is trusted
Apple CA Store (OS X 10.9.4): OK - Certificate is trusted
Mozilla NSS CA Store (08/2014): OK - Certificate is trusted
Certificate Chain Received: ['www.yoursite.com', 'DigiCert Secure Server CA']
* Certificate - OCSP Stapling:
NOT SUPPORTED - Server did not send back an OCSP response.
* TLSV1_2 Cipher Suites:
Server rejected all cipher suites.
* SSLV2 Cipher Suites:
Server rejected all cipher suites.
* Session Resumption:
With Session IDs: OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
With TLS Session Tickets: OK - Supported
* TLSV1_1 Cipher Suites:
Server rejected all cipher suites.
* TLSV1 Cipher Suites:
Preferred:
AES256-SHA - 256 bits HTTP 200 OK
Accepted:
AES256-SHA - 256 bits HTTP 200 OK
RC4-SHA - 128 bits HTTP 200 OK
RC4-MD5 - 128 bits HTTP 200 OK
AES128-SHA - 128 bits HTTP 200 OK
DES-CBC3-SHA - 112 bits HTTP 200 OK
* SSLV3 Cipher Suites:
Preferred:
AES256-SHA - 256 bits HTTP 200 OK
Accepted:
AES256-SHA - 256 bits HTTP 200 OK
RC4-SHA - 128 bits HTTP 200 OK
RC4-MD5 - 128 bits HTTP 200 OK
AES128-SHA - 128 bits HTTP 200 OK
DES-CBC3-SHA - 112 bits HTTP 200 OK
SCAN COMPLETED IN 16.14 S
-------------------------
**************
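To triage a report like the one above without reading every line, here is an added example (not part of SSLyze or the original post) that parses the text layout shown and lists the entries to act on. The weak-cipher tokens and legacy-protocol list are this example's own policy, and the embedded report is a constructed excerpt.

```python
import re

# Constructed excerpt in the layout of the report above (indentation stripped).
SAMPLE_REPORT = """\
* Session Renegotiation:
Client-initiated Renegotiations: VULNERABLE - Server honors client-initiated renegotiations
Secure Renegotiation: OK - Supported
* Certificate - Content:
Signature Algorithm: sha1WithRSAEncryption
* TLSV1_2 Cipher Suites:
Server rejected all cipher suites.
* SSLV3 Cipher Suites:
Preferred:
AES256-SHA - 256 bits HTTP 200 OK
Accepted:
AES256-SHA - 256 bits HTTP 200 OK
RC4-MD5 - 128 bits HTTP 200 OK
DES-CBC3-SHA - 112 bits HTTP 200 OK
"""

SECTION = re.compile(r"^\* (.+):$")                       # "* Section Name:"
CIPHER = re.compile(r"^([A-Z0-9]+(?:-[A-Z0-9]+)+)\s+-?\s*\d+ bits")
WEAK_TOKENS = {"RC4", "MD5", "DES", "NULL", "EXP"}        # assumed review policy
LEGACY_PROTOCOLS = ("SSLV2", "SSLV3")                     # assumed review policy

def triage(report):
    """Return sorted (section, finding) pairs that need a reviewer's attention."""
    findings, section = set(), None
    for line in (raw.strip() for raw in report.splitlines()):
        header = SECTION.match(line)
        if header:
            section = header.group(1)
        elif section is None or not line:
            continue
        elif "VULNERABLE" in line:
            findings.add((section, line.split(":")[0]))
        elif line.startswith("Signature Algorithm:") and "sha1" in line.lower():
            findings.add((section, "SHA-1 signed certificate"))
        else:
            cipher = CIPHER.match(line)
            if not cipher:
                continue      # "Preferred:", "Server rejected all...", etc.
            name = cipher.group(1)
            if section.startswith(LEGACY_PROTOCOLS):
                findings.add((section, "legacy protocol accepted"))
            if WEAK_TOKENS & set(name.split("-")):
                findings.add((section, "weak cipher " + name))
    return sorted(findings)
```

Calling `triage()` on the full scan output flags the renegotiation entry, the SHA-1 signature, and every RC4, MD5 or 3DES suite under the SSLv3 and TLSv1 sections.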