testssl.sh
提供: セキュリティ
2014年10月24日 (金) 21:58時点におけるDaemon (トーク | 投稿記録)による版 (ページの作成:「testssl.sh とは、TLS/SSL のテストツールです。testssl.shは、TLS/SSL暗号をサポートするサーバのサービス...」)
スポンサーリンク
testssl.sh とは、TLS/SSL のテストツールです。testssl.shは、TLS/SSL暗号をサポートするサーバのサービスのポートをチェックするためのUnix向けコマンドラインツールです。
読み方
- testssl.sh
- てすと えすえすえる えすえいち
概要
testssl.shは、TLS/SSL暗号をサポートするサーバのサービスのポートをチェックするためのUnix向けコマンドラインツールです。
インストール
パッケージングされていないので、ダウンロードして使用します。
使い方
コマンドラインオプション
testssl.sh <options> URI where <options> is *one* of <-h|--help> what you're looking at <-b|--banner> displays banner + version <-v|--version> same as above <-V|--local> pretty print all local ciphers <-V|--local> <hexcode> what cipher is <pattern hexcode>? <-e|--each-cipher> check each local ciphers remotely <-E|-ee|--cipher-per-proto> check those per protocol <-f|--ciphers> check cipher suites <-p|--protocols> check TLS/SSL protocols only <-P|--preference> displays the servers picks: protocol+cipher <-y|--spdy> checks for SPDY/NPN <-B|--heartbleed> tests only for heartbleed vulnerability <-I|--ccs|--ccs_injection> tests only for CCS injection vulnerability <-R|--renegotiation> tests only for renegotiation vulnerability <-C|--compression|--crime> tests only for CRIME vulnerability <-T|--breach> tests only for BREACH vulnerability <-0|--poodle> tests only for POODLE vulnerability <-s|--pfs|--fs|--nsa> checks (perfect) forward secrecy settings <-4|--rc4|--appelbaum> which RC4 ciphers are being offered? <-H|--header|--headers> check for HSTS and server banner string URI is host|host:port|URL|URL:port (port 443 is assumed unless otherwise specified) <-t|--starttls> host:port <ftp|smtp|pop3|imap|xmpp|telnet> <SNI hostname> *) *) for telnet STARTTLS support you need a/my patched openssl version
httpsサーバのテスト
$ ./testssl.sh accounts.google.com ######################################################### testssl.sh v2.1alpha (https://testssl.sh) ($Id: testssl.sh,v 1.129 2014/10/23 13:52:05 dirkw Exp $) This program is free software. Redistribution + modification under GPLv2 is permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! Note you can only check the server against what is available (ciphers/protocols) locally on your machine ######################################################### Using "LibreSSL 2.1" [] on "a1.local:/usr/local/bin/openssl" Testing now (2014-10-24 21:28) ---> 74.125.203.84:443 (accounts.google.com) <--- rDNS (74.125.203.84): - No engine or GOST support via engine with your /usr/local/bin/openssl --> Testing Protocols SSLv2 Local problem: /usr/local/bin/openssl doesn't support "s_client -ssl2" SSLv3 offered (NOT ok) TLSv1 offered (OK) TLSv1.1 offered (OK) TLSv1.2 offered (OK) SPDY/NPN spdy/5a1, h2-14, spdy/3.1, spdy/3, http/1.1 (advertised) --> Testing standard cipher lists Null Cipher not offered (OK) Anonymous NULL Cipher not offered (OK) Anonymous DH Cipher not offered (OK) 40 Bit encryption Local problem: No 40 Bit encryption configured in /usr/local/bin/openssl 56 Bit encryption Local problem: No 56 Bit encryption configured in /usr/local/bin/openssl Export Cipher (general) Local problem: No Export Cipher (general) configured in /usr/local/bin/openssl Low (<=64 Bit) not offered (OK) DES Cipher not offered (OK) Triple DES Cipher offered Medium grade encryption offered High grade encryption offered (OK) --> Testing server defaults (Server Hello) Negotiated protocol Protocol:TLSv1.2 Negotiated cipher Cipher:ECDHE-RSA-CHACHA20-POLY1305 Server key size 2048 bit TLS server extensions server name, renegotiation info, EC point formats, session ticket Session Tickets RFC 5077 100800 seconds OCSP stapling not offered --> Testing specific vulnerabilities Heartbleed (CVE-2014-0160), experimental No TLS heartbeat extension (OK) CCS (CVE-2014-0224), experimental not vulnerable (OK) Renegotiation (CVE 2009-3555) not vulnerable (OK) CRIME, TLS (CVE-2012-4929) Seems your /usr/local/bin/openssl hasn't zlib support, so you cannot test for CRIME BREACH =HTTP Compression, experimental uses gzip compression (only "/" tested) POODLE (CVE-2014-3566), experimental VULNERABLE , uses SSLv3 (no TLS_FALLBACK_SCSV tested) --> Testing HTTP Header response HSTS 126 days (<180 is not good enough) Server GSE Application (None) --> Checking RC4 Ciphers RC4 seems generally available. Now testing specific ciphers... Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits ----------------------------------------------------------------------- [0xc011] ECDHE-RSA-RC4-SHA ECDH RC4 128 [0x05] RC4-SHA RSA RC4 128 [0x04] RC4-MD5 RSA RC4 128 RC4 is kind of broken, for e.g. IE6 consider 0x13 or 0x0a --> Testing (Perfect) Forward Secrecy (P)FS) -- omitting 3DES, RC4 and Null Encryption here PFS seems generally available. Now testing specific ciphers ... Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits ----------------------------------------------------------------------- [0xc030] ECDHE-RSA-AES256-GCM-SHA384 ECDH AESGCM 256 [0xcc13] ECDHE-RSA-CHACHA20-POLY1305 ECDH ChaCha20-Poly1305 [0xc028] ECDHE-RSA-AES256-SHA384 ECDH AES 256 [0xc014] ECDHE-RSA-AES256-SHA ECDH AES 256 [0xc02f] ECDHE-RSA-AES128-GCM-SHA256 ECDH AESGCM 128 [0xc027] ECDHE-RSA-AES128-SHA256 ECDH AES 128 [0xc011] ECDHE-RSA-RC4-SHA ECDH RC4 128 [0xc013] ECDHE-RSA-AES128-SHA ECDH AES 128 Please note: detected PFS ciphers don't necessarily mean any client/browser will use them Done now (2014-10-24 21:28) ---> 74.125.203.84:443 (accounts.google.com) <---
popサーバのSTARTTLSのテスト
STARTTLSをテストするには、--starttlsオプションを使用します。
$ ./testssl.sh --starttls pop.gmail.com:995 pop3 ######################################################### testssl.sh v2.1alpha (https://testssl.sh) ($Id: testssl.sh,v 1.129 2014/10/23 13:52:05 dirkw Exp $) This program is free software. Redistribution + modification under GPLv2 is permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! Note you can only check the server against what is available (ciphers/protocols) locally on your machine ######################################################### Using "LibreSSL 2.1" [] on "a1.local:/usr/local/bin/openssl" Testing now (2014-10-24 21:45) ---> 74.125.31.109:995 (pop.gmail.com) <--- further IP addresses: 74.125.31.108 rDNS (74.125.31.109): tb-in-f109.1e100.net A non standard port or testing no web servers might show lame reponses (then just wait) No engine or GOST support via engine with your /usr/local/bin/openssl Problem: /usr/local/bin/openssl couldn't estabilish STARTTLS via pop3 34378688168:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:122: CONNECTED(00000003) --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 308 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE --- Done now (2014-10-24 21:45) ---> 74.125.31.109:995 (pop.gmail.com) <--- [1] 72660 exit 3 ./testssl.sh --starttls pop.gmail.com:995 pop3
以下は、BIOが失敗している例です。
$ ./testssl.sh --starttls pop.mail.yahoo.co.jp:995 pop3 ######################################################### testssl.sh v2.1alpha (https://testssl.sh) ($Id: testssl.sh,v 1.129 2014/10/23 13:52:05 dirkw Exp $) This program is free software. Redistribution + modification under GPLv2 is permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! Note you can only check the server against what is available (ciphers/protocols) locally on your machine ######################################################### Using "LibreSSL 2.1" [] on "a1.local:/usr/local/bin/openssl" Testing now (2014-10-24 21:45) ---> 114.111.79.140:995 (pop.mail.yahoo.co.jp) <--- further IP addresses: 114.111.75.150 rDNS (114.111.79.140): pop501.mail.vip.kks.yahoo.co.jp A non standard port or testing no web servers might show lame reponses (then just wait) No engine or GOST support via engine with your /usr/local/bin/openssl Problem: /usr/local/bin/openssl couldn't estabilish STARTTLS via pop3 BIO_read failed CONNECTED(00000003) Done now (2014-10-24 21:45) ---> 114.111.79.140:995 (pop.mail.yahoo.co.jp) <--- [1] 72800 exit 3 ./testssl.sh --starttls pop.mail.yahoo.co.jp:995 pop3
関連項目
ツイート
スポンサーリンク