「testssl.sh」の版間の差分

提供: セキュリティ
移動: 案内検索
(ページの作成:「testssl.sh とは、TLS/SSL のテストツールです。testssl.shは、TLS/SSL暗号をサポートするサーバのサービス...」)
 
(関連項目)
 
行254: 行254:
 
</syntaxhighlight>
 
</syntaxhighlight>
 
== 関連項目 ==
 
== 関連項目 ==
* [[Transport Layer Security|TLS]]/SSL
+
* [[Transport Layer Security]]([[Transport Layer Security|TLS]]/SSL)
 
* [[STARTTLS]]
 
* [[STARTTLS]]
 
* [[OpenSSL]]
 
* [[OpenSSL]]
 
<!-- vim: filetype=mediawiki
 
<!-- vim: filetype=mediawiki
 
-->
 
-->

2014年10月24日 (金) 22:02時点における最新版

testssl.sh とは、TLS/SSL のテストツールです。testssl.shは、TLS/SSL暗号をサポートするサーバのサービスのポートをチェックするためのUnix向けコマンドラインツールです。

読み方

testssl.sh
てすと えすえすえる えすえいち

概要

testssl.shは、TLS/SSL暗号をサポートするサーバのサービスのポートをチェックするためのUnix向けコマンドラインツールです。

インストール

パッケージングされていないので、ダウンロードして使用します。

使い方

コマンドラインオプション

testssl.sh <options> URI
 
where <options> is *one* of
 
        <-h|--help>                 what you're looking at
        <-b|--banner>               displays banner + version
        <-v|--version>              same as above
        <-V|--local>                pretty print all local ciphers
        <-V|--local> <hexcode>      what cipher is <pattern hexcode>?
 
        <-e|--each-cipher>          check each local ciphers remotely
        <-E|-ee|--cipher-per-proto> check those per protocol
        <-f|--ciphers>              check cipher suites
        <-p|--protocols>            check TLS/SSL protocols only
        <-P|--preference>           displays the servers picks: protocol+cipher
        <-y|--spdy>                 checks for SPDY/NPN
        <-B|--heartbleed>           tests only for heartbleed vulnerability
        <-I|--ccs|--ccs_injection>  tests only for CCS injection vulnerability
        <-R|--renegotiation>        tests only for renegotiation vulnerability
        <-C|--compression|--crime>  tests only for CRIME vulnerability
        <-T|--breach>               tests only for BREACH vulnerability
        <-0|--poodle>               tests only for POODLE vulnerability
        <-s|--pfs|--fs|--nsa>       checks (perfect) forward secrecy settings
        <-4|--rc4|--appelbaum>      which RC4 ciphers are being offered?
        <-H|--header|--headers>     check for HSTS and server banner string
 
URI is  host|host:port|URL|URL:port
        (port 443 is assumed unless otherwise specified)
 
        <-t|--starttls> host:port <ftp|smtp|pop3|imap|xmpp|telnet> <SNI hostname> *)
 
 
*) for telnet STARTTLS support you need a/my patched openssl version

httpsサーバのテスト

$ ./testssl.sh accounts.google.com
 
#########################################################
testssl.sh v2.1alpha  (https://testssl.sh)
($Id: testssl.sh,v 1.129 2014/10/23 13:52:05 dirkw Exp $)
 
   This program is free software. Redistribution +
   modification under GPLv2 is permitted.
   USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
 
 Note you can only check the server against what is
 available (ciphers/protocols) locally on your machine
#########################################################
 
Using "LibreSSL 2.1" []
      on "a1.local:/usr/local/bin/openssl"
 
Testing now (2014-10-24 21:28) ---> 74.125.203.84:443 (accounts.google.com) <---
 
 rDNS (74.125.203.84):    -
 
 
No engine or GOST support via engine with your /usr/local/bin/openssl
 
--> Testing Protocols
 
 SSLv2      Local problem: /usr/local/bin/openssl doesn't support "s_client -ssl2"
 SSLv3      offered (NOT ok)
 TLSv1      offered (OK)
 TLSv1.1    offered (OK)
 TLSv1.2    offered (OK)
 SPDY/NPN   spdy/5a1, h2-14, spdy/3.1, spdy/3, http/1.1  (advertised)
 
--> Testing standard cipher lists
 
 Null Cipher              not offered (OK)
 Anonymous NULL Cipher    not offered (OK)
 Anonymous DH Cipher      not offered (OK)
 40 Bit encryption        Local problem: No 40 Bit encryption       
 				configured in /usr/local/bin/openssl
 56 Bit encryption        Local problem: No 56 Bit encryption
 				configured in /usr/local/bin/openssl
 Export Cipher (general)  Local problem: No Export Cipher (general)
 				configured in /usr/local/bin/openssl
 Low (<=64 Bit)           not offered (OK)
 DES Cipher               not offered (OK)
 Triple DES Cipher        offered
 Medium grade encryption  offered
 High grade encryption    offered (OK)
 
--> Testing server defaults (Server Hello)
 
 Negotiated protocol       Protocol:TLSv1.2
 Negotiated cipher         Cipher:ECDHE-RSA-CHACHA20-POLY1305
 
 Server key size           2048 bit
 TLS server extensions     server name, renegotiation info, EC point formats, session ticket
 Session Tickets RFC 5077  100800 seconds
 OCSP stapling             not offered
 
--> Testing specific vulnerabilities
 
 Heartbleed (CVE-2014-0160), experimental  No TLS heartbeat extension (OK)
 CCS  (CVE-2014-0224), experimental        not vulnerable (OK)
 Renegotiation (CVE 2009-3555)             not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                Seems your /usr/local/bin/openssl hasn't
 						zlib support, so you cannot test for CRIME
 
 BREACH =HTTP Compression, experimental    uses gzip compression  (only "/" tested)
 POODLE (CVE-2014-3566), experimental      VULNERABLE , uses SSLv3 (no TLS_FALLBACK_SCSV tested)
 
--> Testing HTTP Header response
 
 HSTS        126 days (<180 is not good enough)
 Server      GSE
 Application (None)
 
--> Checking RC4 Ciphers
 
RC4 seems generally available. Now testing specific ciphers...
 
 Hexcode    Cipher Suite Name (OpenSSL)   KeyExch. Encryption Bits
-----------------------------------------------------------------------
 [0xc011]   ECDHE-RSA-RC4-SHA             ECDH       RC4      128
 [0x05]     RC4-SHA                       RSA        RC4      128
 [0x04]     RC4-MD5                       RSA        RC4      128
 
RC4 is kind of broken, for e.g. IE6 consider 0x13 or 0x0a
 
--> Testing (Perfect) Forward Secrecy  (P)FS)  -- omitting 3DES, RC4 and Null Encryption here
 
PFS seems generally available. Now testing specific ciphers ...
 
 Hexcode    Cipher Suite Name (OpenSSL)   KeyExch. Encryption Bits
-----------------------------------------------------------------------
 [0xc030]   ECDHE-RSA-AES256-GCM-SHA384   ECDH       AESGCM   256
 [0xcc13]   ECDHE-RSA-CHACHA20-POLY1305   ECDH       ChaCha20-Poly1305
 [0xc028]   ECDHE-RSA-AES256-SHA384       ECDH       AES      256
 [0xc014]   ECDHE-RSA-AES256-SHA          ECDH       AES      256
 [0xc02f]   ECDHE-RSA-AES128-GCM-SHA256   ECDH       AESGCM   128
 [0xc027]   ECDHE-RSA-AES128-SHA256       ECDH       AES      128
 [0xc011]   ECDHE-RSA-RC4-SHA             ECDH       RC4      128
 [0xc013]   ECDHE-RSA-AES128-SHA          ECDH       AES      128
 
Please note: detected PFS ciphers don't necessarily mean any client/browser will use them
 
 
Done now (2014-10-24 21:28) ---> 74.125.203.84:443 (accounts.google.com) <---

popサーバのSTARTTLSのテスト

STARTTLSをテストするには、--starttlsオプションを使用します。

$ ./testssl.sh --starttls pop.gmail.com:995 pop3
 
#########################################################
testssl.sh v2.1alpha  (https://testssl.sh)
($Id: testssl.sh,v 1.129 2014/10/23 13:52:05 dirkw Exp $)
 
   This program is free software. Redistribution +
   modification under GPLv2 is permitted.
   USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
 
 Note you can only check the server against what is
 available (ciphers/protocols) locally on your machine
#########################################################
 
Using "LibreSSL 2.1" []
      on "a1.local:/usr/local/bin/openssl"
 
Testing now (2014-10-24 21:45) ---> 74.125.31.109:995 (pop.gmail.com) <---
 
 further IP addresses:   74.125.31.108
 rDNS (74.125.31.109):   tb-in-f109.1e100.net
 
 
A non standard port or testing no web servers might show lame reponses (then just wait)
No engine or GOST support via engine with your /usr/local/bin/openssl
 
Problem: /usr/local/bin/openssl couldn't estabilish STARTTLS via pop3
34378688168:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:122:
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
 
 
Done now (2014-10-24 21:45) ---> 74.125.31.109:995 (pop.gmail.com) <---
 
 
[1]    72660 exit 3     ./testssl.sh --starttls pop.gmail.com:995 pop3

以下は、BIOが失敗している例です。

$ ./testssl.sh --starttls pop.mail.yahoo.co.jp:995 pop3
 
#########################################################
testssl.sh v2.1alpha  (https://testssl.sh)
($Id: testssl.sh,v 1.129 2014/10/23 13:52:05 dirkw Exp $)
 
   This program is free software. Redistribution +
   modification under GPLv2 is permitted.
   USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
 
 Note you can only check the server against what is
 available (ciphers/protocols) locally on your machine
#########################################################
 
Using "LibreSSL 2.1" []
      on "a1.local:/usr/local/bin/openssl"
 
Testing now (2014-10-24 21:45) ---> 114.111.79.140:995 (pop.mail.yahoo.co.jp) <---
 
 further IP addresses:   114.111.75.150
 rDNS (114.111.79.140):  pop501.mail.vip.kks.yahoo.co.jp
 
 
A non standard port or testing no web servers might show lame reponses (then just wait)
No engine or GOST support via engine with your /usr/local/bin/openssl
 
Problem: /usr/local/bin/openssl couldn't estabilish STARTTLS via pop3
BIO_read failed
CONNECTED(00000003)
 
 
Done now (2014-10-24 21:45) ---> 114.111.79.140:995 (pop.mail.yahoo.co.jp) <---
 
 
[1]    72800 exit 3     ./testssl.sh --starttls pop.mail.yahoo.co.jp:995 pop3

関連項目