openssl can help you test which SSL protocols your server is configured to use.
1. openssl
If a protocol is enabled, the openssl s_client command will wait for input (or Control-D).
If the protocol is disabled, openssl will report an error similar to the one reproduced below:
21112:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
Openssl examples:
openssl s_client -connect ihshostname:443 -ssl2
openssl s_client -connect ihshostname:443 -ssl3
openssl s_client -connect ihshostname:443 -tls1
#openssl s_client -connect www.google.com:443 -ssl3
CONNECTED(00000003)
23569:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:293:
#openssl s_client -connect localhost:1414 -cipher ECDHE-RSA-DES-CBC3-SHA
#openssl s_client -connect localhost:1414 -showcerts
#openssl ciphers ==> lists the cipher names available to openssl, separated by :
**** A perl one-liner can be used here to turn the hard-to-read colon-separated output into one entry per line
#openssl ciphers|perl -ne 's/:/\n/g;print'
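A small shell wrapper for the manual openssl checks above, added here as an example and not part of the original post. The host, port and protocol list are assumptions to adjust for your server; the classification only looks at the handshake-failure and Cipher lines that openssl s_client prints, as shown in the outputs above.

```shell
#!/bin/sh
# Added example: probe one server for each legacy protocol the way the post
# does by hand, and classify the openssl s_client output automatically.

# classify_handshake: read openssl s_client output on stdin and print
#   DISABLED  when openssl reported a handshake failure / wrong version number
#   ENABLED   when a real cipher was negotiated (a "Cipher : NAME" line)
#   UNKNOWN   otherwise, e.g. this openssl build has no -ssl2/-ssl3 support
#             at all, so the client simply cannot test that protocol
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -Eq 'handshake failure|wrong version number|alert protocol version|unsupported protocol|no protocols available'; then
        echo DISABLED
    elif printf '%s\n' "$out" | grep -Eq '^ *Cipher *: *[A-Z0-9-]+'; then
        echo ENABLED
    else
        echo UNKNOWN
    fi
}

# probe_protocol HOST PORT -tls1 : run s_client with stdin closed so it does
# not sit waiting for input (the post's Control-D), then classify the result.
probe_protocol() {
    openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1 | classify_handshake
}

# probe_all HOST PORT : one line per protocol flag (assumed list; add -ssl2
# only if your openssl still accepts it).
probe_all() {
    for proto in -ssl3 -tls1 -tls1_1 -tls1_2; do
        printf '%-8s %s\n' "$proto" "$(probe_protocol "$1" "$2" "$proto")"
    done
}

# Usage: ./sslprobe.sh ihshostname 443
if [ $# -ge 1 ]; then
    probe_all "$1" "${2:-443}"
fi
```

Anything reported ENABLED for -ssl3 or -tls1 is what the IHS, SSL Labs and nmap checks below should also flag, so the three methods can be cross-checked against each other.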
2. online website check tool
https://www.ssllabs.com/ssltest/
3. standalone test tool (TestSSLServer)
https://www.bolet.org/TestSSLServer/
4. IHS v8 or later command:
Windows:
httpd -t -D DUMP_SSL_CONFIG
Linux:
apachectl -t -D DUMP_SSL_CONFIG
http://publib.boulder.ibm.com/httpserv/ihsdiag/ssl_questions.html#sslprotsupptest
5. use nmap to verify which cipher specs the SSL server supports
nmap --script ssl-enum-ciphers -p port_number ip_address
# nmap --script ssl-enum-ciphers -p 1477 localhost
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-03 10:56 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00018s latency).
Other addresses for localhost (not scanned): ::1
PORT STATE SERVICE
1477/tcp open ms-sna-server
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
| compressors:
| NULL
| cipher preference: server
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 1024) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 1024) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 1024) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 1024) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp384r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A
Nmap done: 1 IP address (1 host up) scanned in 1.63 seconds
Ref:
SSL-related test tools:
https://www.qa-knowhow.com/?p=3888
SSL handshake concept:
https://support.f5.com/csp/article/K15292