The tool sslyze helps to identify weaknesses and configuration problems in HTTPS web sites (similar to SSL Labs, but run locally from the command line).
It is easy to install with "pip install sslyze" (or via git from GitHub). On Debian Jessie the package "python-dev" should be installed first, because pip has to compile the bundled OpenSSL bindings. Note that the sslyze_cli.py invocation and the --regular option shown below belong to the 0.x release series of 2016; current releases install a plain "sslyze" command that runs the full set of checks without --regular.
A scan then looks like this, for example:
# sslyze_cli.py --regular www.magenbrot.net:443
AVAILABLE PLUGINS
-----------------
CompressionPlugin
SessionResumptionPlugin
SessionRenegotiationPlugin
OpenSslCcsInjectionPlugin
HstsPlugin
FallbackScsvPlugin
OpenSslCipherSuitesPlugin
HeartbleedPlugin
CertificateInfoPlugin
CHECKING HOST(S) AVAILABILITY
-----------------------------
www.magenbrot.net:443 => 31.172.113.114
SCAN RESULTS FOR WWW.MAGENBROT.NET:443 - 31.172.113.114:443
-----------------------------------------------------------
* TLSV1_1 Cipher Suites:
Preferred:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits HTTP 200 OK
Accepted:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits HTTP 200 OK
TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH-2048 bits 256 bits HTTP 200 OK
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA DH-2048 bits 256 bits HTTP 200 OK
TLS_RSA_WITH_AES_256_CBC_SHA - 256 bits HTTP 200 OK
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - 256 bits HTTP 200 OK
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits HTTP 200 OK
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA DH-2048 bits 128 bits HTTP 200 OK
TLS_DHE_RSA_WITH_AES_128_CBC_SHA DH-2048 bits 128 bits HTTP 200 OK
TLS_RSA_WITH_AES_128_CBC_SHA - 128 bits HTTP 200 OK
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - 128 bits HTTP 200 OK
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDH-256 bits 112 bits HTTP 200 OK
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DH-2048 bits 112 bits HTTP 200 OK
TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits HTTP 200 OK
* TLSV1 Cipher Suites:
Preferred:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits HTTP 200 OK
Accepted:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits HTTP 200 OK
TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH-2048 bits 256 bits HTTP 200 OK
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA DH-2048 bits 256 bits HTTP 200 OK
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - 256 bits HTTP 200 OK
TLS_RSA_WITH_AES_256_CBC_SHA - 256 bits HTTP 200 OK
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits HTTP 200 OK
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA DH-2048 bits 128 bits HTTP 200 OK
TLS_RSA_WITH_AES_128_CBC_SHA - 128 bits HTTP 200 OK
TLS_DHE_RSA_WITH_AES_128_CBC_SHA DH-2048 bits 128 bits HTTP 200 OK
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - 128 bits HTTP 200 OK
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDH-256 bits 112 bits HTTP 200 OK
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DH-2048 bits 112 bits HTTP 200 OK
TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits HTTP 200 OK
* Session Renegotiation:
Client-initiated Renegotiation: OK - Rejected
Secure Renegotiation: OK - Supported
* Deflate Compression:
OK - Compression disabled
* OpenSSL Heartbleed:
OK - Not vulnerable to Heartbleed
* TLSV1_2 Cipher Suites:
Preferred:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH-256 bits 256 bits HTTP 200 OK
Accepted:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH-256 bits 256 bits HTTP 200 OK
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits HTTP 200 OK
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH-256 bits 256 bits HTTP 200 OK
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 DH-2048 bits 256 bits HTTP 200 OK
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 DH-2048 bits 256 bits HTTP 200 OK
TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH-2048 bits 256 bits HTTP 200 OK
TLS_RSA_WITH_AES_256_CBC_SHA256 - 256 bits HTTP 200 OK
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA DH-2048 bits 256 bits HTTP 200 OK
TLS_RSA_WITH_AES_256_GCM_SHA384 - 256 bits HTTP 200 OK
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - 256 bits HTTP 200 OK
TLS_RSA_WITH_AES_256_CBC_SHA - 256 bits HTTP 200 OK
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH-256 bits 128 bits HTTP 200 OK
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits HTTP 200 OK
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDH-256 bits 128 bits HTTP 200 OK
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 DH-2048 bits 128 bits HTTP 200 OK
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 DH-2048 bits 128 bits HTTP 200 OK
TLS_RSA_WITH_AES_128_GCM_SHA256 - 128 bits HTTP 200 OK
TLS_DHE_RSA_WITH_AES_128_CBC_SHA DH-2048 bits 128 bits HTTP 200 OK
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - 128 bits HTTP 200 OK
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA DH-2048 bits 128 bits HTTP 200 OK
TLS_RSA_WITH_AES_128_CBC_SHA - 128 bits HTTP 200 OK
TLS_RSA_WITH_AES_128_CBC_SHA256 - 128 bits HTTP 200 OK
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDH-256 bits 112 bits HTTP 200 OK
TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits HTTP 200 OK
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DH-2048 bits 112 bits HTTP 200 OK
* OpenSSL CCS Injection:
OK - Not vulnerable to OpenSSL CCS injection
* Session Resumption:
With Session IDs: OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
With TLS Tickets: OK - Supported
* SSLV3 Cipher Suites:
Server rejected all cipher suites.
* Downgrade Attacks:
TLS_FALLBACK_SCSV: OK - Supported
* SSLV2 Cipher Suites:
Server rejected all cipher suites.
* Certificate Basic Information:
SHA1 Fingerprint: 10b064a54a29ecb185c67c2516c75e53f4f8b505
Common Name: magenbrot.net
Issuer: Let's Encrypt Authority X1
Serial Number: 01316243ED5002FA8F19AD670F7515DEA2DF
Not Before: Feb 5 08:26:00 2016 GMT
Not After: May 5 08:26:00 2016 GMT
Signature Algorithm: sha256WithRSAEncryption
Public Key Algorithm: rsaEncryption
Key Size: 2048 bit
Exponent: 65537 (0x10001)
X509v3 Subject Alternative Name: {'DNS': ['magenbrot.net', 'www.magenbrot.net']}
* Certificate - Trust:
Hostname Validation: OK - Subject Alternative Name matches www.magenbrot.net
Mozilla NSS CA Store (02/2016): OK - Certificate is trusted
Microsoft CA Store (02/2016): OK - Certificate is trusted
Apple CA Store (OS X 10.11.3): OK - Certificate is trusted
Java 6 CA Store (Update 65): OK - Certificate is trusted
Google CA Store (02/2016): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
Weak Signature: OK - No SHA1-signed certificate in the chain
Certificate Chain Received: ['magenbrot.net', "Let's Encrypt Authority X1"]
* Certificate - OCSP Stapling:
NOT SUPPORTED - Server did not send back an OCSP response.
SCAN COMPLETED IN 1.78 S
------------------------
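Read against current practice, the scan above still accepts 3DES suites (112-bit strength), static RSA key exchange without forward secrecy, TLS 1.0 and TLS 1.1, and the server sends no stapled OCSP response. The script below is an added example, not part of the original post or of the sslyze project: it parses the text format of this sslyze output (the "* ... Cipher Suites:" sections plus the downgrade and OCSP stapling lines) and turns it into a list of findings. The sample input is a constructed, abridged excerpt with a placeholder host name; the regular expressions also match the full output above if it is pasted in, because they only rely on the suite name, key-exchange and key-size columns.

```python
"""Triage of sslyze text output (added example, not sslyze's own code)."""
import re

# Constructed sample input in the shape of sslyze 0.x text output.
# Host name and address are placeholders, not a live scan.
SAMPLE_OUTPUT = """\
SCAN RESULTS FOR WWW.EXAMPLE.NET:443 - 203.0.113.10:443
-------------------------------------------------------

 * TLSV1_1 Cipher Suites:
     Preferred:
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA       ECDH-256 bits   256 bits   HTTP 200 OK
     Accepted:
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA       ECDH-256 bits   256 bits   HTTP 200 OK
        TLS_RSA_WITH_AES_128_CBC_SHA             -               128 bits   HTTP 200 OK
        TLS_RSA_WITH_3DES_EDE_CBC_SHA            -               112 bits   HTTP 200 OK

 * TLSV1_2 Cipher Suites:
     Preferred:
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384    ECDH-256 bits   256 bits   HTTP 200 OK
     Accepted:
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384    ECDH-256 bits   256 bits   HTTP 200 OK
        TLS_RSA_WITH_AES_128_GCM_SHA256          -               128 bits   HTTP 200 OK
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA        DH-2048 bits    112 bits   HTTP 200 OK

 * SSLV3 Cipher Suites:
      Server rejected all cipher suites.

 * Downgrade Attacks:
       TLS_FALLBACK_SCSV:                 OK - Supported

 * Certificate - OCSP Stapling:
       NOT SUPPORTED - Server did not send back an OCSP response.
"""

# "* <Section name>:" headers and one accepted-suite row:
# <suite name> <key exchange: ECDH-n bits | DH-n bits | -> <key size> bits ...
SECTION_RE = re.compile(r"^\s*\*\s+(.+?):\s*$")
SUITE_RE = re.compile(r"^\s*(TLS_[A-Z0-9_]+)\s+(ECDH-\d+ bits|DH-\d+ bits|-)\s+(\d+) bits")

LEGACY_PROTOCOLS = ("SSLV2", "SSLV3", "TLSV1", "TLSV1_1")


def parse_scan(text):
    """Return {'suites': {proto: {suite: (kx, bits)}}, 'sections': {name: [lines]}}."""
    suites, sections = {}, {}
    current = proto = None
    in_accepted = False
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
            # Cipher suite sections are named "<PROTO> Cipher Suites".
            proto = current.split()[0] if current.endswith("Cipher Suites") else None
            in_accepted = False
            if proto:
                suites.setdefault(proto, {})
            continue
        if current is None:
            continue
        stripped = line.strip()
        sections[current].append(stripped)
        if proto is None:
            continue
        if stripped == "Accepted:":
            in_accepted = True
        elif stripped == "Preferred:":
            in_accepted = False  # the preferred suite is repeated under Accepted
        elif in_accepted:
            row = SUITE_RE.match(line)
            if row:
                suites[proto][row.group(1)] = (row.group(2), int(row.group(3)))
    return {"suites": suites, "sections": sections}


def triage(parsed):
    """Return (category, detail) findings in a stable order."""
    findings = []
    for proto, accepted in sorted(parsed["suites"].items()):
        if proto in LEGACY_PROTOCOLS and accepted:
            findings.append(("legacy-protocol", proto))
        for name, (kx, bits) in sorted(accepted.items()):
            # 3DES has a 64-bit block (SWEET32) and only 112-bit strength.
            if "3DES" in name or bits < 128:
                findings.append(("weak-cipher", f"{proto} {name}"))
            # "-" in the key-exchange column means static RSA: no forward secrecy.
            if kx == "-":
                findings.append(("no-forward-secrecy", f"{proto} {name}"))
    ocsp = " ".join(parsed["sections"].get("Certificate - OCSP Stapling", []))
    if "NOT SUPPORTED" in ocsp:
        findings.append(("no-ocsp-stapling", ocsp.strip()))
    downgrade = " ".join(parsed["sections"].get("Downgrade Attacks", []))
    if "TLS_FALLBACK_SCSV" in downgrade and "OK - Supported" not in downgrade:
        findings.append(("no-fallback-scsv", downgrade.strip()))
    return findings


if __name__ == "__main__":
    for category, detail in triage(parse_scan(SAMPLE_OUTPUT)):
        print(f"{category:20s} {detail}")
```

The categories map directly onto the fixes a server operator would make: drop the 3DES suites and the TLS_RSA_* suites from the cipher list, disable TLS 1.0 and 1.1, and enable OCSP stapling. The script only flags what the scan output proves; it does not guess at vulnerabilities sslyze did not test for.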