Install SSLyze
Environment
- Debian 9.7 x64
- Python 2.7.13
pip19.1.1- SSLyze 1.4.3
Excerpt https://github.com/nabla-c0d3/sslyze
Pre-requisite Install pip
Log 2019 / 05
1. Install SSLyze
root@athos:~# apt-get update && apt-get -y upgrade && apt-get -y dist-upgrade
root@athos:~# pip install sslyze
(truncated)
Successfully built sslyze tls-parser pycparser
Installing collected packages: pycparser, cffi, enum34, idna, asn1crypto, ipaddress,
cryptography, typing, nassl, tls-parser, sslyze
Successfully installed asn1crypto-0.24.0 cffi-1.12.3 cryptography-2.2.2 enum34-1.1.6
idna-2.8 ipaddress-1.0.22 nassl-1.1.3 pycparser-2.19 sslyze-1.4.3 tls-parser-1.2.1
typing-3.6.6
root@athos:~# sslyze --version
1.4.3
2. Using SSLyze
2.1. --regular Scan
root@athos:~# sslyze google.com:443 --regular
AVAILABLE PLUGINS
-----------------
CertificateInfoPlugin
FallbackScsvPlugin
OpenSslCcsInjectionPlugin
SessionRenegotiationPlugin
HttpHeadersPlugin
OpenSslCipherSuitesPlugin
SessionResumptionPlugin
CompressionPlugin
HeartbleedPlugin
RobotPlugin
CHECKING HOST(S) AVAILABILITY
-----------------------------
google.com:443 => 172.217.24.110
SCAN RESULTS FOR GOOGLE.COM:443 - 172.217.24.110
------------------------------------------------
* Deflate Compression:
OK - Compression disabled
* SSLV2 Cipher Suites:
Server rejected all cipher suites.
* Session Renegotiation:
Client-initiated Renegotiation: OK - Rejected
Secure Renegotiation: OK - Supported
* TLSV1 Cipher Suites:
Forward Secrecy OK - Supported
RC4 OK - Not Supported
Preferred:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits
Accepted:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits
TLS_RSA_WITH_AES_256_CBC_SHA - 256 bits
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits
TLS_RSA_WITH_AES_128_CBC_SHA - 128 bits
TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits
* TLSV1_3 Cipher Suites:
Server rejected all cipher suites.
* TLSV1_1 Cipher Suites:
Forward Secrecy OK - Supported
RC4 OK - Not Supported
Preferred:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits
Accepted:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits
TLS_RSA_WITH_AES_256_CBC_SHA - 256 bits
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits
TLS_RSA_WITH_AES_128_CBC_SHA - 128 bits
TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits
* Downgrade Attacks:
TLS_FALLBACK_SCSV: OK - Supported
* OpenSSL CCS Injection:
OK - Not vulnerable to OpenSSL CCS injection
* Resumption Support:
With Session IDs: OK - Supported
(5 successful, 0 failed, 0 errors, 5 total attempts).
With TLS Tickets: OK - Supported
* SSLV3 Cipher Suites:
Server rejected all cipher suites.
* OpenSSL Heartbleed:
OK - Not vulnerable to Heartbleed
* TLSV1_2 Cipher Suites:
Forward Secrecy OK - Supported
RC4 OK - Not Supported
Preferred:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH-256 bits 128 bits
Accepted:
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - 256 bits
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH-256 bits 256 bits
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - 256 bits
TLS_RSA_WITH_AES_256_GCM_SHA384 - 256 bits
TLS_RSA_WITH_AES_256_CBC_SHA - 256 bits
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH-256 bits 128 bits
TLS_RSA_WITH_AES_128_CBC_SHA - 128 bits
TLS_RSA_WITH_AES_128_GCM_SHA256 - 128 bits
TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits
* Certificate Information:
Content
SHA1 Fingerprint: c30287c724464cb4cc2aa9a5cf4281cca590f9f8
Common Name: *.google.com
Issuer: Google Internet Authority G3
Serial Number: 9424366544188047957227915957897338537
Not Before: 2019-05-07 11:29:56
Not After: 2019-07-30 10:54:00
Signature Algorithm: sha256
Public Key Algorithm: EllipticCurve
Key Size: 256
Curve: secp256r1
DNS Subject Alternative Names: [u'*.google.com', (truncated)]
Trust
Hostname Validation: OK - Certificate matches google.com
Android CA Store (8.1.0_r9): OK - Certificate is trusted
iOS CA Store (11): OK - Certificate is trusted
Java CA Store (jre-10.0.2): OK - Certificate is trusted
macOS CA Store (High Sierra): OK - Certificate is trusted
Mozilla CA Store (2018-04-12): OK - Certificate is trusted
Windows CA Store (2018-06-30): OK - Certificate is trusted
Symantec 2018 Deprecation: OK - Not a Symantec-issued certificate
Received Chain: *.google.com --> Google Internet Authority G3
Verified Chain: *.google.com --> Google Internet Authority G3
--> GlobalSign
Received Chain Contains Anchor: OK - Anchor certificate not sent
Received Chain Order: OK - Order is valid
Verified Chain contains SHA1: OK - No SHA1-signed certificate in the
verified certificate chain
Extensions
OCSP Must-Staple: NOT SUPPORTED - Extension not found
Certificate Transparency: NOT SUPPORTED - Extension not found
OCSP Stapling
NOT SUPPORTED - Server did not send
back an OCSP response
* ROBOT Attack:
OK - Not vulnerable
SCAN COMPLETED IN 5.34 S
------------------------
2.2. Custom Scan
root@athos:~# sslyze google.com:443 --tlsv1_2 --http_get --hide_rejected_ciphers
AVAILABLE PLUGINS
-----------------
CertificateInfoPlugin
SessionRenegotiationPlugin
FallbackScsvPlugin
HeartbleedPlugin
SessionResumptionPlugin
CompressionPlugin
OpenSslCcsInjectionPlugin
RobotPlugin
OpenSslCipherSuitesPlugin
HttpHeadersPlugin
CHECKING HOST(S) AVAILABILITY
-----------------------------
google.com:443 => 74.125.24.113
SCAN RESULTS FOR GOOGLE.COM:443 - 74.125.24.113
-----------------------------------------------
* TLSV1_2 Cipher Suites:
Forward Secrecy OK - Supported
RC4 OK - Not Supported
Preferred:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH-256 bits 128 bits
Accepted:
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - 256 bits
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH-256 bits 256 bits
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - 256 bits
TLS_RSA_WITH_AES_256_CBC_SHA - 256 bits
TLS_RSA_WITH_AES_256_GCM_SHA384 - 256 bits
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH-256 bits 128 bits
TLS_RSA_WITH_AES_128_CBC_SHA - 128 bits
TLS_RSA_WITH_AES_128_GCM_SHA256 - 128 bits
TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits
SCAN COMPLETED IN 0.18 S
------------------------