A Python tool for quickly checking the TLS configuration of a web server.
SSLyze is a really fast Python tool for checking a web server's TLS setup for misconfigurations.
For a quick overview, its speed clearly beats the SSL Server Test from SSL Labs. SSLyze can also be used as a Python module in your own projects.
It can be installed either through Python's package manager, pip, or directly from GitHub.
cmg@triton:~/workspace$ sudo apt-get install python-pip -y
cmg@triton:~/workspace$ git clone https://github.com/nabla-c0d3/sslyze.git sslyze.git
cmg@triton:~/workspace$ cd sslyze.git/
cmg@triton:~/workspace/sslyze.git$ pip install -r requirements.txt --target ./lib
python sslyze_cli.py --regular got-tty.org
Unfortunately I have no direct influence on the configuration of the web server this blog runs on, but the output here is only meant as an example:
AVAILABLE PLUGINS
-----------------
FallbackScsvPlugin
SessionResumptionPlugin
HeartbleedPlugin
OpenSslCipherSuitesPlugin
OpenSslCcsInjectionPlugin
CompressionPlugin
CertificateInfoPlugin
SessionRenegotiationPlugin
HstsPlugin
CHECKING HOST(S) AVAILABILITY
-----------------------------
got-tty.org:443 => 85.13.130.103
SCAN RESULTS FOR GOT-TTY.ORG:443 - 85.13.130.103:443
----------------------------------------------------
* TLSV1_1 Cipher Suites:
Preferred:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits HTTP 200 OK
Accepted:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits HTTP 200 OK
TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH-2048 bits 256 bits HTTP 200 OK
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA DH-2048 bits 256 bits HTTP 200 OK
TLS_RSA_WITH_AES_256_CBC_SHA - 256 bits HTTP 200 OK
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - 256 bits HTTP 200 OK
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits HTTP 200 OK
TLS_DHE_RSA_WITH_AES_128_CBC_SHA DH-2048 bits 128 bits HTTP 200 OK
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA DH-2048 bits 128 bits HTTP 200 OK
TLS_RSA_WITH_AES_128_CBC_SHA - 128 bits HTTP 200 OK
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - 128 bits HTTP 200 OK
TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits HTTP 200 OK
* TLSV1_2 Cipher Suites:
Preferred:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH-256 bits 128 bits HTTP 200 OK
Accepted:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH-256 bits 256 bits HTTP 200 OK
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits HTTP 200 OK
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH-256 bits 256 bits HTTP 200 OK
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 DH-2048 bits 256 bits HTTP 200 OK
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 DH-2048 bits 256 bits HTTP 200 OK
TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH-2048 bits 256 bits HTTP 200 OK
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA DH-2048 bits 256 bits HTTP 200 OK
TLS_RSA_WITH_AES_256_CBC_SHA - 256 bits HTTP 200 OK
TLS_RSA_WITH_AES_256_CBC_SHA256 - 256 bits HTTP 200 OK
TLS_RSA_WITH_AES_256_GCM_SHA384 - 256 bits HTTP 200 OK
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - 256 bits HTTP 200 OK
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH-256 bits 128 bits HTTP 200 OK
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDH-256 bits 128 bits HTTP 200 OK
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits HTTP 200 OK
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 DH-2048 bits 128 bits HTTP 200 OK
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 DH-2048 bits 128 bits HTTP 200 OK
TLS_DHE_RSA_WITH_AES_128_CBC_SHA DH-2048 bits 128 bits HTTP 200 OK
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA DH-2048 bits 128 bits HTTP 200 OK
TLS_RSA_WITH_AES_128_GCM_SHA256 - 128 bits HTTP 200 OK
TLS_RSA_WITH_AES_128_CBC_SHA256 - 128 bits HTTP 200 OK
TLS_RSA_WITH_AES_128_CBC_SHA - 128 bits HTTP 200 OK
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - 128 bits HTTP 200 OK
TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits HTTP 200 OK
* Session Renegotiation:
Client-initiated Renegotiation: OK - Rejected
Secure Renegotiation: OK - Supported
* Deflate Compression:
OK - Compression disabled
* OpenSSL Heartbleed:
OK - Not vulnerable to Heartbleed
* SSLV3 Cipher Suites:
Server rejected all cipher suites.
* Session Resumption:
With Session IDs: OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
With TLS Tickets: OK - Supported
* OpenSSL CCS Injection:
OK - Not vulnerable to OpenSSL CCS injection
* Certificate Basic Information:
SHA1 Fingerprint: 70878b335ca359b00d77a0ed3556e9821c70b6cf
Common Name: www.got-tty.org
Issuer: StartCom Class 1 Primary Intermediate Server CA
Serial Number: 0630DE1E796D7B
Not Before: Aug 27 11:05:45 2015 GMT
Not After: Aug 27 16:05:27 2016 GMT
Signature Algorithm: sha256WithRSAEncryption
Public Key Algorithm: rsaEncryption
Key Size: 2048 bit
Exponent: 65537 (0x10001)
X509v3 Subject Alternative Name: {'DNS': ['www.got-tty.org', 'got-tty.org']}
* Certificate - Trust:
Hostname Validation: OK - Subject Alternative Name matches got-tty.org
Mozilla NSS CA Store (02/2016): OK - Certificate is trusted
Microsoft CA Store (02/2016): OK - Certificate is trusted
Apple CA Store (OS X 10.11.3): OK - Certificate is trusted
Java 6 CA Store (Update 65): OK - Certificate is trusted
Google CA Store (02/2016): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
Weak Signature: OK - No SHA1-signed certificate in the chain
Certificate Chain Received: ['www.got-tty.org', 'StartCom Class 1 Primary Intermediate Server CA']
* Certificate - OCSP Stapling:
NOT SUPPORTED - Server did not send back an OCSP response.
* Downgrade Attacks:
TLS_FALLBACK_SCSV: OK - Supported
* SSLV2 Cipher Suites:
Server rejected all cipher suites.
* TLSV1 Cipher Suites:
Preferred:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits HTTP 200 OK
Accepted:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits HTTP 200 OK
TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH-2048 bits 256 bits HTTP 200 OK
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA DH-2048 bits 256 bits HTTP 200 OK
TLS_RSA_WITH_AES_256_CBC_SHA - 256 bits HTTP 200 OK
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - 256 bits HTTP 200 OK
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits HTTP 200 OK
TLS_DHE_RSA_WITH_AES_128_CBC_SHA DH-2048 bits 128 bits HTTP 200 OK
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA DH-2048 bits 128 bits HTTP 200 OK
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - 128 bits HTTP 200 OK
TLS_RSA_WITH_AES_128_CBC_SHA - 128 bits HTTP 200 OK
TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits HTTP 200 OK
SCAN COMPLETED IN 6.78 S
------------------------
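A report like the one above is easy to read once, but not across a dozen hosts. As an added example (not part of SSLyze and not code from the original post), the following script turns a `--regular` report into a ranked list of findings: legacy protocol versions that still accept cipher suites, weak suites and suites without forward secrecy (static RSA key exchange), every VULNERABLE, FAILED or NOT SUPPORTED verdict, and certificate expiry and key size. The embedded sample report is an abridged copy of the scan above; `SCAN_DATE` is an assumed scan date, the severity labels are this example's own rough ranking, and the parser only knows the text format printed by this version of `sslyze_cli.py`.

```python
import re
from datetime import datetime, timedelta

SCAN_DATE = datetime(2016, 2, 20)  # assumed date of the scan above (its trust stores are dated 02/2016)
SECTION_RE = re.compile(r"^\* (.+?):\s*$")
CIPHER_RE = re.compile(r"^((?:TLS|SSL)_[A-Za-z0-9_]+)")
STATUS_RE = re.compile(r"\b(VULNERABLE|FAILED|NOT SUPPORTED)\s*-\s*(.+)")
LEGACY_PROTOCOLS = {"SSLV2": "high", "SSLV3": "high", "TLSV1": "medium", "TLSV1_1": "medium"}
WEAK_TOKENS = frozenset({"NULL", "EXPORT", "RC4", "MD5", "DES", "3DES", "anon", "ADH", "AECDH"})

# Constructed sample: an abridged copy of the scan above, in the tool's text format (spacing collapsed).
SAMPLE_OUTPUT = """
* TLSV1_1 Cipher Suites:
Preferred:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits HTTP 200 OK
Accepted:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits HTTP 200 OK
TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits HTTP 200 OK
* TLSV1_2 Cipher Suites:
Preferred:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH-256 bits 128 bits HTTP 200 OK
Accepted:
TLS_RSA_WITH_AES_128_CBC_SHA - 128 bits HTTP 200 OK
TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits HTTP 200 OK
* SSLV3 Cipher Suites:
Server rejected all cipher suites.
* Certificate Basic Information:
Not After: Aug 27 16:05:27 2016 GMT
Key Size: 2048 bit
* Certificate - OCSP Stapling:
NOT SUPPORTED - Server did not send back an OCSP response.
* TLSV1 Cipher Suites:
Preferred:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits HTTP 200 OK
Accepted:
TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits HTTP 200 OK
"""


def parse_sections(output):
    """Map every '* Section:' header to the stripped, non-empty lines below it."""
    sections, current = {}, None
    for line in map(str.strip, output.splitlines()):
        if match := SECTION_RE.match(line):
            current = sections[match.group(1)] = []
        elif line and current is not None:
            current.append(line)
    return sections


def cipher_findings(sections):
    """Legacy protocols that still accept suites, weak suites, and suites without forward secrecy."""
    findings = []
    for name, lines in sections.items():
        if not name.endswith("Cipher Suites"):
            continue
        proto = name.split()[0]
        # "Server rejected all cipher suites." leaves this empty, i.e. the protocol is off.
        accepted = list(dict.fromkeys(m.group(1) for m in map(CIPHER_RE.match, lines) if m))
        if accepted and proto in LEGACY_PROTOCOLS:
            findings.append((LEGACY_PROTOCOLS[proto], f"{proto} enabled ({len(accepted)} suites)"))
        for suite in accepted:
            if WEAK_TOKENS & set(suite.split("_")):
                findings.append(("high", f"{proto}: weak cipher suite {suite}"))
            elif suite.startswith(("TLS_RSA_WITH_", "SSL_RSA_WITH_")):
                findings.append(("low", f"{proto}: no forward secrecy (static RSA key exchange) {suite}"))
    return findings


def status_findings(sections):
    """Every 'VULNERABLE - ...', 'FAILED - ...' or 'NOT SUPPORTED - ...' verdict outside the cipher tables."""
    findings = []
    for name, lines in sections.items():
        if name.endswith("Cipher Suites"):
            continue
        for match in filter(None, map(STATUS_RE.search, lines)):
            severity = "high" if match.group(1) == "VULNERABLE" else "medium"
            findings.append((severity, f"{name}: {match.group(2)}"))
    return findings


def certificate_findings(sections, today):
    findings = []
    for line in sections.get("Certificate Basic Information", []):
        if line.startswith("Not After:"):
            # sslyze prints OpenSSL's notAfter format, e.g. "Aug 27 16:05:27 2016 GMT"
            not_after = datetime.strptime(line.split(":", 1)[1].strip(), "%b %d %H:%M:%S %Y %Z")
            if not_after < today:
                findings.append(("high", f"certificate expired on {not_after:%Y-%m-%d}"))
            elif not_after - today < timedelta(days=30):
                findings.append(("medium", f"certificate expires on {not_after:%Y-%m-%d}"))
        elif line.startswith("Key Size:") and int(line.split()[2]) < 2048:
            findings.append(("high", f"public key is only {line.split()[2]} bit"))
    return findings


def analyze(output, today=None):
    """Return (severity, message) tuples for a full --regular report, highest severity first."""
    sections = parse_sections(output)
    findings = (cipher_findings(sections) + status_findings(sections)
                + certificate_findings(sections, today or datetime.now()))
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: rank[f[0]])
```

On the sample this yields three high findings (3DES accepted on every TLS version), three medium ones (TLS 1.0 and 1.1 still enabled, no OCSP stapling) and one low one (a static-RSA suite on TLS 1.2); SSLv3 produces nothing because the server rejected every suite there. To use it on a real scan, save the tool's output to a file and pass its contents to `analyze()`, or read the report from standard input in a small wrapper.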
For further parameters see: python sslyze_cli.py -h
See also: ssl-labs-scanner on GitHub
Happy analyzing