SSLyze SSL Scanner

A Python tool for quickly checking the encryption configuration of a web server.

SSLyze is a genuinely very fast Python tool for checking a web server's configuration for encryption misconfigurations.

For a quick overview, its speed definitely beats the SSL Server Test from SSL Labs. SSLyze can also be used as a Python module in your own projects.

It can be installed either via pip, Python's package manager, or directly from GitHub.

cmg@triton:~/workspace$ sudo apt-get install python-pip -y
cmg@triton:~/workspace$ git clone https://github.com/nabla-c0d3/sslyze.git sslyze.git
cmg@triton:~/workspace$ cd sslyze.git/
cmg@triton:~/workspace/sslyze.git$ pip install -r requirements.txt --target ./lib
cmg@triton:~/workspace/sslyze.git$ python sslyze_cli.py --regular got-tty.org

Unfortunately I have no direct influence on the configuration of the web server this blog runs on, but the output here is only meant to serve as an example:

 AVAILABLE PLUGINS
 -----------------

  FallbackScsvPlugin
  SessionResumptionPlugin
  HeartbleedPlugin
  OpenSslCipherSuitesPlugin
  OpenSslCcsInjectionPlugin
  CompressionPlugin
  CertificateInfoPlugin
  SessionRenegotiationPlugin
  HstsPlugin



 CHECKING HOST(S) AVAILABILITY
 -----------------------------

   got-tty.org:443                       => 85.13.130.103 



 SCAN RESULTS FOR GOT-TTY.ORG:443 - 85.13.130.103:443
 ----------------------------------------------------

  * TLSV1_1 Cipher Suites:
      Preferred:                       
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                ECDH-256 bits  128 bits      HTTP 200 OK                                                 
      Accepted:                        
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                ECDH-256 bits  256 bits      HTTP 200 OK                                                 
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA                  DH-2048 bits   256 bits      HTTP 200 OK                                                 
        TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA             DH-2048 bits   256 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_AES_256_CBC_SHA                      -              256 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_CAMELLIA_256_CBC_SHA                 -              256 bits      HTTP 200 OK                                                 
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                ECDH-256 bits  128 bits      HTTP 200 OK                                                 
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA                  DH-2048 bits   128 bits      HTTP 200 OK                                                 
        TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA             DH-2048 bits   128 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_AES_128_CBC_SHA                      -              128 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_CAMELLIA_128_CBC_SHA                 -              128 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     -              112 bits      HTTP 200 OK                                                 

  * TLSV1_2 Cipher Suites:
      Preferred:                       
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256             ECDH-256 bits  128 bits      HTTP 200 OK                                                 
      Accepted:                        
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384             ECDH-256 bits  256 bits      HTTP 200 OK                                                 
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                ECDH-256 bits  256 bits      HTTP 200 OK                                                 
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384             ECDH-256 bits  256 bits      HTTP 200 OK                                                 
        TLS_DHE_RSA_WITH_AES_256_GCM_SHA384               DH-2048 bits   256 bits      HTTP 200 OK                                                 
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA256               DH-2048 bits   256 bits      HTTP 200 OK                                                 
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA                  DH-2048 bits   256 bits      HTTP 200 OK                                                 
        TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA             DH-2048 bits   256 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_AES_256_CBC_SHA                      -              256 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_AES_256_CBC_SHA256                   -              256 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_AES_256_GCM_SHA384                   -              256 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_CAMELLIA_256_CBC_SHA                 -              256 bits      HTTP 200 OK                                                 
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256             ECDH-256 bits  128 bits      HTTP 200 OK                                                 
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256             ECDH-256 bits  128 bits      HTTP 200 OK                                                 
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                ECDH-256 bits  128 bits      HTTP 200 OK                                                 
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA256               DH-2048 bits   128 bits      HTTP 200 OK                                                 
        TLS_DHE_RSA_WITH_AES_128_GCM_SHA256               DH-2048 bits   128 bits      HTTP 200 OK                                                 
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA                  DH-2048 bits   128 bits      HTTP 200 OK                                                 
        TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA             DH-2048 bits   128 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_AES_128_GCM_SHA256                   -              128 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_AES_128_CBC_SHA256                   -              128 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_AES_128_CBC_SHA                      -              128 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_CAMELLIA_128_CBC_SHA                 -              128 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     -              112 bits      HTTP 200 OK                                                 

  * Session Renegotiation:
      Client-initiated Renegotiation:    OK - Rejected
      Secure Renegotiation:              OK - Supported

  * Deflate Compression:
                                         OK - Compression disabled

  * OpenSSL Heartbleed:
                                         OK - Not vulnerable to Heartbleed

  * SSLV3 Cipher Suites:
      Server rejected all cipher suites.

  * Session Resumption:
      With Session IDs:                  OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
      With TLS Tickets:                  OK - Supported

  * OpenSSL CCS Injection:
                                         OK - Not vulnerable to OpenSSL CCS injection

  * Certificate Basic Information:
      SHA1 Fingerprint:                  70878b335ca359b00d77a0ed3556e9821c70b6cf
      Common Name:                       www.got-tty.org
      Issuer:                            StartCom Class 1 Primary Intermediate Server CA
      Serial Number:                     0630DE1E796D7B
      Not Before:                        Aug 27 11:05:45 2015 GMT
      Not After:                         Aug 27 16:05:27 2016 GMT
      Signature Algorithm:               sha256WithRSAEncryption
      Public Key Algorithm:              rsaEncryption
      Key Size:                          2048 bit
      Exponent:                          65537 (0x10001)
      X509v3 Subject Alternative Name:   {'DNS': ['www.got-tty.org', 'got-tty.org']}

  * Certificate - Trust:
      Hostname Validation:               OK - Subject Alternative Name matches got-tty.org
      Mozilla NSS CA Store (02/2016):    OK - Certificate is trusted
      Microsoft CA Store (02/2016):      OK - Certificate is trusted
      Apple CA Store (OS X 10.11.3):     OK - Certificate is trusted
      Java 6 CA Store (Update 65):       OK - Certificate is trusted
      Google CA Store (02/2016):         FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
      Weak Signature:                    OK - No SHA1-signed certificate in the chain
      Certificate Chain Received:        ['www.got-tty.org', 'StartCom Class 1 Primary Intermediate Server CA']

  * Certificate - OCSP Stapling:
                                         NOT SUPPORTED - Server did not send back an OCSP response.

  * Downgrade Attacks:
      TLS_FALLBACK_SCSV:                 OK - Supported

  * SSLV2 Cipher Suites:
      Server rejected all cipher suites.

  * TLSV1 Cipher Suites:
      Preferred:                       
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                ECDH-256 bits  128 bits      HTTP 200 OK                                                 
      Accepted:                        
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                ECDH-256 bits  256 bits      HTTP 200 OK                                                 
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA                  DH-2048 bits   256 bits      HTTP 200 OK                                                 
        TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA             DH-2048 bits   256 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_AES_256_CBC_SHA                      -              256 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_CAMELLIA_256_CBC_SHA                 -              256 bits      HTTP 200 OK                                                 
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                ECDH-256 bits  128 bits      HTTP 200 OK                                                 
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA                  DH-2048 bits   128 bits      HTTP 200 OK                                                 
        TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA             DH-2048 bits   128 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_CAMELLIA_128_CBC_SHA                 -              128 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_AES_128_CBC_SHA                      -              128 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     -              112 bits      HTTP 200 OK                                                 



 SCAN COMPLETED IN 6.78 S
 ------------------------
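Reading a report like the one above by eye works for a single host but not for a fleet. As an added example (not part of the original post and not SSLyze's own code), the following Python script parses the plain-text report format shown above and applies a small, opinionated policy: 3DES suites and SSLv2/SSLv3 are high severity, static RSA key exchange (the `-` in the key-exchange column, meaning no forward secrecy) and the legacy TLS 1.0/1.1 protocols are medium, CBC suites on TLS 1.2 and missing OCSP stapling are low. The sample lines are a constructed excerpt copied from the scan output above; the severity labels are this example's own choice, not something SSLyze emits.

```python
"""Triage SSLyze text output into a prioritised list of findings.

Added example, not part of SSLyze. It understands the report layout shown
above: section headers "* <name>:", cipher lines with a key-exchange column
("ECDH-256 bits", "DH-2048 bits" or "-" for static RSA) and a strength column.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: a few lines copied from the scan output above.
SAMPLE_REPORT = """
  * TLSV1_1 Cipher Suites:
      Preferred:
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                ECDH-256 bits  128 bits      HTTP 200 OK
      Accepted:
        TLS_RSA_WITH_AES_256_CBC_SHA                      -              256 bits      HTTP 200 OK
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     -              112 bits      HTTP 200 OK

  * TLSV1_2 Cipher Suites:
      Preferred:
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256             ECDH-256 bits  128 bits      HTTP 200 OK
      Accepted:
        TLS_DHE_RSA_WITH_AES_256_GCM_SHA384               DH-2048 bits   256 bits      HTTP 200 OK
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256             ECDH-256 bits  128 bits      HTTP 200 OK
        TLS_RSA_WITH_AES_128_CBC_SHA                      -              128 bits      HTTP 200 OK
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     -              112 bits      HTTP 200 OK

  * SSLV3 Cipher Suites:
      Server rejected all cipher suites.

  * Certificate - OCSP Stapling:
                                         NOT SUPPORTED - Server did not send back an OCSP response.

  * Downgrade Attacks:
      TLS_FALLBACK_SCSV:                 OK - Supported
"""

SECTION_RE = re.compile(r"^\s*\* (?P<name>.+?):\s*$")
CIPHER_RE = re.compile(
    r"^\s*(?P<suite>TLS_[A-Z0-9_]+)\s+"
    r"(?P<kx>-|ECDH-\d+ bits|DH-\d+ bits)\s+"
    r"(?P<bits>\d+) bits"
)

BROKEN_PROTOCOLS = {"SSLV2", "SSLV3"}
LEGACY_PROTOCOLS = {"TLSV1", "TLSV1_1"}


@dataclass
class Report:
    # protocol (e.g. "TLSV1_2") -> list of (suite name, key-exchange column)
    suites: Dict[str, List[Tuple[str, str]]] = field(default_factory=dict)
    rejected_protocols: Set[str] = field(default_factory=set)
    ocsp_stapling: Optional[bool] = None   # None: section not present
    fallback_scsv: Optional[bool] = None


def parse_report(text: str) -> Report:
    """Walk the report line by line, tracking which "* ...:" section we are in."""
    report = Report()
    section = None
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            if section.endswith("Cipher Suites"):
                report.suites.setdefault(section.split()[0], [])
            continue
        if section is None:
            continue
        if section.endswith("Cipher Suites"):
            proto = section.split()[0]
            if "rejected all cipher suites" in line:
                report.rejected_protocols.add(proto)
                continue
            cipher = CIPHER_RE.match(line)
            if cipher:
                entry = (cipher.group("suite"), cipher.group("kx"))
                if entry not in report.suites[proto]:   # preferred suite repeats in "Accepted"
                    report.suites[proto].append(entry)
        elif section == "Certificate - OCSP Stapling":
            if "NOT SUPPORTED" in line:
                report.ocsp_stapling = False
            elif "OK" in line:
                report.ocsp_stapling = True
        elif section == "Downgrade Attacks" and "TLS_FALLBACK_SCSV" in line:
            report.fallback_scsv = "OK" in line
    return report


def assess(report: Report) -> List[Tuple[str, str]]:
    """Apply the policy; returns (severity, message) pairs, most severe first."""
    findings = []
    for proto, suites in report.suites.items():
        if not suites:
            continue   # protocol disabled, nothing to report
        if proto in BROKEN_PROTOCOLS:
            findings.append(("HIGH", f"{proto} is enabled"))
        elif proto in LEGACY_PROTOCOLS:
            findings.append(("MEDIUM", f"{proto} is enabled (legacy protocol, CBC-only suites)"))
        for suite, kx in suites:
            if "3DES" in suite:
                findings.append(("HIGH", f"{proto}: {suite} uses 3DES (64-bit block, 112-bit strength)"))
            elif kx == "-":
                findings.append(("MEDIUM", f"{proto}: {suite} uses static RSA key exchange (no forward secrecy)"))
            elif "_CBC_" in suite and proto == "TLSV1_2":
                findings.append(("LOW", f"{proto}: {suite} is a CBC suite; prefer AEAD (GCM)"))
    if report.ocsp_stapling is False:
        findings.append(("LOW", "OCSP stapling not supported"))
    if report.fallback_scsv is False:
        findings.append(("MEDIUM", "TLS_FALLBACK_SCSV not supported (downgrade protection missing)"))
    rank = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    findings.sort(key=lambda f: rank[f[0]])   # stable sort keeps report order within a level
    return findings


if __name__ == "__main__":
    for severity, message in assess(parse_report(SAMPLE_REPORT)):
        print(f"[{severity}] {message}")
```

To use it on a real scan, pipe the output of `sslyze_cli.py --regular <host>` into a file and pass its contents to `parse_report()`; on the excerpt above the script reports the two 3DES suites as high, the legacy TLS 1.1 protocol and the static-RSA suites as medium, and the missing OCSP stapling as low.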

For further parameters see: python sslyze_cli.py -h

See also: ssl-labs-scanner on GitHub

Happy analyzing