├── .dockerignore ├── .github └── workflows │ └── ci.yml ├── .gitignore ├── Changelog ├── Dockerfile ├── INSTALL ├── LICENSE ├── Makefile ├── Makefile.mingw ├── Makefile.vs ├── README.md ├── docker_test.sh ├── docker_test ├── Dockerfile ├── build_test_apps.sh ├── ca_cert.pem ├── ca_key.pem ├── cert_1024.crt ├── cert_2048.crt ├── cert_3072.crt ├── cert_512.crt ├── cert_ecdsa_prime256v1.crt ├── dhparams_1024.pem ├── dhparams_2048.pem ├── dhparams_3072.pem ├── dhparams_512.pem ├── expected_output │ ├── test_1.txt │ ├── test_10.txt │ ├── test_11.txt │ ├── test_12.txt │ ├── test_13.txt │ ├── test_14.txt │ ├── test_15.txt │ ├── test_16.txt │ ├── test_17.txt │ ├── test_18.txt │ ├── test_19.txt │ ├── test_2.txt │ ├── test_3.txt │ ├── test_4.txt │ ├── test_5.txt │ ├── test_6.txt │ ├── test_7.txt │ ├── test_8.txt │ └── test_9.txt ├── key_1024.pem ├── key_2048.pem ├── key_3072.pem ├── key_512.pem ├── key_ecdsa_prime256v1.pem ├── key_notes.txt ├── nginx_site_client_cert_required └── nginx_test9.conf ├── missing_ciphersuites.h ├── sslscan.1 ├── sslscan.c ├── sslscan.h ├── tags ├── tools ├── iana_tls_ciphersuite_parser.py └── iana_tls_supported_groups_parser.py └── win32bit-compat.h /.dockerignore: -------------------------------------------------------------------------------- 1 | openssl 2 | -------------------------------------------------------------------------------- /.github/workflows/ci.yml: -------------------------------------------------------------------------------- 1 | name: ci 2 | 3 | on: push 4 | 5 | jobs: 6 | build: 7 | runs-on: ubuntu-latest 8 | strategy: 9 | fail-fast: false 10 | matrix: 11 | cc: [clang, gcc] 12 | steps: 13 | - uses: actions/checkout@v4 14 | - name: build with ${{ matrix.cc }} 15 | run: | 16 | # Since ubuntu-latest does not ship with OpenSSL >= v3.5, dynamic linking will fail unless we build and install it. 
17 | git clone -b openssl-3.5 https://github.com/openssl/openssl 18 | pushd openssl 19 | git fetch --tags 20 | git checkout openssl-3.5.0 21 | ./config --prefix=/opt/openssl35 shared 22 | make -j $(nproc --all) 23 | make install 24 | popd 25 | 26 | make sslscan LDFLAGS=-L/opt/openssl35 CFLAGS=-I/opt/openssl35/include 27 | make static 28 | env: 29 | CC: ${{ matrix.cc }} 30 | build_mingw: 31 | runs-on: ubuntu-latest 32 | steps: 33 | - uses: actions/checkout@v4 34 | - name: install mingw-w64 35 | run: | 36 | sudo apt-get update -qq 37 | sudo apt-get install -qq mingw-w64 38 | - name: build with mingw-w64 39 | run: | 40 | make -f Makefile.mingw 41 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # object files 2 | *.o 3 | *.obj 4 | 5 | # compiled binary 6 | sslscan 7 | sslscan.exe 8 | 9 | # debian build of openssl 10 | openssl-*/ 11 | openssl_* 12 | libcrypto* 13 | libssl* 14 | 15 | # custom openssl build 16 | openssl/ 17 | .openssl.is.fresh 18 | .openssl_mingw.is.fresh 19 | 20 | # custom zlib build for Windows 21 | zlib_mingw/ -------------------------------------------------------------------------------- /Changelog: -------------------------------------------------------------------------------- 1 | Changelog 2 | ========= 3 | 4 | Version: 2.2.0 5 | Date : 15/06/2025 6 | Author : rbsec 7 | Changes: The following are a list of changes 8 | > OpenSSL 3.5 is now the minimum version to build against (credit tetlowgm) 9 | > Various code cleanup dropping support for legacy OpenSSL versions (credit tetlowgm) 10 | > Handle some servers that rejecting large ClientHello messages (credit jtesta) 11 | > Add support for new post-quantum groups (credit jtesta) 12 | > Update the output colouring of various ciphers/groups/etc (#333) 13 | 14 | Version: 2.1.6 15 | Date : 02/12/2024 16 | Author : rbsec 17 | Changes: The following are a list of changes 18 | 
> Flag CCM8 ciphers as weak and manually override their displayed 19 | bit strength to match newer versions of OpenSSL 20 | See https://github.com/openssl/openssl/pull/16652 21 | 22 | Version: 2.1.5 23 | Date : 21/09/2024 24 | Author : rbsec 25 | Changes: The following are a list of changes 26 | > Various build improvements 27 | > Makefile improvements 28 | 29 | Version: 2.1.4 30 | Date : 16/06/2024 31 | Author : rbsec 32 | Changes: The following are a list of changes 33 | > Display the full cert chain --show-certificates (credit fhtino) 34 | 35 | Version: 2.1.3 36 | Date : 21/01/2024 37 | Author : rbsec 38 | Changes: The following are a list of changes 39 | > Enable quiet shutdown for scanning (credit jarnfast) 40 | > Fix Docker build on non-x64 architectures (credit jtesta) 41 | 42 | Version: 2.1.2 43 | Date : 14/11/2023 44 | Author : rbsec 45 | Changes: The following are a list of changes 46 | > Fix certificate and cipher enumeration when unsafe renegotiation is 47 | required(credit jtesta) 48 | 49 | Version: 2.1.1 50 | Date : 19/09/2023 51 | Author : rbsec 52 | Changes: The following are a list of changes 53 | > Work around several dodgy TLS implementations (credit jtesta) 54 | 55 | Version: 2.1.0 56 | Date : 05/09/2023 57 | Author : rbsec 58 | Changes: The following are a list of changes 59 | > Build against OpenSSL 3.0 instead of 1.1.0 (credit jtesta) 60 | > Improve CPU detection on OSX (tetlowgm) 61 | 62 | Version: 2.0.16 63 | Date : 08/04/2023 64 | Author : rbsec 65 | Changes: The following are a list of changes 66 | > Fix incorret detection of TLSv1.3 on Server 2019 (credit jtesta) 67 | > Fix incorrect XML certificate output 68 | 69 | Version: 2.0.15 70 | Date : 03/07/2022 71 | Author : rbsec 72 | Changes: The following are a list of changes 73 | > Obtain certificate info even if we can't connect properly 74 | 75 | Version: 2.0.14 76 | Date : 23/06/2022 77 | Author : rbsec 78 | Changes: The following are a list of changes 79 | > Strip out https:// from 
lines in a target file 80 | 81 | Version: 2.0.13 82 | Date : 03/04/2022 83 | Author : rbsec 84 | Changes: The following are a list of changes 85 | > Fix TLSv1.3 detection against Server 2022 (credit jtesta) 86 | 87 | Version: 2.0.12 88 | Date : 23/02/2022 89 | Author : rbsec 90 | Changes: The following are a list of changes 91 | > Add XML element (credit lucacapacci) 92 | 93 | Version: 2.0.11 94 | Date : 16/12/2021 95 | Author : rbsec 96 | Changes: The following are a list of changes 97 | > Add --iana-names option to use IANA/RFC cipher names 98 | > Improve signature algorithm detection 99 | 100 | Version: 2.0.10 101 | Date : 27/04/2021 102 | Author : rbsec 103 | Changes: The following are a list of changes 104 | > Add the --connect-timeout option (credit alkalim) 105 | > Fix a typo in output 106 | 107 | Version: 2.0.9 108 | Date : 24/03/2021 109 | Author : rbsec 110 | Changes: The following are a list of changes 111 | > Warn on TLSv1.1, as it's now deprecated by RFC 8996 112 | 113 | Version: 2.0.8 114 | Date : 12/02/2021 115 | Author : rbsec 116 | Changes: The following are a list of changes 117 | > Fix a bug with LDAP STARTTLS 118 | > Fix certificate detection on some broken servers 119 | > Fix missing SCSV Fallback in XML output 120 | 121 | Version: 2.0.7 122 | Date : 10/02/2021 123 | Author : rbsec 124 | Changes: The following are a list of changes 125 | > Don't show server signature algorithms by default 126 | > Use --show-sigs to display them 127 | 128 | Version: 2.0.6 129 | Date : 31/10/2020 130 | Author : rbsec 131 | Changes: The following are a list of changes 132 | > Flag certificates in red if CN is the same as issuer 133 | 134 | Version: 2.0.5 135 | Date : 24/10/2020 136 | Author : rbsec 137 | Changes: The following are a list of changes 138 | > Fix --targets not working properly 139 | 140 | Version: 2.0.4 141 | Date : 13/10/2020 142 | Author : rbsec 143 | Changes: The following are a list of changes 144 | > Remove the broken HTTP request scanning 
option (--http) 145 | 146 | Version: 2.0.3 147 | Date : 11/10/2020 148 | Author : rbsec 149 | Changes: The following are a list of changes 150 | > Fix the extraneous padding of HTTP responses in XML 151 | > Update the HTTP request to HTTP/1.1 152 | > More robust checking the HTTP response is valid 153 | > Display "No response" when no HTTP response is returned 154 | 155 | Version: 2.0.2 156 | Date : 04/10/2020 157 | Author : rbsec 158 | Changes: The following are a list of changes 159 | > Add element to XML output 160 | 161 | Version: 2.0.1 162 | Date : 20/09/2020 163 | Author : rbsec 164 | Changes: The following are a list of changes 165 | > Fix SNI name when using --targets 166 | 167 | Version: 2.0.0 168 | Date : 22/07/2020 169 | Author : rbsec 170 | Changes: The following are a list of changes 171 | > Documentation updates 172 | 173 | Version: 2.0.0-beta6 174 | Date : 02/07/2020 175 | Author : rbsec 176 | Changes: The following are a list of changes 177 | > Report servers that accept any signature algorithm in the XML 178 | 179 | Version: 2.0.0-beta5 180 | Date : 30/06/2020 181 | Author : rbsec 182 | Changes: The following are a list of changes 183 | > Remove the "Signature Algorithm:" text and spacing from the XML. 184 | 185 | Version: 2.0.0-beta4 186 | Date : 10/06/2020 187 | Author : rbsec 188 | Changes: The following are a list of changes 189 | > Add a new "" element to the XML output. 190 | 191 | Version: 2.0.0-beta3 192 | Date : 10/06/2020 193 | Author : rbsec 194 | Changes: The following are a list of changes 195 | > Fix a few compiler warnings. 196 | > Fix a regression where the "strength" attribute was missing. 197 | 198 | Version: 2.0.0-beta2 199 | Date : 10/05/2020 200 | Author : rbsec 201 | Changes: The following are a list of changes 202 | > Fix a bug with servers that return incorrect cipher IDs. 203 | > Portability improvements. 204 | > Fix x86 windows build. 
205 | 206 | Version: 2.0.0-beta1 207 | Date : 29/02/2020 208 | Author : rbsec 209 | Changes: The following are a list of changes 210 | > Print curve name and key strength for ECC certs 211 | > Various documentation updates 212 | 213 | Version: 2.0.0-alpha2 214 | Date : 29/02/2020 215 | Author : rbsec 216 | Changes: The following are a list of changes 217 | > Fix compilation on old versions of GCC. 218 | > Minor changes to protocol support output. 219 | > Strip a trailing slash from the specified target. 220 | > Various other minor bugfixes. 221 | 222 | Version: 2.0.0-alpha1 223 | Date : 22/02/2020 224 | Author : rbsec 225 | Changes: The following are a list of changes 226 | > Major rewrite of backend scanning code. 227 | > Support for additional cipher suites. 228 | > Support for TLSv1.3 229 | > Support for SSLv2 and SSLv3 protocol detection regardless of 230 | OpenSSL. 231 | > Checks for server key exchange groups. 232 | > Checks for server signature algorithms. 233 | 234 | Version: 1.11.13 235 | Date : 24/03/2019 236 | Author : rbsec 237 | Changes: The following are a list of changes 238 | > Added strength attribute to XML to reflect colouring in stdout 239 | 240 | Version: 1.11.12 241 | Date : 18/10/2018 242 | Author : rbsec 243 | Changes: The following are a list of changes 244 | > Enable colours in Windows console output if supported 245 | > Include SCSV fallback in XML output 246 | > Various bugfixes 247 | 248 | Version: 1.11.11 249 | Date : 31/12/2017 250 | Author : rbsec 251 | Changes: The following are a list of changes 252 | > Added -4 and -6 options to force IPv4 and IPv6. 253 | > Fix build on Solaris and Windows. 254 | > Fix cross-compiling. 255 | 256 | Version: 1.11.10 257 | Date : 04/05/2017 258 | Author : rbsec 259 | Changes: The following are a list of changes 260 | > Build against Peter Mosmans' branch of OpenSSL 261 | > Support for ChaCha ciphers 262 | > NOTE: you will need to run `make clean && make static`. 
263 | 264 | Version: 1.11.9 265 | Date : 09/04/2017 266 | Author : rbsec 267 | Changes: The following are a list of changes 268 | > Add support for STARTTLS on mysql (--starttls-mysql) 269 | > Display SNI information in XML output 270 | > Fix some compiler warnings 271 | > Mark SHA-1 certificates as weak 272 | > Fix build on some platforms 273 | 274 | Version: 1.11.8 275 | Date : 06/11/2016 276 | Author : rbsec 277 | Changes: The following are a list of changes 278 | > Support alternate SNI hostnames (--sni=) 279 | > Allow building with no support for TLS SCSV Fallback 280 | 281 | Version: 1.11.7 282 | Date : 13/06/2016 283 | Author : rbsec 284 | Changes: The following are a list of changes 285 | > Check for TLS Fallback SCSV 286 | > Allow xml to be output on stdout (--xml=-) 287 | 288 | Version: 1.11.6 289 | Date : 09/04/2016 290 | Author : rbsec 291 | Changes: The following are a list of changes 292 | > Re-eanble support for weak (<1024) DH keys in OpenSSL 293 | 294 | Version: 1.11.5 295 | Date : 24/03/2016 296 | Author : rbsec 297 | Changes: The following are a list of changes 298 | > Fix bug in heartbleed check (credit nuxi) 299 | > Makefile improvements and fixes for OSX and FreeBSD 300 | > Optimize OpenSSL clone 301 | > Implement --show-times to display handshake times in milliseconds 302 | 303 | Version: 1.11.4 304 | Date : 06/03/2016 305 | Author : rbsec 306 | Changes: The following are a list of changes 307 | > Fix compression detection (credit nuxi) 308 | > Added support for PostgreSQL (credit nuxi) 309 | 310 | Version: 1.11.3 311 | Date : 03/03/2016 312 | Author : rbsec 313 | Changes: The following are a list of changes 314 | > Properly fix missing SSLv2 EXPORT ciphers by patching OpenSSL 315 | 316 | Version: 1.11.2 317 | Date : 02/03/2016 318 | Author : rbsec 319 | Changes: The following are a list of changes 320 | > Makefile improvements 321 | > Update OpenSSL from Git when statically building 322 | > Use enable-ssl2 and enable-weak-ciphers when 
building statically 323 | 324 | Version: 1.11.1 325 | Date : 11/12/2015 326 | Author : rbsec 327 | Changes: The following are a list of changes 328 | > Show cipher IDs with --show-cipher-ids (credit maurice2k) 329 | > Warn when building against system OpenSSL rather than statically 330 | > Allow building statically on OSX (experimental) 331 | 332 | Version: 1.11.0 333 | Date : 24/09/2015 334 | Author : rbsec 335 | Changes: The following are a list of changes 336 | > Rewrote ciphersuite scanning engine to be much faster 337 | > Ciphers are now output in order of server preference 338 | > Most secure protocols are scanned first (TLSv1.2 -> SSLv2) 339 | > All protocols are tried when trying to obtain the certificate 340 | > Obsolete --failed and --no-preferred-ciphers options removed 341 | > Flag TLSv1.0 ciphers in output 342 | > Flag 56 bit ciphers as red, not yellow 343 | > Fix building on OpenBSD (credit Stuart Henderson) 344 | > Fix incorrect output when server prefers NULL ciphers 345 | 346 | Version: 1.10.6 347 | Date : 06/08/2015 348 | Author : rbsec 349 | Changes: The following are a list of changes 350 | > Fix --sleep only working for whole seconds (credit dmke) 351 | > Fix compiling against OpenSSL 0.9.8 (credit aclemons) 352 | > Flag expired certificates (credit jacktrice) 353 | 354 | Version: 1.10.5 355 | Date : 07/07/2015 356 | Author : rbsec 357 | Changes: The following are a list of changes 358 | > Added IRC STARTTLS support (--starttls-irc, credit jkent) 359 | > Highlight weak RSA keys in output 360 | > Added option to show OCSP status (--ocsp, credit kelbyludwig) 361 | > Fix a segfault with certificate parsing 362 | 363 | Version: 1.10.4 364 | Date : 21/06/2015 365 | Author : rbsec 366 | Changes: The following are a list of changes 367 | > Display cipher details by default (hide with --no-cipher-details) 368 | > Fix scanning multiple targets if one fails (credit shellster) 369 | > Fix bug with --no-color and --failed (credit yasulib) 370 | > Minor 
bugfixes to output 371 | 372 | Version: 1.10.3 373 | Date : 22/05/2015 374 | Author : rbsec 375 | Changes: The following are a list of changes 376 | > Flag weak DHE keys in --cipher-details 377 | > Report DHE key bits in XML 378 | > Change ECDHE key bits to "ecdhebits" rather than "dhebits" in XML 379 | 380 | Version: 1.10.2 381 | Date : 12/05/2015 382 | Author : rbsec 383 | Changes: The following are a list of changes 384 | > Wrap TLS extensions in CDATA blocks in XML output. 385 | > Fix incorrect TLS versions in heartbleed checks 386 | 387 | Version: 1.10.1 388 | Date : 06/04/2015 389 | Author : rbsec 390 | Changes: The following are a list of changes 391 | > Fix XML output to use "TLSv1.0" in preferred ciphers, not "TLSv1" 392 | > Added --cipher-details option to display EC curves and EDH keys 393 | Note that this feature requires OpenSSL >= 1.0.2 394 | > Update static build options to compile against OpenSSL 1.0.2 395 | 396 | Version: 1.10.0 397 | Date : 28/02/2015 398 | Author : rbsec 399 | Changes: The following are a list of changes 400 | > Experimental build support (credit jtesta). 401 | > Support XMPP server-to-server connections (--xmpp-server). 402 | 403 | Version: 1.9.11 404 | Date : 03/02/2015 405 | Author : rbsec 406 | Changes: The following are a list of changes 407 | > Makefile updates to assist packaging in Kali. 408 | > Fix missing static build number when compiling from tarball. 409 | 410 | Version: 1.9.10 411 | Date : 24/01/2015 412 | Author : rbsec 413 | Changes: The following are a list of changes 414 | > Display certificate CN, Altnames and Issuer in default output. 
415 | > Flag certificates where CN == issuer, or CN = * 416 | > Highlight GCM ciphersuites as good 417 | 418 | Version: 1.9.9 419 | Date : 22/01/2015 420 | Author : kyprizel 421 | Changes: The following are a list of changes 422 | > Added --show-client-cas option to determine trusted CAs 423 | for client authentication 424 | > Added --no-preferred option to disable any output except specified 425 | 426 | Version: 1.9.8 427 | Date : 08/12/2014 428 | Author : rbsec 429 | Changes: The following are a list of changes 430 | > Added --sleep option to pause between request 431 | > Only check for heartbleed against specified TLS version 432 | > Added --sleep option to pause between request 433 | > Fix issues compiling against OpenSSL 0.9.8 434 | > Highlight CBC ciphersuites on SSLv3 (POODLE) 435 | > Experimental build support on OSX (credit MikeSchroll) 436 | 437 | Version: 1.9.7 438 | Date : 26/10/2014 439 | Author : rbsec 440 | Changes: The following are a list of changes 441 | > Added option for static compilation with OpenSSL (credit dmke) 442 | > Added "sslmethod" attribute to Heartbleed XML output (credit dmke) 443 | > Split headers into sslscan.h (credit dmke) 444 | 445 | Version: 1.9.6 446 | Date : 10/10/2014 447 | Author : rbsec 448 | Changes: The following are a list of changes 449 | > Highlight NULL ciphers in output. 450 | > Highlight SSLv3 ciphers. 451 | > Added --rdp option to support RDP servers (credit skettler). 452 | > Added --timeout option to set socket timeout (default 3s). 453 | 454 | Version: 1.9.5 455 | Date : 13/09/2014 456 | Author : rbsec 457 | Changes: The following are a list of changes 458 | > Renamed --get-certificate option to --show-certficate. 459 | > Display certificate signing algorithm highlighting weak algorithms. 460 | > Display certificate key strength highlighting weak keys. 461 | > Bumped XML version to 1.9.5 due to minor changes. 
462 | 463 | Version: 1.9.4 464 | Date : 22/05/2014 465 | Author : rbsec 466 | Changes: The following are a list of changes 467 | > Check for SSLv2 and SSLv3 ciphers over STARTTLS. 468 | 469 | Version: 1.9.3 470 | Date : 20/05/2014 471 | Author : rbsec 472 | Changes: The following are a list of changes 473 | > Fixed broken STARTTLS SMTP check. 474 | 475 | Version: 1.9.2 476 | Date : 09/04/2014 477 | Author : rbsec 478 | Changes: The following are a list of changes 479 | > Added check for OpenSSL Heartbleed (CVE-2014-0160). 480 | 481 | Version: 1.9.1 482 | Date : 06/03/2014 483 | Author : rbsec 484 | Changes: The following are a list of changes 485 | > Added --tlsall option to only scan TLS ciphersuites. 486 | > Scan all TLS versions by default for STARTTLS services. 487 | > Added support for IPv6 addresses using square bracket notation [:1]. 488 | > Highlight anonymous (ADH and AECDH) ciphers in output. 489 | > Added option to disable colour in output (--no-colour). 490 | > Removed undocumented -p output option. 491 | > Removed old references to titania.co.uk domain. 492 | 493 | Version: 1.9 494 | Date : 30/12/2013 495 | Author : rbsec 496 | Changes: The following are a list of changes 497 | > Highlight SSLv2 ciphers 498 | > Highlight weak (n <= 40 bit) and medium (40 < n <= 56 bit) ciphers 499 | > Highlight RC4 ciphers 500 | > Highlight anonymous (ADH) ciphers 501 | > Hide certificate information by default 502 | > Hide rejected ciphers by default (display with --failed). 503 | > Added TLSv1.1 and TLSv1.2 support (merged from twwbond/sslscan). 504 | > Compiles if OpenSSL does not support SSLv2 ciphers (merged from digineo/sslscan). 505 | > Supports IPv6 hostnames (can be forced with --ipv6). 
506 | > Check for TLS compression (CRIME, disable with --no-compression) 507 | 508 | Version: 1.8.4 509 | Date : xx/xx/2010 510 | Author : Jacob Appelbaum 511 | Changes: The following are a list of changes 512 | > Add demo targets in Makefile 513 | > Refactoring of code by Adam Langley 514 | > Add SNI patch from Tim Brown 515 | > Bug fixes from craSH and Cygwin build improvements 516 | 517 | Version: 1.8.3 518 | Date : 11/08/2010 519 | Author : Jacob Appelbaum 520 | Changes: The following are a list of changes 521 | > Improve new protocol setup support for STARTTLS: 522 | POP3, IMAP, FTP, and XMPP 523 | This modeled after the support found in OpenSSL's s_client 524 | > Add verbose option to print more info 525 | > Add default ports when a STARTTLS setup flag is called without 526 | any port at all 527 | 528 | Version: 1.8.2 529 | Date : 19/06/2009 530 | Author : Ian Ventura-Whiting (Fizz) 531 | Changes: The following are a list of changes 532 | since the previous version: 533 | > Fixed output with HTML disabled 534 | > Fixed XML critical 535 | 536 | Version: 1.8.1 537 | Date : 25/05/2009 538 | Author : Ian Ventura-Whiting (Fizz) 539 | Changes: The following are a list of changes 540 | since the previous version: 541 | > Fixed some compiler warnings. 542 | 543 | Version: 1.8.0 544 | Date : 19/05/2009 545 | Author : Ian Ventura-Whiting (Fizz) 546 | Thanks : John Nichols 547 | Changes: The following are a list of changes 548 | since the previous version: 549 | > Added SSL implementation workaround 550 | option. 551 | > Added HTTP connection testing. 552 | > Fixed Certification validation XML 553 | output. 
554 | 555 | Version: 1.7.1 556 | Date : 20/04/2008 557 | Author : Ian Ventura-Whiting (Fizz) 558 | Thanks : Mark Lowe 559 | Changes: The following are a list of changes 560 | since the previous version: 561 | > Added HELO for SMTP checks 562 | > Increased read buffer size 563 | 564 | 565 | Version: 1.7 566 | Date : 18/04/2008 567 | Author : Ian Ventura-Whiting (Fizz) 568 | Changes: The following are a list of changes 569 | since the previous version: 570 | > Added STARTTLS SMTP capability 571 | > Fixed XML output format bug 572 | 573 | Version: 1.6 574 | Date : 30/12/2007 575 | Author : Ian Ventura-Whiting (Fizz) 576 | Changes: The following are a list of changes 577 | since the previous version: 578 | > Added man page. 579 | > Improved certificate checking 580 | > Added Makefile 581 | 582 | Version: 1.5 583 | Date : 25/09/2007 584 | Author : Ian Ventura-Whiting (Fizz) 585 | Changes: The following are a list of changes 586 | since the previous version: 587 | > Update to the license to make it 588 | BINARY compatible with OpenSSL. Its 589 | then easier for the packagers. 590 | 591 | Version: 1.4 592 | Date : 03/09/2007 593 | Author : Ian Ventura-Whiting (Fizz) 594 | Changes: The following are a list of changes 595 | since the previous version: 596 | > Added Server Certificate ouput. 597 | > Added support for client certs. 598 | > Added support for private keys 599 | and password. 600 | > Added support for PKCS#12. 601 | > Fixed xml output. 602 | 603 | Version: 1.3 604 | Date : 06/08/2007 605 | Author : Ian Ventura-Whiting (Fizz) 606 | Changes: The following are a list of changes 607 | since the previous version: 608 | > Added XML file output option. 609 | > Improved help text. 610 | > Added program URL. 611 | 612 | Version: 1.2 613 | Date : 16/07/2007 614 | Author : Ian Ventura-Whiting (Fizz) 615 | Changes: The following are a list of changes 616 | since the previous version: 617 | > Removed unused variable 618 | > Other minor changes. 
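619 | 620 | Version: 1.1 621 | Date : 13/07/2007 622 | Author : Ian Ventura-Whiting (Fizz) 623 | Changes: The following are a list of changes 624 | since the previous version: 625 | > Correction in banner text 626 | > Host:Port now directly from the 627 | command-line. 628 | 629 | Version: 1.0 630 | Date : 13/07/2007 631 | Author : Ian Ventura-Whiting (Fizz) 632 | Notes : Initial version of sslscan 633 | -------------------------------------------------------------------------------- /Dockerfile: --------------------------------------------------------------------------------
# Build stage: compile a static sslscan on Alpine, then copy only the binary
# and the shared objects it still needs into an empty final image.
# TODO(review): `alpine:latest` is a moving target; pin a release tag or an
# @sha256 digest so rebuilds are reproducible.
FROM alpine:latest AS builder

# Ensure no packages are cached before we try to do an update.
RUN apk cache clean 2> /dev/null || exit 0

# --no-cache fetches a fresh index without leaving it in the image, so a
# separate `apk update` is not needed. Package versions are not pinned.
RUN apk add --no-cache gcc make ca-certificates git libc-dev linux-headers openssl perl zlib-dev
RUN update-ca-certificates

# COPY rather than ADD: ADD would also transparently unpack any archive found
# in the build context and can fetch URLs, neither of which is wanted here.
COPY . builddir

# Make a static build of sslscan, then strip it of debugging symbols.
RUN cd builddir && make static
RUN strip --strip-all /builddir/sslscan

# Print the output of ldd so we can see what dynamic libraries sslscan is still dependent upon.
RUN echo "ldd output:" && ldd /builddir/sslscan
RUN echo "ls -al output:" && ls -al /builddir/sslscan


# Start with an empty container for our final build.
FROM scratch

# Copy over the sslscan executable from the intermediate build container, along
# with the dynamic libraries it is dependent upon (see output of ldd, above).
COPY --from=builder /builddir/sslscan /sslscan
COPY --from=builder /usr/lib/libz.so.1 /lib/libz.so.1
COPY --from=builder /lib/ld-musl-*.so.1 /lib/

# Drop root privileges: run as a fixed unprivileged uid/gid (a scratch image
# has no passwd file, so a numeric id is the only option).
USER 65535:65535

ENTRYPOINT ["/sslscan"]
-------------------------------------------------------------------------------- /INSTALL: -------------------------------------------------------------------------------- 1 | Requirements: 2 | OpenSSL 3.5.0 (LTS) or better 3 | 4 | Makefile build: 5 | make static 6 | make install (as root) 7 | 8 | 9 | Manual Build: 10 | sslscan can be built manually using the following commands: 11 | 12 | gcc -lssl -o sslscan sslscan.c 13 | clang -lssl -o sslscan sslscan.c 14 | 15 | ---- 16 | 17 | There are two ways to build a Windows executable: 18 | 19 | 1.) By cross-compiling on a Linux build machine using MinGW or Mingw-w64. 20 | 21 | 2.) By compiling on a Windows build machine using Visual Studio 2013 22 | (other versions may also work, but are untested). 23 | 24 | If you have a Debian-like Linux machine (such as Ubuntu or Kali), option 25 | #1 is BY FAR the easiest. Note that installing Visual Studio and additional 26 | tools requires downloading gigabytes of data! 27 | 28 | In any case, it is necessary to compile OpenSSL to ensure that all 29 | protocols and algorithms are enabled (note that some systems that package 30 | OpenSSL have some deprecated features such as SSLv2 turned off for safety 31 | reasons; we actually need those to test with). 32 | 33 | Please note that building on Windows (especially x86) is not supported, and 34 | you may well encounter issues when trying to do so. Cross-compiling for x86 35 | from Debian Buster (10) is reported to work, but your mileage may vary. 36 | 37 | 38 | I. Cross-compiling from Linux 39 | 40 | A. Building a 64-bit Windows executable 41 | 42 | 0.) Install Mingw-w64. On Debian-like systems, this can be done with: 43 | apt-get install mingw-w64 44 | 45 | 1.) Compile sslscan. It will download the OpenSSL sources from GitHub 46 | automatically: 47 | make -f Makefile.mingw 48 | 49 | 50 | B. Building a 32-bit Windows executable 51 | 52 | 0.) Install MinGW. 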
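On Debian-like systems, this can be done with: 53 | apt-get install mingw32 54 | 55 | 1.) Compile sslscan. It will download the OpenSSL sources from GitHub 56 | automatically: 57 | make -f Makefile.mingw BUILD_32BIT=1 58 | 59 | 60 | II. Compiling on Windows using Visual Studio 2013 Express for Windows Desktop 61 | 62 | A. Install Visual Studio 2013 Express for Windows Desktop: 63 | http://go.microsoft.com/?linkid=9832280 64 | 65 | B. Install the Windows Driver Kit 8.1: 66 | http://go.microsoft.com/fwlink/p/?linkid=393659 67 | 68 | C. Install ActivePerl Community Edition: 69 | http://www.activestate.com/activeperl/downloads 70 | 71 | D. In the VS2013 x64 Cross Tools Command Prompt, compile OpenSSL with: 72 | perl Configure VC-WIN64A 73 | ms\do_win64a 74 | nmake -f ms\nt.mak 75 | 76 | E. Inside the sslscan folder, compile sslscan with: 77 | nmake -f Makefile.vs OPENSSL_PATH=path/to/openssl 78 | -------------------------------------------------------------------------------- /Makefile: --------------------------------------------------------------------------------
# sslscan build.
#   make          - dynamic build against the system OpenSSL
#   make static   - clone the newest openssl-3.5.x tag and link it statically
#   make install  - install binary and man page under $(PREFIX)

GIT_VERSION = $(shell git describe --tags --always --dirty=-wip)

# Ugly hack to get version if git isn't installed: take the first x.y.z
# looking string from the Changelog.
ifeq ($(GIT_VERSION),)
GIT_VERSION = $(shell grep -E -o -m 1 "[0-9]+\.[0-9]+\.[0-9]+" Changelog)
endif

# Detect OS
OS := $(shell uname)
ARCH := $(shell uname -m)

# Set gcc as default if CC is not set.
# Handle different version of Make
ifeq ($(OS), SunOS)
# NOTE(review): `ifndef $(CC)` expands CC first, so this tests whether a
# variable *named after CC's value* exists rather than whether CC is set.
# It selects gcc in practice; confirm the intent before changing it.
ifndef $(CC)
CC=gcc
endif
ifndef $(PREFIX)
PREFIX = /usr
endif
else
CC ?= gcc
PREFIX ?= /usr
endif

SRCS = sslscan.c
BINDIR = $(PREFIX)/bin
MANDIR = $(PREFIX)/share/man
MAN1DIR = $(MANDIR)/man1

WARNINGS = -Wall -Wformat=2 -Wformat-security -Wno-deprecated-declarations
DEFINES = -DVERSION=\"$(GIT_VERSION)\"

# for dynamic linking
LIBS = -lssl -lcrypto
ifneq ($(OS), FreeBSD)
ifneq ($(findstring MINGW64,$(OS)),MINGW64)
LIBS += -ldl
else
LIBS += -lwsock32 -lWs2_32
endif
endif
ifeq ($(OS), SunOS)
CFLAGS += -m64
LIBS += -lsocket -lnsl
endif

# Enable checks for buffer overflows, add stack protectors, generate position
# independent code, mark the relocation table read-only, and mark the global
# offset table read-only.
# _FORTIFY_SOURCE only takes effect when optimisation is enabled, so -O2 is
# passed alongside it; without -O the compiler warns and emits no checks.
CFLAGS += -O2 -D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIE

# Don't enable some hardening flags on OS X because it uses an old version of Clang
ifneq ($(OS), Darwin)
ifneq ($(OS), SunOS)
ifneq ($(findstring CYGWIN,$(OS)),CYGWIN)
ifneq ($(findstring MINGW64,$(OS)),MINGW64)
LDFLAGS += -pie -z relro -z now
else
LDFLAGS += -pie
endif
endif
endif
endif

# Force C11 mode to fix the build on very old version of GCC
CFLAGS += -std=gnu11

# for static linking
ifeq ($(STATIC_BUILD), TRUE)
PWD = $(shell pwd)/openssl
LDFLAGS += -L${PWD}/
CFLAGS += -I${PWD}/include/ -I${PWD}/
ifeq ($(OS), Darwin)
LIBS = ./openssl/libssl.a ./openssl/libcrypto.a -lz -lpthread
else
LIBS = -lssl -lcrypto -lz -lpthread
endif
ifneq ($(OS), FreeBSD)
ifneq ($(findstring CYGWIN,$(OS)),CYGWIN)
LIBS += -ldl
endif
endif
ifeq ($(OS), SunOS)
LIBS += -lsocket -lnsl
endif
GIT_VERSION := $(GIT_VERSION)-static
else
# for dynamic linking
LDFLAGS += -L/usr/local/lib -L/usr/local/ssl/lib -L/usr/local/opt/openssl/lib -L/opt/local/lib
CFLAGS += -I/usr/local/include -I/usr/local/ssl/include -I/usr/local/ssl/include/openssl -I/usr/local/opt/openssl/include -I/opt/local/include -I/opt/local/include/openssl
endif

# Find the number of processors on the system (used in -j option in building OpenSSL).
# Uses /usr/bin/nproc if available, otherwise defaults to 1.
NUM_PROCS = 1
ifneq (,$(wildcard /usr/bin/nproc))
NUM_PROCS = `/usr/bin/nproc --all`
endif
ifeq ($(OS), Darwin)
NUM_PROCS = `sysctl -n hw.ncpu`
endif

# docker and test are phony too, so a file of that name in the tree can never
# mask the target.
.PHONY: all sslscan clean realclean install uninstall static opensslpull docker test

all: sslscan
	@echo
	@echo "==========="
	@echo "| WARNING |"
	@echo "==========="
	@echo
	@echo "Building against system OpenSSL. Compression and other checks may not be possible."
	@echo "It is recommended that you statically build sslscan with \`make static\`."
	@echo

sslscan: $(SRCS)
	$(CC) -o $@ ${WARNINGS} ${LDFLAGS} ${CFLAGS} ${CPPFLAGS} ${DEFINES} ${SRCS} ${LIBS}

# printf is used instead of echo: whether echo interprets "\n" depends on
# the shell, so the old message rendered differently under bash and dash.
install:
	@if [ ! -f sslscan ] ; then \
		printf '\n=========\n| ERROR |\n=========\n'; \
		printf 'Before installing you need to build sslscan with either `make` or `make static`\n\n'; \
		exit 1; \
	fi
ifeq ($(OS), Darwin)
	install -d $(DESTDIR)$(BINDIR)/;
	install sslscan $(DESTDIR)$(BINDIR)/sslscan;
	install -d $(DESTDIR)$(MAN1DIR)/;
	install sslscan.1 $(DESTDIR)$(MAN1DIR)/sslscan.1;
else
	install -D sslscan $(DESTDIR)$(BINDIR)/sslscan;
	install -D sslscan.1 $(DESTDIR)$(MAN1DIR)/sslscan.1;
endif

uninstall:
	rm -f $(DESTDIR)$(BINDIR)/sslscan
	rm -f $(DESTDIR)$(MAN1DIR)/sslscan.1

.openssl.is.fresh: opensslpull
	@true

# Fetch the newest openssl-3.5.x release tag into ./openssl (shallow clone),
# or move an existing clone to it if upstream has published a newer one.
# The tag name is whatever `git ls-remote` returns; it is not pinned to a
# commit hash and no tag signature is verified, so the build trusts the HTTPS
# transport and the hosting account. Pin $$upstream if reproducibility matters.
opensslpull:
	upstream=`git ls-remote https://github.com/openssl/openssl | grep -Eo '(openssl-3\.5\.[0-9]+)' | sort -V | tail -n 1` ; \
	if [ -d openssl -a -d openssl/.git ]; then \
		if [ "$$upstream" != "`cd ./openssl && git describe --exact-match --tags`" ]; then \
			cd ./openssl && git fetch --depth 1 origin refs/tags/$$upstream:refs/tags/$$upstream && git checkout $$upstream && touch ../.openssl.is.fresh ; \
		fi \
	else \
		git clone --depth 1 -b $$upstream https://github.com/openssl/openssl ./openssl && cd ./openssl && touch ../.openssl.is.fresh ; \
	fi

# Configure OpenSSL for a static, hardened build with the weak ciphers sslscan
# needs to be able to probe for.
openssl/Makefile: .openssl.is.fresh
	cd ./openssl; ./Configure -v -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC no-shared enable-weak-ssl-ciphers zlib

openssl/libcrypto.a: openssl/Makefile
	$(MAKE) -j $(NUM_PROCS) -C openssl depend
	$(MAKE) -j $(NUM_PROCS) -C openssl build_libs
#	$(MAKE) -j $(NUM_PROCS) -C openssl test # Disabled because the OpenSSL test suite takes a very long time (45+ minutes back on OpenSSL v1.1.1).

static: openssl/libcrypto.a
	$(MAKE) -j $(NUM_PROCS) sslscan STATIC_BUILD=TRUE

docker:
	docker build -t sslscan:sslscan .

test: static
	./docker_test.sh

clean:
	rm -f sslscan

realclean: clean
	rm -rf openssl
	rm -f .openssl.is.fresh

-------------------------------------------------------------------------------- /Makefile.mingw: -------------------------------------------------------------------------------- 1 | # 2 | # To build a 64-bit executable: make -f Makefile.mingw 3 | # To build a 32-bit executable: make -f Makefile.mingw BUILD_32BIT=1 4 | # 5 | 6 | 7 | # Enable to echo commands for debugging. 8 | #SHELL = sh -xv 9 | 10 | # If we're in Linux, lets see if we can find the path to Mingw automatically... 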
11 | ARCHITECTURE= 12 | CC_PREFIX= 13 | OPENSSL_TARGET= 14 | ifneq ($(BUILD_32BIT),) 15 | DEFINES=-DBUILD_32BIT=1 16 | endif 17 | 18 | ifeq ($(shell uname), Linux) 19 | MINGW32=$(shell which i686-w64-mingw32-gcc) 20 | ifneq ($(MINGW32),) 21 | CC=$(MINGW32) 22 | ARCHITECTURE=32-bit 23 | CC_PREFIX=i686-w64-mingw32- 24 | OPENSSL_TARGET=mingw 25 | endif 26 | 27 | MINGW64=$(shell which x86_64-w64-mingw32-gcc) 28 | ifneq ($(MINGW64),) 29 | ifeq ($(BUILD_32BIT),) 30 | CC=$(MINGW64) 31 | ARCHITECTURE=64-bit 32 | CC_PREFIX=x86_64-w64-mingw32- 33 | OPENSSL_TARGET=mingw64 34 | endif 35 | endif 36 | endif 37 | 38 | ifndef CC 39 | $(error "Failed to determine the compiler!") 40 | endif 41 | 42 | .PHONY: clean 43 | 44 | # Enable security options like stack protectors and variable formatting checks. 45 | # Sadly, we can't use -pie, because MinGW produces a broken executable when 46 | # enabled. 47 | SECURITY_OPTIONS=-fstack-protector-all -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security 48 | 49 | # Turn on linker optimizations, and DEP support (--nxcompat) 50 | LINK_OPTIONS=-Wl,-O1 -Wl,--discard-all -Wl,--no-undefined -Wl,--dynamicbase -Wl,--nxcompat -static 51 | 52 | CFLAGS += -Iopenssl_mingw/include -D__USE_GNU -DOPENSSL_NO_SSL2 -Wno-deprecated-declarations 53 | LDFLAGS += -lws2_32 -lgdi32 -lcrypt32 54 | 55 | # Set the version string for the program. 56 | VERSION = "$(shell grep -E -o -m 1 '[0-9]+\.[0-9]+\.[0-9]+(\-[a-z]+[0-9]+)?' Changelog) Windows $(ARCHITECTURE) (Mingw)" 57 | 58 | 59 | all: sslscan 60 | 61 | .openssl_mingw.is.fresh: opensslpull 62 | true 63 | 64 | zlibpull: 65 | # If the zlib dir already exists, issue a pull, otherwise clone it from GitHub. Either way, check out the latest tag. 
66 | if [ -d zlib_mingw -a -d zlib_mingw/.git ]; then \ 67 | cd ./zlib_mingw && git pull && git checkout tags/`git describe --abbrev=0 --tags` ; \ 68 | else \ 69 | git clone -b master --depth 1 https://github.com/madler/zlib ./zlib_mingw && cd ./zlib_mingw && git checkout tags/`git describe --abbrev=0` ; \ 70 | fi 71 | 72 | opensslpull: 73 | upstream=`git ls-remote https://github.com/openssl/openssl | grep -Eo '(openssl-3\.5\.[0-9]+)' | sort -V | tail -n 1` ; \ 74 | if [ -d openssl_mingw -a -d openssl_mingw/.git ]; then \ 75 | if [ "$$upstream" != "`cd ./openssl_mingw && git describe --exact-match --tags`" ]; then \ 76 | cd ./openssl_mingw && git fetch --depth 1 origin refs/tags/$$upstream:refs/tags/$$upstream && git checkout $$upstream && touch ../.openssl_mingw.is.fresh ; \ 77 | fi \ 78 | else \ 79 | git clone --depth 1 -b $$upstream https://github.com/openssl/openssl ./openssl_mingw && cd ./openssl_mingw && touch ../.openssl_mingw.is.fresh ; \ 80 | fi 81 | 82 | zlib_mingw/libz.a: zlibpull 83 | cd ./zlib_mingw; make -f win32/Makefile.gcc PREFIX=$(CC_PREFIX) 84 | 85 | openssl_mingw/Makefile: .openssl_mingw.is.fresh zlib_mingw/libz.a 86 | cd ./openssl_mingw; ./Configure --cross-compile-prefix=$(CC_PREFIX) --with-zlib-include=`pwd`/../zlib_mingw --with-zlib-lib=`pwd`/../zlib_mingw -fstack-protector-all -D_FORTIFY_SOURCE=2 $(OPENSSL_TARGET) no-shared enable-weak-ssl-ciphers enable-ssl2 zlib 87 | 88 | openssl_mingw/libcrypto.a: openssl_mingw/Makefile 89 | $(MAKE) -C openssl_mingw depend CC=$(CC) 90 | $(MAKE) -j 10 -C openssl_mingw all CC=$(CC) 91 | 92 | sslscan: openssl_mingw/libcrypto.a sslscan.c 93 | $(CC) $(CFLAGS) -DVERSION=\"$(VERSION)\" $(DEFINES) $(SECURITY_OPTIONS) $(LINK_OPTIONS) -o sslscan.exe sslscan.c openssl_mingw/libssl.a openssl_mingw/libcrypto.a zlib_mingw/libz.a $(LDFLAGS) 94 | $(CC_PREFIX)strip sslscan.exe 95 | 96 | clean: 97 | rm -f *.o sslscan.exe .openssl_mingw.is.fresh 98 | if [ -f openssl_mingw/Makefile ]; then $(MAKE) -C openssl_mingw clean; fi 
99 | if [ -f zlib_mingw/win32/Makefile.gcc ]; then $(MAKE) -C zlib_mingw -f win32/Makefile.gcc clean; fi 100 | -------------------------------------------------------------------------------- /Makefile.vs: -------------------------------------------------------------------------------- 1 | LFLAGS=/nologo /dynamicbase /highentropyva /nxcompat /opt:ref /subsystem:console /ltcg 2 | CFLAGS=/nologo /GL /GS /Gs0 /Gw /MT /Ox -DVERSION="\"1.9.8 Windows 64-bit (VS)\"" 3 | 4 | all: sslscan.exe 5 | 6 | sslscan.obj: sslscan.c 7 | cl.exe $(CFLAGS) /I $(OPENSSL_PATH)/include /c sslscan.c 8 | 9 | sslscan.exe: sslscan.obj 10 | link.exe $(LFLAGS) /out:sslscan.exe sslscan.obj $(OPENSSL_PATH)/out32/libeay32.lib $(OPENSSL_PATH)/out32/ssleay32.lib advapi32.lib gdi32.lib user32.lib ws2_32.lib 11 | 12 | clean: 13 | del sslscan.obj sslscan.exe 14 | 15 | rebuild: clean all 16 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # sslscan2 2 | 3 | sslscan version 2 has now been released. This includes a major rewrite of the backend scanning code, which means that it is no longer reliant on the version of OpenSSL for many checks. This means that it is possible to support legacy protocols (SSLv2 and SSLv3), as well as supporting TLSv1.3 - regardless of the version of OpenSSL that it has been compiled against. 4 | 5 | This has been made possible largely by the work of [jtesta](https://github.com/jtesta), who has been responsible for most of the backend rewrite. 6 | 7 | Other key changes include: 8 | 9 | * Enumeration of server key exchange groups. 10 | * Enumeration of server signature algorithms. 11 | * SSLv2 and SSLv3 protocol support is scanned, but individual ciphers are not. 12 | * A test suite is included using Docker, to verify that sslscan is functioning correctly. 
13 | * Removed the `--http` option, as it was broken and had very little use in the first place. 14 | * Support for new post-quantum groups. 15 | 16 | ## XML Output Changes 17 | A potentially breaking change has been made to the XML output in version **2.0.0-beta4**. Previously, multiple `` elements could be returned (one by default, and a second one if `--show-certificate` was used). 18 | 19 | The key changes are: 20 | 21 | * A new parent `` element that will contain the `` elements. 22 | * `` elements have a new `type` attribute, which can either be: 23 | * `short` for the default output. 24 | * `full` for when `--show-certificate` is used. 25 | * There will potentially be more than one certificate of each type returned on servers that have multiple certificates with different signature algorithms (see discussion in issue [#208](https://github.com/rbsec/sslscan/issues/208)). 26 | * The `` element in a `` no longer contains the "Signature Algorithm:" prefix, or the spacing and newline. 27 | 28 | If you are using the XML output, then you may need to make changes to your parser. 29 | 30 | # README 31 | 32 | [![ci](https://github.com/rbsec/sslscan/actions/workflows/ci.yml/badge.svg)](https://github.com/rbsec/sslscan/actions/workflows/ci.yml) 33 | 34 | This is a fork of ioerror's version of sslscan (the original readme of which is included below) by rbsec (robin@rbsec.net). 35 | 36 | Key changes are as follows: 37 | 38 | * Highlight SSLv2 and SSLv3 ciphers in output. 39 | * Highlight CBC ciphers on SSLv3 (POODLE). 40 | * Highlight 3DES and RC4 ciphers in output. 41 | * Highlight PFS+GCM ciphers as good in output. 42 | * Highlight NULL (0 bit), weak (<40 bit) and medium (40 < n <= 56) ciphers in output. 43 | * Highlight anonymous (ADH and AECDH) ciphers in output (purple). 44 | * Hide certificate information by default (display with `--show-certificate`). 45 | * Hide rejected ciphers by default (display with `--failed`). 
46 | * Added TLSv1.1, TLSv1.2 and TLSv1.3 support. 47 | * Supports IPv6 (can be forced with `--ipv6`). 48 | * Check for TLS compression (CRIME, disable with `--no-compression`). 49 | * Disable cipher suite checking `--no-ciphersuites`. 50 | * Disable coloured output `--no-colour`. 51 | * Removed undocumented -p output option. 52 | * Added check for OpenSSL HeartBleed (CVE-2014-0160, disable with `--no-heartbleed`). 53 | * Flag certificates signed with MD5 or SHA-1, or with short (<2048 bit) RSA keys. 54 | * Support scanning RDP servers with `--rdp` (credit skettler). 55 | * Added option to specify socket timeout. 56 | * Added option for static compilation (credit dmke). 57 | * Added `--sleep` option to pause between requests. 58 | * Disable output for anything than specified checks `--no-preferred`. 59 | * Determine the list of CAs acceptable for client certificates `--show-client-cas`. 60 | * Experimental build support on OS X (credit MikeSchroll). 61 | * Flag some self-signed SSL certificates. 62 | * Experimental Windows support (credit jtesta). 63 | * Display EC curve names and DHE key lengths with OpenSSL >= 1.0.2 `--no-cipher-details`. 64 | * Flag weak DHE keys with OpenSSL >= 1.0.2 `--cipher-details`. 65 | * Flag expired certificates. 66 | * Flag TLSv1.0 and TLSv1.1 protocols in output as weak. 67 | * Experimental OS X support (static building only). 68 | * Support for scanning PostgreSQL servers (credit nuxi). 69 | * Check for TLS Fallback SCSV support. 70 | * Added StartTLS support for LDAP `--starttls-ldap`. 71 | * Added SNI support `--sni-name` (credit Ken). 72 | * Support STARTTLS for MySQL (credit bk2017). 73 | * Check for supported key exchange groups. 74 | * Check for supported server signature algorithms. 
75 | * Display IANA/RFC cipher names `--iana-names` 76 | * Display the full certificate chain `--show-certificates` 77 | 78 | ### Building on Linux 79 | 80 | It is recommended to ignore the OpenSSL system installation and statically build against your own version. Although this results in a more resource-heavy `sslscan` binary (file size, memory consumption, etc.), this allows some additional checks such as TLS compression. Note that as of sslscan version 2.2.0, the minimum OpenSSL version required by sslscan is 3.5.0 (LTS), so if your distro ships an older version then building against it will not work, and you will have to do a static build. 81 | 82 | To compile your own OpenSSL version, you'll probably need to install the OpenSSL build dependencies. The commands below can be used to do this on Debian. 83 | 84 | apt install git zlib1g-dev make gcc 85 | 86 | Then run 87 | 88 | make static 89 | 90 | This will clone the [OpenSSL repository](https://github.com/openssl/openssl), and configure/compile/test OpenSSL prior to compiling `sslscan`. 91 | 92 | **Please note:** By default, OpenSSL is compiled with `gcc` without further customization. To compile with `clang`, install build dependencies using the commands below. 93 | 94 | apt install git zlib1g-dev make clang 95 | 96 | Then run 97 | 98 | make static CC=clang 99 | 100 | You can verify whether you have a statically linked OpenSSL version, by checking whether the version listed by `sslscan --version` has the `-static` suffix. 101 | 102 | ### Building with Docker 103 | 104 | Ensure that your local Docker installation is functional, then build the container with: 105 | 106 | make docker 107 | 108 | Or manually with: 109 | 110 | docker build -t sslscan:sslscan . 111 | 112 | You can then run sslscan with: 113 | 114 | docker run --rm -ti sslscan:sslscan --help 115 | 116 | ### Building on Windows 117 | 118 | Thanks to a patch by jtesta, sslscan can now be compiled on Windows. 
This can either be done natively or by cross-compiling from Linux. See INSTALL for instructions. 119 | 120 | Note that sslscan was originally written for Linux, and has not been extensively tested on Windows. As such, the Windows version should be considered experimental. 121 | 122 | Pre-built cross-compiled Windows binaries are available on the [GitHub Releases Page](https://github.com/rbsec/sslscan/releases). 123 | 124 | ### Building on macOS (formerly named OS X) 125 | There is experimental support for statically building on macOS (formerly named OS X), however this should be considered unsupported. You may need to install any dependencies required to compile OpenSSL from source on macOS (formerly named OS X). Once you have done so, just run: 126 | 127 | make static 128 | 129 | # Original (ioerror) README 130 | This is a fork of sslscan.c to better support STARTTLS. 131 | 132 | The original home page of sslscan is: 133 | 134 | http://www.titania.co.uk 135 | 136 | sslscan was originally written by: 137 | 138 | Ian Ventura-Whiting 139 | 140 | The current home page of this fork (until upstream merges a finished patch) is: 141 | 142 | http://www.github.com/ioerror/sslscan 143 | 144 | Most of the pre-TLS protocol setup was inspired by the OpenSSL s_client.c 145 | program. The goal of this fork is to eventually merge with the original 146 | project after the STARTTLS setup is polished. 147 | 148 | Some of the OpenSSL setup code was borrowed from The Tor Project's Tor program. 149 | Thus it is likely proper to comply with the BSD license by saying: 150 | Copyright (c) 2007-2010, The Tor Project, Inc. 151 | -------------------------------------------------------------------------------- /docker_test.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # 4 | # Copyright (C) 2019-2025 Joe Testa 5 | # 6 | # This script (adapted from the ssh-audit project) will set up a docker image with multiple SSL/TLS servers. 
They are each executed one at a time, and sslscan is run against them. The output of sslscan is compared against the expected output. If they match, the test passes; otherwise the test fails. 7 | # 8 | # Running this script with no arguments causes it to build the docker image (if it doesn't yet exist), then run all tests. 9 | # 10 | # Running the script with a test number argument (i.e.: './docker_test.sh 2') will run the docker image for test #2 only (in the background) and do nothing else. This allows the test itself to be debugged. 11 | # 12 | 13 | 14 | # This is the docker tag for the image. If this tag doesn't exist, then we assume the image is out of date, and generate a new one with this tag. 15 | IMAGE_VERSION=4 16 | 17 | # This is the name of our test image. 18 | IMAGE_NAME=sslscan-test 19 | 20 | 21 | # Terminal colors. 22 | CLR="\033[0m" 23 | RED="\033[0;31m" 24 | GREEN="\033[0;32m" 25 | REDB="\033[1;31m" # Red + bold 26 | YELLOWB="\033[1;33m" # Yellow + bold 27 | GREENB="\033[1;32m" # Green + bold 28 | 29 | # Set to 0 if any test fails. 30 | all_passed=1 31 | 32 | 33 | # Returns 0 if current docker image exists. 34 | function check_if_docker_image_exists { 35 | images=`docker image ls | grep -E "$IMAGE_NAME[[:space:]]+$IMAGE_VERSION"` 36 | } 37 | 38 | 39 | # Creates a new docker image. 40 | function create_docker_image { 41 | # Create a new temporary directory. 42 | TMP_DIR=`mktemp -d /tmp/sslscan-docker-XXXXXXXXXX` 43 | 44 | # Copy the Dockerfile and all files in the test/docker/ dir to our new temp directory. 45 | find docker_test -maxdepth 1 -type f | xargs cp -t $TMP_DIR 46 | 47 | # Make the temp directory our working directory for the duration of the build 48 | # process. 49 | pushd $TMP_DIR > /dev/null 50 | 51 | # Now build the docker image! 52 | echo -e "${YELLOWB}Creating docker image...$IMAGE_NAME:$IMAGE_VERSION ${CLR}" 53 | docker build --tag $IMAGE_NAME:$IMAGE_VERSION . 
54 | echo -e "${YELLOWB}Docker image creation complete.${CLR}" 55 | 56 | popd > /dev/null 57 | rm -rf $TMP_DIR 58 | } 59 | 60 | 61 | # Runs all tests with the debug flag disabled. 62 | function run_tests { 63 | run_test_1 "0" 64 | run_test_2 "0" 65 | run_test_3 "0" 66 | run_test_4 "0" 67 | run_test_5 "0" 68 | run_test_6 "0" 69 | run_test_7 "0" 70 | run_test_8 "0" 71 | run_test_9 "0" 72 | run_test_10 "0" 73 | run_test_11 "0" 74 | run_test_12 "0" 75 | run_test_13 "0" 76 | run_test_14 "0" 77 | run_test_15 "0" 78 | run_test_16 "0" 79 | run_test_17 "0" 80 | run_test_18 "0" 81 | run_test_19 "0" 82 | #run_test_20 "0" # Unique GnuTLS algorithms that sslscan does not currently detect. Disabled until they are implemented. 83 | } 84 | 85 | 86 | # Mostly default v1.0.2 (SSLv3, TLSv1.0, TLSv1.1, TLSv1.2) 87 | function run_test_1 { 88 | run_test $1 '1' "/openssl_v1.0.2/openssl s_server -accept 443 -dhparam /etc/ssl/dhparams_2048.pem -key /etc/ssl/key_2048.pem -cert /etc/ssl/cert_2048.crt" "" 89 | } 90 | 91 | 92 | # SSLv2 with 1024-bit certificate & DH parameters. 93 | function run_test_2 { 94 | run_test $1 '2' "/openssl_v1.0.2/openssl s_server -ssl2 -accept 443 -dhparam /etc/ssl/dhparams_1024.pem -key /etc/ssl/key_1024.pem -cert /etc/ssl/cert_1024.crt" "" 95 | } 96 | 97 | 98 | # SSLv3 with 1024-bit certificate & DH parameters. 99 | function run_test_3 { 100 | run_test $1 '3' "/openssl_v1.0.2/openssl s_server -ssl3 -accept 443 -dhparam /etc/ssl/dhparams_1024.pem -key /etc/ssl/key_1024.pem -cert /etc/ssl/cert_1024.crt" "" 101 | } 102 | 103 | 104 | # Mostly default v1.1.1. 105 | function run_test_4 { 106 | run_test $1 '4' "/openssl_v1.1.1/openssl s_server -accept 443 -dhparam /etc/ssl/dhparams_3072.pem -key /etc/ssl/key_3072.pem -cert /etc/ssl/cert_3072.crt" "" 107 | } 108 | 109 | 110 | # All ciphers with SSLv2 through TLSv1.2 with 1024-bit certificate & DH parameters. 
# Each run_test_N below is a thin wrapper: it hands the debug flag ($1), the
# test number, and the server command line to run inside the container over
# to run_test (defined later in this file). The expected output for test N
# lives in docker_test/expected_output/test_N.txt.

# OpenSSL 1.0.2 offering every cipher it has (SSLv2 through TLSv1.2), with a
# 1024-bit certificate and 1024-bit DH parameters.
run_test_5() {
    local srv="/openssl_v1.0.2/openssl s_server -cipher ALL -accept 443 -dhparam /etc/ssl/dhparams_1024.pem -key /etc/ssl/key_1024.pem -cert /etc/ssl/cert_1024.crt"
    run_test $1 '5' "$srv" ""
}

# OpenSSL 1.1.1, TLSv1.3 only, with all five TLSv1.3 ciphersuites enabled.
run_test_6() {
    local srv="/openssl_v1.1.1/openssl s_server -tls1_3 -ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_128_CCM_8_SHA256 -accept 443 -dhparam /etc/ssl/dhparams_3072.pem -key /etc/ssl/key_3072.pem -cert /etc/ssl/cert_3072.crt"
    run_test $1 '6' "$srv" ""
}

# OpenSSL 1.0.0 with default settings and a 3072-bit RSA certificate.
run_test_7() {
    local srv="/openssl_v1.0.0/openssl s_server -accept 443 -key /etc/ssl/key_3072.pem -cert /etc/ssl/cert_3072.crt"
    run_test $1 '7' "$srv" ""
}

# OpenSSL 1.0.0 with 'ALL:eNULL', i.e. NULL-encryption suites are offered as well.
run_test_8() {
    local srv="/openssl_v1.0.0/openssl s_server -accept 443 -cipher ALL:eNULL -key /etc/ssl/key_3072.pem -cert /etc/ssl/cert_3072.crt"
    run_test $1 '8' "$srv" ""
}

# OpenSSL 3.5.0, TLSv1.3 only, advertising every supported group including
# the ML-KEM and hybrid post-quantum groups.
run_test_9() {
    local srv="/openssl_v3.5.0/openssl s_server -accept 443 -key /etc/ssl/key_3072.pem -cert /etc/ssl/cert_3072.crt -tls1_3 -groups secp256r1:secp384r1:secp521r1:x25519:x448:brainpoolP256r1tls13:brainpoolP384r1tls13:brainpoolP512r1tls13:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192:MLKEM512:MLKEM768:MLKEM1024:SecP256r1MLKEM768:X25519MLKEM768:SecP384r1MLKEM1024"
    run_test $1 '9' "$srv" ""
}

# GnuTLS 3.8.9, TLSv1.3 only, advertising every group it supports.
run_test_10() {
    local srv="/gnutls-3.8.9/gnutls-serv -p 443 --x509certfile=/etc/ssl/cert_3072.crt --x509keyfile=/etc/ssl/key_3072.pem --priority=NORMAL:-VERS-TLS1.2:-VERS-TLS1.1:-VERS-TLS1.0:+GROUP-SECP192R1:+GROUP-SECP224R1:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-SECP521R1:+GROUP-X25519:+GROUP-GC256B:+GROUP-GC512A:+GROUP-X448:+GROUP-FFDHE2048:+GROUP-FFDHE3072:+GROUP-FFDHE4096:+GROUP-FFDHE6144:+GROUP-FFDHE8192"
    run_test $1 '10' "$srv" ""
}

# OCSP check against www.amazon.com. This one does not use the container at
# all (it goes through run_test_internet, so it needs outbound Internet
# access), and the debug flag in $1 is ignored. The perl filter strips the
# timestamps, hashes, serial number and other per-response data from the
# output so that the diff against the expected file stays stable.
run_test_11() {
    local cmd="./sslscan --ocsp --no-ciphersuites --no-fallback --no-renegotiation --no-compression --no-heartbleed --no-check-certificate --no-groups --no-sigs www.amazon.com | perl -pe 'BEGIN{undef $/;} s/Connected to .+?$/Connected to\033[0m/smg; s/Responder Id: .+?$/Responder Id:/smg; s/Produced At: .+?$/Produced At:/smg; s/Hash Algorithm: .+?$/Hash Algorithm:/smg; s/Issuer Name Hash: .+?$/Issuer Name Hash:/smg; s/Issuer Key Hash: .+?$/Issuer Key Hash:/smg; s/Serial Number: .+?$/Serial Number:/smg; s/This Update: .+?$/This Update:/smg; s/Next Update: .+?$/Next Update:/smg; s/Response Single Extensions:.+?\n\n/\n\n/smg;'"
    run_test_internet '11' "$cmd"
}

# OpenSSL 1.0.0 with weak parameters: 512-bit DH, 512-bit RSA key, MD5-signed
# certificate.
run_test_12() {
    local srv="/openssl_v1.0.0/openssl s_server -accept 443 -dhparam /etc/ssl/dhparams_512.pem -key /etc/ssl/key_512.pem -cert /etc/ssl/cert_512.crt"
    run_test $1 '12' "$srv" ""
}

# GnuTLS 3.6.11.1 with default options.
run_test_13() {
    local srv="/gnutls-3.6.11.1/gnutls-serv -p 443 --x509certfile=/etc/ssl/cert_3072.crt --x509keyfile=/etc/ssl/key_3072.pem"
    run_test $1 '13' "$srv" ""
}

# GnuTLS 3.6.11.1 restricted to TLSv1.2/TLSv1.3, with only the secp521r1 and
# ffdhe8192 groups left enabled.
run_test_14() {
    local srv="/gnutls-3.6.11.1/gnutls-serv -p 443 --priority=NORMAL:-VERS-TLS1.1:-VERS-TLS1.0:-GROUP-X25519:-GROUP-SECP256R1:-GROUP-SECP384R1:-GROUP-FFDHE2048:-GROUP-FFDHE3072:-GROUP-FFDHE4096:-GROUP-FFDHE6144 --x509certfile=/etc/ssl/cert_3072.crt --x509keyfile=/etc/ssl/key_3072.pem"
    run_test $1 '14' "$srv" ""
}

# GnuTLS 3.6.11.1 serving an ECDSA certificate (secp256r1 / NIST P-256).
run_test_15() {
    local srv="/gnutls-3.6.11.1/gnutls-serv -p 443 --x509certfile=/etc/ssl/cert_ecdsa_prime256v1.crt --x509keyfile=/etc/ssl/key_ecdsa_prime256v1.pem"
    run_test $1 '15' "$srv" ""
}

# OpenSSL 1.0.2, TLSv1.2 only, with sect163k1 as the only named curve.
run_test_16() {
    local srv="/openssl_v1.0.2/openssl s_server -accept 443 -tls1_2 -named_curve sect163k1 -cert /etc/ssl/cert_1024.crt -key /etc/ssl/key_1024.pem"
    run_test $1 '16' "$srv" ""
}

# OpenSSL 1.1.1, TLSv1.2 only, with brainpoolP512r1 as the only named curve.
run_test_17() {
    local srv="/openssl_v1.1.1/openssl s_server -accept 443 -tls1_2 -named_curve brainpoolP512r1 -cert /etc/ssl/cert_1024.crt -key /etc/ssl/key_1024.pem"
    run_test $1 '17' "$srv" ""
}

# GnuTLS 3.6.11.1, TLSv1.2 only, with ECDSA-SHA1 as the only signature algorithm.
run_test_18() {
    local srv="/gnutls-3.6.11.1/gnutls-serv -p 443 --x509certfile=/etc/ssl/cert_ecdsa_prime256v1.crt --x509keyfile=/etc/ssl/key_ecdsa_prime256v1.pem --priority=NONE:-VERS-TLS1.0:-VERS-TLS1.1:+VERS-TLS1.2:-VERS-TLS1.3:+MAC-ALL:+GROUP-ALL:+SIGN-ECDSA-SHA1:+COMP-NULL:+CTYPE-SRV-ALL:+KX-ALL:+CHACHA20-POLY1305:+CAMELLIA-128-GCM:+AES-128-GCM"
    run_test $1 '18' "$srv" ""
}

# Mbed TLS 3.6.3.1 ssl_server2 with default settings.
run_test_19() {
    local srv="/mbedtls_v3.6.3.1/ssl_server2 server_port=443 crt_file=/etc/ssl/cert_3072.crt key_file=/etc/ssl/key_3072.pem"
    run_test $1 '19' "$srv" ""
}

# Many unique algorithms only present in GnuTLS.
201 | function run_test_20 { 202 | run_test $1 '20' "/gnutls-3.8.9/gnutls-serv -p 443 --x509certfile=/etc/ssl/cert_ecdsa_prime256v1.crt --x509keyfile=/etc/ssl/key_ecdsa_prime256v1.pem --priority=NORMAL:+GOST28147-TC26Z-CFB:+GOST28147-CPA-CFB:+GOST28147-CPB-CFB:+GOST28147-CPC-CFB:+GOST28147-CPD-CFB:+AES-128-XTS:+AES-256-XTS:+AES-128-SIV:+AES-256-SIV:+AES-128-SIV-GCM:+AES-256-SIV-GCM:+GOST28147-TC26Z-CNT:+MAGMA-CTR-ACPKM:+KUZNYECHIK-CTR-ACPKM:+GOSTR341194:+STREEBOG-256:+STREEBOG-512:+VKO-GOST-12:+RSA-EXPORT:+GROUP-GC256B:+GROUP-GC512A:+SIGN-ECDSA-SHA3-224:+SIGN-ECDSA-SHA3-256:+SIGN-ECDSA-SHA3-384:+SIGN-ECDSA-SHA3-512:+SIGN-RSA-SHA3-224:+SIGN-RSA-SHA3-256:+SIGN-RSA-SHA3-384:+SIGN-RSA-SHA3-512:+SIGN-DSA-SHA3-224:+SIGN-DSA-SHA3-256:+SIGN-DSA-SHA3-384:+SIGN-DSA-SHA3-512:+SIGN-RSA-RAW:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:+SIGN-DSA-SHA384:+SIGN-DSA-SHA512" "" 203 | } 204 | 205 | 206 | # Run a test. Set the first argument to '1' to enable test debugging. Second argument is the test number to run. Third argument is the executable and its args to be run inside the container. 207 | function run_test { 208 | debug=$1 209 | test_number=$2 210 | server_exec=$3 211 | sslscan_additional_args=$4 212 | 213 | test_result_stdout="${TEST_RESULT_DIR}/test_${test_number}.txt" 214 | expected_result_stdout="docker_test/expected_output/test_${test_number}.txt" 215 | 216 | # Run the container in the background. Route port 4443 on the outside to port 443 on the inside. 217 | cid=`docker run -d -p 4443:443 -t ${IMAGE_NAME}:${IMAGE_VERSION} ${server_exec}` 218 | if [[ $? != 0 ]]; then 219 | echo -e "${REDB}Failed to run docker image! (exit code: $?)${CLR}" 220 | exit 1 221 | fi 222 | 223 | # If debugging is enabled, just run the container. Don't do any output comparison. 
224 | if [[ $debug == 1 ]]; then 225 | echo -e "\nExecuted in container: ${server_exec}\n\nTerminate container with: docker container stop -t 0 ${cid}\n\nHint: run sslscan against localhost on port 4443, not 443.\n" 226 | return 227 | fi 228 | 229 | # Wait 250ms to ensure that the services in the container are fully initialized. 230 | sleep 0.25 231 | 232 | # Run sslscan and cut out the first two lines. Those contain the version number and local version of OpenSSL, which can change over time (and when they do, this would break the test if they were left in). 233 | ./sslscan $sslscan_additional_args 127.0.0.1:4443 | tail -n +3 > $test_result_stdout 234 | if [[ $? != 0 ]]; then 235 | echo -e "${REDB}Failed to run sslscan! (exit code: $?)${CLR}" 236 | docker container stop -t 0 $cid > /dev/null 237 | exit 1 238 | fi 239 | 240 | # Stop the container now that we captured the sslscan output. 241 | docker container stop -t 0 $cid > /dev/null 242 | if [[ $? != 0 ]]; then 243 | echo -e "${REDB}Failed to stop docker container ${cid}! (exit code: $?)${CLR}" 244 | exit 1 245 | fi 246 | 247 | # If the expected output file doesn't exist, give the user all the info we have so they can fix this. 248 | if [[ ! -f ${expected_result_stdout} ]]; then 249 | test_result_stdout_actual=`cat ${test_result_stdout}` 250 | echo -e "\n${REDB}Error:${CLR} expected output file for test #${test_number} not found (${expected_result_stdout}). Actual test result is below. Manually verify that this output is correct; if so, then copy it to the expected test file path with:\n\n $ cp ${test_result_stdout} ${expected_result_stdout}\n\n------\n${test_result_stdout_actual}\n" 251 | all_passed=0 252 | return 253 | fi 254 | 255 | # Compare the actual output to the expected output. Any discrepency results in test failure. 256 | diff=`diff -u ${expected_result_stdout} ${test_result_stdout}` 257 | if [[ $? 
!= 0 ]]; then 258 | echo -e "Test #${test_number} ${REDB}FAILED${CLR}.\n\n${diff}\n" 259 | all_passed=0 260 | return 261 | fi 262 | 263 | echo -e "Test #${test_number} ${GREEN}passed${CLR}." 264 | } 265 | 266 | 267 | # Instead of spinning up a docker instance, this will run a test using a host on the public Internet. 268 | function run_test_internet { 269 | test_number=$1 270 | command=$2 271 | 272 | test_result_stdout="${TEST_RESULT_DIR}/test_${test_number}.txt" 273 | expected_result_stdout="docker_test/expected_output/test_${test_number}.txt" 274 | 275 | `/bin/bash -c "${command} | tail -n +3 > ${test_result_stdout}"` 276 | if [[ $? != 0 ]]; then 277 | echo -e "${REDB}Failed to run sslscan! (exit code: $?)${CLR}" 278 | docker container stop -t 0 $cid > /dev/null 279 | exit 1 280 | fi 281 | 282 | # If the expected output file doesn't exist, give the user all the info we have so they can fix this. 283 | if [[ ! -f ${expected_result_stdout} ]]; then 284 | test_result_stdout_actual=`cat ${test_result_stdout}` 285 | echo -e "\n${REDB}Error:${CLR} expected output file for test #${test_number} not found (${expected_result_stdout}). Actual test result is below. Manually verify that this output is correct; if so, then copy it to the expected test file path with:\n\n $ cp ${test_result_stdout} ${expected_result_stdout}\n\n------\n${test_result_stdout_actual}\n" 286 | exit 1 287 | fi 288 | 289 | # Compare the actual output to the expected output. Any discrepency results in test failure. 290 | diff=`diff -u ${expected_result_stdout} ${test_result_stdout}` 291 | if [[ $? != 0 ]]; then 292 | echo -e "Test #${test_number} ${REDB}FAILED${CLR}.\n\n${diff}\n" 293 | exit 1 294 | fi 295 | 296 | echo -e "Test #${test_number} ${GREEN}passed${CLR}." 297 | } 298 | 299 | 300 | # First check if docker is functional. 301 | docker version > /dev/null 302 | if [[ $? != 0 ]]; then 303 | echo -e "${REDB}Error: 'docker version' command failed (error code: $?). 
Is docker installed and functioning?${CLR}" 304 | exit 1 305 | fi 306 | 307 | is_debian=0 308 | is_arch=0 309 | 310 | # If dpkg exists, assume this is a Debian-based system. 311 | dpkg --version > /dev/null 2>&1 312 | if [[ $? == 0 ]]; then 313 | is_debian=1 314 | fi 315 | 316 | # If pacman exists, assume this is an Arch system. 317 | pacman --version > /dev/null 2>&1 318 | if [[ ($is_debian == 0) && ($? == 0) ]]; then 319 | is_arch=1 320 | fi 321 | 322 | # Ensure that the libgmp-dev, m4, and wget packages are installed. Use dpkg on Debian, or pacman on Arch. 323 | if [[ $is_debian == 1 ]]; then 324 | dpkg -l libgmp-dev m4 perl wget > /dev/null 2>&1 325 | if [[ $? != 0 ]]; then 326 | echo -e "${REDB}Error: libgmp-dev, m4, perl and/or wget packages not installed. Fix with: apt install libgmp-dev m4 perl wget${CLR}" 327 | exit 1 328 | fi 329 | elif [[ $is_arch == 1 ]]; then 330 | pacman -Qi gmp m4 perl wget > /dev/null 2>&1 331 | if [[ $? != 0 ]]; then 332 | echo -e "${REDB}Error: gmp, m4, perl and/or wget packages not installed. Fix with: pacman -S gmp m4 perl wget${CLR}" 333 | exit 1 334 | fi 335 | fi 336 | 337 | # Make sure sslscan has been built. 338 | if [[ ! -f sslscan ]]; then 339 | echo -e "${REDB}Error: sslscan executable not found. Build it first!${CLR}" 340 | exit 1 341 | fi 342 | 343 | # If the user specified a test number to debug... 344 | debug_test_number=0 345 | if [[ $# == 1 ]]; then 346 | debug_test_number=$1 347 | debug_test_number=$((debug_test_number + 0)) # Effectively, convert this to a number. 348 | fi 349 | 350 | # Check if the docker image is the most up-to-date version. If not, create it. 351 | check_if_docker_image_exists 352 | if [[ $? == 0 ]]; then 353 | echo -e "\n${GREEN}Docker image $IMAGE_NAME:$IMAGE_VERSION already exists.${CLR}" 354 | else 355 | echo -e "\nCreating docker image $IMAGE_NAME:$IMAGE_VERSION..." 
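    create_docker_image
    echo -e "\n${GREEN}Done creating docker image!${CLR}"
fi

# Create a temporary directory to write test results to. mktemp -d creates it with a random suffix
# and owner-only permissions, so another local user cannot pre-create or read it.
TEST_RESULT_DIR=$(mktemp -d /tmp/sslscan_test-results_XXXXXXXXXX)
if [[ ! -d "${TEST_RESULT_DIR}" ]]; then
    echo -e "${REDB}Error: could not create a temporary directory for test results.${CLR}"
    exit 1
fi

# If the user wants to run a specific test with debugging enabled, do that then exit.
# Numeric comparison: inside [[ ]] the '>' operator compares strings, not integers.
if [[ $debug_test_number -gt 0 ]]; then
    # Dispatch to run_test_<N> by name rather than through eval. With eval, a number with no
    # matching function produced "command not found" and the script still exited 0, i.e. a
    # non-existent test looked like a pass.
    if ! declare -F "run_test_${debug_test_number}" > /dev/null; then
        echo -e "${REDB}Error: test #${debug_test_number} does not exist.${CLR}"
        exit 1
    fi
    "run_test_${debug_test_number}" 1
    exit 0
fi

# Now run all the tests.
echo -e "\nRunning all tests..."
run_tests

if [[ $all_passed == 1 ]]; then
    echo -e "\n${GREENB}ALL TESTS PASS!${CLR}\n"
    rm -rf "${TEST_RESULT_DIR}"
    exit 0
else
    # The result directory is deliberately left in place so the actual outputs can be inspected.
    echo -e "\n\n${YELLOWB}!! SOME TESTS FAILED !!${CLR}\n\n"
    exit 1
fi
-------------------------------------------------------------------------------- /docker_test/Dockerfile: --------------------------------------------------------------------------------
# This is the Dockerfile to build the test image (which contains target servers to check sslscan's output against).
#
# NOTE(review): both stages reference the base image by tag only. Pin it by digest
# (FROM ubuntu:24.04@sha256:...) if reproducible test images are wanted; no digest is recorded in
# this repository, so none is asserted here.

FROM ubuntu:24.04 AS builder

COPY build_test_apps.sh /build/build_test_apps.sh

# Update base image and install prerequisites for building.
# '&&' rather than ';' so a failed 'apt-get update' fails the build instead of continuing with a
# stale package index. (apt-get, not apt: apt's CLI is not meant for scripts.)
RUN apt-get update && apt-get install -y build-essential zlib1g zlib1g-dev nettle-dev git wget m4 pkg-config python3 python3-pip python3-virtualenv python3-venv

# Build all applications.
RUN /bin/bash /build/build_test_apps.sh


# Starting from a fresh image, copy over the built applications from the prior stage.
FROM ubuntu:24.04

COPY --from=builder /build/libhogweed.so.5 /usr/lib/libhogweed.so.5
COPY --from=builder /build/libnettle.so.7 /usr/lib/libnettle.so.7

COPY --from=builder /build/gnutls-cli-v3.6.11.1 /gnutls-3.6.11.1/gnutls-cli
COPY --from=builder /build/gnutls-serv-v3.6.11.1 /gnutls-3.6.11.1/gnutls-serv

COPY --from=builder /build/gnutls-cli-v3.8.9 /gnutls-3.8.9/gnutls-cli
COPY --from=builder /build/gnutls-serv-v3.8.9 /gnutls-3.8.9/gnutls-serv

COPY --from=builder /build/openssl_prog_v1.0.0 /openssl_v1.0.0/openssl
COPY --from=builder /build/openssl_prog_v1.0.2 /openssl_v1.0.2/openssl
COPY --from=builder /build/openssl_prog_v1.1.1 /openssl_v1.1.1/openssl
COPY --from=builder /build/openssl_prog_v3.5.0 /openssl_v3.5.0/openssl

COPY --from=builder /build/mbedtls_ssl_server2_v3.6.3.1 /mbedtls_v3.6.3.1/ssl_server2

# Copy certificates, keys, and DH parameters.
# These are throwaway test credentials that live in this repository (ca_key.pem and the key_*.pem
# private keys included); they exist only so the target servers inside this image can serve TLS.
# Treat them as public and never reuse them outside this test harness.
COPY *.pem /etc/ssl/
COPY *.crt /etc/ssl/

# This config file seems to tell GnuTLS to not allow TLSv1.0 or TLSv1.1, which we need for testing.
RUN rm -f /etc/gnutls/config

EXPOSE 443
-------------------------------------------------------------------------------- /docker_test/build_test_apps.sh: --------------------------------------------------------------------------------
#!/bin/bash

#
# Copyright (C) 2019-2025 Joe Testa
#
# This script, designed to run inside a container, will build several versions of OpenSSL, GnuTLS and Mbed TLS so that testing can be done against them.
#
# Everything it produces is a deliberately weak *target* for sslscan (legacy protocol versions,
# weak ciphers); none of the resulting binaries are meant to be used as clients or servers elsewhere.
#


# Terminal colors.
CLR="\033[0m"
RED="\033[0;31m"
GREEN="\033[0;32m"
REDB="\033[1;31m" # Red + bold
YELLOWB="\033[1;33m" # Yellow + bold
GREENB="\033[1;32m" # Green + bold


# Number of processors on this system (used to compile parallel builds).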
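NUM_PROCS=$(/usr/bin/nproc --all)
if [[ "${NUM_PROCS}" == "" ]]; then
    NUM_PROCS=4 # nproc missing or printed nothing; fall back to a modest parallelism.
fi


# Compile all versions of GnuTLS.
function compile_gnutls_all {
    compile_gnutls '3.6.11.1'
    compile_gnutls '3.8.9'
}


# Compile all versions of Mbed TLS.
function compile_mbedtls_all {
    compile_mbedtls '3.6.3.1'
}


# Compile all versions of OpenSSL.
function compile_openssl_all {
    compile_openssl '1.0.0'
    compile_openssl '1.0.2'
    compile_openssl '1.1.1'
    compile_openssl '3.5.0'
}


# Compile a specific version of Mbed TLS (https://github.com/Mbed-TLS/mbedtls).
#
# Arguments:
#   $1  version string; only the versions listed below are known.
# Side effects: writes /build/mbedtls_ssl_server2_v<version>; exits the script (status 1) on any
# failure. Sourcing the venv below also leaves it activated for the rest of this script, since
# functions run in the current shell.
function compile_mbedtls {
    version=$1

    git_tag=
    output_dir=
    if [[ $version == '3.6.3.1' ]]; then
        git_tag="v3.6.3.1"
        output_dir="mbedtls_v3.6.3.1_dir"
    else
        echo -e "${REDB}Error: Mbed TLS v${version} is unknown!${CLR}"
        exit 1
    fi

    # Supply-chain note: a git tag is a mutable reference and a shallow clone carries no history, so
    # unlike the GnuTLS/nettle tarballs (which are checked against pinned SHA-256 digests) there is
    # nothing to verify here. The commit the tag resolved to is printed after the clone so the build
    # log at least records exactly what was compiled.
    echo -e "\n${YELLOWB}Downloading Mbed TLS v${version}...${CLR}\n"
    if ! git clone --depth 1 -b ${git_tag} https://github.com/Mbed-TLS/mbedtls ${output_dir}; then
        echo -e "${REDB}Error: git clone of Mbed TLS ${git_tag} failed.${CLR}"
        exit 1
    fi

    echo -e "\n${YELLOWB}Compiling Mbed TLS v${version}...${CLR}\n"
    # Fail here rather than running the build steps below in /build if the clone directory is missing.
    pushd ${output_dir} || exit 1
    echo "Mbed TLS ${git_tag} resolved to commit $(git rev-parse HEAD)"

    # Install Python module dependencies for the build system.
    # NOTE(review): basic.requirements.txt is installed exactly as shipped in the checkout, i.e.
    # without --require-hashes; this only ever runs inside the container's builder stage.
    python3 -m venv venv
    source venv/bin/activate # Required, otherwise pip fails to install anything.
    python3 -m pip install -r scripts/basic.requirements.txt

    # Now compile it.
    make -j ${NUM_PROCS}

    if [[ ! -f programs/ssl/ssl_server2 ]]; then
        echo -e "${REDB}Error: compilation failed! ssl_server2 not found.${CLR}"
        exit 1
    fi

    # Copy the ssl_server2 program to the build directory.
    cp "programs/ssl/ssl_server2" "/build/mbedtls_ssl_server2_v${version}"

    popd

    # Delete the source code directory now that ssl_server2 has been built and moved out.
    rm -rf ${output_dir}
    echo -e "\n\n${YELLOWB}Compilation of Mbed TLS v${version} finished.${CLR}\n\n"
}


# Compile a specific version of OpenSSL.
#
# Arguments:
#   $1  version string; only the versions listed below are known.
# Side effects: writes /build/openssl_prog_v<version>; exits the script (status 1) on any failure.
function compile_openssl {
    version=$1

    git_tag=
    compile_args=
    precompile_command=
    output_dir=
    compile_num_procs=${NUM_PROCS}
    # enable-weak-ssl-ciphers / enable-ssl2 are deliberate: these binaries are scan *targets* and must
    # be able to offer the insecure options sslscan is expected to detect.
    if [[ $version == '1.0.0' ]]; then
        git_tag="OpenSSL_1_0_0-stable"
        compile_args="enable-weak-ssl-ciphers enable-ssl2 zlib no-shared"
        precompile_command="make depend"
        output_dir="openssl_v1.0.0_dir"
        compile_num_procs=1 # Compilation randomly fails when done in parallel.
    elif [[ $version == '1.0.2' ]]; then
        git_tag="OpenSSL_1_0_2-stable"
        compile_args="enable-weak-ssl-ciphers enable-ssl2 zlib"
        precompile_command="make depend"
        output_dir="openssl_v1.0.2_dir"
    elif [[ $version == '1.1.1' ]]; then
        git_tag="OpenSSL_1_1_1-stable"
        compile_args="enable-weak-ssl-ciphers no-shared zlib"
        output_dir="openssl_v1.1.1_dir"
    elif [[ $version == '3.5.0' ]]; then
        git_tag="openssl-3.5.0"
        compile_args="enable-weak-ssl-ciphers no-shared zlib"
        output_dir="openssl_v3.5.0_dir"
    else
        echo -e "${REDB}Error: OpenSSL v${version} is unknown!${CLR}"
        exit 1
    fi

    # Download OpenSSL from github.
    # Supply-chain note: the 1.0.x/1.1.1 references are *branch* names and openssl-3.5.0 is a tag;
    # neither is an immutable identifier, and a shallow clone has no history to verify against. The
    # commit actually checked out is printed after the clone so the build log records it.
    echo -e "\n${YELLOWB}Downloading OpenSSL v${version}...${CLR}\n"
    if ! git clone --depth 1 -b ${git_tag} https://github.com/openssl/openssl/ ${output_dir}; then
        echo -e "${REDB}Error: git clone of OpenSSL ${git_tag} failed.${CLR}"
        exit 1
    fi

    # Configure and compile it.
    echo -e "\n\n${YELLOWB}Compiling OpenSSL v${version} with \"-j ${compile_num_procs}\"...${CLR}"
    pushd ${output_dir} || exit 1
    echo "OpenSSL ${git_tag} resolved to commit $(git rev-parse HEAD)"
    ./config ${compile_args}
    # Unquoted on purpose: the value is a command plus argument ("make depend") for the 1.0.x trees.
    if [[ ${precompile_command} != '' ]]; then ${precompile_command}; fi
    make -j ${compile_num_procs}

    # Ensure that the 'openssl' command-line tool was built.
    if [[ ! -f "apps/openssl" ]]; then
        echo -e "${REDB}Error: compilation failed! apps/openssl not found.${CLR}\n\nStrangely, sometimes OpenSSL v1.0.0 fails for no reason; simply running this script again and changing nothing fixes the problem.\n\n"
        exit 1
    fi

    # Copy the 'openssl' app to the top-level docker building dir as, e.g. 'openssl_prog_v1.0.0'. Then we can delete the source code directory and move on.
    cp "apps/openssl" "/build/openssl_prog_v${version}"
    popd

    # Delete the source code directory now that we built the 'openssl' tool and moved it out.
    rm -rf ${output_dir}
    echo -e "\n\n${YELLOWB}Compilation of v${version} finished.${CLR}\n\n"
}

# Compile a specific version of GnuTLS.
#
# Arguments:
#   $1  GnuTLS version string; only the versions listed below are known.
# Side effects: writes /build/gnutls-cli-v<version> and /build/gnutls-serv-v<version>, plus
# /build/libhogweed.so.5 and /build/libnettle.so.7 when a private nettle is built; exits the script
# (status 1) on any failure. Both tarballs are verified against the SHA-256 digests pinned below
# before they are extracted.
function compile_gnutls {
    gnutls_version=$1

    gnutls_url=
    nettle_url=
    gnutls_expected_sha256=
    nettle_expected_sha256=
    gnutls_filename=
    nettle_filename=
    gnutls_source_dir=
    nettle_source_dir=
    nettle_version=
    compile_num_procs=${NUM_PROCS}
    compile_nettle=0
    if [[ "${gnutls_version}" == "3.6.11.1" ]]; then
        gnutls_url=https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.11.1.tar.xz
        gnutls_expected_sha256=fbba12f3db9a55dbf027e14111755817ec44b57eabec3e8089aac8ac6f533cf8
        gnutls_filename=gnutls-3.6.11.1.tar.xz
        gnutls_source_dir=gnutls-3.6.11.1
        nettle_version=3.5.1
        nettle_url=https://ftp.gnu.org/gnu/nettle/nettle-3.5.1.tar.gz
        nettle_expected_sha256=75cca1998761b02e16f2db56da52992aef622bf55a3b45ec538bc2eedadc9419
        nettle_filename=nettle-3.5.1.tar.gz
        nettle_source_dir=nettle-3.5.1
        compile_nettle=1
    elif [[ "${gnutls_version}" == "3.8.9" ]]; then
        echo "Using platform's nettle library."
        gnutls_url=https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/gnutls-3.8.9.tar.xz
        gnutls_expected_sha256=69e113d802d1670c4d5ac1b99040b1f2d5c7c05daec5003813c049b5184820ed
        gnutls_filename=gnutls-3.8.9.tar.xz
        gnutls_source_dir=gnutls-3.8.9
    else
        echo -e "${REDB}Error: GnuTLS v${gnutls_version} is unknown!${CLR}"
        exit 1
    fi

    # Download GnuTLS.
    echo -e "\n${YELLOWB}Downloading GnuTLS v${gnutls_version}...${CLR}\n"
    wget ${gnutls_url}
    if [[ ! -f ${gnutls_filename} ]]; then
        # Report a failed download as such, instead of as a hash mismatch on a missing file.
        echo -e "${REDB}Error: download of ${gnutls_url} failed.${CLR}"
        exit 1
    fi

    # Check the SHA256 hash before anything is extracted. The pinned digest is what makes the
    # download trustworthy; HTTPS only authenticates the mirror.
    gnutls_actual_sha256=$(sha256sum ${gnutls_filename} | cut -f1 -d" ")

    if [[ "${gnutls_actual_sha256}" != "${gnutls_expected_sha256}" ]]; then
        echo -e "${REDB}GnuTLS actual hash differs from expected hash! ${CLR}\n"
        echo -e "\tGnuTLS expected hash: ${gnutls_expected_sha256}\n"
        echo -e "\tGnuTLS actual hash: ${gnutls_actual_sha256}\n"

        exit 1
    fi

    echo -e "${GREEN}GnuTLS hash verified.${CLR}\n"

    # Uncompress the archive.
    tar xJf ${gnutls_filename}

    # Some versions require us to compile a version of nettle ourselves. For others, the system package version works perfectly.
    if [[ "${compile_nettle}" == 1 ]]; then

        # Download nettle.
        echo -e "\n${YELLOWB}Downloading nettle library v${nettle_version}...${CLR}\n"
        wget ${nettle_url}
        if [[ ! -f ${nettle_filename} ]]; then
            echo -e "${REDB}Error: download of ${nettle_url} failed.${CLR}"
            exit 1
        fi

        # Ensure the hash of the package is what we expect (again, before extraction).
        nettle_actual_sha256=$(sha256sum ${nettle_filename} | cut -f1 -d" ")
        if [[ "${nettle_actual_sha256}" != "${nettle_expected_sha256}" ]]; then
            echo -e "${REDB}nettle actual hashes differ from expected hashes! ${CLR}\n"
            echo -e "\tnettle expected hash: ${nettle_expected_sha256}\n"
            echo -e "\tnettle actual hash: ${nettle_actual_sha256}\n\n"
            exit 1
        fi

        echo -e "${GREEN}Nettle hash verified.${CLR}\n"

        tar xzf ${nettle_filename}
        mv ${nettle_source_dir} nettle

        # Configure and compile nettle.
        echo -e "\n\n${YELLOWB}Compiling nettle v${nettle_version} with \"-j ${compile_num_procs}\"...${CLR}"
        pushd nettle || exit 1
        ./configure && make -j ${compile_num_procs} CFLAGS="-fPIC"

        if [[ ! -f libnettle.so || ! -f libhogweed.so ]]; then
            echo -e "${REDB}Error: compilation failed! libnettle.so and/or libhogweed.so not found.${CLR}"
            exit 1
        fi
        popd
    fi

    # Configure and compile GnuTLS.
    echo -e "\n\n${YELLOWB}Compiling GnuTLS v${gnutls_version} with \"-j ${compile_num_procs}\"...${CLR}"
    pushd ${gnutls_source_dir} || exit 1

    # This seems to be an existing system file which disables support for TLSv1.0 and v1.1!
    # (Removing it only affects this builder container; the test image's Dockerfile does the same.)
    rm -f /etc/gnutls/config

    if [[ "${compile_nettle}" == 1 ]]; then
        # Point the build at the private nettle tree built above rather than the system library.
        nettle_source_dir_abs=$(readlink -f ../nettle)
        nettle_parent_dir=$(readlink -f ..)
        NETTLE_CFLAGS=-I${nettle_parent_dir} NETTLE_LIBS="-L${nettle_source_dir_abs} -lnettle" HOGWEED_CFLAGS=-I${nettle_parent_dir} HOGWEED_LIBS="-L${nettle_source_dir_abs} -lhogweed" ./configure --with-included-libtasn1 --with-included-unistring --without-p11-kit --disable-guile

        make CFLAGS="-static -fPIC -I${nettle_parent_dir}" LDFLAGS="-L${nettle_source_dir_abs} -lhogweed -lnettle" -j ${compile_num_procs}
    else
        ./configure --with-included-libtasn1 --with-included-unistring --without-p11-kit
        make CFLAGS="-static -fPIC" -j ${compile_num_procs}
    fi

    # Ensure that the gnutls-serv and gnutls-cli tools were built
    if [[ ! -f "src/gnutls-cli" || ! -f "src/gnutls-serv" ]]; then
        echo -e "${REDB}Error: compilation failed! gnutls-cli and/or gnutls-serv not found.${CLR}\n"
        exit 1
    fi

    # Copy the gnutls-cli and gnutls-serv apps to the top-level docker building dir as, e.g. 'gnutls-cli-v3.6.11.1'. Then we can delete the source code directory and move on.
    cp "src/gnutls-cli" "/build/gnutls-cli-v${gnutls_version}"
    cp "src/gnutls-serv" "/build/gnutls-serv-v${gnutls_version}"

    if [[ "${compile_nettle}" == 1 ]]; then
        # The SONAME-versioned names here must match what the test image's Dockerfile copies.
        cp "${nettle_source_dir_abs}/libhogweed.so" "/build/libhogweed.so.5"
        cp "${nettle_source_dir_abs}/libnettle.so" "/build/libnettle.so.7"
    fi
    popd

    # Delete the source code directory now that we built the tools and moved them out.
    rm -rf ${gnutls_source_dir}
    echo -e "\n\n${YELLOWB}Compilation of GnuTLS v${gnutls_version} finished.${CLR}\n\n"
}


echo -e "\n\nBuilding with ${GREENB}${NUM_PROCS}${CLR} threads.\n"

# Everything below assumes it is running in /build; don't build (and later strip) in the wrong place.
cd /build || exit 1
compile_openssl_all
compile_gnutls_all
compile_mbedtls_all

# Strip all the programs of debugging symbols in order to cut down on storage space.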
289 | strip /build/openssl_prog* 290 | strip /build/gnutls-cli* 291 | strip /build/gnutls-serv* 292 | strip /build/lib* 293 | strip /build/mbedtls* 294 | 295 | echo -e "\n\n${GREENB}Done compiling applications!${CLR}\n" 296 | -------------------------------------------------------------------------------- /docker_test/ca_cert.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFUTCCAzmgAwIBAgIJAI+xjVeRdKcWMA0GCSqGSIb3DQEBCwUAMD8xCzAJBgNV 3 | BAYTAlhYMR4wHAYDVQQIDBVOb3doZXJlIGluIHBhcnRpY3VsYXIxEDAOBgNVBAcM 4 | B05vd2hlcmUwHhcNMTkxMjAzMDIxNjUzWhcNMjkxMjAzMDIxNjUzWjA/MQswCQYD 5 | VQQGEwJYWDEeMBwGA1UECAwVTm93aGVyZSBpbiBwYXJ0aWN1bGFyMRAwDgYDVQQH 6 | DAdOb3doZXJlMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAze8SR6JK 7 | HTftNJrZdnvzE5LlpU6hCVGr1aIhx1nWae7crLRRB7xAc9T+YIMUhMazKwbMJBIx 8 | 7I6rYeU+FWJBkcc5AREk0C1sM6vlM001kpcYs3amib1DTJkORdQTJlh5+bPlnupa 9 | YJQIqAVKqnEYUJuOblpeUqz2LteVLlV1hycznrvkmywU72AtzaOTx1hrgH7FjpVz 10 | 2M2KJ3zDFO8NfDtqx67fbM8Z/QL+/67tfSFwRKdPU4u38IlushoYbQ/8Y81Hw1tQ 11 | 2px08q2awgtFljHl2cDLsDB8bAsQ+AiU9/3trbTid1U48Q8Uk0BBJ+TXio5qDg+n 12 | bPw0gcXlq+Rj8CBADPzWaBZdAtH1kVlSwJ2PZ5xwi0LKNsJN2wbfJIc6WjA/pL5p 13 | VjS+Yx5X8rhGqWAJDrbLoVoTg/bEy8RPPorxBspFe8jPRoSIWsmDZn+SL0SbgnxV 14 | eZG0tVn6nbWepSUOq23Gc9E6sfMsMR3WxBBIchoWCkPB8Y/X0YeT0V3kGql2fVsT 15 | 6mMTTDvcc4RORikH+wg0EOmzn+WA0I5BzR2zYANfga+cPuowO+U6qf85wzeO6eDp 16 | x49GAyTCGMYlhZd/hWEXD+Q2bZRy2j8osTRe270MKyYiMuP0eB7VZx7pr1zb8fTE 17 | BAh4JI6xUqCG8isoTyEKDdLrX4ilW+ZN2tkCAwEAAaNQME4wHQYDVR0OBBYEFDTe 18 | OueTIjWF4f771PS5kGNY28BLMB8GA1UdIwQYMBaAFDTeOueTIjWF4f771PS5kGNY 19 | 28BLMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBALnZCFWzH3n0GFpO 20 | fYxALeoyrwYia4HrGGQ9JOwQJEHH1sUL3TwvGVoLtSB8962loGakvhtwvtr6XDyk 21 | wqsAF9J1j7PKzXvlVt3MAGDupDMTgOvX9D7GY/MYhteB2ExckmDXGyq/Ustm877S 22 | XaEkwiwCs2Jrm9T6ksZIcFd0OwpzfY+sEBjmKKTKo6n0xOmUEvlIsJ8AHZg0cOsj 23 | LD0hdcdwQ6gtvX+LrjrCWk1OzjHlGWLpDuPhDlhYFidBoRH65SWjUzqH6jmaUjEi 24 | 
pwO3wmPfaXAkSqVw1O+Pkc0BThpSbPCwnn5J6VuAJQN65pLD1vRh0UfpLI8TeOQe 25 | dDDIoiRjRCrBfSmrzZ5uj18fC/MB/6x5jfyPzMMlJCSmpWcuz65imP8VVn8V8M9b 26 | vGM+hgP66xEO4UwBGbKiIWh8Hb0Jqo+vV6AObdpncOmWxnFU891NbyLjgkRfmTMq 27 | dH3q71sarOmvv2aHcZTWwj46mzPoJHViS0lT3XYURTKar16RgMihUmKcMyPdVj75 28 | JDZyvJwpis3zSPTERmYjeuqY3Lb/hXIWHMg3v6+xWrHunj7aFuugCtyl2qm6uHGh 29 | 5uBjZfocr+ZrT4YItUZGsSw4zfkJMIWVuHuX30Q2Gtrkt25IlYCKHZGpb49KyWub 30 | wS03DVRaHGOd/8zksngsXzReZeor 31 | -----END CERTIFICATE----- 32 | -------------------------------------------------------------------------------- /docker_test/ca_key.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDN7xJHokodN+00 3 | mtl2e/MTkuWlTqEJUavVoiHHWdZp7tystFEHvEBz1P5ggxSExrMrBswkEjHsjqth 4 | 5T4VYkGRxzkBESTQLWwzq+UzTTWSlxizdqaJvUNMmQ5F1BMmWHn5s+We6lpglAio 5 | BUqqcRhQm45uWl5SrPYu15UuVXWHJzOeu+SbLBTvYC3No5PHWGuAfsWOlXPYzYon 6 | fMMU7w18O2rHrt9szxn9Av7/ru19IXBEp09Ti7fwiW6yGhhtD/xjzUfDW1DanHTy 7 | rZrCC0WWMeXZwMuwMHxsCxD4CJT3/e2ttOJ3VTjxDxSTQEEn5NeKjmoOD6ds/DSB 8 | xeWr5GPwIEAM/NZoFl0C0fWRWVLAnY9nnHCLQso2wk3bBt8khzpaMD+kvmlWNL5j 9 | HlfyuEapYAkOtsuhWhOD9sTLxE8+ivEGykV7yM9GhIhayYNmf5IvRJuCfFV5kbS1 10 | WfqdtZ6lJQ6rbcZz0Tqx8ywxHdbEEEhyGhYKQ8Hxj9fRh5PRXeQaqXZ9WxPqYxNM 11 | O9xzhE5GKQf7CDQQ6bOf5YDQjkHNHbNgA1+Br5w+6jA75Tqp/znDN47p4OnHj0YD 12 | JMIYxiWFl3+FYRcP5DZtlHLaPyixNF7bvQwrJiIy4/R4HtVnHumvXNvx9MQECHgk 13 | jrFSoIbyKyhPIQoN0utfiKVb5k3a2QIDAQABAoICAGMM1HwEASXgmoUs3d/xak9F 14 | 3pMOKMK0t7O/kgOyoEC/lQC0kizoTQ/pqJh/M8VRVSgi0tmersibLq+ddakPY35c 15 | lnx+5HgFAQAxc8KjJltltYnMTfn+QHp9O7I2eSd+cty5vH4dNm8xhKBcOzeTwiAz 16 | UeSeLrQRYS/SnXx1ulvRbTCyKxi/sSoZ1q4MOa4uRza8wwT7uYbUBdlMVwCgopnY 17 | clmtMOXDDzr0z/XnC2+eP8Olva/vif91+vpLNuhuQfU27Yd3SoJ7snxvJ/qhNU0y 18 | nt2Hr/EEwTOudvD2H8DQMBvW3v6KzSKVIE5bH3uyxEFuknBE80CmZhLtPrTY23/s 19 | 97/ncS+tY3mxr8hOBRyiz7o2zDvPcbSq56jt2JkUUS4mwk2uVzpO9uKhrDY9CkkS 20 | 
Iq5UjV0gtjQ8092Mp83Bazy0q7fTKdwgvsoorbdKMZP4GZ0EPIGJC9r8IH9UD7Cl 21 | 1YVGj1qBXUFznbJmFtNGofvc/8PzZ6TMNscEVOcjy8vrqmhKGcdXMoMl1LxDl/4g 22 | mN26n9uKfatCeRN9qyxOsts3+QEqJq+rKn2odQlCNfpezxNh8uauAx8ZxQ4HXirW 23 | O+CZS5JAlNWK5qp27pGq7JNKy5xyaU8PkC5G/A8Fi35iF1o0j2ICSWkCY3cTd73W 24 | /TvzsGNsbrJLTIFfo1ghAoIBAQDqOp7LfXLZct17TdpBSwq+2IzSN/H6ozKcyXSf 25 | Nnx56Avy1OZkU3ELMN+/zZp9X91dhR+PpXJfcbufiuJIUq0L34ow8X+cnw66hUur 26 | ig9rzs7o1Ak6PZcrVINOjZ5Sn6gzuDMZgH5PzFNjXxZto1KjDLCnf5adoYEUfjJZ 27 | r85ZN9/NlUW/PhZzuyRUW0ouRDsjjnLQouomCrFbva2tvpPggCcRlizHg6ReyX1S 28 | LfozmQbfvI4e60cbRj5MuouJbbvMicecRT5R00HhTfHTj5MMqf5DRToS2ir/QYw6 29 | kZQWHdFih+eDQcZFiPILUxq89OSBJy2UtrfgaFxGiPBdgm5lAoIBAQDhEy5NBB0X 30 | udTc9BJlL/ROp84/ER/OTd4eG57FVXhv/kuC+v2gv/M+PHc7RVSZCh+sEvqs2Dzd 31 | qRms57zQGJ2zbSzhgcCzghpNx+mNXe5UScAUM4sDONOGeeQc15HkAMCz4/umcInc 32 | IcM1zsbxa+AG8YGv9JHuknYBZ2bbaUlsoltQ57sa2h7Wht3ql3IRYSu2hwsWiGlb 33 | MZlozaEXpqH4+LvBfs0gCXNmqMOV72MnEFWFVooSzISi5KakPysH5TNypJpE6FWn 34 | 1ccUMTFFkNRFgn64qUXHyaKQlaMl0UPb3XVcyxB4Wamde8yXoo4trdFRGY1kRLl9 35 | 31zFeZDoT8llAoIBAQDGV61wE2LVz/bNGzfeYnVO9oEI4mb+HoQVUGJ5D+KIOH8l 36 | ujL+ccof99sAyFIyKKODNd9r/GXFfMGscCb9p0Tx8PFMULQHJImMWKOjNt2oJRAB 37 | CMxnjRAdmQs30aRnwtrkMO7UgYJ0gEl8tGCBpvOrLmvI6rnX8ZMkj1iDqePKmQ3j 38 | QKw3LZRFnAs/g65lT1Hk4hNHqS0t2ZAmZ5BSuDbwvJRYyBpTOJ5Pxb9hf52HY+X2 39 | P+z5MbKc3faTcsQGM+37XhCxu9Dx6Tq4VxCYXdPfvXOZ810h6azPSeo9DlmgAM/1 40 | 56+b7m6/IyAThuP1bkqxM0Pd0nwSg0zgTcV86Z4hAoIBAELgYSSPMVnIZMBWYVTh 41 | n9TzNWw12V6Ccpo9mLqHv+Z/B87eZxgpkMwQSVk6K33hrTGC3isXgVZXlYJzxP2M 42 | Iueaa/iBhlGQOeKcoP/ZRiSTWVhnTEnjy64sb6RGRVobAycweailzcCz434Md75q 43 | UEGf5unyYJ4jtJ6MK9rL+P4na7ypbkX3Q6x4nF3FLCaP2d49WAUU+UEYhr3GQ7R0 44 | VbJVrew7khWP2VNKl/roC20jBFY/NX2KeWqxR/aLsmyBJP1OfWw2IKVi9ulACKTj 45 | +L7CnIaf/VT0y7HsVHK7ME+XCPVOfRFVivl5PHxd16Mo/4X6crG1XexRvw4KJg1x 46 | D6UCggEAT+eKtfA0EkA4zQKAC15KZSTxrpYK0phQX6dBTgwXlwoczInlX7HjtQb9 47 | 7G9OzRFZvenzXsBfT+av1ilSjEPo6l/bL664qJY4hzG+5Tq1NC0YA+2Ihb9/wQP/ 48 | 
yXp/tnn27XZChm/wxdGG+s7wpWaZ9LQj/80pbMbH/DoMGlaFyHF+8RPXbDF6ycJF 49 | kAV9E0PKeVBGaQbvEx1NW093F1Lf2yPhPeEA89qjmOigyZQ7r4tIhJxYgzUo3gqD 50 | b8PbWwbrGPGD5AUu6V4Fv2E86mIgoRlcZFayHGDvGSqM5CZ7VSLLc9pc33WPV55T 51 | IvfsnBvVJ9M2TPyXcd9tejBOzLjOkQ== 52 | -----END PRIVATE KEY----- 53 | -------------------------------------------------------------------------------- /docker_test/cert_1024.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDpDCCAYwCCQCaM8BbiyPRSTANBgkqhkiG9w0BAQsFADA/MQswCQYDVQQGEwJY 3 | WDEeMBwGA1UECAwVTm93aGVyZSBpbiBwYXJ0aWN1bGFyMRAwDgYDVQQHDAdOb3do 4 | ZXJlMB4XDTE5MTIwMzAzNTY1MloXDTI5MTIwMzAzNTY1MlowbTELMAkGA1UEBhMC 5 | VVMxCzAJBgNVBAgMAk5ZMRIwEAYDVQQHDAlSb2NoZXN0ZXIxGTAXBgNVBAoMEEJh 6 | bWJvb3psZWQsIEluYy4xIjAgBgNVBAMMGWhvd2Z1Y2tlZGlzbXlkYXRhYmFzZS5j 7 | b20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOak+uYE1LeCoKAIH2Uq8fhm 8 | lf0W8fPDc/iQ1vI3jn7zKruAFSl/0lgVA7SuqbSFJ5slJBQOSGsV87qidl2wzI3f 9 | aU+VU8WYEgswE+BrElNVQ5r5NbGDJW4+Bp+2sxAyvRa+Fu/7deG3mGo9MQp78YTD 10 | Fcko9KbYXUCACSTCVBHNAgMBAAEwDQYJKoZIhvcNAQELBQADggIBAEh3v+b8P6/g 11 | 3OkAzkNpLJ2yQK1AJ35yd9KtmnTWzAYfWqkowWOZPVQv41VG0LEy8DF/DuBlXLyp 12 | H1HfY7hpJYMmZfs1Mdcr1D7pir1nobG7CFJSiS4/R1Irqb4KQhFaYPEvdy6vEh5s 13 | T+DrF6/rWlE1QnoiAoDxgUn7gYv5LThux/aX2L9ne6YY8mxBZm6AXCjsXGSFZdFY 14 | vAFeQTAVs6/lJ5AXrV9IIO5L9MGozeKVKTwz5MqNlQjr2XkGeCJ/+L40NL91/mTK 15 | xuSIZXP3gCyfL+szN7qQ8NWmrqdFoUkzVyV+SUbXfpuVLf+yC7dZGZx8AktqQERr 16 | esKgd54fIJTpZGRtx/y9UW9OAHugAoAd/6Sd1Pk3B2YH4cJPFQTUkod4OKotWs0f 17 | R4DA+aAf0tqFwKRTGDsny/6+nnGenn75zRunmae0R51vS4vbHgEoMVsGLu/QbSdC 18 | +f9DYXpeH96u/0lKl5ueW/Acoa20ngJFS6IzJiWMTJPxWJYq+gOnSMS2OEakoUKU 19 | UYjZ1VFYJrnXB+cKBksY38c6ryskUP1dfaWICwX9DH2MnD1RuuaKcdmhu+k45ujC 20 | LefUCIQ+2K4jMe/Irvk9yAbKfSBZ7xfRfgNPTdr0jjLfSZHhI5QDUOUsP8SEt1yV 21 | CQx1WMxnRCNtwJVsAhisGWFTA0sDImOX 22 | -----END CERTIFICATE----- 23 | -------------------------------------------------------------------------------- 
/docker_test/cert_2048.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIEKTCCAhECCQCaM8BbiyPRSDANBgkqhkiG9w0BAQsFADA/MQswCQYDVQQGEwJY 3 | WDEeMBwGA1UECAwVTm93aGVyZSBpbiBwYXJ0aWN1bGFyMRAwDgYDVQQHDAdOb3do 4 | ZXJlMB4XDTE5MTIwMzAzMDEyM1oXDTI5MTIwMzAzMDEyM1owbjELMAkGA1UEBhMC 5 | VVMxCzAJBgNVBAgMAk5ZMRIwEAYDVQQHDAlSb2NoZXN0ZXIxGTAXBgNVBAoMEEJh 6 | bWJvb3psZWQsIEluYy4xIzAhBgNVBAMMGndoeXRoZWZ1Y2t3YXNpYnJlYWNoZWQu 7 | Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAywGmJp/AoA4TCs6z 8 | bXuiBOkho35IeVvpsy7RqM3y3KxkEFnk/LM6U/ayL+j2vo4/15WPM0PaAGRRbvnQ 9 | EuI1xvhn/0/T4xP+TBe91pTMo/nKrK/ycvBLBqLPZQK9SJbHk6mwfgpQs5S/+VHl 10 | U9jl7+eQWcR+o3NXtv4XFlQyqx1dcokAJrL4wr2vGPkigUNU2iI6FwRB4f7Wo1rB 11 | NzI49uE97IWuh+VBMPYMp+Zn2Om4ptCyjdvSI7DEYc6jyKlPzH2UOgd0RkcwivaS 12 | pxfXJEBOC8PtOxyLg/KPjUTwUh0nHSpeOIbT3HKnOErEbbiHQmlYbbcOyinv3hIl 13 | Rj+PyQIDAQABMA0GCSqGSIb3DQEBCwUAA4ICAQCYTQPx8JIdeNfov2cSsM/8ByDo 14 | M6DDhW+kAgGdhKdGglDXtrtX4ffPYvG1EjQg7TIZJoXWcwng4XWGFI7lGqyAOQn9 15 | KjDqfFj00udNJq8B57JJK3vq71rppcggt5mJnzTrrMlTZ4z8ZMFLnj6drCEsjZLM 16 | 3oRRcBvtfC4j9xT4ZICt8R3eXw18Ne43PT1wRhFpQAud0Y9zPO/0veyAlf/D0suR 17 | 8Ix8XXRr3PU+c5XZeY2uT50FcHNKLgcSmck+25CPnwSdQtdhhfcXGpBKzczjHHTU 18 | yqIBVf9xwM4sCtg50aWrdYTYgFivMqPy4ieLe/NlhrlmjSJPFR/hw7605mTiu4zG 19 | 9Dlr310eCjL8jiASWpfj27u6QYaxFL5yg1mMfl/mvDr9dLV4LnffdkeE8hk+PVkz 20 | IvHKeLhAu39t1JAs841NwW0WhdxOQkSB+VqDmixy9lmJhM0c8I45S9qERvnKrd9S 21 | kMiVxO0d4Aza1eEt1Kep2tfK2CkAzQD30Tl/v4njPZXR7lU5p4g6pr4EukxBwMrs 22 | t2Hs1Czb9x59HV7FDB0Z8DgrNkysi40lRMMNzNoQ2HaoaLKuotwXZFCs5O5HRnze 23 | iMDS3Jy0gDs53TanmxXC2gE/ODeYOqzkOjvGgPruZOMEZ7bKkLkC/lcUxIYy4xoE 24 | PgE/onpOVIay+K/3dQ== 25 | -----END CERTIFICATE----- 26 | -------------------------------------------------------------------------------- /docker_test/cert_3072.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | 
MIIEmTCCAoECCQCaM8BbiyPRSjANBgkqhkiG9w0BAQsFADA/MQswCQYDVQQGEwJY 3 | WDEeMBwGA1UECAwVTm93aGVyZSBpbiBwYXJ0aWN1bGFyMRAwDgYDVQQHDAdOb3do 4 | ZXJlMB4XDTE5MTIwMzA0MDc0M1oXDTI5MTIwMzA0MDc0M1owXjELMAkGA1UEBhMC 5 | VVMxCzAJBgNVBAgMAk5ZMRIwEAYDVQQHDAlSb2NoZXN0ZXIxGTAXBgNVBAoMEEJh 6 | bWJvb3psZWQsIEluYy4xEzARBgNVBAMMCmxtZ3RmeS5jb20wggGiMA0GCSqGSIb3 7 | DQEBAQUAA4IBjwAwggGKAoIBgQDEDVOhDYctVgOYpKM9KUKmixtQxgDfQGVFczN0 8 | l7U5UGD+rASuFRGUUC8YX2WOBcWcxnqhMrXriwlexyM1dL8BupY72sF4xtTEPzn8 9 | 9Gjh6aYFWKh7kD8DjFsC8+3WyfCCNu1k1OzFmiF5SjHbXr81MnbhzdIYQE6UBIEe 10 | 1PpUEk9qbHVoAuVKVLiOq0sCWTHPoz9dQ95ERHoMphdSLfvDRcJlFGTVTa54zad+ 11 | TPjtr8bGh4Baa9Y9VbUG75Vslv0eyH/ai3KEdkBVf39+wpnAd/2pxKu60uTkzSLH 12 | 01QWeryplW5ktNlrv+sLDpieaU6/WYBknyw0m23XDKEwYt5uR9UcoREKqTfstGlL 13 | OWhO73n64+7+r7f3VcwpM6YwerCG9kGkCg683tuzijw3UkXyE+74wEaxlSzw/571 14 | ZMlTb3O85FZ3tn/wrXNqSKEkP0VdwLfw4Y7zyH/slXFhwzJVRlbfNkrEhOUlaXwn 15 | Xw6pClProrhx4s5bVKNEh4cZf1MCAwEAATANBgkqhkiG9w0BAQsFAAOCAgEAikFI 16 | 8LMptJKl9L5WmXW3OFS/stc0dxBQ/0/qzPiDWrhINrFkIYeNZ2fi+Cv6mLXil+C1 17 | 72Mu9YsTJ6L6VjHUnIXAhwQC4gjnhjPoZIQ3sdaQl0I5vwPr5xS6wDLoWtUSjcem 18 | x8x+axPEsqw/EIGv55NsY7YezpqFU48rkRrGbJL9jOVbKcIwzbg5ZxqRZ2kmSUD9 19 | Ze56RqXhwZPbdMmcrIk2632RoAh9HXgndL9QCIvypDnK50KpP/b2C/1Amaux//Rs 20 | ro8C55J/x2FWl0iDwHc4gAtsZvn8aznfGnavj4JHq8+3cZBZQ3zfv6ojFvWCBniT 21 | YGb57CJA+s1MW2urF6ldExgsb/adQN7oXW6I0Y9A+zFOdd3epoa+GJZu2FI7kVs3 22 | VViioCRPDCCxgDJ8CnhBvr5ALd+dWDGOpU7+POWqmtscF56tnPgiCK9J8TsT2GkN 23 | S5h/NbTbxEZvFAJS5x4GnwQBW0o0tmnybLzkRUeUucDg3k/jsMsnQIft2kPtcxD8 24 | vEZWKl/jwfX6EMLIXgAHIDK2HiG9301GlksvDTFaZhMNRcH9RYhTwYYsdLjvs5Bj 25 | aY+evRF2E6MQnaLQ7m1Hg8YZZY5O3Z/n6fPUESd3zMSsXtmcyRZ4KP5LSwTy6HuE 26 | +qEu3vdeFaOd+Ii8k8sD/4SuKf7RcXC3OG5Ne0M= 27 | -----END CERTIFICATE----- 28 | -------------------------------------------------------------------------------- /docker_test/cert_512.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | 
MIIDSjCCATICCQC6PCarUG/VGDANBgkqhkiG9w0BAQQFADA/MQswCQYDVQQGEwJY 3 | WDEeMBwGA1UECAwVTm93aGVyZSBpbiBwYXJ0aWN1bGFyMRAwDgYDVQQHDAdOb3do 4 | ZXJlMB4XDTE5MTIxMzAzNTYyMloXDTI5MTIxMzAzNTYyMlowVzELMAkGA1UEBhMC 5 | WFgxHjAcBgNVBAgMFU5vd2hlcmUgaW4gcGFydGljdWxhcjEQMA4GA1UEBwwHTm93 6 | aGVyZTEWMBQGA1UEAwwNZ2VvY2l0aWVzLmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sA 7 | MEgCQQDL3c8fl0i1RqSy1ctDSAWVbOpOy8b4ruQspvuZ9M28LGCrYq2pSL3NBz3p 8 | CYpNaP0C4KnDvN/N+8DkvIT1NJPVAgMBAAEwDQYJKoZIhvcNAQEEBQADggIBADgl 9 | k3V0s2HTPreUrn37fNwj9jYlATJGiQEy8tOoU42j6hK1nhVDq947JCtRXN3ykQkp 10 | bGWcK8TioA+IgPopW8as7rPPzbG330LYUqTub4v3r7b8NqMQBJeRp5EbDj7cvppW 11 | L8Op/pKNJBdFCL+qp4vw+k31ZALcDLfU2evGLD5cq7S/FmzQs7es0c13RICPK3nI 12 | X4AC19isu52zzMXXECPL51nbWbVH7MRQt/UPzfgyDfe+UIAUpR/cvGqree/fWL2D 13 | UQrIOD/k789XzrynRfjlJjxeSWlIyrSYD+zedjxUyn+L6YfcEwUfaqvfYn1YOeKZ 14 | BXNNTxWWZQtdlXif1L/Tk0xHrXlpMNJOmXUnKu9Wb/7ovTfjxiXHnwrhmOHZAn6O 15 | e1Oev5tnMmVWEtp0c1uowX4BTKtl5v/a827cTSJDVm5Va+cfIGL0MkjFcPz4zq04 16 | Ke/22SM4XdEiUvSiiYj/NrTI4txLid0d+gRZZIzoTnybUobBZUFWYvIFqyi990OF 17 | Mnjercyzb5uEpCiq2xZVwAKSUNMzFqzv+zerN3otOwi3lIY1evNkRdGngmmItEUD 18 | wvNgfpQApqAUH81zFKpnCmOIMZ3XDed+xO7JCJKr1zZ6+qyEhtrew8RL2hMHIok0 19 | jQQ3dyi39Ekmfr+CyKvPBQ+F4qtMHgv7VFd73RBf 20 | -----END CERTIFICATE----- 21 | -------------------------------------------------------------------------------- /docker_test/cert_ecdsa_prime256v1.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDVjCCAT4CCQDe1MM22vqmNTANBgkqhkiG9w0BAQsFADA/MQswCQYDVQQGEwJY 3 | WDEeMBwGA1UECAwVTm93aGVyZSBpbiBwYXJ0aWN1bGFyMRAwDgYDVQQHDAdOb3do 4 | ZXJlMB4XDTE5MTIyMjE5MDE1NloXDTI5MTIyMjE5MDE1NlowZjELMAkGA1UEBhMC 5 | WFgxHjAcBgNVBAgMFU5vd2hlcmUgaW4gcGFydGljdWxhcjEQMA4GA1UEBwwHTm93 6 | aGVyZTElMCMGA1UEAwwcaXRzcGVhbnV0YnV0dGVyamVsbHl0aW1lLmNvbTBZMBMG 7 | ByqGSM49AgEGCCqGSM49AwEHA0IABEJG/H34ca87RR7tz4meDGqz8sV+nSSl2+VB 8 | JFW3M3W85C84Tlx5WG5Z16+GtpsK0hBT84wjkUo0KpPfY7/dCFYwDQYJKoZIhvcN 9 | 
AQELBQADggIBAEATuWgTLHRq3+EDfJj8l5kGhvg8jjAGc/9J1i8oEwJl1Gy8Dv02 10 | jFu67camK09vprZ25EHzyVHUn+1PtZUi1kl/dpnBfFYADHZTOyokhIZ/QWLd1yr4 11 | Oc7ZHcVwODt+S/npfZsga2R66oI+wUQbkF7+/xpFU/DcjevMQkE3Ql5cMaFa5NZf 12 | Z7adpYct7RPTW1aqPVckZbB3FfN85YpTyRVOt3u93/qG73dzIVjVg6YsjZYgtvxD 13 | QhIQotKyAL6lIzA51KtIY0WhE2QmBB4YnIHlK1VkvvTaWk5tcBuY8Se2mBHfAyL5 14 | TESNfxBi884xBoHAJXkV6tZszhEJFgJi7zZS+fpP3kxst+CQBvhSa7gh6hWcqZyL 15 | JGCUTjSUxfZEo97cKqOt8kYMls1eBYuIOUQdmcFbY8ML3O90KpLxosT9cUwsceZc 16 | nBnF1qJwtG0o1RsnAYOLVCuZaimqor7rBGgBwBjkauR58PgQQBvMLtwj59edkkW+ 17 | fAQ/xcI7ofETEKzoxHc1ea6LTE4ELWP58tds5URx0/aGYyMVazKZyhPDk2rh7/r3 18 | uo7rhOrCJBO89u7wRcbSnzxtWxYI3V8+5a/70Eh7ztIUJwOd+XehexJJvqZdeA7p 19 | LBMjnUSNaR1BA4oNXP3vaFUgRFDf8dosmVAstzVDHQlE6l08bFZ0ovpj 20 | -----END CERTIFICATE----- 21 | -------------------------------------------------------------------------------- /docker_test/dhparams_1024.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN DH PARAMETERS----- 2 | MIGHAoGBAOA34y/7fH82VEhOGbr50PFlSTZcVG5+YtJmVsWH+r6Y72UAIyhBbF2D 3 | ll4gK+uYmXam6Uk8Nwf1U4QiLf7H6ZWlk3ynTa0XUWAGDf8Fce/Y9bWaJV+M7Klr 4 | c+WGk/Rt8CySRfB58fzsoGuDEW85tq5rqlkJcIKBr2bgSTtE8kIrAgEC 5 | -----END DH PARAMETERS----- 6 | -------------------------------------------------------------------------------- /docker_test/dhparams_2048.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN DH PARAMETERS----- 2 | MIIBCAKCAQEAhmyrz3SekFJY9nkmUt7tKXi/fNfxw3/UZA9+g0SOsvYxMI+vw8XJ 3 | ILm+8HJR5+kvcz6vkxgbxV9IACEdRzf33zBHcRXzA7OifsAy8CN217d8HNHqurGk 4 | ueCLTn2w1SfMy2Do3NB50AOru32xPBQL9hqLLhqEs8IKdAVuNL/OKmuLCovaAck4 5 | YYCT0Phe6VSmOmMP46dFJYuAIoup6J/TsDLqGIG/G8bZPaAn1XtgjJ23Ptoielu1 6 | z7CcvO2Bxv5gDGUnd/oW+rWU1gJ2Aav62564Fy6tNSVnNWzWy3WGuqMjkzJsEy8L 7 | 3sklLhryd4vf1E2vvFRaupMUY9g0oVWB4wIBAg== 8 | -----END DH PARAMETERS----- 9 | -------------------------------------------------------------------------------- 
/docker_test/dhparams_3072.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN DH PARAMETERS----- 2 | MIIBiAKCAYEAjoI7ICm70zsvw1DgmheGKxrpFz31cR2F+b4P5HwFPJ77EZDDNZQ2 3 | rmfJ6B1F4fFZZcGeEzuRvnujzy3grie33zRDvPLAFSzoTWjarh/bEiMcDFz/X2AY 4 | 7TAlC1snEmdcrnar8H7Twg2pWCbUKrwF/wsBsqjzXtokGqhseUTDgTUjP4JW94li 5 | 3SnqBPLGypFPGmwt5rq6IUARilOXHhwDfodV2JHvbdRvbIUivShYT9YpzLwA512s 6 | sz4clyLNjFDpVdX9HtcQoJL7etStC8Jo7qJvpjkQUGxUrbZR7QM12YfHiT7+dOIi 7 | PyLPGrEm11FWLntxyX+RuR8v5wVaXIiRziwRiz/xy4YM5giYXPQFSWNcSp7YlZO2 8 | 8LyTreyWKp9hHPFN0B2PX1G5XU8bEsIeS/gUVorjd/k6/KsQGHhFpUTMAv43CgYI 9 | UVXqw8DPGQKHejfmA5sX3rKTXZlxQjKofxsZUuymuH+Bn9tQKCLzFVWPMScM0Abb 10 | xNG5W9qEvHGDAgEC 11 | -----END DH PARAMETERS----- 12 | -------------------------------------------------------------------------------- /docker_test/dhparams_512.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN DH PARAMETERS----- 2 | MEYCQQDGepU1BSbkViIkFsK+7q68p2ISObhxXRf9uZAqi1jfEhuFrE9IXrhs1CFe 3 | QFW4cLx60bJttVU6acun8aaySWSjAgEC 4 | -----END DH PARAMETERS----- 5 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_1.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 disabled 8 | SSLv3 enabled 9 | TLSv1.0 enabled 10 | TLSv1.1 enabled 11 | TLSv1.2 enabled 12 | TLSv1.3 disabled 13 | 14 | TLS Fallback SCSV: 15 | Server supports TLS Fallback SCSV 16 | 17 | TLS renegotiation: 18 | Secure session renegotiation supported 19 | 20 | TLS Compression: 21 | Compression enabled (CRIME) 22 | 23 | Heartbleed: 24 | TLSv1.2 not vulnerable to heartbleed 25 | TLSv1.1 not vulnerable to heartbleed 26 | TLSv1.0 not vulnerable to heartbleed 27 | 28 | Supported Server Cipher(s): 29 | Preferred TLSv1.2 256 
bits ECDHE-RSA-AES256-GCM-SHA384  Curve P-256 DHE 256 30 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384  DHE 2048 bits 31 | Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256  Curve P-256 DHE 256 32 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256  DHE 2048 bits 33 | Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve P-256 DHE 256 34 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 2048 bits 35 | Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 256 36 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 2048 bits 37 | Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA  Curve P-256 DHE 256 38 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA  DHE 2048 bits 39 | Accepted TLSv1.2 256 bits DHE-RSA-CAMELLIA256-SHA  DHE 2048 bits 40 | Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA  Curve P-256 DHE 256 41 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA  DHE 2048 bits 42 | Accepted TLSv1.2 128 bits DHE-RSA-CAMELLIA128-SHA  DHE 2048 bits 43 | Accepted TLSv1.2 112 bits ECDHE-RSA-DES-CBC3-SHA  Curve P-256 DHE 256 44 | Accepted TLSv1.2 112 bits DHE-RSA-DES-CBC3-SHA  DHE 2048 bits 45 | Accepted TLSv1.2 256 bits AES256-GCM-SHA384 46 | Accepted TLSv1.2 128 bits AES128-GCM-SHA256 47 | Accepted TLSv1.2 256 bits AES256-SHA256 48 | Accepted TLSv1.2 128 bits AES128-SHA256 49 | Accepted TLSv1.2 256 bits AES256-SHA  50 | Accepted TLSv1.2 256 bits CAMELLIA256-SHA  51 | Accepted TLSv1.2 128 bits AES128-SHA  52 | Accepted TLSv1.2 128 bits CAMELLIA128-SHA  53 | Accepted TLSv1.2 112 bits DES-CBC3-SHA  54 | Accepted TLSv1.2 128 bits TLS_RSA_WITH_RC4_128_MD5  55 | Accepted TLSv1.2 128 bits TLS_RSA_WITH_RC4_128_SHA  56 | Accepted TLSv1.2 128 bits TLS_RSA_WITH_IDEA_CBC_SHA  57 | Accepted TLSv1.2 128 bits TLS_RSA_WITH_SEED_CBC_SHA  58 | Accepted TLSv1.2 128 bits TLS_DHE_RSA_WITH_SEED_CBC_SHA 59 | Accepted TLSv1.2 128 bits TLS_ECDHE_RSA_WITH_RC4_128_SHA 60 | Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA  Curve P-256 DHE 256 61 | Accepted TLSv1.1 256 bits 
DHE-RSA-AES256-SHA  DHE 2048 bits 62 | Accepted TLSv1.1 256 bits DHE-RSA-CAMELLIA256-SHA  DHE 2048 bits 63 | Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA  Curve P-256 DHE 256 64 | Accepted TLSv1.1 128 bits DHE-RSA-AES128-SHA  DHE 2048 bits 65 | Accepted TLSv1.1 128 bits DHE-RSA-CAMELLIA128-SHA  DHE 2048 bits 66 | Accepted TLSv1.1 112 bits ECDHE-RSA-DES-CBC3-SHA  Curve P-256 DHE 256 67 | Accepted TLSv1.1 112 bits DHE-RSA-DES-CBC3-SHA  DHE 2048 bits 68 | Accepted TLSv1.1 256 bits AES256-SHA  69 | Accepted TLSv1.1 256 bits CAMELLIA256-SHA  70 | Accepted TLSv1.1 128 bits AES128-SHA  71 | Accepted TLSv1.1 128 bits CAMELLIA128-SHA  72 | Accepted TLSv1.1 112 bits DES-CBC3-SHA  73 | Accepted TLSv1.1 128 bits TLS_RSA_WITH_RC4_128_MD5  74 | Accepted TLSv1.1 128 bits TLS_RSA_WITH_RC4_128_SHA  75 | Accepted TLSv1.1 128 bits TLS_RSA_WITH_IDEA_CBC_SHA  76 | Accepted TLSv1.1 128 bits TLS_RSA_WITH_SEED_CBC_SHA  77 | Accepted TLSv1.1 128 bits TLS_DHE_RSA_WITH_SEED_CBC_SHA 78 | Accepted TLSv1.1 128 bits TLS_ECDHE_RSA_WITH_RC4_128_SHA 79 | Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA  Curve P-256 DHE 256 80 | Accepted TLSv1.0 256 bits DHE-RSA-AES256-SHA  DHE 2048 bits 81 | Accepted TLSv1.0 256 bits DHE-RSA-CAMELLIA256-SHA  DHE 2048 bits 82 | Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA  Curve P-256 DHE 256 83 | Accepted TLSv1.0 128 bits DHE-RSA-AES128-SHA  DHE 2048 bits 84 | Accepted TLSv1.0 128 bits DHE-RSA-CAMELLIA128-SHA  DHE 2048 bits 85 | Accepted TLSv1.0 112 bits ECDHE-RSA-DES-CBC3-SHA  Curve P-256 DHE 256 86 | Accepted TLSv1.0 112 bits DHE-RSA-DES-CBC3-SHA  DHE 2048 bits 87 | Accepted TLSv1.0 256 bits AES256-SHA  88 | Accepted TLSv1.0 256 bits CAMELLIA256-SHA  89 | Accepted TLSv1.0 128 bits AES128-SHA  90 | Accepted TLSv1.0 128 bits CAMELLIA128-SHA  91 | Accepted TLSv1.0 112 bits DES-CBC3-SHA  92 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_RC4_128_MD5  93 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_RC4_128_SHA  94 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_IDEA_CBC_SHA  95 | 
Accepted TLSv1.0 128 bits TLS_RSA_WITH_SEED_CBC_SHA  96 | Accepted TLSv1.0 128 bits TLS_DHE_RSA_WITH_SEED_CBC_SHA 97 | Accepted TLSv1.0 128 bits TLS_ECDHE_RSA_WITH_RC4_128_SHA 98 | 99 | Server Key Exchange Group(s): 100 | TLSv1.2 128 bits secp256r1 (NIST P-256) 101 | 102 | SSL Certificate: 103 | Signature Algorithm: sha256WithRSAEncryption 104 | RSA Key Strength: 2048 105 | 106 | Subject: whythefuckwasibreached.com 107 | Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere 108 | Not valid before: Dec 3 03:01:23 2019 GMT 109 | Not valid after: Dec 3 03:01:23 2029 GMT 110 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_10.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 disabled 8 | SSLv3 disabled 9 | TLSv1.0 disabled 10 | TLSv1.1 disabled 11 | TLSv1.2 disabled 12 | TLSv1.3 enabled 13 | 14 | TLS Fallback SCSV: 15 | Server supports TLS Fallback SCSV 16 | 17 | TLS renegotiation: 18 | Session renegotiation not supported 19 | 20 | TLS Compression: 21 | Compression disabled 22 | 23 | Heartbleed: 24 | TLSv1.3 not vulnerable to heartbleed 25 | 26 | Supported Server Cipher(s): 27 | Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256  Curve 25519 DHE 253 28 | Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384  Curve 25519 DHE 253 29 | Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256  Curve 25519 DHE 253 30 | Accepted TLSv1.3 128 bits TLS_AES_128_CCM_SHA256 Curve 25519 DHE 253 31 | 32 | Server Key Exchange Group(s): 33 | TLSv1.3 96 bits secp192r1 34 | TLSv1.3 112 bits secp224r1 35 | TLSv1.3 128 bits secp256r1 (NIST P-256) 36 | TLSv1.3 192 bits secp384r1 (NIST P-384) 37 | TLSv1.3 260 bits secp521r1 (NIST P-521) 38 | TLSv1.3 128 bits x25519 39 | TLSv1.3 224 bits x448 40 | TLSv1.3 112 bits ffdhe2048 41 | TLSv1.3 128 bits ffdhe3072 42 | 
TLSv1.3 150 bits ffdhe4096 43 | TLSv1.3 175 bits ffdhe6144 44 | TLSv1.3 192 bits ffdhe8192 45 | 46 | SSL Certificate: 47 | Signature Algorithm: sha256WithRSAEncryption 48 | RSA Key Strength: 3072 49 | 50 | Subject: lmgtfy.com 51 | Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere 52 | Not valid before: Dec 3 04:07:43 2019 GMT 53 | Not valid after: Dec 3 04:07:43 2029 GMT 54 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_11.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 3 | 4 | Testing SSL server www.amazon.com on port 443 using SNI name www.amazon.com 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 disabled 8 | SSLv3 disabled 9 | TLSv1.0 enabled 10 | TLSv1.1 enabled 11 | TLSv1.2 enabled 12 | TLSv1.3 enabled 13 | 14 | OCSP Stapling Request: 15 | OCSP Response Status: successful (0x0) 16 | Response Type: Basic OCSP Response 17 | Version: 1 (0x0) 18 | Responder Id: 19 | Produced At: 20 | Responses: 21 | Certificate ID: 22 | Hash Algorithm: 23 | Issuer Name Hash: 24 | Issuer Key Hash: 25 | Serial Number: 26 | Cert Status: good 27 | This Update: 28 | Next Update: 29 | 30 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_12.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 enabled 8 | SSLv3 enabled 9 | TLSv1.0 enabled 10 | TLSv1.1 disabled 11 | TLSv1.2 disabled 12 | TLSv1.3 disabled 13 | 14 | TLS Fallback SCSV: 15 | Server does not support TLS Fallback SCSV 16 | 17 | TLS renegotiation: 18 | Secure session renegotiation supported 19 | 20 | TLS Compression: 21 | Compression enabled (CRIME) 22 | 23 | Heartbleed: 24 | TLSv1.0 not vulnerable to heartbleed 25 | 26 | Supported Server Cipher(s): 27 | Preferred TLSv1.0 
256 bits ECDHE-RSA-AES256-SHA  Curve P-256 DHE 256 28 | Accepted TLSv1.0 256 bits DHE-RSA-AES256-SHA  DHE 512 bits 29 | Accepted TLSv1.0 256 bits DHE-RSA-CAMELLIA256-SHA  DHE 512 bits 30 | Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA  Curve P-256 DHE 256 31 | Accepted TLSv1.0 128 bits DHE-RSA-AES128-SHA  DHE 512 bits 32 | Accepted TLSv1.0 128 bits DHE-RSA-CAMELLIA128-SHA  DHE 512 bits 33 | Accepted TLSv1.0 112 bits ECDHE-RSA-DES-CBC3-SHA  Curve P-256 DHE 256 34 | Accepted TLSv1.0 112 bits DHE-RSA-DES-CBC3-SHA  DHE 512 bits 35 | Accepted TLSv1.0 256 bits AES256-SHA  36 | Accepted TLSv1.0 256 bits CAMELLIA256-SHA  37 | Accepted TLSv1.0 128 bits AES128-SHA  38 | Accepted TLSv1.0 128 bits CAMELLIA128-SHA  39 | Accepted TLSv1.0 112 bits DES-CBC3-SHA  40 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_RC4_128_MD5  41 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_RC4_128_SHA  42 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_IDEA_CBC_SHA  43 | Accepted TLSv1.0 56 bits TLS_RSA_WITH_DES_CBC_SHA  44 | Accepted TLSv1.0 56 bits TLS_DHE_RSA_WITH_DES_CBC_SHA  45 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_SEED_CBC_SHA  46 | Accepted TLSv1.0 128 bits TLS_DHE_RSA_WITH_SEED_CBC_SHA 47 | Accepted TLSv1.0 128 bits TLS_ECDHE_RSA_WITH_RC4_128_SHA 48 | 49 | Server Key Exchange Group(s): 50 | TLSv1.0 128 bits secp256r1 (NIST P-256) 51 | 52 | SSL Certificate: 53 | Signature Algorithm: md5WithRSAEncryption 54 | RSA Key Strength: 512 55 | 56 | Subject: geocities.com 57 | Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere 58 | Not valid before: Dec 13 03:56:22 2019 GMT 59 | Not valid after: Dec 13 03:56:22 2029 GMT 60 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_13.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 disabled 8 | SSLv3 disabled 9 | TLSv1.0 enabled 10 
| TLSv1.1 enabled 11 | TLSv1.2 enabled 12 | TLSv1.3 enabled 13 | 14 | TLS Fallback SCSV: 15 | Server supports TLS Fallback SCSV 16 | 17 | TLS renegotiation: 18 | Secure session renegotiation supported 19 | 20 | TLS Compression: 21 | Compression disabled 22 | 23 | Heartbleed: 24 | TLSv1.3 not vulnerable to heartbleed 25 | TLSv1.2 not vulnerable to heartbleed 26 | TLSv1.1 not vulnerable to heartbleed 27 | TLSv1.0 not vulnerable to heartbleed 28 | 29 | Supported Server Cipher(s): 30 | Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256  Curve 25519 DHE 253 31 | Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384  Curve 25519 DHE 253 32 | Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256  Curve 25519 DHE 253 33 | Accepted TLSv1.3 128 bits TLS_AES_128_CCM_SHA256 Curve 25519 DHE 253 34 | Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384  Curve 25519 DHE 253 35 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384  DHE 2048 bits 36 | Accepted TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305  Curve 25519 DHE 253 37 | Accepted TLSv1.2 256 bits DHE-RSA-CHACHA20-POLY1305  DHE 2048 bits 38 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-CCM DHE 2048 bits 39 | Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256  Curve 25519 DHE 253 40 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256  DHE 2048 bits 41 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-CCM DHE 2048 bits 42 | Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA  Curve 25519 DHE 253 43 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA  DHE 2048 bits 44 | Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA  Curve 25519 DHE 253 45 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA  DHE 2048 bits 46 | Accepted TLSv1.2 256 bits AES256-GCM-SHA384 47 | Accepted TLSv1.2 256 bits AES256-CCM 48 | Accepted TLSv1.2 128 bits AES128-GCM-SHA256 49 | Accepted TLSv1.2 128 bits AES128-CCM 50 | Accepted TLSv1.2 256 bits AES256-SHA  51 | Accepted TLSv1.2 128 bits AES128-SHA  52 | Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA  Curve 25519 DHE 253 53 | 
Accepted TLSv1.1 256 bits DHE-RSA-AES256-SHA  DHE 2048 bits 54 | Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA  Curve 25519 DHE 253 55 | Accepted TLSv1.1 128 bits DHE-RSA-AES128-SHA  DHE 2048 bits 56 | Accepted TLSv1.1 256 bits AES256-SHA  57 | Accepted TLSv1.1 128 bits AES128-SHA  58 | Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA  Curve 25519 DHE 253 59 | Accepted TLSv1.0 256 bits DHE-RSA-AES256-SHA  DHE 2048 bits 60 | Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA  Curve 25519 DHE 253 61 | Accepted TLSv1.0 128 bits DHE-RSA-AES128-SHA  DHE 2048 bits 62 | Accepted TLSv1.0 256 bits AES256-SHA  63 | Accepted TLSv1.0 128 bits AES128-SHA  64 | 65 | Server Key Exchange Group(s): 66 | TLSv1.3 128 bits secp256r1 (NIST P-256) 67 | TLSv1.3 192 bits secp384r1 (NIST P-384) 68 | TLSv1.3 260 bits secp521r1 (NIST P-521) 69 | TLSv1.3 128 bits x25519 70 | TLSv1.3 112 bits ffdhe2048 71 | TLSv1.3 128 bits ffdhe3072 72 | TLSv1.3 150 bits ffdhe4096 73 | TLSv1.3 175 bits ffdhe6144 74 | TLSv1.3 192 bits ffdhe8192 75 | TLSv1.2 128 bits secp256r1 (NIST P-256) 76 | TLSv1.2 192 bits secp384r1 (NIST P-384) 77 | TLSv1.2 260 bits secp521r1 (NIST P-521) 78 | TLSv1.2 128 bits x25519 79 | 80 | SSL Certificate: 81 | Signature Algorithm: sha256WithRSAEncryption 82 | RSA Key Strength: 3072 83 | 84 | Subject: lmgtfy.com 85 | Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere 86 | Not valid before: Dec 3 04:07:43 2019 GMT 87 | Not valid after: Dec 3 04:07:43 2029 GMT 88 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_14.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 disabled 8 | SSLv3 disabled 9 | TLSv1.0 disabled 10 | TLSv1.1 disabled 11 | TLSv1.2 enabled 12 | TLSv1.3 enabled 13 | 14 | TLS Fallback SCSV: 15 | Server supports TLS Fallback SCSV 16 | 17 
| TLS renegotiation: 18 | Session renegotiation not supported 19 | 20 | TLS Compression: 21 | Compression disabled 22 | 23 | Heartbleed: 24 | TLSv1.3 not vulnerable to heartbleed 25 | TLSv1.2 not vulnerable to heartbleed 26 | 27 | Supported Server Cipher(s): 28 | Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256  Curve P-521 DHE 521 29 | Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384  Curve P-521 DHE 521 30 | Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256  Curve P-521 DHE 521 31 | Accepted TLSv1.3 128 bits TLS_AES_128_CCM_SHA256 Curve P-521 DHE 521 32 | Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384  Curve P-521 DHE 521 33 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384  DHE 8192 bits 34 | Accepted TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305  Curve P-521 DHE 521 35 | Accepted TLSv1.2 256 bits DHE-RSA-CHACHA20-POLY1305  DHE 8192 bits 36 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-CCM DHE 8192 bits 37 | Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256  Curve P-521 DHE 521 38 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256  DHE 8192 bits 39 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-CCM DHE 8192 bits 40 | Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA  Curve P-521 DHE 521 41 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA  DHE 8192 bits 42 | Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA  Curve P-521 DHE 521 43 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA  DHE 8192 bits 44 | Accepted TLSv1.2 256 bits AES256-GCM-SHA384 45 | Accepted TLSv1.2 256 bits AES256-CCM 46 | Accepted TLSv1.2 128 bits AES128-GCM-SHA256 47 | Accepted TLSv1.2 128 bits AES128-CCM 48 | Accepted TLSv1.2 256 bits AES256-SHA  49 | Accepted TLSv1.2 128 bits AES128-SHA  50 | 51 | Server Key Exchange Group(s): 52 | TLSv1.3 260 bits secp521r1 (NIST P-521) 53 | TLSv1.3 192 bits ffdhe8192 54 | TLSv1.2 260 bits secp521r1 (NIST P-521) 55 | 56 | SSL Certificate: 57 | Signature Algorithm: sha256WithRSAEncryption 58 | RSA Key Strength: 3072 59 | 60 | Subject: lmgtfy.com 61 | 
Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere 62 | Not valid before: Dec 3 04:07:43 2019 GMT 63 | Not valid after: Dec 3 04:07:43 2029 GMT 64 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_15.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 disabled 8 | SSLv3 disabled 9 | TLSv1.0 enabled 10 | TLSv1.1 enabled 11 | TLSv1.2 enabled 12 | TLSv1.3 enabled 13 | 14 | TLS Fallback SCSV: 15 | Server supports TLS Fallback SCSV 16 | 17 | TLS renegotiation: 18 | Secure session renegotiation supported 19 | 20 | TLS Compression: 21 | Compression disabled 22 | 23 | Heartbleed: 24 | TLSv1.3 not vulnerable to heartbleed 25 | TLSv1.2 not vulnerable to heartbleed 26 | TLSv1.1 not vulnerable to heartbleed 27 | TLSv1.0 not vulnerable to heartbleed 28 | 29 | Supported Server Cipher(s): 30 | Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256  Curve 25519 DHE 253 31 | Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384  Curve 25519 DHE 253 32 | Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256  Curve 25519 DHE 253 33 | Accepted TLSv1.3 128 bits TLS_AES_128_CCM_SHA256 Curve 25519 DHE 253 34 | Preferred TLSv1.2 256 bits ECDHE-ECDSA-AES256-GCM-SHA384 Curve 25519 DHE 253 35 | Accepted TLSv1.2 256 bits ECDHE-ECDSA-CHACHA20-POLY1305 Curve 25519 DHE 253 36 | Accepted TLSv1.2 256 bits ECDHE-ECDSA-AES256-CCM Curve 25519 DHE 253 37 | Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-GCM-SHA256 Curve 25519 DHE 253 38 | Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-CCM Curve 25519 DHE 253 39 | Accepted TLSv1.2 256 bits ECDHE-ECDSA-AES256-SHA  Curve 25519 DHE 253 40 | Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-SHA  Curve 25519 DHE 253 41 | Preferred TLSv1.1 256 bits ECDHE-ECDSA-AES256-SHA  Curve 25519 DHE 253 42 | Accepted TLSv1.1 128 bits 
ECDHE-ECDSA-AES128-SHA  Curve 25519 DHE 253 43 | Preferred TLSv1.0 256 bits ECDHE-ECDSA-AES256-SHA  Curve 25519 DHE 253 44 | Accepted TLSv1.0 128 bits ECDHE-ECDSA-AES128-SHA  Curve 25519 DHE 253 45 | 46 | Server Key Exchange Group(s): 47 | TLSv1.3 128 bits secp256r1 (NIST P-256) 48 | TLSv1.3 192 bits secp384r1 (NIST P-384) 49 | TLSv1.3 260 bits secp521r1 (NIST P-521) 50 | TLSv1.3 128 bits x25519 51 | TLSv1.3 112 bits ffdhe2048 52 | TLSv1.3 128 bits ffdhe3072 53 | TLSv1.3 150 bits ffdhe4096 54 | TLSv1.3 175 bits ffdhe6144 55 | TLSv1.3 192 bits ffdhe8192 56 | TLSv1.2 128 bits secp256r1 (NIST P-256) 57 | TLSv1.2 192 bits secp384r1 (NIST P-384) 58 | TLSv1.2 260 bits secp521r1 (NIST P-521) 59 | TLSv1.2 128 bits x25519 60 | 61 | SSL Certificate: 62 | Signature Algorithm: sha256WithRSAEncryption 63 | ECC Curve Name: prime256v1 64 | ECC Key Strength: 128 65 | 66 | Subject: itspeanutbutterjellytime.com 67 | Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere 68 | Not valid before: Dec 22 19:01:56 2019 GMT 69 | Not valid after: Dec 22 19:01:56 2029 GMT 70 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_16.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 disabled 8 | SSLv3 disabled 9 | TLSv1.0 disabled 10 | TLSv1.1 disabled 11 | TLSv1.2 enabled 12 | TLSv1.3 disabled 13 | 14 | TLS Fallback SCSV: 15 | Server supports TLS Fallback SCSV 16 | 17 | TLS renegotiation: 18 | Session renegotiation not supported 19 | 20 | TLS Compression: 21 | Compression disabled 22 | 23 | Heartbleed: 24 | TLSv1.2 not vulnerable to heartbleed 25 | 26 | Supported Server Cipher(s): 27 | Preferred TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384  DHE 2048 bits 28 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256  DHE 2048 bits 29 | Accepted TLSv1.2 256 bits 
DHE-RSA-AES256-SHA256 DHE 2048 bits 30 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 2048 bits 31 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA  DHE 2048 bits 32 | Accepted TLSv1.2 256 bits DHE-RSA-CAMELLIA256-SHA  DHE 2048 bits 33 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA  DHE 2048 bits 34 | Accepted TLSv1.2 128 bits DHE-RSA-CAMELLIA128-SHA  DHE 2048 bits 35 | Accepted TLSv1.2 112 bits DHE-RSA-DES-CBC3-SHA  DHE 2048 bits 36 | Accepted TLSv1.2 256 bits AES256-GCM-SHA384 37 | Accepted TLSv1.2 128 bits AES128-GCM-SHA256 38 | Accepted TLSv1.2 256 bits AES256-SHA256 39 | Accepted TLSv1.2 128 bits AES128-SHA256 40 | Accepted TLSv1.2 256 bits AES256-SHA  41 | Accepted TLSv1.2 256 bits CAMELLIA256-SHA  42 | Accepted TLSv1.2 128 bits AES128-SHA  43 | Accepted TLSv1.2 128 bits CAMELLIA128-SHA  44 | Accepted TLSv1.2 112 bits DES-CBC3-SHA  45 | Accepted TLSv1.2 128 bits TLS_RSA_WITH_RC4_128_MD5  46 | Accepted TLSv1.2 128 bits TLS_RSA_WITH_RC4_128_SHA  47 | Accepted TLSv1.2 128 bits TLS_RSA_WITH_IDEA_CBC_SHA  48 | Accepted TLSv1.2 128 bits TLS_RSA_WITH_SEED_CBC_SHA  49 | Accepted TLSv1.2 128 bits TLS_DHE_RSA_WITH_SEED_CBC_SHA 50 | 51 | Server Key Exchange Group(s): 52 | TLSv1.2 81 bits sect163k1 53 | 54 | SSL Certificate: 55 | Signature Algorithm: sha256WithRSAEncryption 56 | RSA Key Strength: 1024 57 | 58 | Subject: howfuckedismydatabase.com 59 | Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere 60 | Not valid before: Dec 3 03:56:52 2019 GMT 61 | Not valid after: Dec 3 03:56:52 2029 GMT 62 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_17.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 disabled 8 | SSLv3 disabled 9 | TLSv1.0 disabled 10 | TLSv1.1 disabled 11 | TLSv1.2 enabled 12 | TLSv1.3 disabled 13 | 14 | TLS 
Fallback SCSV: 15 | Server supports TLS Fallback SCSV 16 | 17 | TLS renegotiation: 18 | Session renegotiation not supported 19 | 20 | TLS Compression: 21 | Compression disabled 22 | 23 | Heartbleed: 24 | TLSv1.2 not vulnerable to heartbleed 25 | 26 | Supported Server Cipher(s): 27 | Preferred TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384  DHE 1024 bits 28 | Accepted TLSv1.2 256 bits DHE-RSA-CHACHA20-POLY1305  DHE 1024 bits 29 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256  DHE 1024 bits 30 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 1024 bits 31 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 1024 bits 32 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA  DHE 1024 bits 33 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA  DHE 1024 bits 34 | Accepted TLSv1.2 256 bits AES256-GCM-SHA384 35 | Accepted TLSv1.2 128 bits AES128-GCM-SHA256 36 | Accepted TLSv1.2 256 bits AES256-SHA256 37 | Accepted TLSv1.2 128 bits AES128-SHA256 38 | Accepted TLSv1.2 256 bits AES256-SHA  39 | Accepted TLSv1.2 128 bits AES128-SHA  40 | 41 | Server Key Exchange Group(s): 42 | TLSv1.2 256 bits brainpoolP512r1 43 | 44 | SSL Certificate: 45 | Signature Algorithm: sha256WithRSAEncryption 46 | RSA Key Strength: 1024 47 | 48 | Subject: howfuckedismydatabase.com 49 | Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere 50 | Not valid before: Dec 3 03:56:52 2019 GMT 51 | Not valid after: Dec 3 03:56:52 2029 GMT 52 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_18.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 disabled 8 | SSLv3 disabled 9 | TLSv1.0 disabled 10 | TLSv1.1 disabled 11 | TLSv1.2 enabled 12 | TLSv1.3 disabled 13 | 14 | TLS Fallback SCSV: 15 | Server supports TLS Fallback SCSV 16 | 17 | TLS renegotiation: 18 | Session renegotiation 
not supported 19 | 20 | TLS Compression: 21 | Compression disabled 22 | 23 | Heartbleed: 24 | TLSv1.2 not vulnerable to heartbleed 25 | 26 | Supported Server Cipher(s): 27 | Preferred TLSv1.2 256 bits ECDHE-ECDSA-CHACHA20-POLY1305 Curve 25519 DHE 253 28 | Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-GCM-SHA256 Curve 25519 DHE 253 29 | Accepted TLSv1.2 128 bits TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 30 | 31 | Server Key Exchange Group(s): 32 | TLSv1.2 128 bits secp256r1 (NIST P-256) 33 | TLSv1.2 192 bits secp384r1 (NIST P-384) 34 | TLSv1.2 260 bits secp521r1 (NIST P-521) 35 | TLSv1.2 128 bits x25519 36 | 37 | SSL Certificate: 38 | Signature Algorithm: sha256WithRSAEncryption 39 | ECC Curve Name: prime256v1 40 | ECC Key Strength: 128 41 | 42 | Subject: itspeanutbutterjellytime.com 43 | Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere 44 | Not valid before: Dec 22 19:01:56 2019 GMT 45 | Not valid after: Dec 22 19:01:56 2029 GMT 46 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_19.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 disabled 8 | SSLv3 disabled 9 | TLSv1.0 disabled 10 | TLSv1.1 disabled 11 | TLSv1.2 enabled 12 | TLSv1.3 enabled 13 | 14 | TLS Fallback SCSV: 15 | Server does not support TLS Fallback SCSV 16 | 17 | TLS renegotiation: 18 | Session renegotiation not supported 19 | 20 | TLS Compression: 21 | Compression disabled 22 | 23 | Heartbleed: 24 | TLSv1.3 not vulnerable to heartbleed 25 | TLSv1.2 not vulnerable to heartbleed 26 | 27 | Supported Server Cipher(s): 28 | Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256  Curve 25519 DHE 253 29 | Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384  Curve 25519 DHE 253 30 | Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256  Curve 25519 DHE 253 31 | Accepted 
TLSv1.3 128 bits TLS_AES_128_CCM_SHA256 Curve 25519 DHE 253 32 | Accepted TLSv1.3 64 bits TLS_AES_128_CCM_8_SHA256  Curve 25519 DHE 253 33 | Preferred TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305  Curve 25519 DHE 253 34 | Accepted TLSv1.2 256 bits DHE-RSA-CHACHA20-POLY1305  DHE 2048 bits 35 | Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384  Curve 25519 DHE 253 36 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384  DHE 2048 bits 37 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-CCM DHE 2048 bits 38 | Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve 25519 DHE 253 39 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 2048 bits 40 | Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA  Curve 25519 DHE 253 41 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA  DHE 2048 bits 42 | Accepted TLSv1.2 64 bits DHE-RSA-AES256-CCM8  DHE 2048 bits 43 | Accepted TLSv1.2 256 bits ECDHE-RSA-CAMELLIA256-SHA384 Curve 25519 DHE 253 44 | Accepted TLSv1.2 256 bits DHE-RSA-CAMELLIA256-SHA256 DHE 2048 bits 45 | Accepted TLSv1.2 256 bits DHE-RSA-CAMELLIA256-SHA  DHE 2048 bits 46 | Accepted TLSv1.2 256 bits ECDHE-ARIA256-GCM-SHA384  Curve 25519 DHE 253 47 | Accepted TLSv1.2 256 bits DHE-RSA-ARIA256-GCM-SHA384  DHE 2048 bits 48 | Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256  Curve 25519 DHE 253 49 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256  DHE 2048 bits 50 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-CCM DHE 2048 bits 51 | Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve 25519 DHE 253 52 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 2048 bits 53 | Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA  Curve 25519 DHE 253 54 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA  DHE 2048 bits 55 | Accepted TLSv1.2 64 bits DHE-RSA-AES128-CCM8  DHE 2048 bits 56 | Accepted TLSv1.2 128 bits ECDHE-RSA-CAMELLIA128-SHA256 Curve 25519 DHE 253 57 | Accepted TLSv1.2 128 bits DHE-RSA-CAMELLIA128-SHA256 DHE 2048 bits 58 | Accepted TLSv1.2 128 bits DHE-RSA-CAMELLIA128-SHA  DHE 2048 
bits 59 | Accepted TLSv1.2 128 bits ECDHE-ARIA128-GCM-SHA256  Curve 25519 DHE 253 60 | Accepted TLSv1.2 128 bits DHE-RSA-ARIA128-GCM-SHA256  DHE 2048 bits 61 | Accepted TLSv1.2 256 bits AES256-GCM-SHA384 62 | Accepted TLSv1.2 256 bits AES256-CCM 63 | Accepted TLSv1.2 256 bits AES256-SHA256 64 | Accepted TLSv1.2 256 bits AES256-SHA  65 | Accepted TLSv1.2 64 bits AES256-CCM8  66 | Accepted TLSv1.2 256 bits CAMELLIA256-SHA256 67 | Accepted TLSv1.2 256 bits CAMELLIA256-SHA  68 | Accepted TLSv1.2 256 bits ARIA256-GCM-SHA384 69 | Accepted TLSv1.2 128 bits AES128-GCM-SHA256 70 | Accepted TLSv1.2 128 bits AES128-CCM 71 | Accepted TLSv1.2 128 bits AES128-SHA256 72 | Accepted TLSv1.2 128 bits AES128-SHA  73 | Accepted TLSv1.2 64 bits AES128-CCM8  74 | Accepted TLSv1.2 128 bits CAMELLIA128-SHA256 75 | Accepted TLSv1.2 128 bits CAMELLIA128-SHA  76 | Accepted TLSv1.2 128 bits ARIA128-GCM-SHA256 77 | Accepted TLSv1.2 256 bits TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 78 | Accepted TLSv1.2 256 bits TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 79 | Accepted TLSv1.2 256 bits TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 80 | Accepted TLSv1.2 256 bits TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 81 | Accepted TLSv1.2 128 bits TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 82 | Accepted TLSv1.2 128 bits TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 83 | Accepted TLSv1.2 128 bits TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 84 | Accepted TLSv1.2 128 bits TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 85 | Accepted TLSv1.2 256 bits TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 86 | Accepted TLSv1.2 256 bits TLS_RSA_WITH_ARIA_256_CBC_SHA384 87 | Accepted TLSv1.2 128 bits TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 88 | Accepted TLSv1.2 128 bits TLS_RSA_WITH_ARIA_128_CBC_SHA256 89 | 90 | Server Key Exchange Group(s): 91 | TLSv1.3 128 bits secp256r1 (NIST P-256) 92 | TLSv1.3 192 bits secp384r1 (NIST P-384) 93 | TLSv1.3 260 bits secp521r1 (NIST P-521) 94 | TLSv1.3 128 bits x25519 95 | TLSv1.3 224 bits x448 96 | TLSv1.3 112 bits ffdhe2048 97 | 
TLSv1.3 128 bits ffdhe3072 98 | TLSv1.3 150 bits ffdhe4096 99 | TLSv1.3 175 bits ffdhe6144 100 | TLSv1.3 192 bits ffdhe8192 101 | TLSv1.2 128 bits secp256r1 (NIST P-256) 102 | TLSv1.2 192 bits secp384r1 (NIST P-384) 103 | TLSv1.2 260 bits secp521r1 (NIST P-521) 104 | TLSv1.2 128 bits brainpoolP256r1 105 | TLSv1.2 192 bits brainpoolP384r1 106 | TLSv1.2 256 bits brainpoolP512r1 107 | TLSv1.2 128 bits x25519 108 | TLSv1.2 224 bits x448 109 | 110 | SSL Certificate: 111 | Signature Algorithm: sha256WithRSAEncryption 112 | RSA Key Strength: 3072 113 | 114 | Subject: lmgtfy.com 115 | Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere 116 | Not valid before: Dec 3 04:07:43 2019 GMT 117 | Not valid after: Dec 3 04:07:43 2029 GMT 118 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_2.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 enabled 8 | SSLv3 disabled 9 | TLSv1.0 disabled 10 | TLSv1.1 disabled 11 | TLSv1.2 disabled 12 | TLSv1.3 disabled 13 | 14 | TLS Fallback SCSV: 15 | Connection failed - unable to determine TLS Fallback SCSV support 16 | 17 | TLS renegotiation: 18 | Session renegotiation not supported 19 | 20 | TLS Compression: 21 | Compression disabled 22 | 23 | Heartbleed: 24 | 25 | Supported Server Cipher(s): 26 | Unable to parse certificate 27 | Unable to parse certificate 28 | Unable to parse certificate 29 | Unable to parse certificate 30 | Certificate information cannot be retrieved. 
31 | 32 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_3.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 disabled 8 | SSLv3 enabled 9 | TLSv1.0 disabled 10 | TLSv1.1 disabled 11 | TLSv1.2 disabled 12 | TLSv1.3 disabled 13 | 14 | TLS Fallback SCSV: 15 | Connection failed - unable to determine TLS Fallback SCSV support 16 | 17 | TLS renegotiation: 18 | Session renegotiation not supported 19 | 20 | TLS Compression: 21 | Compression disabled 22 | 23 | Heartbleed: 24 | 25 | Supported Server Cipher(s): 26 | Unable to parse certificate 27 | Unable to parse certificate 28 | Unable to parse certificate 29 | Unable to parse certificate 30 | Certificate information cannot be retrieved. 31 | 32 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_4.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 disabled 8 | SSLv3 disabled 9 | TLSv1.0 enabled 10 | TLSv1.1 enabled 11 | TLSv1.2 enabled 12 | TLSv1.3 enabled 13 | 14 | TLS Fallback SCSV: 15 | Server supports TLS Fallback SCSV 16 | 17 | TLS renegotiation: 18 | Secure session renegotiation supported 19 | 20 | TLS Compression: 21 | Compression disabled 22 | 23 | Heartbleed: 24 | TLSv1.3 not vulnerable to heartbleed 25 | TLSv1.2 not vulnerable to heartbleed 26 | TLSv1.1 not vulnerable to heartbleed 27 | TLSv1.0 not vulnerable to heartbleed 28 | 29 | Supported Server Cipher(s): 30 | Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256  Curve 25519 DHE 253 31 | Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384  Curve 25519 DHE 253 32 | Accepted TLSv1.3 
256 bits TLS_CHACHA20_POLY1305_SHA256  Curve 25519 DHE 253 33 | Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384  Curve 25519 DHE 253 34 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384  DHE 3072 bits 35 | Accepted TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305  Curve 25519 DHE 253 36 | Accepted TLSv1.2 256 bits DHE-RSA-CHACHA20-POLY1305  DHE 3072 bits 37 | Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256  Curve 25519 DHE 253 38 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256  DHE 3072 bits 39 | Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve 25519 DHE 253 40 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 3072 bits 41 | Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve 25519 DHE 253 42 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 3072 bits 43 | Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA  Curve 25519 DHE 253 44 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA  DHE 3072 bits 45 | Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA  Curve 25519 DHE 253 46 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA  DHE 3072 bits 47 | Accepted TLSv1.2 256 bits AES256-GCM-SHA384 48 | Accepted TLSv1.2 128 bits AES128-GCM-SHA256 49 | Accepted TLSv1.2 256 bits AES256-SHA256 50 | Accepted TLSv1.2 128 bits AES128-SHA256 51 | Accepted TLSv1.2 256 bits AES256-SHA  52 | Accepted TLSv1.2 128 bits AES128-SHA  53 | Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA  Curve 25519 DHE 253 54 | Accepted TLSv1.1 256 bits DHE-RSA-AES256-SHA  DHE 3072 bits 55 | Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA  Curve 25519 DHE 253 56 | Accepted TLSv1.1 128 bits DHE-RSA-AES128-SHA  DHE 3072 bits 57 | Accepted TLSv1.1 256 bits AES256-SHA  58 | Accepted TLSv1.1 128 bits AES128-SHA  59 | Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA  Curve 25519 DHE 253 60 | Accepted TLSv1.0 256 bits DHE-RSA-AES256-SHA  DHE 3072 bits 61 | Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA  Curve 25519 DHE 253 62 | Accepted TLSv1.0 128 bits DHE-RSA-AES128-SHA  DHE 3072 bits 63 | 
Accepted TLSv1.0 256 bits AES256-SHA  64 | Accepted TLSv1.0 128 bits AES128-SHA  65 | 66 | Server Key Exchange Group(s): 67 | TLSv1.3 128 bits secp256r1 (NIST P-256) 68 | TLSv1.3 192 bits secp384r1 (NIST P-384) 69 | TLSv1.3 260 bits secp521r1 (NIST P-521) 70 | TLSv1.3 128 bits x25519 71 | TLSv1.3 224 bits x448 72 | TLSv1.2 128 bits secp256r1 (NIST P-256) 73 | TLSv1.2 192 bits secp384r1 (NIST P-384) 74 | TLSv1.2 260 bits secp521r1 (NIST P-521) 75 | TLSv1.2 128 bits x25519 76 | TLSv1.2 224 bits x448 77 | 78 | SSL Certificate: 79 | Signature Algorithm: sha256WithRSAEncryption 80 | RSA Key Strength: 3072 81 | 82 | Subject: lmgtfy.com 83 | Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere 84 | Not valid before: Dec 3 04:07:43 2019 GMT 85 | Not valid after: Dec 3 04:07:43 2029 GMT 86 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_5.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 disabled 8 | SSLv3 enabled 9 | TLSv1.0 enabled 10 | TLSv1.1 enabled 11 | TLSv1.2 enabled 12 | TLSv1.3 disabled 13 | 14 | TLS Fallback SCSV: 15 | Server supports TLS Fallback SCSV 16 | 17 | TLS renegotiation: 18 | Secure session renegotiation supported 19 | 20 | TLS Compression: 21 | Compression enabled (CRIME) 22 | 23 | Heartbleed: 24 | TLSv1.2 not vulnerable to heartbleed 25 | TLSv1.1 not vulnerable to heartbleed 26 | TLSv1.0 not vulnerable to heartbleed 27 | 28 | Supported Server Cipher(s): 29 | Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384  Curve P-256 DHE 256 30 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384  DHE 1024 bits 31 | Accepted TLSv1.2 256 bits ADH-AES256-GCM-SHA384  DHE 1024 bits 32 | Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256  Curve P-256 DHE 256 33 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256  DHE 
1024 bits 34 | Accepted TLSv1.2 128 bits ADH-AES128-GCM-SHA256  DHE 1024 bits 35 | Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve P-256 DHE 256 36 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 1024 bits 37 | Accepted TLSv1.2 256 bits ADH-AES256-SHA256  DHE 1024 bits 38 | Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 256 39 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 1024 bits 40 | Accepted TLSv1.2 128 bits ADH-AES128-SHA256  DHE 1024 bits 41 | Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA  Curve P-256 DHE 256 42 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA  DHE 1024 bits 43 | Accepted TLSv1.2 256 bits DHE-RSA-CAMELLIA256-SHA  DHE 1024 bits 44 | Accepted TLSv1.2 256 bits AECDH-AES256-SHA  Curve P-256 DHE 256 45 | Accepted TLSv1.2 256 bits ADH-AES256-SHA  DHE 1024 bits 46 | Accepted TLSv1.2 256 bits ADH-CAMELLIA256-SHA  DHE 1024 bits 47 | Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA  Curve P-256 DHE 256 48 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA  DHE 1024 bits 49 | Accepted TLSv1.2 128 bits DHE-RSA-CAMELLIA128-SHA  DHE 1024 bits 50 | Accepted TLSv1.2 128 bits AECDH-AES128-SHA  Curve P-256 DHE 256 51 | Accepted TLSv1.2 128 bits ADH-AES128-SHA  DHE 1024 bits 52 | Accepted TLSv1.2 128 bits ADH-CAMELLIA128-SHA  DHE 1024 bits 53 | Accepted TLSv1.2 112 bits ECDHE-RSA-DES-CBC3-SHA  Curve P-256 DHE 256 54 | Accepted TLSv1.2 112 bits DHE-RSA-DES-CBC3-SHA  DHE 1024 bits 55 | Accepted TLSv1.2 112 bits AECDH-DES-CBC3-SHA  Curve P-256 DHE 256 56 | Accepted TLSv1.2 112 bits ADH-DES-CBC3-SHA  DHE 1024 bits 57 | Accepted TLSv1.2 256 bits AES256-GCM-SHA384 58 | Accepted TLSv1.2 128 bits AES128-GCM-SHA256 59 | Accepted TLSv1.2 256 bits AES256-SHA256 60 | Accepted TLSv1.2 128 bits AES128-SHA256 61 | Accepted TLSv1.2 256 bits AES256-SHA  62 | Accepted TLSv1.2 256 bits CAMELLIA256-SHA  63 | Accepted TLSv1.2 128 bits AES128-SHA  64 | Accepted TLSv1.2 128 bits CAMELLIA128-SHA  65 | Accepted TLSv1.2 112 bits DES-CBC3-SHA  66 | 
Accepted TLSv1.2 40 bits TLS_RSA_EXPORT_WITH_RC4_40_MD5 67 | Accepted TLSv1.2 128 bits TLS_RSA_WITH_RC4_128_MD5  68 | Accepted TLSv1.2 128 bits TLS_RSA_WITH_RC4_128_SHA  69 | Accepted TLSv1.2 40 bits TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 70 | Accepted TLSv1.2 128 bits TLS_RSA_WITH_IDEA_CBC_SHA  71 | Accepted TLSv1.2 40 bits TLS_RSA_EXPORT_WITH_DES40_CBC_SHA 72 | Accepted TLSv1.2 56 bits TLS_RSA_WITH_DES_CBC_SHA  73 | Accepted TLSv1.2 56 bits TLS_DHE_RSA_WITH_DES_CBC_SHA  74 | Accepted TLSv1.2 128 bits TLS_DH_anon_WITH_RC4_128_MD5  75 | Accepted TLSv1.2 56 bits TLS_DH_anon_WITH_DES_CBC_SHA  76 | Accepted TLSv1.2 128 bits TLS_RSA_WITH_SEED_CBC_SHA  77 | Accepted TLSv1.2 128 bits TLS_DHE_RSA_WITH_SEED_CBC_SHA 78 | Accepted TLSv1.2 128 bits TLS_DH_anon_WITH_SEED_CBC_SHA 79 | Accepted TLSv1.2 128 bits TLS_ECDHE_RSA_WITH_RC4_128_SHA 80 | Accepted TLSv1.2 128 bits TLS_ECDH_anon_WITH_RC4_128_SHA 81 | Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA  Curve P-256 DHE 256 82 | Accepted TLSv1.1 256 bits DHE-RSA-AES256-SHA  DHE 1024 bits 83 | Accepted TLSv1.1 256 bits DHE-RSA-CAMELLIA256-SHA  DHE 1024 bits 84 | Accepted TLSv1.1 256 bits AECDH-AES256-SHA  Curve P-256 DHE 256 85 | Accepted TLSv1.1 256 bits ADH-AES256-SHA  DHE 1024 bits 86 | Accepted TLSv1.1 256 bits ADH-CAMELLIA256-SHA  DHE 1024 bits 87 | Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA  Curve P-256 DHE 256 88 | Accepted TLSv1.1 128 bits DHE-RSA-AES128-SHA  DHE 1024 bits 89 | Accepted TLSv1.1 128 bits DHE-RSA-CAMELLIA128-SHA  DHE 1024 bits 90 | Accepted TLSv1.1 128 bits AECDH-AES128-SHA  Curve P-256 DHE 256 91 | Accepted TLSv1.1 128 bits ADH-AES128-SHA  DHE 1024 bits 92 | Accepted TLSv1.1 128 bits ADH-CAMELLIA128-SHA  DHE 1024 bits 93 | Accepted TLSv1.1 112 bits ECDHE-RSA-DES-CBC3-SHA  Curve P-256 DHE 256 94 | Accepted TLSv1.1 112 bits DHE-RSA-DES-CBC3-SHA  DHE 1024 bits 95 | Accepted TLSv1.1 112 bits AECDH-DES-CBC3-SHA  Curve P-256 DHE 256 96 | Accepted TLSv1.1 112 bits ADH-DES-CBC3-SHA  DHE 1024 bits 97 | Accepted 
TLSv1.1 256 bits AES256-SHA  98 | Accepted TLSv1.1 256 bits CAMELLIA256-SHA  99 | Accepted TLSv1.1 128 bits AES128-SHA  100 | Accepted TLSv1.1 128 bits CAMELLIA128-SHA  101 | Accepted TLSv1.1 112 bits DES-CBC3-SHA  102 | Accepted TLSv1.1 40 bits TLS_RSA_EXPORT_WITH_RC4_40_MD5 103 | Accepted TLSv1.1 128 bits TLS_RSA_WITH_RC4_128_MD5  104 | Accepted TLSv1.1 128 bits TLS_RSA_WITH_RC4_128_SHA  105 | Accepted TLSv1.1 40 bits TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 106 | Accepted TLSv1.1 128 bits TLS_RSA_WITH_IDEA_CBC_SHA  107 | Accepted TLSv1.1 40 bits TLS_RSA_EXPORT_WITH_DES40_CBC_SHA 108 | Accepted TLSv1.1 56 bits TLS_RSA_WITH_DES_CBC_SHA  109 | Accepted TLSv1.1 56 bits TLS_DHE_RSA_WITH_DES_CBC_SHA  110 | Accepted TLSv1.1 128 bits TLS_DH_anon_WITH_RC4_128_MD5  111 | Accepted TLSv1.1 56 bits TLS_DH_anon_WITH_DES_CBC_SHA  112 | Accepted TLSv1.1 128 bits TLS_RSA_WITH_SEED_CBC_SHA  113 | Accepted TLSv1.1 128 bits TLS_DHE_RSA_WITH_SEED_CBC_SHA 114 | Accepted TLSv1.1 128 bits TLS_DH_anon_WITH_SEED_CBC_SHA 115 | Accepted TLSv1.1 128 bits TLS_ECDHE_RSA_WITH_RC4_128_SHA 116 | Accepted TLSv1.1 128 bits TLS_ECDH_anon_WITH_RC4_128_SHA 117 | Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA  Curve P-256 DHE 256 118 | Accepted TLSv1.0 256 bits DHE-RSA-AES256-SHA  DHE 1024 bits 119 | Accepted TLSv1.0 256 bits DHE-RSA-CAMELLIA256-SHA  DHE 1024 bits 120 | Accepted TLSv1.0 256 bits AECDH-AES256-SHA  Curve P-256 DHE 256 121 | Accepted TLSv1.0 256 bits ADH-AES256-SHA  DHE 1024 bits 122 | Accepted TLSv1.0 256 bits ADH-CAMELLIA256-SHA  DHE 1024 bits 123 | Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA  Curve P-256 DHE 256 124 | Accepted TLSv1.0 128 bits DHE-RSA-AES128-SHA  DHE 1024 bits 125 | Accepted TLSv1.0 128 bits DHE-RSA-CAMELLIA128-SHA  DHE 1024 bits 126 | Accepted TLSv1.0 128 bits AECDH-AES128-SHA  Curve P-256 DHE 256 127 | Accepted TLSv1.0 128 bits ADH-AES128-SHA  DHE 1024 bits 128 | Accepted TLSv1.0 128 bits ADH-CAMELLIA128-SHA  DHE 1024 bits 129 | Accepted TLSv1.0 112 bits 
ECDHE-RSA-DES-CBC3-SHA  Curve P-256 DHE 256 130 | Accepted TLSv1.0 112 bits DHE-RSA-DES-CBC3-SHA  DHE 1024 bits 131 | Accepted TLSv1.0 112 bits AECDH-DES-CBC3-SHA  Curve P-256 DHE 256 132 | Accepted TLSv1.0 112 bits ADH-DES-CBC3-SHA  DHE 1024 bits 133 | Accepted TLSv1.0 256 bits AES256-SHA  134 | Accepted TLSv1.0 256 bits CAMELLIA256-SHA  135 | Accepted TLSv1.0 128 bits AES128-SHA  136 | Accepted TLSv1.0 128 bits CAMELLIA128-SHA  137 | Accepted TLSv1.0 112 bits DES-CBC3-SHA  138 | Accepted TLSv1.0 40 bits TLS_RSA_EXPORT_WITH_RC4_40_MD5 139 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_RC4_128_MD5  140 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_RC4_128_SHA  141 | Accepted TLSv1.0 40 bits TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 142 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_IDEA_CBC_SHA  143 | Accepted TLSv1.0 40 bits TLS_RSA_EXPORT_WITH_DES40_CBC_SHA 144 | Accepted TLSv1.0 56 bits TLS_RSA_WITH_DES_CBC_SHA  145 | Accepted TLSv1.0 56 bits TLS_DHE_RSA_WITH_DES_CBC_SHA  146 | Accepted TLSv1.0 128 bits TLS_DH_anon_WITH_RC4_128_MD5  147 | Accepted TLSv1.0 56 bits TLS_DH_anon_WITH_DES_CBC_SHA  148 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_SEED_CBC_SHA  149 | Accepted TLSv1.0 128 bits TLS_DHE_RSA_WITH_SEED_CBC_SHA 150 | Accepted TLSv1.0 128 bits TLS_DH_anon_WITH_SEED_CBC_SHA 151 | Accepted TLSv1.0 128 bits TLS_ECDHE_RSA_WITH_RC4_128_SHA 152 | Accepted TLSv1.0 128 bits TLS_ECDH_anon_WITH_RC4_128_SHA 153 | 154 | Server Key Exchange Group(s): 155 | TLSv1.2 128 bits secp256r1 (NIST P-256) 156 | 157 | SSL Certificate: 158 | Signature Algorithm: sha256WithRSAEncryption 159 | RSA Key Strength: 1024 160 | 161 | Subject: howfuckedismydatabase.com 162 | Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere 163 | Not valid before: Dec 3 03:56:52 2019 GMT 164 | Not valid after: Dec 3 03:56:52 2029 GMT 165 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_6.txt: 
-------------------------------------------------------------------------------- 1 |  2 | Connected to 127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 disabled 8 | SSLv3 disabled 9 | TLSv1.0 disabled 10 | TLSv1.1 disabled 11 | TLSv1.2 disabled 12 | TLSv1.3 enabled 13 | 14 | TLS Fallback SCSV: 15 | Server supports TLS Fallback SCSV 16 | 17 | TLS renegotiation: 18 | Session renegotiation not supported 19 | 20 | TLS Compression: 21 | Compression disabled 22 | 23 | Heartbleed: 24 | TLSv1.3 not vulnerable to heartbleed 25 | 26 | Supported Server Cipher(s): 27 | Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256  Curve 25519 DHE 253 28 | Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384  Curve 25519 DHE 253 29 | Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256  Curve 25519 DHE 253 30 | Accepted TLSv1.3 128 bits TLS_AES_128_CCM_SHA256 Curve 25519 DHE 253 31 | Accepted TLSv1.3 64 bits TLS_AES_128_CCM_8_SHA256  Curve 25519 DHE 253 32 | 33 | Server Key Exchange Group(s): 34 | TLSv1.3 128 bits secp256r1 (NIST P-256) 35 | TLSv1.3 192 bits secp384r1 (NIST P-384) 36 | TLSv1.3 260 bits secp521r1 (NIST P-521) 37 | TLSv1.3 128 bits x25519 38 | TLSv1.3 224 bits x448 39 | 40 | SSL Certificate: 41 | Signature Algorithm: sha256WithRSAEncryption 42 | RSA Key Strength: 3072 43 | 44 | Subject: lmgtfy.com 45 | Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere 46 | Not valid before: Dec 3 04:07:43 2019 GMT 47 | Not valid after: Dec 3 04:07:43 2029 GMT 48 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_7.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 enabled 8 | SSLv3 enabled 9 | TLSv1.0 enabled 10 | TLSv1.1 disabled 11 | TLSv1.2 disabled 12 | TLSv1.3 disabled 13 | 14 
| TLS Fallback SCSV: 15 | Server does not support TLS Fallback SCSV 16 | 17 | TLS renegotiation: 18 | Secure session renegotiation supported 19 | 20 | TLS Compression: 21 | Compression enabled (CRIME) 22 | 23 | Heartbleed: 24 | TLSv1.0 not vulnerable to heartbleed 25 | 26 | Supported Server Cipher(s): 27 | Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA  Curve P-256 DHE 256 28 | Accepted TLSv1.0 256 bits DHE-RSA-AES256-SHA  DHE 512 bits 29 | Accepted TLSv1.0 256 bits DHE-RSA-CAMELLIA256-SHA  DHE 512 bits 30 | Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA  Curve P-256 DHE 256 31 | Accepted TLSv1.0 128 bits DHE-RSA-AES128-SHA  DHE 512 bits 32 | Accepted TLSv1.0 128 bits DHE-RSA-CAMELLIA128-SHA  DHE 512 bits 33 | Accepted TLSv1.0 112 bits ECDHE-RSA-DES-CBC3-SHA  Curve P-256 DHE 256 34 | Accepted TLSv1.0 112 bits DHE-RSA-DES-CBC3-SHA  DHE 512 bits 35 | Accepted TLSv1.0 256 bits AES256-SHA  36 | Accepted TLSv1.0 256 bits CAMELLIA256-SHA  37 | Accepted TLSv1.0 128 bits AES128-SHA  38 | Accepted TLSv1.0 128 bits CAMELLIA128-SHA  39 | Accepted TLSv1.0 112 bits DES-CBC3-SHA  40 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_RC4_128_MD5  41 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_RC4_128_SHA  42 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_IDEA_CBC_SHA  43 | Accepted TLSv1.0 56 bits TLS_RSA_WITH_DES_CBC_SHA  44 | Accepted TLSv1.0 56 bits TLS_DHE_RSA_WITH_DES_CBC_SHA  45 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_SEED_CBC_SHA  46 | Accepted TLSv1.0 128 bits TLS_DHE_RSA_WITH_SEED_CBC_SHA 47 | Accepted TLSv1.0 128 bits TLS_ECDHE_RSA_WITH_RC4_128_SHA 48 | 49 | Server Key Exchange Group(s): 50 | TLSv1.0 128 bits secp256r1 (NIST P-256) 51 | 52 | SSL Certificate: 53 | Signature Algorithm: sha256WithRSAEncryption 54 | RSA Key Strength: 3072 55 | 56 | Subject: lmgtfy.com 57 | Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere 58 | Not valid before: Dec 3 04:07:43 2019 GMT 59 | Not valid after: Dec 3 04:07:43 2029 GMT 60 | 
-------------------------------------------------------------------------------- /docker_test/expected_output/test_8.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 enabled 8 | SSLv3 enabled 9 | TLSv1.0 enabled 10 | TLSv1.1 disabled 11 | TLSv1.2 disabled 12 | TLSv1.3 disabled 13 | 14 | TLS Fallback SCSV: 15 | Server does not support TLS Fallback SCSV 16 | 17 | TLS renegotiation: 18 | Secure session renegotiation supported 19 | 20 | TLS Compression: 21 | Compression enabled (CRIME) 22 | 23 | Heartbleed: 24 | TLSv1.0 not vulnerable to heartbleed 25 | 26 | Supported Server Cipher(s): 27 | Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA  Curve P-256 DHE 256 28 | Accepted TLSv1.0 256 bits DHE-RSA-AES256-SHA  DHE 512 bits 29 | Accepted TLSv1.0 256 bits DHE-RSA-CAMELLIA256-SHA  DHE 512 bits 30 | Accepted TLSv1.0 256 bits AECDH-AES256-SHA  Curve P-256 DHE 256 31 | Accepted TLSv1.0 256 bits ADH-AES256-SHA  DHE 512 bits 32 | Accepted TLSv1.0 256 bits ADH-CAMELLIA256-SHA  DHE 512 bits 33 | Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA  Curve P-256 DHE 256 34 | Accepted TLSv1.0 128 bits DHE-RSA-AES128-SHA  DHE 512 bits 35 | Accepted TLSv1.0 128 bits DHE-RSA-CAMELLIA128-SHA  DHE 512 bits 36 | Accepted TLSv1.0 128 bits AECDH-AES128-SHA  Curve P-256 DHE 256 37 | Accepted TLSv1.0 128 bits ADH-AES128-SHA  DHE 512 bits 38 | Accepted TLSv1.0 128 bits ADH-CAMELLIA128-SHA  DHE 512 bits 39 | Accepted TLSv1.0 112 bits ECDHE-RSA-DES-CBC3-SHA  Curve P-256 DHE 256 40 | Accepted TLSv1.0 112 bits DHE-RSA-DES-CBC3-SHA  DHE 512 bits 41 | Accepted TLSv1.0 112 bits AECDH-DES-CBC3-SHA  Curve P-256 DHE 256 42 | Accepted TLSv1.0 112 bits ADH-DES-CBC3-SHA  DHE 512 bits 43 | Accepted TLSv1.0 256 bits AES256-SHA  44 | Accepted TLSv1.0 256 bits CAMELLIA256-SHA  45 | Accepted TLSv1.0 128 bits AES128-SHA  46 | Accepted 
TLSv1.0 128 bits CAMELLIA128-SHA  47 | Accepted TLSv1.0 112 bits DES-CBC3-SHA  48 | Accepted TLSv1.0 0 bits ECDHE-RSA-NULL-SHA  Curve P-256 DHE 256 49 | Accepted TLSv1.0 0 bits AECDH-NULL-SHA  Curve P-256 DHE 256 50 | Accepted TLSv1.0 0 bits NULL-SHA  51 | Accepted TLSv1.0 0 bits NULL-MD5  52 | Accepted TLSv1.0 40 bits TLS_RSA_EXPORT_WITH_RC4_40_MD5 53 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_RC4_128_MD5  54 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_RC4_128_SHA  55 | Accepted TLSv1.0 40 bits TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 56 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_IDEA_CBC_SHA  57 | Accepted TLSv1.0 40 bits TLS_RSA_EXPORT_WITH_DES40_CBC_SHA 58 | Accepted TLSv1.0 56 bits TLS_RSA_WITH_DES_CBC_SHA  59 | Accepted TLSv1.0 40 bits TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA 60 | Accepted TLSv1.0 56 bits TLS_DHE_RSA_WITH_DES_CBC_SHA  61 | Accepted TLSv1.0 40 bits TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 62 | Accepted TLSv1.0 128 bits TLS_DH_anon_WITH_RC4_128_MD5  63 | Accepted TLSv1.0 40 bits TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA 64 | Accepted TLSv1.0 56 bits TLS_DH_anon_WITH_DES_CBC_SHA  65 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_SEED_CBC_SHA  66 | Accepted TLSv1.0 128 bits TLS_DHE_RSA_WITH_SEED_CBC_SHA 67 | Accepted TLSv1.0 128 bits TLS_DH_anon_WITH_SEED_CBC_SHA 68 | Accepted TLSv1.0 128 bits TLS_ECDHE_RSA_WITH_RC4_128_SHA 69 | Accepted TLSv1.0 128 bits TLS_ECDH_anon_WITH_RC4_128_SHA 70 | 71 | Server Key Exchange Group(s): 72 | TLSv1.0 128 bits secp256r1 (NIST P-256) 73 | 74 | SSL Certificate: 75 | Signature Algorithm: sha256WithRSAEncryption 76 | RSA Key Strength: 3072 77 | 78 | Subject: lmgtfy.com 79 | Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere 80 | Not valid before: Dec 3 04:07:43 2019 GMT 81 | Not valid after: Dec 3 04:07:43 2029 GMT 82 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_9.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 
127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 disabled 8 | SSLv3 disabled 9 | TLSv1.0 disabled 10 | TLSv1.1 disabled 11 | TLSv1.2 disabled 12 | TLSv1.3 enabled 13 | 14 | TLS Fallback SCSV: 15 | Server supports TLS Fallback SCSV 16 | 17 | TLS renegotiation: 18 | Session renegotiation not supported 19 | 20 | TLS Compression: 21 | Compression disabled 22 | 23 | Heartbleed: 24 | TLSv1.3 not vulnerable to heartbleed 25 | 26 | Supported Server Cipher(s): 27 | Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256  28 | Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384  29 | Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256  30 | 31 | Server Key Exchange Group(s): 32 | TLSv1.3 128 bits secp256r1 (NIST P-256) 33 | TLSv1.3 192 bits secp384r1 (NIST P-384) 34 | TLSv1.3 260 bits secp521r1 (NIST P-521) 35 | TLSv1.3 128 bits x25519 36 | TLSv1.3 224 bits x448 37 | TLSv1.3 128 bits brainpoolP256r1tls13 38 | TLSv1.3 192 bits brainpoolP384r1tls13 39 | TLSv1.3 256 bits brainpoolP512r1tls13 40 | TLSv1.3 112 bits ffdhe2048 41 | TLSv1.3 128 bits ffdhe3072 42 | TLSv1.3 150 bits ffdhe4096 43 | TLSv1.3 175 bits ffdhe6144 44 | TLSv1.3 192 bits ffdhe8192 45 | TLSv1.3 128 bits MLKEM512 46 | TLSv1.3 192 bits MLKEM768 47 | TLSv1.3 256 bits MLKEM1024 48 | TLSv1.3 192 bits SecP256r1MLKEM768 49 | TLSv1.3 192 bits X25519MLKEM768 50 | TLSv1.3 256 bits SecP384r1MLKEM1024 51 | 52 | SSL Certificate: 53 | Signature Algorithm: sha256WithRSAEncryption 54 | RSA Key Strength: 3072 55 | 56 | Subject: lmgtfy.com 57 | Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere 58 | Not valid before: Dec 3 04:07:43 2019 GMT 59 | Not valid after: Dec 3 04:07:43 2029 GMT 60 | -------------------------------------------------------------------------------- /docker_test/key_1024.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | 
MIICXgIBAAKBgQDmpPrmBNS3gqCgCB9lKvH4ZpX9FvHzw3P4kNbyN45+8yq7gBUp 3 | f9JYFQO0rqm0hSebJSQUDkhrFfO6onZdsMyN32lPlVPFmBILMBPgaxJTVUOa+TWx 4 | gyVuPgaftrMQMr0Wvhbv+3Xht5hqPTEKe/GEwxXJKPSm2F1AgAkkwlQRzQIDAQAB 5 | AoGBAJgeR7xdg05lQTtLICnBYUXLozEBaSK0zlAqdxnZuonQJ2by2wI746dkdMU+ 6 | TX9aMv0ISftQUEMQf2egryCr8rx+yq8bI7LVF8H210x+8BT0H+gmd0iIcFNJNL0l 7 | WSSIAmRVTbSK0IwsvEDwR+Egcnd8wA/9s/s9d2GmbChjisIBAkEA/QY1YLKkG+IT 8 | Ad7GaOKv/UFQNLu7yLDtfjJcJ+dpjCWPv1B/orh6dwFJ4F+7MYruu0BAXhnvw70s 9 | uyPH9W290QJBAOlbZEZtl5n5iL+czI0Ibkyn9VlZ44kgVQHs9Y5hFG0Hv1VH66EP 10 | hU7ZeUUfSmiPqnTcVEKQFZjl09FSoVzTJz0CQQDROzsUlWTjsdUp7MCBp0ME1+et 11 | U7j7QmOBwb83OEOtorn16GlDc+3BTw16P2+ajlrP+VfA+Q2t/VdqATKvH2qhAkBk 12 | zLJ67Zn/y9czFbMR9KNYf3CuwPJVaF7v7wB/GRYuppsSZne04bRuw+frYMHOeshh 13 | pE7NVdnOavBdSfkj1J3tAkEAjQ/+3cGCBiv9lnDdlszKW/Zq4Uu19znfQSbSbI8L 14 | JezLQJbSlVDPG3W3NSNkLizrOg1H6AG2pnnVq2q++Lt5tQ== 15 | -----END RSA PRIVATE KEY----- 16 | -------------------------------------------------------------------------------- /docker_test/key_2048.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIEpQIBAAKCAQEAywGmJp/AoA4TCs6zbXuiBOkho35IeVvpsy7RqM3y3KxkEFnk 3 | /LM6U/ayL+j2vo4/15WPM0PaAGRRbvnQEuI1xvhn/0/T4xP+TBe91pTMo/nKrK/y 4 | cvBLBqLPZQK9SJbHk6mwfgpQs5S/+VHlU9jl7+eQWcR+o3NXtv4XFlQyqx1dcokA 5 | JrL4wr2vGPkigUNU2iI6FwRB4f7Wo1rBNzI49uE97IWuh+VBMPYMp+Zn2Om4ptCy 6 | jdvSI7DEYc6jyKlPzH2UOgd0RkcwivaSpxfXJEBOC8PtOxyLg/KPjUTwUh0nHSpe 7 | OIbT3HKnOErEbbiHQmlYbbcOyinv3hIlRj+PyQIDAQABAoIBAGiA09BkQpviQuk4 8 | WOOOVmxiut9YHeTjbN3Bx0o3osL4t5Y3QIrZlLgucbH6IjMcNT88jXgdgLbc7ZLM 9 | ZNGjw31G2Pp0VKY735e6TQ6OkP4Ek9HrzUpf6q9i1pKwI1Kf0+Nu4h0wIDUh6OVm 10 | xEAyksO6F/QuE+b+dHQOP0JOW7r7uxTMB/tbs1U+idcIRVrPTlO9Ixuaolmd/flz 11 | jmcwwTtwBe+mA53IywCOV6ZxO3lMKzDkSvViRam37fmSh9JJyPEa6KpPTR5ps3w8 12 | 7eG0u9nsEf1wYVA2u575iH4+uM6250bRuw3icZxTU2FPuMOtzJPnxY+A6q13bteW 13 | h0zdzbUCgYEA6ryUy+BSOIFzX4e6dB2gwmn2PUEF1rO9dOG8H0YktOGHnHFDXECy 14 | 
FYHf6njWEzwztd9ZiE8YQYjAjn829Gr4e45H6rEPAMzSpOJ/ZoLd6PG8d5L6A7AD 15 | RtMS8KzG2fAMwvd0HJ0N4SwuwhFmq6/TLHB9vstwo0myyYqH2qWIOAcCgYEA3WVC 16 | 2VnrcuMZngYpXP+gWQDhkIxI7yqUhTB+OZGxHMMjfJ72JHKOI3StnQWSqhxmFtWF 17 | x+XtnihcaWG+G7Po6TmW75oazoitqXjiixJOXGrN3jcmFj97nIh3NlhG2mskP9Ut 18 | 5iDE2w2nDRk1eI+13c7j12/bJy7kdi70gr0l5a8CgYEA03V6nYbAysJiyqYco0ml 19 | bj3CYz/WIKnefBJ2Q74Ohxu77IRj6BEn3BQZQMIGJ2HOO4KuxwppkW+99yBGwzwy 20 | CCwOQS+rkk7xWzPnDNPLUHOkEhvHOdcvvHec0k7y+5UyCdidMsGQpU4F+TFvyi4k 21 | EB5uSJhAKfjUJJa095Sy97UCgYEAlOLpPtP6w+s3qg7IuFLsWY5/Ir9EuRowgRVo 22 | fXyd2BLfBYq9SyuCrRNlQeiihiXM/eQgMJtO3gKUiwYBXA30PwvMlltTVbuS1hqG 23 | dzIbYoks4xjBU0rj7RPU38Yj9/T/jrHlSRKWcB3RTry6OdajXoQosxP1FHezikrv 24 | ghCDsN8CgYEA4JuCSuOxmP5/4MTl9oLUDHDbUBGPZICR+2Y0I76kRISQbHT+oidz 25 | /ceQpOP20fBQquVhMrHmKthyN13TvBSn5SaNIa5SVIIGhVZJQPU1/Udfox1gx7iF 26 | TcFx7dbMIh7byuVRy8iIyaVYr9ZtSX+6mYWFUXVrzF9LTGyDVta6YQA= 27 | -----END RSA PRIVATE KEY----- 28 | -------------------------------------------------------------------------------- /docker_test/key_3072.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIG4gIBAAKCAYEAxA1ToQ2HLVYDmKSjPSlCposbUMYA30BlRXMzdJe1OVBg/qwE 3 | rhURlFAvGF9ljgXFnMZ6oTK164sJXscjNXS/AbqWO9rBeMbUxD85/PRo4emmBVio 4 | e5A/A4xbAvPt1snwgjbtZNTsxZoheUox216/NTJ24c3SGEBOlASBHtT6VBJPamx1 5 | aALlSlS4jqtLAlkxz6M/XUPeRER6DKYXUi37w0XCZRRk1U2ueM2nfkz47a/GxoeA 6 | WmvWPVW1Bu+VbJb9Hsh/2otyhHZAVX9/fsKZwHf9qcSrutLk5M0ix9NUFnq8qZVu 7 | ZLTZa7/rCw6YnmlOv1mAZJ8sNJtt1wyhMGLebkfVHKERCqk37LRpSzloTu95+uPu 8 | /q+391XMKTOmMHqwhvZBpAoOvN7bs4o8N1JF8hPu+MBGsZUs8P+e9WTJU29zvORW 9 | d7Z/8K1zakihJD9FXcC38OGO88h/7JVxYcMyVUZW3zZKxITlJWl8J18OqQpT66K4 10 | ceLOW1SjRIeHGX9TAgMBAAECggF/D1D7N5nW9bPClCpIln6itmAnwie16bseLk7R 11 | tkoj3lZpPXwy4WbD+NJK25yYUoAg8B6RdgaAL+as1Lq6BXMZeQkas5Jjiwv9k1dd 12 | MGXny751OfWzM/QQ+DX+5jwoWJ9uKr4fzcDUvptMAi3Jt1mvlnha0UlDIKHlgarY 13 | a5A3/llv2uCeS4HuZ+A2iu7W7VgKjC40xRSISM0Qu+w95i2xfY/1n+/38LIg708h 14 | 
xrw8tlUFMn1jiazjD+eiPOh6xAEHojAGu1actfW+jg8NySpTGWAUPfTxXV9J6r/c 15 | BdCldXP5lQHfWKBIAKUK9MZyrFFQnZZMdPDXyyKsfbO04gVW5BsEK9Br5dnGbFGu 16 | e+Ve4jOCAC9//wLqgLDL2t3CCnnPU1bGFnqLqzwtEKrEP3XeK1CFLYCwOZ2tUH9h 17 | IbQRZKbEMlsXR4XvplmwjNqRb/uHSIVmPJ1DVXbFZy/2j7i59+Kl+JqINHEPvGc1 18 | tfLOFvOHYRWRONkylj3O+qH6lyECgcEA+CErcMNYkM7Y2uRRB2UhQQ96NDoflQmg 19 | uObO0XTnhMbRFrRRrgEr0POOo4oCqDSVQk/vJjmB1ugo/IKxGphnAOmi1xDpSXqo 20 | UWnUR34nrqL76ZdV1R3FZX0b4iO9X1R/P9sNl4S0+XCDyAMlcaXroPoUIo9mzxbX 21 | vIAk6lMiJijfzLt7RssVCfgCfHZ9srBMG5oaEfTbFImc9fwjNoJdLTDopEQzA1X5 22 | AjVa8VhIGyE+uoLkPsy9jBNF9asEEdc/AoHBAMpFSKUdTIXuYOOGltr1qFAMofUU 23 | +ztagHg1/UdV3EOhkYZOfpa4clu++x0MNp+bRySxEK6IOpEtSaKHaJlHnvR4+4e7 24 | xQp/jBoWCrxWtqXHe3ufyglsq/1ID7HIEGfBs9IAVPx9PkY9IOC8cXX3q9uRB7xM 25 | MCtl/H8QMf01f4p3vEgx+XXb2+MKsjOqOVDpAqfqrcUmTiK9ixC7BJWwWSBAvN4e 26 | 2jS4UEOoBiczX6qhKo+tUEddfnAJGnxp2cZG7QKBwHwU8klIltCLb+w+grrE+tUz 27 | LTRS4JpCH0p3uXMLF//RAJxu/e2bDlNGiM0FZgDBkuZ/XKNr3J8gp+ZmYLRhBBlz 28 | vIf6H/8rxGI6HvrFfoiZXopYsIaLhbwTzU7P+pJiiePf4jMkHPAkMPJjiGUFyQhO 29 | JqWFuq7SyH2uQ0ee3RPiGtCh7KrhQZsjl/KvunoSKW0gKetS2/+wNXrZZK6MkJXZ 30 | wGzs4enII2bUUa8hK6XNgTX54LP65MrYlIKey8E0NwKBwHBb3kfCJ8D6Mx4QpHoL 31 | Hi0hZ1ISDqDg3B5qt0BKJKn49TKrJcyptvTZ+Pogz7MHeZSbO04IZKhChPXgzCzh 32 | SR46mlbC6mizg2r2NY57iMg8MI7yqzNjB4MR5Y33OY25Xx9Xid4b4Fz6FephI5HJ 33 | O9EjFi32EIf7BjC7GVmzvx529sMP56gdsl7DkUv70gzs8sm+Jjsu1RadPcPUb26L 34 | YGb3LzMf5kyE2ilLC+f4tLq+/jqDpuWNvO+VTv4veoaW3QKBwQDQlmXDJ+4SdYnD 35 | QkHis9G5AnyXkUHhBFTWLyhsJMrt3CZyVp8L7xXgEJTsSVoyvURimeBmua4LEqci 36 | 5PPo1fOfyEqUIrHIJVR26ATeMsxC3icV6kna7cD0K1BILtAGTJeO7sWceFhl2QJb 37 | E4wio0Vljyt+foytCL/KV3bIj/OYGk8bUp1OMzEIXot4kx3l2SOf+cYE5UDca9Ey 38 | Z/6IvSvAP/JSqo2pk4azaqxSuZIMQnZB2YlFxllCZ6ce/Z6YcSs= 39 | -----END RSA PRIVATE KEY----- 40 | -------------------------------------------------------------------------------- /docker_test/key_512.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 
| MIIBPQIBAAJBAMvdzx+XSLVGpLLVy0NIBZVs6k7Lxviu5Cym+5n0zbwsYKtiralI 3 | vc0HPekJik1o/QLgqcO83837wOS8hPU0k9UCAwEAAQJBAJP8Vj7TXZchSar7oMod 4 | PNhkMI20RKH+qmlzaU4vsyx1Kqcv2uTkAPMugNZZtRP7bOYU9inbH8LUIrHJIpZP 5 | /H0CIQDliBIQF6c7uaVbjCZ4iki9wnGZ5JA8hFZDoREgJCsHxwIhAONgFmVUzsUw 6 | Z/hjjodDMMX9KgZ0pYHSfbKoNRuJzZ+DAiEAp9ooC2igvUZ3rEkDYScPJuXpGXdS 7 | G09TnkVNNsn8RcUCIQCQ2ERMFwOFgHmrNRi1uCrY5Zag+Cv7ELE8X4U9XsLbqwIh 8 | ALM7UlYJ1ZKAFlK2cnqUCiLoD7Ah9eVfg+rOTUVMOa3v 9 | -----END RSA PRIVATE KEY----- 10 | -------------------------------------------------------------------------------- /docker_test/key_ecdsa_prime256v1.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN EC PRIVATE KEY----- 2 | MHcCAQEEIP5zy1nQDeAkFKDZ1F/ur26G7SBeu1HbCgbNLwFVUzrroAoGCCqGSM49 3 | AwEHoUQDQgAEQkb8ffhxrztFHu3PiZ4MarPyxX6dJKXb5UEkVbczdbzkLzhOXHlY 4 | blnXr4a2mwrSEFPzjCORSjQqk99jv90IVg== 5 | -----END EC PRIVATE KEY----- 6 | -------------------------------------------------------------------------------- /docker_test/key_notes.txt: -------------------------------------------------------------------------------- 1 | There is one Certificate Authority in this directory: ca_cert.pem / ca_key.pem. 2 | 3 | This CA directly signed these certificates (with their corresponding keys): 4 | * cert_512.crt / key_512.pem 5 | * cert_1024.crt / key_3072.pem 6 | * cert_2048.crt / key_2048.pem 7 | * cert_3072.crt / key_3072.pem 8 | 9 | The 512, 1024, 2048, and 3072 refer to the RSA key size. 10 | 11 | --- 12 | 13 | To generate new keys, and sign them by the CA: 14 | 15 | 1.) Generate the key. 16 | 17 | * For RSA keys: openssl genrsa -out key.pem 1024 18 | * For ECDSA keys: openssl ecparam -name prime256v1 -genkey -noout -out key.pem 19 | 20 | 2.) Make CSR: openssl req -new -key key.pem -out new.csr 21 | 22 | 3.) 
Sign with CA: openssl x509 -req -days 3653 -in new.csr -CA path/to/ca_cert.pem -CAkey path/to/ca_key.pem -CAcreateserial -out new.crt [-md5|-sha1|-sha256] 23 | -------------------------------------------------------------------------------- /docker_test/nginx_site_client_cert_required: -------------------------------------------------------------------------------- 1 | server { 2 | listen 443 ssl default_server; 3 | listen [::]:443 ssl default_server; 4 | gzip off; 5 | root /var/www/html; 6 | index index.html index.nginx-debian.html; 7 | server_name _; 8 | location / { 9 | try_files $uri $uri/ =404; 10 | } 11 | # Only TLSv1.2 with one cipher is specified, so the test that runs against this 12 | # finishes quicker (all that's needed is the HTTP response of one successful 13 | # TLS connection). 14 | ssl_protocols TLSv1.2; 15 | ssl_ciphers ECDHE-RSA-CHACHA20-POLY1305; 16 | ssl_prefer_server_ciphers on; 17 | ssl_certificate /etc/ssl/cert_3072.crt; 18 | ssl_certificate_key /etc/ssl/key_3072.pem; 19 | ssl_client_certificate /etc/ssl/ca_cert.pem; 20 | ssl_verify_client on; 21 | } 22 | -------------------------------------------------------------------------------- /docker_test/nginx_test9.conf: -------------------------------------------------------------------------------- 1 | user www-data; 2 | worker_processes auto; 3 | pid /run/nginx.pid; 4 | daemon off; 5 | 6 | events { 7 | worker_connections 768; 8 | } 9 | 10 | http { 11 | sendfile on; 12 | tcp_nopush on; 13 | tcp_nodelay on; 14 | keepalive_timeout 65; 15 | types_hash_max_size 2048; 16 | include /etc/nginx/mime.types; 17 | default_type application/octet-stream; 18 | access_log /var/log/nginx/access.log; 19 | error_log /var/log/nginx/error.log; 20 | include /etc/nginx/sites-available/nginx_site_client_cert_required; 21 | } 22 | -------------------------------------------------------------------------------- /sslscan.1: -------------------------------------------------------------------------------- 1 | .TH SSLSCAN 1 
"March 19, 2020" 2 | .SH NAME 3 | sslscan \- Fast SSL/TLS scanner 4 | .SH SYNOPSIS 5 | .B sslscan 6 | .RI [ options ] " [host:port | host]" 7 | .SH DESCRIPTION 8 | .PP 9 | \fBsslscan\fP queries SSL/TLS services (such as HTTPS) and reports the protocol versions, cipher suites, key exchanges, signature algorithms, and certificates in use. This helps the user understand which parameters are weak from a security standpoint. \fBsslscan\fP can also output results into an XML file for easy consumption by external programs. 10 | 11 | Terminal output is colour-coded as follows: 12 | 13 | .B Red Background 14 | NULL ciphers (no encryption) or anonymous ciphers (no verification of peer) 15 | .br 16 | .B Red 17 | Ciphers and algorithms with demonstrated vulnerabilities, or that are generally considered to be untrusted. 18 | .br 19 | .B Yellow 20 | Ciphers and algorithms with known weaknesses, or that are still too new to be widely trusted, but that are not generally considered exploitable (even by the standards of TLS vulnerabilities). 21 | .br 22 | .B Green 23 | Ciphers and algorithms that are aligned with current recommended best practices. 24 | .br 25 | .br 26 | .SH OPTIONS 27 | .TP 28 | .B \-\-help 29 | .br 30 | Show summary of options 31 | .TP 32 | .B \-\-targets= 33 | A file containing a list of hosts to 34 | check. Hosts can be supplied with 35 | ports (e.g. host:port). One target per line 36 | .TP 37 | .B \-\-sni\-name= 38 | Use a different hostname for SNI 39 | .br 40 | .TP 41 | .B \-\-ipv4, \-4 42 | .br 43 | Force IPv4 DNS resolution. 44 | Default is to try IPv4, and if that fails then fall back to IPv6. 45 | .TP 46 | .B \-\-ipv6, \-6 47 | .br 48 | Force IPv6 DNS resolution. 49 | Default is to try IPv4, and if that fails then fall back to IPv6. 50 | .TP 51 | .B \-\-show\-certificate 52 | Display certificate information. 53 | .TP 54 | .B \-\-show\-certificates 55 | Display the full certificate chain. 
56 | .TP 57 | .B \-\-no\-check\-certificate 59 | Don't flag certificates signed with weak algorithms (MD5 and SHA-1) or short (<2048 bit) RSA keys 60 | .TP 61 | .B \-\-show\-client\-cas 62 | Show a list of CAs that the server allows for client authentication. Will be blank for IIS/Schannel servers. 63 | .TP 64 | .B \-\-show\-ciphers 65 | Show a complete list of ciphers supported by sslscan 66 | .TP 67 | .B \-\-show\-cipher\-ids 68 | Print the hexadecimal cipher IDs 69 | .TP 70 | .B \-\-iana\-names 71 | Use IANA/RFC cipher names rather than OpenSSL ones 72 | .TP 73 | .B \-\-show\-times 74 | Show the time taken for each handshake in milliseconds. Note that only a single request is made with each cipher, and that the size of the ClientHello is not constant, so this should not be used for proper benchmarking or performance testing. 75 | 76 | You might also want to use \-\-no\-cipher\-details to make the output a bit clearer. 77 | .TP 78 | .B \-\-ssl2 79 | .br 80 | Only check if SSLv2 is enabled 81 | .TP 82 | .B \-\-ssl3 83 | .br 84 | Only check if SSLv3 is enabled 85 | .TP 86 | .B \-\-tls10 87 | .br 88 | Only check TLS 1.0 ciphers 89 | .TP 90 | .B \-\-tls11 91 | .br 92 | Only check TLS 1.1 ciphers 93 | .TP 94 | .B \-\-tls12 95 | .br 96 | Only check TLS 1.2 ciphers 97 | .TP 98 | .B \-\-tls13 99 | .br 100 | Only check TLS 1.3 ciphers 101 | .TP 102 | .B \-\-tlsall 103 | .br 104 | Only check TLS ciphers (versions 1.0, 1.1, 1.2, and 1.3) 105 | .TP 106 | .B \-\-ocsp 107 | .br 108 | Display OCSP status 109 | .TP 110 | .B \-\-pk= 111 | A file containing the private key or 112 | a PKCS#12 file containing a private 113 | key/certificate pair (as produced by 114 | MSIE and Netscape) 115 | .TP 116 | .B \-\-pkpass= 117 | The password for the private key or PKCS#12 file 118 | .TP 119 | .B \-\-certs= 120 | A file containing PEM/ASN1 formatted client certificates 121 | .TP 122 | .B \-\-no\-ciphersuites 123 | Do not scan for supported ciphersuites. 
124 | .TP 125 | .B \-\-no\-fallback 126 | Do not check for TLS Fallback Signaling Cipher Suite Value (fallback) 127 | .TP 128 | .B \-\-no\-renegotiation 129 | Do not check for secure TLS renegotiation 130 | .TP 131 | .B \-\-no\-compression 132 | Do not check for TLS compression (CRIME) 133 | .TP 134 | .B \-\-no\-heartbleed 135 | Do not check for OpenSSL Heartbleed (CVE-2014-0160) 136 | .TP 137 | .B \-\-no\-groups 138 | Do not enumerate key exchange groups 139 | .TP 140 | .B \-\-show\-sigs 141 | Enumerate signature algorithms 142 | .TP 143 | .B \-\-starttls\-ftp 144 | STARTTLS setup for FTP 145 | .TP 146 | .B \-\-starttls\-imap 147 | STARTTLS setup for IMAP 148 | .TP 149 | .B \-\-starttls\-irc 150 | STARTTLS setup for IRC 151 | .TP 152 | .B \-\-starttls\-ldap 153 | STARTTLS setup for LDAP 154 | .TP 155 | .B \-\-starttls\-pop3 156 | STARTTLS setup for POP3 157 | .TP 158 | .B \-\-starttls\-smtp 159 | STARTTLS setup for SMTP 160 | .TP 161 | .B \-\-starttls\-mysql 162 | STARTTLS setup for MySQL 163 | .TP 164 | .B \-\-starttls\-xmpp 165 | STARTTLS setup for XMPP 166 | .TP 167 | .B \-\-starttls\-psql 168 | STARTTLS setup for PostgreSQL 169 | .TP 170 | .B \-\-xmpp-server 171 | Perform a server-to-server XMPP connection. Try this if --starttls-xmpp is failing. 172 | .TP 173 | .B \-\-rdp 174 | .br 175 | Send RDP preamble before starting scan. 176 | .TP 177 | .B \-\-bugs 178 | .br 179 | Enables workarounds for SSL bugs 180 | .TP 181 | .B \-\-timeout= 182 | .br 183 | Set socket timeout. Useful for hosts that fail to respond to ciphers they don't understand. Default is 3s. 184 | .TP 185 | .B \-\-connect\-timeout= 186 | .br 187 | Set initial connection timeout. Useful for hosts that are slow to respond to the initial connect(). Default is 75s. 188 | .TP 189 | .B \-\-sleep= 190 | .br 191 | Pause between connections. Useful on STARTTLS SMTP services, or anything else that's performing rate limiting. Default is disabled. 
192 | .TP 193 | .B \-\-xml= 194 | .br 195 | Output results to an XML file. - can be used to mean stdout. 196 | .br 197 | .TP 198 | .B \-\-version 199 | Show version of program 200 | .TP 201 | .B \-\-verbose 202 | Display verbose output 203 | .TP 204 | .B \-\-no\-cipher\-details 205 | .br 206 | Hide NIST EC curve name and EDH/RSA key length. 207 | .TP 208 | .B \-\-no-colour 209 | .br 210 | Disable coloured output. 211 | .SH EXAMPLES 212 | .LP 213 | Scan a local HTTPS server 214 | .RS 215 | .nf 216 | sslscan localhost 217 | sslscan 127.0.0.1 218 | sslscan 127.0.0.1:443 219 | sslscan [::1] 220 | sslscan [::1]:443 221 | .SH AUTHOR 222 | sslscan was originally written by Ian Ventura-Whiting . 223 | .br 224 | sslscan was extended by Jacob Appelbaum . 225 | .br 226 | sslscan was extended by rbsec . 227 | .br 228 | This manual page was originally written by Marvin Stark . 229 | -------------------------------------------------------------------------------- /sslscan.h: -------------------------------------------------------------------------------- 1 | /*************************************************************************** 2 | * sslscan - A SSL cipher scanning tool * 3 | * Copyright 2007-2009 by Ian Ventura-Whiting (Fizz) * 4 | * fizz@titania.co.uk * 5 | * Copyright 2010 by Michael Boman (michael@michaelboman.org) * 6 | * Copyleft 2010 by Jacob Appelbaum * 7 | * Copyleft 2013 by rbsec * 8 | * Copyleft 2014 by Julian Kornberger * 9 | * * 10 | * This program is free software; you can redistribute it and/or modify * 11 | * it under the terms of the GNU General Public License as published by * 12 | * the Free Software Foundation; either version 3 of the License, or * 13 | * (at your option) any later version. * 14 | * * 15 | * This program is distributed in the hope that it will be useful, * 16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of * 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the * 18 | * GNU General Public License for more details. * 19 | * * 20 | * You should have received a copy of the GNU General Public License * 21 | * along with this program. If not, see . * 22 | * * 23 | * In addition, as a special exception, the copyright holders give * 24 | * permission to link the code of portions of this program with the * 25 | * OpenSSL library under certain conditions as described in each * 26 | * individual source file, and distribute linked combinations * 27 | * including the two. * 28 | * You must obey the GNU General Public License in all respects * 29 | * for all of the code used other than OpenSSL. If you modify * 30 | * file(s) with this exception, you may extend this exception to your * 31 | * version of the file(s), but you are not obligated to do so. If you * 32 | * do not wish to do so, delete this exception statement from your * 33 | * version. If you delete this exception statement from all source * 34 | * files in the program, then also delete it here. * 35 | ***************************************************************************/ 36 | 37 | #ifndef HAVE_SSLSCAN_H_ 38 | #define HAVE_SSLSCAN_H_ 39 | 40 | #include "missing_ciphersuites.h" 41 | 42 | // Defines... 43 | #define false 0 44 | #define true 1 45 | 46 | #define mode_help 0 47 | #define mode_version 1 48 | #define mode_single 2 49 | #define mode_multiple 3 50 | 51 | #define BUFFERSIZE 1024 52 | 53 | // For options.sslVersion field. 54 | #define ssl_all 0 55 | #define ssl_v2 1 56 | #define ssl_v3 2 57 | #define tls_all 3 58 | #define tls_v10 4 59 | #define tls_v11 5 60 | #define tls_v12 6 61 | #define tls_v13 7 62 | 63 | // For functions that take a tls_version argument. 
#define TLSv1_0 0
#define TLSv1_1 1
#define TLSv1_2 2
#define TLSv1_3 3

/* We must maintain our own list of TLSv1.3-specific ciphersuites here, because SSL_CTX_get_ciphers() will *always* return TLSv1.2 ciphersuites, even when SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version() are used. This is confirmed by an OpenSSL developer here: https://github.com/openssl/openssl/issues/7196#issuecomment-420575202 */
#define TLSV13_CIPHERSUITES "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_128_CCM_8_SHA256"

/* Cipherlist for TLSv1.2 and below that corresponds to all available ciphersuites. */
#define CIPHERSUITE_LIST_ALL "ALL:COMPLEMENTOFALL"

// Macros for various outputs
//
// NOTE(review): every output macro below expands to a bare `if` statement with
// no braces and no do { } while (0) wrapper. At a call site such as
// `if (cond) printf_verbose(...); else ...` the `else` binds to the macro's
// own `if`, not the caller's. printf_error is worse: it expands to TWO
// statements, so `if (cond) printf_error(...);` guards only the stderr
// fprintf and the printf_xml line runs unconditionally. Always brace the
// enclosing statement at call sites.
//
// printf() shadows the stdio function for every file that includes this
// header; it writes nothing when xml_to_stdout is set (presumably the
// `--xml=-` case, so that diagnostics do not corrupt the XML stream -- the
// flag itself is defined elsewhere). printf_xml and printf_verbose require a
// local named `options` (struct sslCheckOptions *) to be in scope.
#define printf(format, ...) if (!xml_to_stdout) fprintf(stdout, format, ##__VA_ARGS__)
#define printf_xml(format, ...) if (options->xmlOutput) fprintf(options->xmlOutput, format, ##__VA_ARGS__)
#define printf_verbose(format, ...) if (options->verbose) printf(format, ##__VA_ARGS__)

// Writes a coloured "ERROR: ..." line to stderr (unless XML goes to stdout),
// then the message to the XML output if one is open.
// NOTE(review): the XML format string in the second statement appears
// truncated in this rendering of the file; confirm against the checked-in
// source before relying on it.
#define printf_error(format, ...) \
if (!xml_to_stdout) fprintf(stderr, "%sERROR: " format "%s\n", COL_RED, ##__VA_ARGS__, RESET); \
printf_xml(" \n", ##__VA_ARGS__)

/* Calls close() on a file descriptor, then sets it to -1 to prevent accidental re-use.
 * A descriptor that is already -1 is skipped. This is a brace block, not a
 * do/while, so `if (x) CLOSE(fd); else ...` does not compile. */
#define CLOSE(fd) { if ((fd) != -1) { close((fd)); (fd) = -1; } }

/* Calls free() on a pointer, then explicitly sets it to NULL to avoid use-after-free.
 * free(NULL) is a no-op, so no NULL check is needed. Same brace-block caveat as CLOSE. */
#define FREE(ptr) { free((ptr)); (ptr) = NULL; }

/* Frees an SSL pointer, and explicitly sets it to NULL to avoid use-after-free.
 * NULL is skipped explicitly here (unlike FREE) because SSL_free() is called. */
#define FREE_SSL(ssl) { if ((ssl) != NULL) { SSL_free((ssl)); (ssl) = NULL; } }

/* Frees a SSL_CTX pointer, and explicitly sets it to NULL to avoid use-after-free. 
*/
#define FREE_CTX(ctx) { if ((ctx) != NULL) { SSL_CTX_free((ctx)); (ctx) = NULL; } }

// Colour Console Output...
// Always better to do "const char RESET[] = " because it saves relocation records.
// Default colours were hard to read on Windows, so use lighter ones
//
// NOTE(review): these are definitions (not `extern` declarations) placed in a
// header, so this header can be included from exactly one translation unit
// without duplicate-symbol link errors. They are mutable `char *`, which
// suggests they are reassigned at runtime (e.g. for --no-colour); that code is
// not visible here, so confirm in sslscan.c. The escape sequences inside the
// literals are not visible in this rendering of the file.
#ifdef _WIN32
char *RESET = ""; // DEFAULT
char *COL_RED = "";
char *COL_YELLOW = "";
char *COL_BLUE = "";
char *COL_GREEN = "";
char *COL_PURPLE = "";
char *COL_GREY = "";
char *COL_RED_BG = "";
#else
char *RESET = ""; // DEFAULT
char *COL_RED = "";
char *COL_YELLOW = "";
char *COL_BLUE = "";
char *COL_GREEN = "";
char *COL_PURPLE = "";
char *COL_GREY = "";
char *COL_RED_BG = "";
#endif

// SLEEPMS(ms): sleep for `ms` milliseconds. Windows uses Sleep(); elsewhere a
// select() with no descriptors and only a timeout is used.
// NOTE(review): the Windows branch carries a trailing ';' and the POSIX branch
// does not, so `SLEEPMS(10)` written without a semicolon compiles on one and
// not the other. The POSIX branch stores ms*1000 directly into tv_usec; for
// ms >= 1000 that exceeds the 0..999999 range POSIX gives tv_usec, and some
// select() implementations reject such a timeval with EINVAL (i.e. no sleep
// at all) -- confirm what range --sleep= may pass. `ms` is also used
// unparenthesised, so pass a plain value rather than an expression.
#ifdef _WIN32
#define SLEEPMS(ms) Sleep(ms);
#else
#define SLEEPMS(ms) do { \
    struct timeval wait = { 0, ms*1000 }; \
    select(0, NULL, NULL, NULL, &wait); \
} while(0)
#endif

// ASCII-art banner (the whitespace shown here may not match the source).
const char *program_banner = " _\n"
" ___ ___| |___ ___ __ _ _ __\n"
" / __/ __| / __|/ __/ _` | '_ \\\n"
" \\__ \\__ \\ \\__ \\ (_| (_| | | | |\n"
" |___/___/_|___/\\___\\__,_|_| |_|\n\n";

// One node of a singly-linked list of ciphers (see `next`).
struct sslCipher
{
    // Cipher Properties...
    const char *name;
    const char *version;
    int bits;
    char description[512];      // fixed-size; whoever fills it must bound the write
    const SSL_METHOD *sslMethod;
    struct sslCipher *next;     // next cipher in the list, NULL at the end (presumably)
};

// All per-run settings and connection state, passed to nearly every function
// declared below as `struct sslCheckOptions *`.
struct sslCheckOptions
{
    // Program Options...
148 | char host[512]; 149 | char sniname[512]; 150 | int sni_set; 151 | char addrstr[INET6_ADDRSTRLEN]; 152 | int port; 153 | int showCertificate; 154 | int showCertificates; 155 | int checkCertificate; 156 | int showTrustedCAs; 157 | int showClientCiphers; 158 | int showCipherIds; 159 | int showTimes; 160 | int ciphersuites; 161 | int reneg; 162 | int fallback; 163 | int compression; 164 | int heartbleed; 165 | int groups; 166 | int signature_algorithms; 167 | int starttls_ftp; 168 | int starttls_imap; 169 | int starttls_irc; 170 | int starttls_ldap; 171 | int starttls_pop3; 172 | int starttls_smtp; 173 | int starttls_mysql; 174 | int starttls_xmpp; 175 | int starttls_psql; 176 | int xmpp_server; 177 | int sslVersion; 178 | int targets; 179 | int sslbugs; 180 | int rdp; 181 | int verbose; 182 | int cipher_details; 183 | int ipv4; 184 | int ipv6; 185 | int ocspStatus; 186 | int ianaNames; 187 | char cipherstring[65536]; 188 | 189 | // File Handles... 190 | FILE *xmlOutput; 191 | 192 | // TCP Connection Variables... 193 | short h_addrtype; 194 | struct sockaddr_in serverAddress; 195 | struct sockaddr_in6 serverAddress6; 196 | struct timeval timeout; 197 | int connect_timeout; 198 | unsigned int sleep; 199 | 200 | // SSL Variables... 201 | SSL_CTX *ctx; 202 | struct sslCipher *ciphers; 203 | char *clientCertsFile; 204 | char *privateKeyFile; 205 | char *privateKeyPassword; 206 | 207 | // TLS versions supported by the server. 208 | unsigned int tls10_supported; 209 | unsigned int tls11_supported; 210 | unsigned int tls12_supported; 211 | unsigned int tls13_supported; 212 | }; 213 | 214 | // store renegotiation test data 215 | struct renegotiationOutput 216 | { 217 | int supported; 218 | int secure; 219 | }; 220 | 221 | /* For OCSP processing. Taken from crypto/ocsp/ocsp_local.h in OpenSSL, which does not seem to be normally exposed externally. 
*/
/* NOTE(review): the OCSP structs below mirror OpenSSL-private layouts (copied
 * from crypto/ocsp/ocsp_local.h, per the comment above). Nothing here checks
 * them against the libcrypto actually linked at runtime: if that library lays
 * these types out differently (a field added, reordered, or resized), every
 * access through these definitions reads the wrong memory, silently. Re-verify
 * the copy whenever the minimum OpenSSL version changes, and prefer the public
 * accessors (OCSP_resp_get0(), OCSP_single_get0_status(), ...) wherever they
 * expose the field needed. */
struct ocsp_response_st {
    ASN1_ENUMERATED *responseStatus;
    OCSP_RESPBYTES *responseBytes;
};

struct ocsp_resp_bytes_st {
    ASN1_OBJECT *responseType;
    ASN1_OCTET_STRING *response;
};

struct ocsp_responder_id_st {
    int type;
    union {
        X509_NAME *byName;
        ASN1_OCTET_STRING *byKey;
    } value;
};
typedef struct ocsp_responder_id_st OCSP_RESPID;

struct ocsp_response_data_st {
    ASN1_INTEGER *version;
    OCSP_RESPID responderId;
    ASN1_GENERALIZEDTIME *producedAt;
    STACK_OF(OCSP_SINGLERESP) *responses;
    STACK_OF(X509_EXTENSION) *responseExtensions;
};
typedef struct ocsp_response_data_st OCSP_RESPDATA;

struct ocsp_basic_response_st {
    OCSP_RESPDATA tbsResponseData;
    X509_ALGOR signatureAlgorithm;
    ASN1_BIT_STRING *signature;
    STACK_OF(X509) *certs;
};

struct ocsp_single_response_st {
    OCSP_CERTID *certId;
    OCSP_CERTSTATUS *certStatus;
    ASN1_GENERALIZEDTIME *thisUpdate;
    ASN1_GENERALIZEDTIME *nextUpdate;
    STACK_OF(X509_EXTENSION) *singleExtensions;
};

struct ocsp_cert_status_st {
    int type;
    union {
        ASN1_NULL *good;
        OCSP_REVOKEDINFO *revoked;
        ASN1_NULL *unknown;
    } value;
};

struct ocsp_revoked_info_st {
    ASN1_GENERALIZEDTIME *revocationTime;
    ASN1_ENUMERATED *revocationReason;
};

struct ocsp_cert_id_st {
    X509_ALGOR hashAlgorithm;
    ASN1_OCTET_STRING issuerNameHash;
    ASN1_OCTET_STRING issuerKeyHash;
    ASN1_INTEGER serialNumber;
};

/* Growable byte buffer used to build and parse raw TLS records (see the bs_*
 * functions declared below). The invariant len <= size is the owner's to keep.
 * NOTE(review): the tag `_bs` starts with an underscore, which C reserves for
 * the implementation at file scope; harmless in practice, but worth renaming. */
#define BS_DEFAULT_NEW_SIZE 256 /* The starting size of the buffer when bs_new() is used. */
struct _bs {
    unsigned char *buf;
    size_t size; /* The size of the allocated buffer. */
    size_t len; /* The number of bytes currently in the buffer. 
*/ 291 | }; 292 | typedef struct _bs bs; /* Stands for 'byte string'. */ 293 | 294 | /* We redefine these so that we can run correctly even if the vendor gives us 295 | * a version of OpenSSL that does not match its header files. (Apple: I am 296 | * looking at you.) 297 | */ 298 | #ifndef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 299 | # define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L 300 | #endif 301 | #ifndef SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 302 | # define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x0010 303 | #endif 304 | 305 | // Utilities 306 | void bs_new(bs **); 307 | void bs_new_size(bs **, size_t); 308 | void bs_free(bs **); 309 | void bs_append_bytes(bs *, unsigned char *, size_t); 310 | void bs_append_uint32_t(bs *, uint32_t); 311 | void bs_append_ushort(bs *, unsigned short); 312 | void bs_append_bs(bs *, bs *); 313 | size_t bs_get_len(bs *); 314 | size_t bs_get_size(bs *); 315 | unsigned char *bs_get_bytes(bs *); 316 | unsigned char bs_get_byte(bs *, size_t); 317 | void bs_set_byte(bs *, size_t, unsigned char); 318 | void bs_set_ushort(bs *b, size_t offset, unsigned short length); 319 | int bs_read_socket(bs *b, int s, size_t num_bytes); 320 | unsigned int checkIfTLSVersionIsSupported(struct sslCheckOptions *options, unsigned int tls_version); 321 | unsigned int checkIfTLSVersionIsSupported_Backup(struct sslCheckOptions *options, unsigned int tls_version); 322 | SSL_CTX *CTX_new(const SSL_METHOD *method); 323 | int fileExists(char *); 324 | void findMissingCiphers(); 325 | char *getPrintableTLSName(unsigned int tls_version); 326 | bs *getServerHello(int s); 327 | bs *makeCiphersuiteListAll(unsigned int tls_version); 328 | bs *makeCiphersuiteListTLS13All(); 329 | bs *makeCiphersuiteListMissing(unsigned int tls_version); 330 | bs *makeClientHello(struct sslCheckOptions *options, unsigned int version, bs *ciphersuite_list, bs *tls_extensions); 331 | bs *makeTLSExtensions(struct sslCheckOptions *options, unsigned int 
include_signature_algorithms); 332 | void markFoundCiphersuite(unsigned short server_cipher_id, unsigned int tls_version); 333 | int ocsp_certid_print(BIO *bp, OCSP_CERTID *a, int indent); 334 | static int ocsp_resp_cb(SSL *s, void *arg); 335 | void readLine(FILE *, char *, int); 336 | int readOrLogAndClose(int, void *, size_t, const struct sslCheckOptions *); 337 | char *resolveCipherID(unsigned short cipher_id, int *cipher_bits); 338 | static int password_callback(char *, int, int, void *); 339 | const char *printableSslMethod(const SSL_METHOD *); 340 | ssize_t sendString(int, const char[]); 341 | int ssl_print_tmp_key(struct sslCheckOptions *, SSL *s); 342 | void tlsExtensionAddDefaultKeyShare(bs *tls_extensions); 343 | void tlsExtensionAddSupportedGroups(unsigned int tls_version, bs *tls_extensions); 344 | void tlsExtensionAddTLSv1_3(bs *tls_extensions); 345 | void tlsExtensionUpdateLength(bs *tls_extensions); 346 | int tcpConnect(struct sslCheckOptions *); 347 | 348 | // Tests 349 | void tls_reneg_init(struct sslCheckOptions *); 350 | int outputRenegotiation(struct sslCheckOptions *, struct renegotiationOutput *); 351 | struct renegotiationOutput *newRenegotiationOutput(void); 352 | int freeRenegotiationOutput(struct renegotiationOutput *); 353 | 354 | int testCompression(struct sslCheckOptions *, const SSL_METHOD *); 355 | int testRenegotiation(struct sslCheckOptions *, const SSL_METHOD *); 356 | #ifdef SSL_MODE_SEND_FALLBACK_SCSV 357 | int testfallback(struct sslCheckOptions *, const SSL_METHOD *); 358 | #endif 359 | int testHeartbleed(struct sslCheckOptions *, const SSL_METHOD *); 360 | int testSupportedGroups(struct sslCheckOptions *options); 361 | int testSignatureAlgorithms(struct sslCheckOptions *options); 362 | int testCipher(struct sslCheckOptions *, const SSL_METHOD *); 363 | int testMissingCiphers(struct sslCheckOptions *options, unsigned int version); 364 | int testProtocolCiphers(struct sslCheckOptions *, const SSL_METHOD *); 365 | int 
testConnection(struct sslCheckOptions *); 366 | int testHost(struct sslCheckOptions *); 367 | int loadCerts(struct sslCheckOptions *); 368 | int checkCertificateProtocols(struct sslCheckOptions *, const SSL_METHOD *); 369 | int checkCertificate(struct sslCheckOptions *, const SSL_METHOD *); 370 | int showCertificate(struct sslCheckOptions *); 371 | 372 | int runSSLv2Test(struct sslCheckOptions *options); 373 | int runSSLv3Test(struct sslCheckOptions *options); 374 | #endif 375 | 376 | /* vim :set ts=4 sw=4 sts=4 et : */ 377 | -------------------------------------------------------------------------------- /tools/iana_tls_ciphersuite_parser.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | 3 | # 4 | # Copyright (C) 2019 Joe Testa 5 | # 6 | # This tool will parse the list of TLS ciphersuites from IANA 7 | # (https://www.iana.org/assignments/tls-parameters/tls-parameters.xml) into a C-struct 8 | # for use in missing_ciphersuites.h. 9 | # 10 | 11 | import csv, sys 12 | from datetime import date 13 | 14 | 15 | # We must be given a path to a CSV file with the ciphersuites. It can be obtained from 16 | # . 17 | if len(sys.argv) != 2: 18 | print("\nUsage: %s tls_ciphers.csv\n\nHint: copy the TLS table in CSV format from .\n" % sys.argv[0]) 19 | exit() 20 | 21 | csv_file = sys.argv[1] 22 | 23 | print("/* Auto-generated by %s on %s. */" % (sys.argv[0], date.today().strftime("%B %d, %Y"))) 24 | print("struct missing_ciphersuite missing_ciphersuites[] = {") 25 | with open(csv_file, 'r') as f: 26 | reader = csv.reader(f) 27 | for row in reader: 28 | id = row[0] 29 | cipher_name = row[1] 30 | 31 | # Skip the header. 32 | if '0x' not in id: 33 | continue 34 | 35 | # Skip reserved or unassigned ranges. Also skip SCSV ciphers. 
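        if ('Reserved' in cipher_name) or ('Unassigned' in cipher_name) or ('TLS_FALLBACK_SCSV' in cipher_name) or ('TLS_EMPTY_RENEGOTIATION_INFO_SCSV' in cipher_name):
            continue

        # Convert '0xC0,0x87' to '0xC087'
        parsed_id = id[0:4] + id[7:9]
        if len(parsed_id) != 6:
            # Report on stderr so the message cannot land inside the generated C
            # header on stdout, then exit non-zero. (The previous `exit -1` was
            # the expression `exit - 1`, which raised TypeError instead of
            # exiting cleanly.)
            print("Error: parsed ID is not length 6: %s" % parsed_id, file=sys.stderr)
            sys.exit(1)

        # Make an educated guess of the cipher's bit strength based on its name.
        # First match wins, so the more specific names must precede the generic
        # ones they contain ('3DES' and 'DES40' before '_DES_'). -1 means
        # "unknown" and is emitted as-is into the C table.
        bits = -1
        for needle, strength in (
            ('AES_128', 128),
            ('AES_256', 256),
            ('CHACHA20', 256),
            ('CAMELLIA_128', 128),
            ('CAMELLIA_256', 256),
            ('ARIA_128', 128),
            ('ARIA_256', 256),
            ('AEGIS_128', 128),
            ('AEGIS_256', 256),
            ('SEED', 128),
            ('3DES', 112),
            ('DES40', 40),
            ('_DES_', 56),
            ('RC4_128', 128),
            ('RC4_40', 40),
            ('IDEA', 128),
            ('_RC2_', 40),
            ('GOSTR341112_256', 256),
            ('_SM4_', 128),  # See http://www.gmbz.org.cn/upload/2018-04-04/1522788048733065051.pdf
        ):
            if needle in cipher_name:
                bits = strength
                break

        # One C initializer per ciphersuite: {id, name, bits, versions, found}.
        print(' {%s, "%s", %d, VALL, 0},' % (parsed_id, cipher_name, bits))

# These ciphers are reserved for private use. Kind of like the 10.0.0.0/8 IPv4
# addresses.
print("\n /* The ciphers below are reserved for private use (see RFC8446). 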
*/") 91 | for i in range(0, 256): 92 | low_byte = hex(i)[2:].upper() 93 | if len(low_byte) == 1: 94 | low_byte = '0' + low_byte 95 | 96 | parsed_id = '0xFF' + low_byte 97 | cipher_name = 'PRIVATE_CIPHER_%d' % i 98 | bits = -1 99 | print(' {%s, "%s", %d, VALL, 0},' % (parsed_id, cipher_name, bits)) 100 | 101 | print("};") 102 | -------------------------------------------------------------------------------- /tools/iana_tls_supported_groups_parser.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | 3 | # 4 | # Copyright (C) 2019 Joe Testa 5 | # 6 | # This tool will parse the list of TLS supported groups from IANA 7 | # (https://www.iana.org/assignments/tls-parameters/tls-parameters-8.csv) into a C-struct 8 | # for use in testSupportedGroups(). 9 | # 10 | 11 | import csv, sys 12 | from datetime import date 13 | 14 | 15 | # We must be given a path to a CSV file with the groups. It can be obtained from 16 | # . 17 | if len(sys.argv) != 2: 18 | print("\nUsage: %s tls_ciphers.csv\n\nHint: copy the TLS table in CSV format from .\n" % sys.argv[0]) 19 | exit(0) 20 | 21 | csv_file = sys.argv[1] 22 | 23 | print() 24 | print(" /* Auto-generated by %s on %s. */" % (sys.argv[0], date.today().strftime("%B %d, %Y"))) 25 | print('#define COL_PLAIN ""') 26 | print('#define NID_TYPE_NA 0 /* Not Applicable (i.e.: X25519/X448) */') 27 | print('#define NID_TYPE_ECDHE 1 /* For ECDHE curves (sec*, P-256/384-521) */') 28 | print('#define NID_TYPE_DHE 2 /* For ffdhe* */') 29 | print(" /* Bit strength of DHE 2048 and 3072-bit moduli is taken directly from NIST SP 800-57 pt.1, rev4., pg. 53; DHE 4096, 6144, and 8192 are estimated using that document. */") 30 | print(" struct group_key_exchange group_key_exchanges[] = {") 31 | with open(csv_file, 'r') as f: 32 | reader = csv.reader(f) 33 | for row in reader: 34 | id = row[0] 35 | group_name = row[1] 36 | reference = row[4] 37 | 38 | # Skip the header. 
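        try:
            int(id)
        except ValueError:
            continue

        id = int(id)

        # Skip reserved or unassigned IDs.
        if group_name in ('Reserved', 'Unassigned'):
            continue

        # The Reference field looks like "[RFC1234]", "[draft-blah-blah]", or "[RFC-ietf-tls-blah-02]". Skip all rows that aren't of the "[RFC1234]" variety.
        reference = reference[1:]
        rt_bracket_pos = reference.find(']')
        if rt_bracket_pos == -1:
            # Diagnostics go to stderr: stdout is the generated C fragment.
            print("Warning: can't parse reference: %s" % reference, file=sys.stderr)
        else:
            reference = reference[3:rt_bracket_pos]

        try:
            int(reference)
        except ValueError:
            continue

        # Defaults for rows matching none of the families below; such rows are
        # still emitted, with these placeholder NID and type names.
        bits = 0
        nid = "NID_x"
        nid_type = "NID_TYPE_x"
        key_exchange_len = 0
        color = "COL_PLAIN"
        if group_name.startswith('sec'):
            # secpNNNr1 / sectNNNk1: security strength is taken as half the curve
            # size. Integer division keeps `bits` an int; the %d used when the
            # row is printed truncates a float the same way, so output is unchanged.
            bits = int(group_name[4:-2]) // 2
            nid = "NID_%s" % group_name
            nid_type = "NID_TYPE_ECDHE"
            if group_name == "secp192r1":
                nid = "NID_X9_62_prime192v1"
            elif group_name == "secp256r1":
                nid = "NID_X9_62_prime256v1"
                group_name += ' (NIST P-256)'
            elif group_name == "secp256k1":
                color = "COL_GREEN" # This is the very well-tested Bitcoin curve.
            elif group_name == "secp384r1":
                group_name += ' (NIST P-384)'
            elif group_name == "secp521r1":
                group_name += ' (NIST P-521)'
        elif group_name.startswith('brainpoolP'):
            bits = int(group_name[10:-2]) // 2
            nid = "NID_%s" % group_name
            nid_type = "NID_TYPE_ECDHE"
        elif group_name in ('x25519', 'x448'):
            # No OpenSSL NID is used for these; key share length is fixed per curve.
            color = "COL_GREEN"
            nid = "-1"
            nid_type = "NID_TYPE_NA"
            if group_name == 'x25519':
                bits = 128
                key_exchange_len = 32
            elif group_name == 'x448':
                bits = 224
                key_exchange_len = 56
        elif group_name.startswith('ffdhe'):
            # Bit strength of DHE 2048 and 3072-bit moduli is taken directly from NIST SP 800-57 pt.1, rev4., pg. 53; DHE 4096, 6144, and 8192 are estimated using that document.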
99 | if group_name == 'ffdhe2048': 100 | bits = 112 101 | key_exchange_len = 256 102 | elif group_name == 'ffdhe3072': 103 | bits = 128 104 | key_exchange_len = 384 105 | elif group_name == 'ffdhe4096': 106 | bits = 150 107 | key_exchange_len = 512 108 | elif group_name == 'ffdhe6144': 109 | bits = 175 110 | key_exchange_len = 768 111 | elif group_name == 'ffdhe8192': 112 | bits = 192 113 | key_exchange_len = 1024 114 | nid = "NID_%s" % group_name 115 | nid_type = "NID_TYPE_DHE" 116 | elif group_name.startswith('arbitrary_'): # Skip these two. 117 | continue 118 | 119 | if bits < 112: 120 | color = "COL_RED" 121 | 122 | print(' {0x%04x, "%s", %d, %s, %s, %s, %d},' % (id, group_name, bits, color, nid, nid_type, key_exchange_len)) 123 | 124 | print(" };") 125 | print() 126 | exit(0) 127 | -------------------------------------------------------------------------------- /win32bit-compat.h: -------------------------------------------------------------------------------- 1 | /* The file below was copied from glibc v2.26 (resolv/inet_ntop.c). */ 2 | /* This is needed for legacy 32-bit Windows builds only. */ 3 | 4 | #include 5 | typedef unsigned char u_char; 6 | #define __set_errno(X) 7 | #define libc_hidden_def(X) 8 | #define internal_function 9 | #define NS_IN6ADDRSZ 16 10 | #define NS_INT16SZ 2 11 | 12 | /* 13 | * Copyright (c) 1996-1999 by Internet Software Consortium. 14 | * 15 | * Permission to use, copy, modify, and distribute this software for any 16 | * purpose with or without fee is hereby granted, provided that the above 17 | * copyright notice and this permission notice appear in all copies. 18 | * 19 | * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS 20 | * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES 21 | * OF MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL INTERNET SOFTWARE
 * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
 * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
 * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
 * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
 * SOFTWARE.
 */

/* NOTE(review): the header names of the #include directives below are not
 * visible in this rendering of the file; check the checked-in source. */
#include
#include
/*#include

#include
#include
#include */

#include
#include
#include

/* SPRINTF(x): sprintf with its int result converted to size_t so callers can
 * compare it against a socklen_t/size_t buffer size. A negative sprintf
 * return therefore becomes a huge size_t and is treated as "does not fit". */
#ifdef SPRINTF_CHAR
# define SPRINTF(x) strlen(sprintf/**/x)
#else
# define SPRINTF(x) ((size_t)sprintf x)
#endif

/*
 * WARNING: Don't even consider trying to compile this on a system where
 * sizeof(int) < 4. sizeof(int) > 4 is fine; all the world's not a VAX.
 */

static const char *inet_ntop4 (const u_char *src, char *dst, socklen_t size)
internal_function;
static const char *inet_ntop6 (const u_char *src, char *dst, socklen_t size)
internal_function;

/* char *
 * inet_ntop(af, src, dst, size)
 * convert a network format address to presentation format.
 * `size' is the capacity of `dst' in bytes, including room for the NUL.
 * return:
 * pointer to presentation format address (`dst'), or NULL (see errno).
 * author:
 * Paul Vixie, 1996.
 */
const char *
inet_ntop (int af, const void *src, char *dst, socklen_t size)
{
    switch (af) {
    case AF_INET:
        return (inet_ntop4(src, dst, size));
    case AF_INET6:
        return (inet_ntop6(src, dst, size));
    default:
        /* __set_errno is a no-op in this port (see the #define above). */
        __set_errno (EAFNOSUPPORT);
        return (NULL);
    }
    /* NOTREACHED */
}
libc_hidden_def (inet_ntop)

/* const char *
 * inet_ntop4(src, dst, size)
 * format an IPv4 address
 * return:
 * `dst' (as a const)
 * notes:
 * (1) uses no statics
 * (2) takes a u_char* not an in_addr as input
 * (3) tmp is sized for the longest possible result ("255.255.255.255" plus
 *     NUL); each %u receives a u_char, so at most three digits per octet and
 *     the sprintf cannot overrun tmp. dst is written only when the formatted
 *     length is < size, i.e. the string and its terminator both fit.
 * author:
 * Paul Vixie, 1996.
 */
static const char *
internal_function
inet_ntop4 (const u_char *src, char *dst, socklen_t size)
{
    static const char fmt[] = "%u.%u.%u.%u";
    char tmp[sizeof "255.255.255.255"];

    if (SPRINTF((tmp, fmt, src[0], src[1], src[2], src[3])) >= size) {
        __set_errno (ENOSPC);
        return (NULL);
    }
    return strcpy(dst, tmp);
}

/* const char *
 * inet_ntop6(src, dst, size)
 * convert IPv6 binary address into presentation (printable) format
 * Formats into a local buffer sized for the longest possible result
 * (six hex groups plus an embedded dotted quad), then copies to dst only
 * if the whole string including its NUL fits in `size'.
 * author:
 * Paul Vixie, 1996.
 */
static const char *
internal_function
inet_ntop6 (const u_char *src, char *dst, socklen_t size)
{
    /*
     * Note that int32_t and int16_t need only be "at least" large enough
     * to contain a value of the specified size. On some systems, like
     * Crays, there is no such thing as an integer variable with 16 bits.
     * Keep this in mind if you think this function should have been coded
     * to use pointer overlays. All the world's not a VAX.
     */
    char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255"], *tp;
    struct { int base, len; } best, cur;   /* runs of zero words: best so far / current */
    u_int words[NS_IN6ADDRSZ / NS_INT16SZ]; /* the address as eight 16-bit big-endian words */
    int i;

    /*
     * Preprocess:
     * Copy the input (bytewise) array into a wordwise array.
     * Find the longest run of 0x00's in src[] for :: shorthanding.
     */
    memset(words, '\0', sizeof words);
    for (i = 0; i < NS_IN6ADDRSZ; i += 2)
        words[i / 2] = (src[i] << 8) | src[i + 1];
    best.base = -1;
    cur.base = -1;
    best.len = 0;
    cur.len = 0;
    for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
        if (words[i] == 0) {
            if (cur.base == -1)
                cur.base = i, cur.len = 1;
            else
                cur.len++;
        } else {
            if (cur.base != -1) {
                if (best.base == -1 || cur.len > best.len)
                    best = cur;
                cur.base = -1;
            }
        }
    }
    if (cur.base != -1) {
        if (best.base == -1 || cur.len > best.len)
            best = cur;
    }
    /* A single zero word is never compressed to "::". */
    if (best.base != -1 && best.len < 2)
        best.base = -1;

    /*
     * Format the result.
     */
    tp = tmp;
    for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
        /* Are we inside the best run of 0x00's? */
        if (best.base != -1 && i >= best.base &&
            i < (best.base + best.len)) {
            if (i == best.base)
                *tp++ = ':';
            continue;
        }
        /* Are we following an initial run of 0x00s or any real hex? */
        if (i != 0)
            *tp++ = ':';
        /* Is this address an encapsulated IPv4? (leading six zero words, or
         * five zero words followed by 0xffff): print the last four bytes as a
         * dotted quad, bounded by the space left in tmp. */
        if (i == 6 && best.base == 0 &&
            (best.len == 6 || (best.len == 5 && words[5] == 0xffff))) {
            if (!inet_ntop4(src+12, tp, sizeof tmp - (tp - tmp)))
                return (NULL);
            tp += strlen(tp);
            break;
        }
        tp += SPRINTF((tp, "%x", words[i]));
    }
    /* Was it a trailing run of 0x00's? */
    if (best.base != -1 && (best.base + best.len) ==
        (NS_IN6ADDRSZ / NS_INT16SZ))
        *tp++ = ':';
    *tp++ = '\0';

    /*
     * Check for overflow, copy, and we're done.
     * tp - tmp counts the terminating NUL, so the copy happens only when the
     * full string plus terminator fits in dst.
     */
    if ((socklen_t)(tp - tmp) > size) {
        __set_errno (ENOSPC);
        return (NULL);
    }
    return strcpy(dst, tmp);
}