├── .dockerignore ├── .github └── workflows │ └── ci.yml ├── .gitignore ├── Changelog ├── Dockerfile ├── INSTALL ├── LICENSE ├── Makefile ├── Makefile.mingw ├── Makefile.vs ├── README.md ├── TODO ├── docker_test.sh ├── docker_test ├── Dockerfile ├── ca_cert.pem ├── ca_key.pem ├── cert_1024.crt ├── cert_2048.crt ├── cert_3072.crt ├── cert_512.crt ├── cert_ecdsa_prime256v1.crt ├── dhparams_1024.pem ├── dhparams_2048.pem ├── dhparams_3072.pem ├── dhparams_512.pem ├── expected_output │ ├── test_1.txt │ ├── test_10.txt │ ├── test_11.txt │ ├── test_12.txt │ ├── test_13.txt │ ├── test_14.txt │ ├── test_15.txt │ ├── test_16.txt │ ├── test_17.txt │ ├── test_18.txt │ ├── test_2.txt │ ├── test_3.txt │ ├── test_4.txt │ ├── test_5.txt │ ├── test_6.txt │ ├── test_7.txt │ ├── test_8.txt │ └── test_9.txt ├── key_1024.pem ├── key_2048.pem ├── key_3072.pem ├── key_512.pem ├── key_ecdsa_prime256v1.pem ├── key_notes.txt ├── nginx_site_client_cert_required └── nginx_test9.conf ├── missing_ciphersuites.h ├── sslscan.1 ├── sslscan.c ├── sslscan.h ├── tags ├── tools ├── iana_tls_ciphersuite_parser.py └── iana_tls_supported_groups_parser.py └── win32bit-compat.h /.dockerignore: -------------------------------------------------------------------------------- 1 | openssl 2 | -------------------------------------------------------------------------------- /.github/workflows/ci.yml: -------------------------------------------------------------------------------- 1 | name: ci 2 | 3 | on: push 4 | 5 | jobs: 6 | build: 7 | runs-on: ubuntu-latest 8 | strategy: 9 | fail-fast: false 10 | matrix: 11 | cc: [clang, gcc] 12 | steps: 13 | - uses: actions/checkout@v4 14 | - name: build with ${{ matrix.cc }} 15 | run: | 16 | make sslscan 17 | make static 18 | env: 19 | CC: ${{ matrix.cc }} 20 | build_mingw: 21 | runs-on: ubuntu-latest 22 | steps: 23 | - uses: actions/checkout@v4 24 | - name: install mingw-w64 25 | run: | 26 | sudo apt-get update -qq 27 | sudo apt-get install -qq mingw-w64 28 | - name: 
build with mingw-w64 29 | run: | 30 | make -f Makefile.mingw 31 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # object files 2 | *.o 3 | *.obj 4 | 5 | # compiled binary 6 | sslscan 7 | sslscan.exe 8 | 9 | # debian build of openssl 10 | openssl-*/ 11 | openssl_* 12 | libcrypto* 13 | libssl* 14 | 15 | # custom openssl build 16 | openssl/ 17 | .openssl.is.fresh 18 | .openssl_mingw.is.fresh 19 | 20 | # custom zlib build for Windows 21 | zlib_mingw/ -------------------------------------------------------------------------------- /Changelog: -------------------------------------------------------------------------------- 1 | Changelog 2 | ========= 3 | Version: 2.1.6 4 | Date : 02/12/2024 5 | Author : rbsec 6 | Changes: The following are a list of changes 7 | > Flag CCM8 ciphers as weak and manually override their displayed 8 | bit strength to match newer versions of OpenSSL 9 | See https://github.com/openssl/openssl/pull/16652 10 | 11 | Version: 2.1.5 12 | Date : 21/09/2024 13 | Author : rbsec 14 | Changes: The following are a list of changes 15 | > Various build improvements 16 | > Makefile improvements 17 | 18 | Version: 2.1.4 19 | Date : 16/06/2024 20 | Author : rbsec 21 | Changes: The following are a list of changes 22 | > Display the full cert chain --show-certificates (credit fhtino) 23 | 24 | Version: 2.1.3 25 | Date : 21/01/2024 26 | Author : rbsec 27 | Changes: The following are a list of changes 28 | > Enable quiet shutdown for scanning (credit jarnfast) 29 | > Fix Docker build on non-x64 architectures (credit jtesta) 30 | 31 | Version: 2.1.2 32 | Date : 14/11/2023 33 | Author : rbsec 34 | Changes: The following are a list of changes 35 | > Fix certificate and cipher enumeration when unsafe renegotiation is 36 | required(credit jtesta) 37 | 38 | Version: 2.1.1 39 | Date : 19/09/2023 40 | Author : rbsec 41 | Changes: The 
following are a list of changes 42 | > Work around several dodgy TLS implementations (credit jtesta) 43 | 44 | Version: 2.1.0 45 | Date : 05/09/2023 46 | Author : rbsec 47 | Changes: The following are a list of changes 48 | > Build against OpenSSL 3.0 instead of 1.1.0 (credit jtesta) 49 | > Improve CPU detection on OSX (tetlowgm) 50 | 51 | Version: 2.0.16 52 | Date : 08/04/2023 53 | Author : rbsec 54 | Changes: The following are a list of changes 55 | > Fix incorrect detection of TLSv1.3 on Server 2019 (credit jtesta) 56 | > Fix incorrect XML certificate output 57 | 58 | Version: 2.0.15 59 | Date : 03/07/2022 60 | Author : rbsec 61 | Changes: The following are a list of changes 62 | > Obtain certificate info even if we can't connect properly 63 | 64 | Version: 2.0.14 65 | Date : 23/06/2022 66 | Author : rbsec 67 | Changes: The following are a list of changes 68 | > Strip out https:// from lines in a target file 69 | 70 | Version: 2.0.13 71 | Date : 03/04/2022 72 | Author : rbsec 73 | Changes: The following are a list of changes 74 | > Fix TLSv1.3 detection against Server 2022 (credit jtesta) 75 | 76 | Version: 2.0.12 77 | Date : 23/02/2022 78 | Author : rbsec 79 | Changes: The following are a list of changes 80 | > Add XML element (credit lucacapacci) 81 | 82 | Version: 2.0.11 83 | Date : 16/12/2021 84 | Author : rbsec 85 | Changes: The following are a list of changes 86 | > Add --iana-names option to use IANA/RFC cipher names 87 | > Improve signature algorithm detection 88 | 89 | Version: 2.0.10 90 | Date : 27/04/2021 91 | Author : rbsec 92 | Changes: The following are a list of changes 93 | > Add the --connect-timeout option (credit alkalim) 94 | > Fix a typo in output 95 | 96 | Version: 2.0.9 97 | Date : 24/03/2021 98 | Author : rbsec 99 | Changes: The following are a list of changes 100 | > Warn on TLSv1.1, as it's now deprecated by RFC 8996 101 | 102 | Version: 2.0.8 103 | Date : 12/02/2021 104 | Author : rbsec 105 | Changes: The following are a list of changes 
106 | > Fix a bug with LDAP STARTTLS 107 | > Fix certificate detection on some broken servers 108 | > Fix missing SCSV Fallback in XML output 109 | 110 | Version: 2.0.7 111 | Date : 10/02/2021 112 | Author : rbsec 113 | Changes: The following are a list of changes 114 | > Don't show server signature algorithms by default 115 | > Use --show-sigs to display them 116 | 117 | Version: 2.0.6 118 | Date : 31/10/2020 119 | Author : rbsec 120 | Changes: The following are a list of changes 121 | > Flag certificates in red if CN is the same as issuer 122 | 123 | Version: 2.0.5 124 | Date : 24/10/2020 125 | Author : rbsec 126 | Changes: The following are a list of changes 127 | > Fix --targets not working properly 128 | 129 | Version: 2.0.4 130 | Date : 13/10/2020 131 | Author : rbsec 132 | Changes: The following are a list of changes 133 | > Remove the broken HTTP request scanning option (--http) 134 | 135 | Version: 2.0.3 136 | Date : 11/10/2020 137 | Author : rbsec 138 | Changes: The following are a list of changes 139 | > Fix the extraneous padding of HTTP responses in XML 140 | > Update the HTTP request to HTTP/1.1 141 | > More robust checking the HTTP response is valid 142 | > Display "No response" when no HTTP response is returned 143 | 144 | Version: 2.0.2 145 | Date : 04/10/2020 146 | Author : rbsec 147 | Changes: The following are a list of changes 148 | > Add element to XML output 149 | 150 | Version: 2.0.1 151 | Date : 20/09/2020 152 | Author : rbsec 153 | Changes: The following are a list of changes 154 | > Fix SNI name when using --targets 155 | 156 | Version: 2.0.0 157 | Date : 22/07/2020 158 | Author : rbsec 159 | Changes: The following are a list of changes 160 | > Documentation updates 161 | 162 | Version: 2.0.0-beta6 163 | Date : 02/07/2020 164 | Author : rbsec 165 | Changes: The following are a list of changes 166 | > Report servers that accept any signature algorithm in the XML 167 | 168 | Version: 2.0.0-beta5 169 | Date : 30/06/2020 170 | Author : rbsec 
171 | Changes: The following are a list of changes 172 | > Remove the "Signature Algorithm:" text and spacing from the XML. 173 | 174 | Version: 2.0.0-beta4 175 | Date : 10/06/2020 176 | Author : rbsec 177 | Changes: The following are a list of changes 178 | > Add a new "" element to the XML output. 179 | 180 | Version: 2.0.0-beta3 181 | Date : 10/06/2020 182 | Author : rbsec 183 | Changes: The following are a list of changes 184 | > Fix a few compiler warnings. 185 | > Fix a regression where the "strength" attribute was missing. 186 | 187 | Version: 2.0.0-beta2 188 | Date : 10/05/2020 189 | Author : rbsec 190 | Changes: The following are a list of changes 191 | > Fix a bug with servers that return incorrect cipher IDs. 192 | > Portability improvements. 193 | > Fix x86 windows build. 194 | 195 | Version: 2.0.0-beta1 196 | Date : 29/02/2020 197 | Author : rbsec 198 | Changes: The following are a list of changes 199 | > Print curve name and key strength for ECC certs 200 | > Various documentation updates 201 | 202 | Version: 2.0.0-alpha2 203 | Date : 29/02/2020 204 | Author : rbsec 205 | Changes: The following are a list of changes 206 | > Fix compilation on old versions of GCC. 207 | > Minor changes to protocol support output. 208 | > Strip a trailing slash from the specified target. 209 | > Various other minor bugfixes. 210 | 211 | Version: 2.0.0-alpha1 212 | Date : 22/02/2020 213 | Author : rbsec 214 | Changes: The following are a list of changes 215 | > Major rewrite of backend scanning code. 216 | > Support for additional cipher suites. 217 | > Support for TLSv1.3 218 | > Support for SSLv2 and SSLv3 protocol detection regardless of 219 | OpenSSL. 220 | > Checks for server key exchange groups. 221 | > Checks for server signature algorithms. 
222 | 223 | Version: 1.11.13 224 | Date : 24/03/2019 225 | Author : rbsec 226 | Changes: The following are a list of changes 227 | > Added strength attribute to XML to reflect colouring in stdout 228 | 229 | Version: 1.11.12 230 | Date : 18/10/2018 231 | Author : rbsec 232 | Changes: The following are a list of changes 233 | > Enable colours in Windows console output if supported 234 | > Include SCSV fallback in XML output 235 | > Various bugfixes 236 | 237 | Version: 1.11.11 238 | Date : 31/12/2017 239 | Author : rbsec 240 | Changes: The following are a list of changes 241 | > Added -4 and -6 options to force IPv4 and IPv6. 242 | > Fix build on Solaris and Windows. 243 | > Fix cross-compiling. 244 | 245 | Version: 1.11.10 246 | Date : 04/05/2017 247 | Author : rbsec 248 | Changes: The following are a list of changes 249 | > Build against Peter Mosmans' branch of OpenSSL 250 | > Support for ChaCha ciphers 251 | > NOTE: you will need to run `make clean && make static`. 252 | 253 | Version: 1.11.9 254 | Date : 09/04/2017 255 | Author : rbsec 256 | Changes: The following are a list of changes 257 | > Add support for STARTTLS on mysql (--starttls-mysql) 258 | > Display SNI information in XML output 259 | > Fix some compiler warnings 260 | > Mark SHA-1 certificates as weak 261 | > Fix build on some platforms 262 | 263 | Version: 1.11.8 264 | Date : 06/11/2016 265 | Author : rbsec 266 | Changes: The following are a list of changes 267 | > Support alternate SNI hostnames (--sni=) 268 | > Allow building with no support for TLS SCSV Fallback 269 | 270 | Version: 1.11.7 271 | Date : 13/06/2016 272 | Author : rbsec 273 | Changes: The following are a list of changes 274 | > Check for TLS Fallback SCSV 275 | > Allow xml to be output on stdout (--xml=-) 276 | 277 | Version: 1.11.6 278 | Date : 09/04/2016 279 | Author : rbsec 280 | Changes: The following are a list of changes 281 | > Re-enable support for weak (<1024) DH keys in OpenSSL 282 | 283 | Version: 1.11.5 284 | Date : 
24/03/2016 285 | Author : rbsec 286 | Changes: The following are a list of changes 287 | > Fix bug in heartbleed check (credit nuxi) 288 | > Makefile improvements and fixes for OSX and FreeBSD 289 | > Optimize OpenSSL clone 290 | > Implement --show-times to display handshake times in milliseconds 291 | 292 | Version: 1.11.4 293 | Date : 06/03/2016 294 | Author : rbsec 295 | Changes: The following are a list of changes 296 | > Fix compression detection (credit nuxi) 297 | > Added support for PostgreSQL (credit nuxi) 298 | 299 | Version: 1.11.3 300 | Date : 03/03/2016 301 | Author : rbsec 302 | Changes: The following are a list of changes 303 | > Properly fix missing SSLv2 EXPORT ciphers by patching OpenSSL 304 | 305 | Version: 1.11.2 306 | Date : 02/03/2016 307 | Author : rbsec 308 | Changes: The following are a list of changes 309 | > Makefile improvements 310 | > Update OpenSSL from Git when statically building 311 | > Use enable-ssl2 and enable-weak-ciphers when building statically 312 | 313 | Version: 1.11.1 314 | Date : 11/12/2015 315 | Author : rbsec 316 | Changes: The following are a list of changes 317 | > Show cipher IDs with --show-cipher-ids (credit maurice2k) 318 | > Warn when building against system OpenSSL rather than statically 319 | > Allow building statically on OSX (experimental) 320 | 321 | Version: 1.11.0 322 | Date : 24/09/2015 323 | Author : rbsec 324 | Changes: The following are a list of changes 325 | > Rewrote ciphersuite scanning engine to be much faster 326 | > Ciphers are now output in order of server preference 327 | > Most secure protocols are scanned first (TLSv1.2 -> SSLv2) 328 | > All protocols are tried when trying to obtain the certificate 329 | > Obsolete --failed and --no-preferred-ciphers options removed 330 | > Flag TLSv1.0 ciphers in output 331 | > Flag 56 bit ciphers as red, not yellow 332 | > Fix building on OpenBSD (credit Stuart Henderson) 333 | > Fix incorrect output when server prefers NULL ciphers 334 | 335 | Version: 
1.10.6 336 | Date : 06/08/2015 337 | Author : rbsec 338 | Changes: The following are a list of changes 339 | > Fix --sleep only working for whole seconds (credit dmke) 340 | > Fix compiling against OpenSSL 0.9.8 (credit aclemons) 341 | > Flag expired certificates (credit jacktrice) 342 | 343 | Version: 1.10.5 344 | Date : 07/07/2015 345 | Author : rbsec 346 | Changes: The following are a list of changes 347 | > Added IRC STARTTLS support (--starttls-irc, credit jkent) 348 | > Highlight weak RSA keys in output 349 | > Added option to show OCSP status (--ocsp, credit kelbyludwig) 350 | > Fix a segfault with certificate parsing 351 | 352 | Version: 1.10.4 353 | Date : 21/06/2015 354 | Author : rbsec 355 | Changes: The following are a list of changes 356 | > Display cipher details by default (hide with --no-cipher-details) 357 | > Fix scanning multiple targets if one fails (credit shellster) 358 | > Fix bug with --no-color and --failed (credit yasulib) 359 | > Minor bugfixes to output 360 | 361 | Version: 1.10.3 362 | Date : 22/05/2015 363 | Author : rbsec 364 | Changes: The following are a list of changes 365 | > Flag weak DHE keys in --cipher-details 366 | > Report DHE key bits in XML 367 | > Change ECDHE key bits to "ecdhebits" rather than "dhebits" in XML 368 | 369 | Version: 1.10.2 370 | Date : 12/05/2015 371 | Author : rbsec 372 | Changes: The following are a list of changes 373 | > Wrap TLS extensions in CDATA blocks in XML output. 
374 | > Fix incorrect TLS versions in heartbleed checks 375 | 376 | Version: 1.10.1 377 | Date : 06/04/2015 378 | Author : rbsec 379 | Changes: The following are a list of changes 380 | > Fix XML output to use "TLSv1.0" in preferred ciphers, not "TLSv1" 381 | > Added --cipher-details option to display EC curves and EDH keys 382 | Note that this feature requires OpenSSL >= 1.0.2 383 | > Update static build options to compile against OpenSSL 1.0.2 384 | 385 | Version: 1.10.0 386 | Date : 28/02/2015 387 | Author : rbsec 388 | Changes: The following are a list of changes 389 | > Experimental build support (credit jtesta). 390 | > Support XMPP server-to-server connections (--xmpp-server). 391 | 392 | Version: 1.9.11 393 | Date : 03/02/2015 394 | Author : rbsec 395 | Changes: The following are a list of changes 396 | > Makefile updates to assist packaging in Kali. 397 | > Fix missing static build number when compiling from tarball. 398 | 399 | Version: 1.9.10 400 | Date : 24/01/2015 401 | Author : rbsec 402 | Changes: The following are a list of changes 403 | > Display certificate CN, Altnames and Issuer in default output. 
404 | > Flag certificates where CN == issuer, or CN = * 405 | > Highlight GCM ciphersuites as good 406 | 407 | Version: 1.9.9 408 | Date : 22/01/2015 409 | Author : kyprizel 410 | Changes: The following are a list of changes 411 | > Added --show-client-cas option to determine trusted CAs 412 | for client authentication 413 | > Added --no-preferred option to disable any output except specified 414 | 415 | Version: 1.9.8 416 | Date : 08/12/2014 417 | Author : rbsec 418 | Changes: The following are a list of changes 419 | > Added --sleep option to pause between request 420 | > Only check for heartbleed against specified TLS version 421 | > Added --sleep option to pause between request 422 | > Fix issues compiling against OpenSSL 0.9.8 423 | > Highlight CBC ciphersuites on SSLv3 (POODLE) 424 | > Experimental build support on OSX (credit MikeSchroll) 425 | 426 | Version: 1.9.7 427 | Date : 26/10/2014 428 | Author : rbsec 429 | Changes: The following are a list of changes 430 | > Added option for static compilation with OpenSSL (credit dmke) 431 | > Added "sslmethod" attribute to Heartbleed XML output (credit dmke) 432 | > Split headers into sslscan.h (credit dmke) 433 | 434 | Version: 1.9.6 435 | Date : 10/10/2014 436 | Author : rbsec 437 | Changes: The following are a list of changes 438 | > Highlight NULL ciphers in output. 439 | > Highlight SSLv3 ciphers. 440 | > Added --rdp option to support RDP servers (credit skettler). 441 | > Added --timeout option to set socket timeout (default 3s). 442 | 443 | Version: 1.9.5 444 | Date : 13/09/2014 445 | Author : rbsec 446 | Changes: The following are a list of changes 447 | > Renamed --get-certificate option to --show-certficate. 448 | > Display certificate signing algorithm highlighting weak algorithms. 449 | > Display certificate key strength highlighting weak keys. 450 | > Bumped XML version to 1.9.5 due to minor changes. 
451 | 452 | Version: 1.9.4 453 | Date : 22/05/2014 454 | Author : rbsec 455 | Changes: The following are a list of changes 456 | > Check for SSLv2 and SSLv3 ciphers over STARTTLS. 457 | 458 | Version: 1.9.3 459 | Date : 20/05/2014 460 | Author : rbsec 461 | Changes: The following are a list of changes 462 | > Fixed broken STARTTLS SMTP check. 463 | 464 | Version: 1.9.2 465 | Date : 09/04/2014 466 | Author : rbsec 467 | Changes: The following are a list of changes 468 | > Added check for OpenSSL Heartbleed (CVE-2014-0160). 469 | 470 | Version: 1.9.1 471 | Date : 06/03/2014 472 | Author : rbsec 473 | Changes: The following are a list of changes 474 | > Added --tlsall option to only scan TLS ciphersuites. 475 | > Scan all TLS versions by default for STARTTLS services. 476 | > Added support for IPv6 addresses using square bracket notation [:1]. 477 | > Highlight anonymous (ADH and AECDH) ciphers in output. 478 | > Added option to disable colour in output (--no-colour). 479 | > Removed undocumented -p output option. 480 | > Removed old references to titania.co.uk domain. 481 | 482 | Version: 1.9 483 | Date : 30/12/2013 484 | Author : rbsec 485 | Changes: The following are a list of changes 486 | > Highlight SSLv2 ciphers 487 | > Highlight weak (n <= 40 bit) and medium (40 < n <= 56 bit) ciphers 488 | > Highlight RC4 ciphers 489 | > Highlight anonymous (ADH) ciphers 490 | > Hide certificate information by default 491 | > Hide rejected ciphers by default (display with --failed). 492 | > Added TLSv1.1 and TLSv1.2 support (merged from twwbond/sslscan). 493 | > Compiles if OpenSSL does not support SSLv2 ciphers (merged from digineo/sslscan). 494 | > Supports IPv6 hostnames (can be forced with --ipv6). 
495 | > Check for TLS compression (CRIME, disable with --no-compression) 496 | 497 | Version: 1.8.4 498 | Date : xx/xx/2010 499 | Author : Jacob Appelbaum 500 | Changes: The following are a list of changes 501 | > Add demo targets in Makefile 502 | > Refactoring of code by Adam Langley 503 | > Add SNI patch from Tim Brown 504 | > Bug fixes from craSH and Cygwin build improvements 505 | 506 | Version: 1.8.3 507 | Date : 11/08/2010 508 | Author : Jacob Appelbaum 509 | Changes: The following are a list of changes 510 | > Improve new protocol setup support for STARTTLS: 511 | POP3, IMAP, FTP, and XMPP 512 | This modeled after the support found in OpenSSL's s_client 513 | > Add verbose option to print more info 514 | > Add default ports when a STARTTLS setup flag is called without 515 | any port at all 516 | 517 | Version: 1.8.2 518 | Date : 19/06/2009 519 | Author : Ian Ventura-Whiting (Fizz) 520 | Changes: The following are a list of changes 521 | since the previous version: 522 | > Fixed output with HTML disabled 523 | > Fixed XML critical 524 | 525 | Version: 1.8.1 526 | Date : 25/05/2009 527 | Author : Ian Ventura-Whiting (Fizz) 528 | Changes: The following are a list of changes 529 | since the previous version: 530 | > Fixed some compiler warnings. 531 | 532 | Version: 1.8.0 533 | Date : 19/05/2009 534 | Author : Ian Ventura-Whiting (Fizz) 535 | Thanks : John Nichols 536 | Changes: The following are a list of changes 537 | since the previous version: 538 | > Added SSL implementation workaround 539 | option. 540 | > Added HTTP connection testing. 541 | > Fixed Certification validation XML 542 | output. 
543 | 544 | Version: 1.7.1 545 | Date : 20/04/2008 546 | Author : Ian Ventura-Whiting (Fizz) 547 | Thanks : Mark Lowe 548 | Changes: The following are a list of changes 549 | since the previous version: 550 | > Added HELO for SMTP checks 551 | > Increased read buffer size 552 | 553 | 554 | Version: 1.7 555 | Date : 18/04/2008 556 | Author : Ian Ventura-Whiting (Fizz) 557 | Changes: The following are a list of changes 558 | since the previous version: 559 | > Added STARTTLS SMTP capability 560 | > Fixed XML output format bug 561 | 562 | Version: 1.6 563 | Date : 30/12/2007 564 | Author : Ian Ventura-Whiting (Fizz) 565 | Changes: The following are a list of changes 566 | since the previous version: 567 | > Added man page. 568 | > Improved certificate checking 569 | > Added Makefile 570 | 571 | Version: 1.5 572 | Date : 25/09/2007 573 | Author : Ian Ventura-Whiting (Fizz) 574 | Changes: The following are a list of changes 575 | since the previous version: 576 | > Update to the license to make it 577 | BINARY compatible with OpenSSL. It's 578 | then easier for the packagers. 579 | 580 | Version: 1.4 581 | Date : 03/09/2007 582 | Author : Ian Ventura-Whiting (Fizz) 583 | Changes: The following are a list of changes 584 | since the previous version: 585 | > Added Server Certificate output. 586 | > Added support for client certs. 587 | > Added support for private keys 588 | and password. 589 | > Added support for PKCS#12. 590 | > Fixed xml output. 591 | 592 | Version: 1.3 593 | Date : 06/08/2007 594 | Author : Ian Ventura-Whiting (Fizz) 595 | Changes: The following are a list of changes 596 | since the previous version: 597 | > Added XML file output option. 598 | > Improved help text. 599 | > Added program URL. 600 | 601 | Version: 1.2 602 | Date : 16/07/2007 603 | Author : Ian Ventura-Whiting (Fizz) 604 | Changes: The following are a list of changes 605 | since the previous version: 606 | > Removed unused variable 607 | > Other minor changes. 
608 | 609 | Version: 1.1 610 | Date : 13/07/2007 611 | Author : Ian Ventura-Whiting (Fizz) 612 | Changes: The following are a list of changes 613 | since the previous version: 614 | > Correction in banner text 615 | > Host:Port now directly from the 616 | command-line. 617 | 618 | Version: 1.0 619 | Date : 13/07/2007 620 | Author : Ian Ventura-Whiting (Fizz) 621 | Notes : Initial version of sslscan 622 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM alpine:latest as builder 2 | 3 | # Ensure no packages are cached before we try to do an update. 4 | RUN apk cache clean 2> /dev/null || exit 0 5 | 6 | RUN apk update && apk add gcc make ca-certificates git libc-dev linux-headers openssl perl zlib-dev 7 | RUN update-ca-certificates 8 | 9 | ADD . builddir 10 | 11 | # Make a static build of sslscan, then strip it of debugging symbols. 12 | RUN cd builddir && make static 13 | RUN strip --strip-all /builddir/sslscan 14 | 15 | # Print the output of ldd so we can see what dynamic libraries that sslscan is still dependent upon. 16 | RUN echo "ldd output:" && ldd /builddir/sslscan 17 | RUN echo "ls -al output:" && ls -al /builddir/sslscan 18 | 19 | 20 | # Start with an empty container for our final build. 21 | FROM scratch 22 | 23 | # Copy over the sslscan executable from the intermediate build container, along with the dynamic libraries it is dependent upon (see output of ldd, above). 24 | COPY --from=builder /builddir/sslscan /sslscan 25 | COPY --from=builder /usr/lib/libz.so.1 /lib/libz.so.1 26 | COPY --from=builder /lib/ld-musl-*.so.1 /lib/ 27 | 28 | # Drop root privileges. 
29 | USER 65535:65535 30 | 31 | ENTRYPOINT ["/sslscan"] 32 | -------------------------------------------------------------------------------- /INSTALL: -------------------------------------------------------------------------------- 1 | Requirements: 2 | OpenSSL 0.9.8o or better 3 | 4 | Makefile build: 5 | make 6 | make install (as root) 7 | 8 | Manual Build: 9 | sslscan can be built manually using the following 10 | commands: 11 | 12 | gcc -lssl -o sslscan sslscan.c 13 | clang -lssl -o sslscan sslscan.c 14 | 15 | ---- 16 | 17 | There are two ways to build a Windows executable: 18 | 19 | 1.) By cross-compiling on a Linux build machine using MinGW or Mingw-w64. 20 | 21 | 2.) By compiling on a Windows build machine using Visual Studio 2013 22 | (other versions may also work, but are untested). 23 | 24 | If you have a Debian-like Linux machine (such as Ubuntu or Kali), option 25 | #1 is BY FAR the easiest. Note that installing Visual Studio and additional 26 | tools requires downloading gigabytes of data! 27 | 28 | In any case, it is necessary to compile OpenSSL to ensure that all 29 | protocols and algorithms are enabled (note that some systems that package 30 | OpenSSL have some deprecated features such as SSLv2 turned off for safety 31 | reasons; we actually need those to test with). 32 | 33 | Please note that building on Windows (especially x86) is not supported, and 34 | you may well encounter issues when trying to do so. Cross-compiling for x86 35 | from Debian Buster (10) is reported to work, but your mileage may vary. 36 | 37 | 38 | I. Cross-compiling from Linux 39 | 40 | A. Building a 64-bit Windows executable 41 | 42 | 0.) Install Mingw-w64. On Debian-like systems, this can be done with: 43 | apt-get install mingw-w64 44 | 45 | 1.) Compile sslscan. It will download the OpenSSL sources from GitHub 46 | automatically: 47 | make -f Makefile.mingw 48 | 49 | 50 | B. Building a 32-bit Windows executable 51 | 52 | 0.) Install MinGW. 
On Debian-like systems, this can be done with: 53 | apt-get install mingw32 54 | 55 | 1.) Compile sslscan. It will download the OpenSSL sources from GitHub 56 | automatically: 57 | make -f Makefile.mingw BUILD_32BIT=1 58 | 59 | 60 | II. Compiling on Windows using Visual Studio 2013 Express for Windows Desktop 61 | 62 | A. Install Visual Studio 2013 Express for Windows Desktop: 63 | http://go.microsoft.com/?linkid=9832280 64 | 65 | B. Install the Windows Driver Kit 8.1: 66 | http://go.microsoft.com/fwlink/p/?linkid=393659 67 | 68 | C. Install ActivePerl Community Edition: 69 | http://www.activestate.com/activeperl/downloads 70 | 71 | D. In the VS2013 x64 Cross Tools Command Prompt, compile OpenSSL with: 72 | perl Configure VC-WIN64A 73 | ms\do_win64a 74 | nmake -f ms\nt.mak 75 | 76 | E. Inside the sslscan folder, compile sslscan with: 77 | nmake -f Makefile.vs OPENSSL_PATH=path/to/openssl 78 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | # set gcc as default if CC is not set 2 | 3 | GIT_VERSION = $(shell git describe --tags --always --dirty=-wip) 4 | 5 | # Ugly hack to get version if git isn't installed 6 | ifeq ($(GIT_VERSION),) 7 | GIT_VERSION = $(shell grep -E -o -m 1 "[0-9]+\.[0-9]+\.[0-9]+" Changelog) 8 | endif 9 | 10 | # Detect OS 11 | OS := $(shell uname) 12 | ARCH := $(shell uname -m) 13 | 14 | # Handle different version of Make 15 | ifeq ($(OS), SunOS) 16 | ifndef $(CC) 17 | CC=gcc 18 | endif 19 | ifndef $(PREFIX) 20 | PREFIX = /usr 21 | endif 22 | else 23 | CC ?= gcc 24 | PREFIX ?= /usr 25 | endif 26 | 27 | SRCS = sslscan.c 28 | BINDIR = $(PREFIX)/bin 29 | MANDIR = $(PREFIX)/share/man 30 | MAN1DIR = $(MANDIR)/man1 31 | 32 | WARNINGS = -Wall -Wformat=2 -Wformat-security -Wno-deprecated-declarations 33 | DEFINES = -DVERSION=\"$(GIT_VERSION)\" 34 | 35 | # for dynamic linking 36 | LIBS = -lssl -lcrypto 37 | ifneq ($(OS), FreeBSD) 
38 | ifneq ($(findstring MINGW64,$(OS)),MINGW64) 39 | LIBS += -ldl 40 | else 41 | LIBS += -lwsock32 -lWs2_32 42 | endif 43 | endif 44 | ifeq ($(OS), SunOS) 45 | CFLAGS += -m64 46 | LIBS += -lsocket -lnsl 47 | endif 48 | 49 | # Enable checks for buffer overflows, add stack protectors and generate position 50 | # independent code. The read-only relocation table and global offset table come 51 | # from the -z relro -z now linker flags set below, not from this line. NOTE(review): _FORTIFY_SOURCE only takes effect when optimisation (-O1 or higher) is on, and no -O flag is added in the visible part of this Makefile; confirm the caller's CFLAGS supply one. 52 | CFLAGS += -D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIE 53 | 54 | # Don't enable some hardening flags on OS X because it uses an old version of Clang. As written, SunOS and Cygwin also get none of these linker flags, and MINGW64 gets -pie only. 55 | ifneq ($(OS), Darwin) 56 | ifneq ($(OS), SunOS) 57 | ifneq ($(findstring CYGWIN,$(OS)),CYGWIN) 58 | ifneq ($(findstring MINGW64,$(OS)),MINGW64) 59 | LDFLAGS += -pie -z relro -z now 60 | else 61 | LDFLAGS += -pie 62 | endif 63 | endif 64 | endif 65 | endif 66 | 67 | # Force C11 mode to fix the build on very old version of GCC 68 | CFLAGS += -std=gnu11 69 | 70 | # for static linking 71 | ifeq ($(STATIC_BUILD), TRUE) 72 | PWD = $(shell pwd)/openssl 73 | LDFLAGS += -L${PWD}/ 74 | CFLAGS += -I${PWD}/include/ -I${PWD}/ 75 | ifeq ($(OS), Darwin) 76 | LIBS = ./openssl/libssl.a ./openssl/libcrypto.a -lz -lpthread 77 | else 78 | LIBS = -lssl -lcrypto -lz -lpthread 79 | endif 80 | ifneq ($(OS), FreeBSD) 81 | ifneq ($(findstring CYGWIN,$(OS)),CYGWIN) 82 | LIBS += -ldl 83 | endif 84 | endif 85 | ifeq ($(OS), SunOS) 86 | LIBS += -lsocket -lnsl 87 | endif 88 | GIT_VERSION := $(GIT_VERSION)-static 89 | else 90 | # for dynamic linking 91 | LDFLAGS += -L/usr/local/lib -L/usr/local/ssl/lib -L/usr/local/opt/openssl/lib -L/opt/local/lib 92 | CFLAGS += -I/usr/local/include -I/usr/local/ssl/include -I/usr/local/ssl/include/openssl -I/usr/local/opt/openssl/include -I/opt/local/include -I/opt/local/include/openssl 93 | endif 94 | 95 | # Find the number of processors on the system (used in -j option in building OpenSSL). 96 | # Uses /usr/bin/nproc if available, otherwise defaults to 1. 
97 | NUM_PROCS = 1 98 | ifneq (,$(wildcard /usr/bin/nproc)) 99 | NUM_PROCS = `/usr/bin/nproc --all` 100 | endif 101 | ifeq ($(OS), Darwin) 102 | NUM_PROCS = `sysctl -n hw.ncpu` 103 | endif 104 | 105 | .PHONY: all sslscan clean realclean install uninstall static opensslpull 106 | 107 | all: sslscan 108 | @echo 109 | @echo "===========" 110 | @echo "| WARNING |" 111 | @echo "===========" 112 | @echo 113 | @echo "Building against system OpenSSL. Compression and other checks may not be possible." 114 | @echo "It is recommended that you statically build sslscan with \`make static\`." 115 | @echo 116 | 117 | sslscan: $(SRCS) 118 | $(CC) -o $@ ${WARNINGS} ${LDFLAGS} ${CFLAGS} ${CPPFLAGS} ${DEFINES} ${SRCS} ${LIBS} 119 | 120 | install: 121 | @if [ ! -f sslscan ] ; then \ 122 | echo "\n=========\n| ERROR |\n========="; \ 123 | echo "Before installing you need to build sslscan with either \`make\` or \`make static\`\n"; \ 124 | exit 1; \ 125 | fi 126 | ifeq ($(OS), Darwin) 127 | install -d $(DESTDIR)$(BINDIR)/; 128 | install sslscan $(DESTDIR)$(BINDIR)/sslscan; 129 | install -d $(DESTDIR)$(MAN1DIR)/; 130 | install sslscan.1 $(DESTDIR)$(MAN1DIR)/sslscan.1; 131 | else 132 | install -D sslscan $(DESTDIR)$(BINDIR)/sslscan; 133 | install -D sslscan.1 $(DESTDIR)$(MAN1DIR)/sslscan.1; 134 | endif 135 | 136 | uninstall: 137 | rm -f $(DESTDIR)$(BINDIR)/sslscan 138 | rm -f $(DESTDIR)$(MAN1DIR)/sslscan.1 139 | 140 | .openssl.is.fresh: opensslpull 141 | @true 142 | # NOTE(review): opensslpull takes the highest openssl-3.5.x tag that GitHub lists at build time and fetches it over HTTPS; no tag signature or checksum is checked in the visible recipe, so two builds can end up with different OpenSSL sources. Consider pinning a tag or commit and verifying it before building. 143 | opensslpull: 144 | upstream=`git ls-remote https://github.com/openssl/openssl | grep -Eo '(openssl-3\.5\.[0-9]+)' | sort -V | tail -n 1` ; \ 145 | if [ -d openssl -a -d openssl/.git ]; then \ 146 | if [ "$$upstream" != "`cd ./openssl && git describe --exact-match --tags`" ]; then \ 147 | cd ./openssl && git fetch --depth 1 origin refs/tags/$$upstream:refs/tags/$$upstream && git checkout $$upstream && touch ../.openssl.is.fresh ; \ 148 | fi \ 149 | else \ 150 | git clone --depth 1 -b $$upstream 
https://github.com/openssl/openssl ./openssl && cd ./openssl && touch ../.openssl.is.fresh ; \ 151 | fi 152 | 153 | openssl/Makefile: .openssl.is.fresh 154 | cd ./openssl; ./Configure -v -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC no-shared enable-weak-ssl-ciphers zlib 155 | 156 | openssl/libcrypto.a: openssl/Makefile 157 | $(MAKE) -j $(NUM_PROCS) -C openssl depend 158 | $(MAKE) -j $(NUM_PROCS) -C openssl build_libs 159 | # $(MAKE) -j $(NUM_PROCS) -C openssl test # Disabled because this takes 45+ minutes for OpenSSL v1.1.1. 160 | 161 | static: openssl/libcrypto.a 162 | $(MAKE) -j $(NUM_PROCS) sslscan STATIC_BUILD=TRUE 163 | 164 | docker: 165 | docker build -t sslscan:sslscan . 166 | 167 | test: static 168 | ./docker_test.sh 169 | 170 | clean: 171 | rm -f sslscan 172 | 173 | realclean: clean 174 | if [ -d openssl ]; then ( rm -rf openssl ); fi; 175 | rm -f .openssl.is.fresh 176 | -------------------------------------------------------------------------------- /Makefile.mingw: -------------------------------------------------------------------------------- 1 | # 2 | # To build a 64-bit executable: make -f Makefile.mingw 3 | # To build a 32-bit executable: make -f Makefile.mingw BUILD_32BIT=1 4 | # 5 | 6 | 7 | # Enable to echo commands for debugging. 8 | #SHELL = sh -xv 9 | 10 | # If we're in Linux, lets see if we can find the path to Mingw automatically... 
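ARCHITECTURE=
CC_PREFIX=
OPENSSL_TARGET=
ifneq ($(BUILD_32BIT),)
  DEFINES=-DBUILD_32BIT=1
endif

ifeq ($(shell uname), Linux)
  MINGW32=$(shell which i686-w64-mingw32-gcc)
  ifneq ($(MINGW32),)
    CC=$(MINGW32)
    ARCHITECTURE=32-bit
    CC_PREFIX=i686-w64-mingw32-
    OPENSSL_TARGET=mingw
  endif

  # The 64-bit toolchain wins when both are installed, unless BUILD_32BIT is set.
  MINGW64=$(shell which x86_64-w64-mingw32-gcc)
  ifneq ($(MINGW64),)
    ifeq ($(BUILD_32BIT),)
      CC=$(MINGW64)
      ARCHITECTURE=64-bit
      CC_PREFIX=x86_64-w64-mingw32-
      OPENSSL_TARGET=mingw64
    endif
  endif
endif

# NOTE(review): GNU make predefines CC (default `cc`), so this guard only fires
# when CC has been explicitly emptied; it does not catch "no MinGW compiler was
# found above". Confirm whether that is the intended check.
ifndef CC
  $(error "Failed to determine the compiler!")
endif

.PHONY: clean

# Enable security options like stack protectors and variable formatting checks.
# Sadly, we can't use -pie, because MinGW produces a broken executable when
# enabled.
# NOTE(review): _FORTIFY_SOURCE generally needs an optimization level to take
# effect and this file adds no -O flag itself; confirm CFLAGS supplies one.
SECURITY_OPTIONS=-fstack-protector-all -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security

# Turn on linker optimizations, and DEP support (--nxcompat)
LINK_OPTIONS=-Wl,-O1 -Wl,--discard-all -Wl,--no-undefined -Wl,--dynamicbase -Wl,--nxcompat -static

CFLAGS += -Iopenssl_mingw/include -D__USE_GNU -DOPENSSL_NO_SSL2 -Wno-deprecated-declarations
LDFLAGS += -lws2_32 -lgdi32 -lcrypt32

# Set the version string for the program.
VERSION = "$(shell grep -E -o -m 1 '[0-9]+\.[0-9]+\.[0-9]+(\-[a-z]+[0-9]+)?' Changelog) Windows $(ARCHITECTURE) (Mingw)"


all: sslscan

.openssl_mingw.is.fresh: opensslpull
	true

# If the zlib dir already exists, issue a pull, otherwise clone it from GitHub. Either way, check out the latest tag.
# The checkout is not verified against a signature or a known hash.
# NOTE(review): after `git clone --depth 1` the history may contain no tag for
# `git describe --abbrev=0` to find; verify this branch on a clean tree.
zlibpull:
	if [ -d zlib_mingw -a -d zlib_mingw/.git ]; then \
		cd ./zlib_mingw && git pull && git checkout tags/`git describe --abbrev=0 --tags` ; \
	else \
		git clone -b master --depth 1 https://github.com/madler/zlib ./zlib_mingw && cd ./zlib_mingw && git checkout tags/`git describe --abbrev=0` ; \
	fi

# Fetch the newest openssl-3.5.x tag advertised by the upstream repository into
# ./openssl_mingw, and touch .openssl_mingw.is.fresh whenever the checkout changed.
#
# The tag name is taken as-is from `git ls-remote`; nothing in this recipe
# verifies a tag signature or pins a commit, so the code that gets built is
# whatever the remote serves at build time.
#
# If the tag lookup returns nothing (for example when the network is down) the
# recipe stops with a clear error instead of handing an empty ref to git.
opensslpull:
	upstream=`git ls-remote https://github.com/openssl/openssl | grep -Eo '(openssl-3\.5\.[0-9]+)' | sort -V | tail -n 1` ; \
	if [ -z "$$upstream" ]; then \
		echo "Error: could not determine the latest openssl-3.5.x tag from upstream." >&2 ; \
		exit 1 ; \
	fi ; \
	if [ -d openssl_mingw -a -d openssl_mingw/.git ]; then \
		if [ "$$upstream" != "`cd ./openssl_mingw && git describe --exact-match --tags`" ]; then \
			cd ./openssl_mingw && git fetch --depth 1 origin refs/tags/$$upstream:refs/tags/$$upstream && git checkout $$upstream && touch ../.openssl_mingw.is.fresh ; \
		fi \
	else \
		git clone --depth 1 -b $$upstream https://github.com/openssl/openssl ./openssl_mingw && cd ./openssl_mingw && touch ../.openssl_mingw.is.fresh ; \
	fi

# `&&` keeps the build from running in the wrong directory if the cd fails.
zlib_mingw/libz.a: zlibpull
	cd ./zlib_mingw && make -f win32/Makefile.gcc PREFIX=$(CC_PREFIX)

# Cross-configure OpenSSL as a static library against the locally built zlib,
# with weak ciphers enabled.
openssl_mingw/Makefile: .openssl_mingw.is.fresh zlib_mingw/libz.a
	cd ./openssl_mingw && ./Configure --cross-compile-prefix=$(CC_PREFIX) --with-zlib-include=`pwd`/../zlib_mingw --with-zlib-lib=`pwd`/../zlib_mingw -fstack-protector-all -D_FORTIFY_SOURCE=2 $(OPENSSL_TARGET) no-shared enable-weak-ssl-ciphers enable-ssl2 zlib

openssl_mingw/libcrypto.a: openssl_mingw/Makefile
	$(MAKE) -C openssl_mingw depend CC=$(CC)
	$(MAKE) -j 10 -C openssl_mingw all CC=$(CC)

# Link sslscan.exe statically against the freshly built libraries, then strip it.
sslscan: openssl_mingw/libcrypto.a sslscan.c
	$(CC) $(CFLAGS) -DVERSION=\"$(VERSION)\" $(DEFINES) $(SECURITY_OPTIONS) $(LINK_OPTIONS) -o sslscan.exe sslscan.c openssl_mingw/libssl.a openssl_mingw/libcrypto.a zlib_mingw/libz.a $(LDFLAGS)
	$(CC_PREFIX)strip sslscan.exe

clean:
	rm -f *.o sslscan.exe .openssl_mingw.is.fresh
	if [ -f openssl_mingw/Makefile ]; then $(MAKE) -C openssl_mingw clean; fi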
99 | if [ -f zlib_mingw/win32/Makefile.gcc ]; then $(MAKE) -C zlib_mingw -f win32/Makefile.gcc clean; fi 100 | -------------------------------------------------------------------------------- /Makefile.vs: -------------------------------------------------------------------------------- 1 | LFLAGS=/nologo /dynamicbase /highentropyva /nxcompat /opt:ref /subsystem:console /ltcg 2 | CFLAGS=/nologo /GL /GS /Gs0 /Gw /MT /Ox -DVERSION="\"1.9.8 Windows 64-bit (VS)\"" 3 | 4 | all: sslscan.exe 5 | 6 | sslscan.obj: sslscan.c 7 | cl.exe $(CFLAGS) /I $(OPENSSL_PATH)/include /c sslscan.c 8 | 9 | sslscan.exe: sslscan.obj 10 | link.exe $(LFLAGS) /out:sslscan.exe sslscan.obj $(OPENSSL_PATH)/out32/libeay32.lib $(OPENSSL_PATH)/out32/ssleay32.lib advapi32.lib gdi32.lib user32.lib ws2_32.lib 11 | 12 | clean: 13 | del sslscan.obj sslscan.exe 14 | 15 | rebuild: clean all 16 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # sslscan2 2 | 3 | sslscan version 2 has now been released. This includes a major rewrite of the backend scanning code, which means that it is no longer reliant on the version of OpenSSL for many checks. This means that it is possible to support legacy protocols (SSLv2 and SSLv3), as well as supporting TLSv1.3 - regardless of the version of OpenSSL that it has been compiled against. 4 | 5 | This has been made possible largely by the work of [jtesta](https://github.com/jtesta), who has been responsible for most of the backend rewrite. 6 | 7 | Other key changes include: 8 | 9 | * Enumeration of server key exchange groups. 10 | * Enumeration of server signature algorithms. 11 | * SSLv2 and SSLv3 protocol support is scanned, but individual ciphers are not. 12 | * A test suite is included using Docker, to verify that sslscan is functioning correctly. 
13 | * Removed the `--http` option, as it was broken and had very little use in the first place. 14 | 15 | ## XML Output Changes 16 | A potentially breaking change has been made to the XML output in version **2.0.0-beta4**. Previously, multiple `<certificate>` elements could be returned (one by default, and a second one if `--show-certificate` was used). 17 | 18 | The key changes are: 19 | 20 | * A new parent `<certificates>` element that will contain the `<certificate>` elements. 21 | * `<certificate>` elements have a new `type` attribute, which can either be: 22 | * `short` for the default output. 23 | * `full` for when `--show-certificate` is used. 24 | * There will potentially be more than one certificate of each type returned on servers that have multiple certificates with different signature algorithms (see discussion in issue [#208](https://github.com/rbsec/sslscan/issues/208)). 25 | * The `<signature-algorithm>` element in a `<certificate>` no longer contains the "Signature Algorithm:" prefix, or the spacing and newline. 26 | 27 | If you are using the XML output, then you may need to make changes to your parser. 28 | 29 | # README 30 | 31 | [![ci](https://github.com/rbsec/sslscan/actions/workflows/ci.yml/badge.svg)](https://github.com/rbsec/sslscan/actions/workflows/ci.yml) 32 | 33 | This is a fork of ioerror's version of sslscan (the original readme of which is included below) by rbsec (robin@rbsec.net). 34 | 35 | Key changes are as follows: 36 | 37 | * Highlight SSLv2 and SSLv3 ciphers in output. 38 | * Highlight CBC ciphers on SSLv3 (POODLE). 39 | * Highlight 3DES and RC4 ciphers in output. 40 | * Highlight PFS+GCM ciphers as good in output. 41 | * Highlight NULL (0 bit), weak (<40 bit) and medium (40 < n <= 56) ciphers in output. 42 | * Highlight anonymous (ADH and AECDH) ciphers in output (purple). 43 | * Hide certificate information by default (display with `--show-certificate`). 44 | * Hide rejected ciphers by default (display with `--failed`). 45 | * Added TLSv1.1, TLSv1.2 and TLSv1.3 support. 
46 | * Supports IPv6 (can be forced with `--ipv6`). 47 | * Check for TLS compression (CRIME, disable with `--no-compression`). 48 | * Disable cipher suite checking `--no-ciphersuites`. 49 | * Disable coloured output `--no-colour`. 50 | * Removed undocumented -p output option. 51 | * Added check for OpenSSL HeartBleed (CVE-2014-0160, disable with `--no-heartbleed`). 52 | * Flag certificates signed with MD5 or SHA-1, or with short (<2048 bit) RSA keys. 53 | * Support scanning RDP servers with `--rdp` (credit skettler). 54 | * Added option to specify socket timeout. 55 | * Added option for static compilation (credit dmke). 56 | * Added `--sleep` option to pause between requests. 57 | * Disable output for anything other than the specified checks `--no-preferred`. 58 | * Determine the list of CAs acceptable for client certificates `--show-client-cas`. 59 | * Experimental build support on OS X (credit MikeSchroll). 60 | * Flag some self-signed SSL certificates. 61 | * Experimental Windows support (credit jtesta). 62 | * Display EC curve names and DHE key lengths with OpenSSL >= 1.0.2 `--no-cipher-details`. 63 | * Flag weak DHE keys with OpenSSL >= 1.0.2 `--cipher-details`. 64 | * Flag expired certificates. 65 | * Flag TLSv1.0 and TLSv1.1 protocols in output as weak. 66 | * Experimental OS X support (static building only). 67 | * Support for scanning PostgreSQL servers (credit nuxi). 68 | * Check for TLS Fallback SCSV support. 69 | * Added StartTLS support for LDAP `--starttls-ldap`. 70 | * Added SNI support `--sni-name` (credit Ken). 71 | * Support STARTTLS for MySQL (credit bk2017). 72 | * Check for supported key exchange groups. 73 | * Check for supported server signature algorithms. 74 | * Display IANA/RFC cipher names `--iana-names` 75 | * Display the full certificate chain `--show-certificates` 76 | 77 | ### Building on Linux 78 | 79 | It is possible to ignore the OpenSSL system installation and ship your own version. 
Although this results in a more resource-heavy `sslscan` binary (file size, memory consumption, etc.), this allows some additional checks such as TLS compression. 80 | 81 | To compile your own OpenSSL version, you'll probably need to install the OpenSSL build dependencies. The commands below can be used to do this on Debian. 82 | 83 | apt install git zlib1g-dev make gcc 84 | 85 | Then run 86 | 87 | make static 88 | 89 | This will clone the [OpenSSL repository](https://github.com/openssl/openssl), and configure/compile/test OpenSSL prior to compiling `sslscan`. 90 | 91 | **Please note:** By default, OpenSSL is compiled with `gcc` without further customization. To compile with `clang`, install build dependencies using the commands below. 92 | 93 | apt install git zlib1g-dev make clang 94 | 95 | Then run 96 | 97 | make static CC=clang 98 | 99 | You can verify whether you have a statically linked OpenSSL version, by checking whether the version listed by `sslscan --version` has the `-static` suffix. 100 | 101 | ### Building with Docker 102 | 103 | Ensure that your local Docker installation is functional, and then build the container with: 104 | 105 | make docker 106 | 107 | Or manually with: 108 | 109 | docker build -t sslscan:sslscan . 110 | 111 | You can then run sslscan with: 112 | 113 | docker run --rm -ti sslscan:sslscan --help 114 | 115 | ### Building on Windows 116 | 117 | Thanks to a patch by jtesta, sslscan can now be compiled on Windows. This can either be done natively or by cross-compiling from Linux. See INSTALL for instructions. 118 | 119 | Note that sslscan was originally written for Linux, and has not been extensively tested on Windows. As such, the Windows version should be considered experimental. 120 | 121 | Pre-built cross-compiled Windows binaries are available on the [GitHub Releases Page](https://github.com/rbsec/sslscan/releases). 
122 | 123 | ### Building on macOS (formerly named OS X) 124 | There is experimental support for statically building on macOS (formerly named OS X), however this should be considered unsupported. You may need to install any dependencies required to compile OpenSSL from source on macOS (formerly named OS X). Once you have, just run: 125 | 126 | make static 127 | 128 | # Original (ioerror) README 129 | This is a fork of sslscan.c to better support STARTTLS. 130 | 131 | The original home page of sslscan is: 132 | 133 | http://www.titania.co.uk 134 | 135 | sslscan was originally written by: 136 | 137 | Ian Ventura-Whiting 138 | 139 | The current home page of this fork (until upstream merges a finished patch) is: 140 | 141 | http://www.github.com/ioerror/sslscan 142 | 143 | Most of the pre-TLS protocol setup was inspired by the OpenSSL s_client.c 144 | program. The goal of this fork is to eventually merge with the original 145 | project after the STARTTLS setup is polished. 146 | 147 | Some of the OpenSSL setup code was borrowed from The Tor Project's Tor program. 148 | Thus it is likely proper to comply with the BSD license by saying: 149 | Copyright (c) 2007-2010, The Tor Project, Inc. 
150 | -------------------------------------------------------------------------------- /TODO: -------------------------------------------------------------------------------- 1 | Fix session resumption test 2 | We have a false positive for session resumption 3 | IDs are assigned but not accepted for resumption 4 | Fix the certificate formatting (prefix it with whitespace) 5 | Add support for SOCKS5 proxy (or audit for 'usewithtor') 6 | It seems to work fine with 'usewithtor' 7 | It still seems prudent to add proper proxy support 8 | Fix XMPP scans that do not support StartTLS: 9 | "" 10 | Add HTML report generation 11 | Add diff between reported and actually supported ciphers 12 | Make a Debian package 13 | We should explicitly check for things that may be NULL; the original author was not very careful. 14 | Perhaps write a GUI for people who are console adverse? 15 | Compare with http://www.thesprawl.org/memdump/?entry=7 16 | Finally, we should send a diff from 1.8.2 to the upstream developer 17 | -------------------------------------------------------------------------------- /docker_test.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # 4 | # Copyright (C) 2019-2020 Joe Testa 5 | # 6 | # This script (adapted from the ssh-audit project) will set up a docker image with 7 | # multiple SSL/TLS servers. They are each executed one at a time, and sslscan is run 8 | # against them. The output of sslscan is compared against the expected output. If 9 | # they match, the test passes; otherwise the test fails. 10 | # 11 | # 12 | # For debugging purposes, here is a cheat sheet for manually running the docker image: 13 | # 14 | # docker run -p 4443:443 --security-opt seccomp:unconfined -it sslscan-test:3 /bin/bash 15 | # 16 | 17 | # 18 | # Running this script with no arguments causes it to build the docker image (if it 19 | # doesn't yet exist), then run all tests. 
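#
# Running the script with a test number argument (i.e.: './docker_test.sh 2') will
# run the docker image for test #2 only (in the background) and do nothing else. This
# allows the test itself to be debugged.
#


# This is the docker tag for the image. If this tag doesn't exist, then we assume the
# image is out of date, and generate a new one with this tag.
IMAGE_VERSION=3

# This is the name of our docker image.
IMAGE_NAME=sslscan-test


# Terminal colors.
CLR="\033[0m"
RED="\033[0;31m"
GREEN="\033[0;32m"
REDB="\033[1;31m" # Red + bold
YELLOWB="\033[1;33m" # Yellow + bold
GREENB="\033[1;32m" # Green + bold

# Set to 0 if any test fails.
all_passed=1


# Number of processors on this system (used to compile parallel builds).
# Falls back to 4 when /usr/bin/nproc is missing or prints nothing.
NUM_PROCS=`/usr/bin/nproc --all 2> /dev/null`
if [[ $NUM_PROCS == '' ]]; then
    NUM_PROCS=4
fi


# Returns 0 if current docker image exists.
# The return status is grep's. The pattern is not anchored at the end, so a tag
# that merely starts with $IMAGE_VERSION (e.g. "30" for "3") would also match.
function check_if_docker_image_exists {
    images=`docker image ls | grep -E "$IMAGE_NAME[[:space:]]+$IMAGE_VERSION"`
}


# Compile all version of GnuTLS.
function compile_gnutls_all {
    compile_gnutls '3.6.11.1'
}


# Compile all versions of OpenSSL.
function compile_openssl_all {
    compile_openssl '1.0.0'
    compile_openssl '1.0.2'
    compile_openssl '1.1.1'
}


# Compile a specific version of OpenSSL.
#
# $1 is the version ('1.0.0', '1.0.2' or '1.1.1'). The matching *-stable branch
# is cloned into the current directory, built, and its apps/openssl binary is
# copied one level up as openssl_prog_v<version>; the source tree is then
# deleted. The script exits with status 1 on an unknown version, a failed
# clone, or a failed build.
#
# These are legacy branches built with weak ciphers (and SSLv2 where the branch
# still has it) so they can serve as scan targets. A branch head moves over
# time and, unlike the GnuTLS/nettle tarballs in compile_gnutls, the clone is
# not checked against a known hash.
function compile_openssl {
    version=$1

    git_tag=
    compile_args=
    precompile_command=
    output_dir=
    compile_num_procs=$NUM_PROCS
    if [[ $version == '1.0.0' ]]; then
        git_tag="OpenSSL_1_0_0-stable"
        compile_args="enable-weak-ssl-ciphers enable-ssl2 zlib no-shared"
        precompile_command="make depend"
        output_dir="openssl_v1.0.0_dir"
        compile_num_procs=1 # Compilation randomly fails when done in parallel.
    elif [[ $version == '1.0.2' ]]; then
        git_tag="OpenSSL_1_0_2-stable"
        compile_args="enable-weak-ssl-ciphers enable-ssl2 zlib"
        precompile_command="make depend"
        output_dir="openssl_v1.0.2_dir"
    elif [[ $version == '1.1.1' ]]; then
        git_tag="OpenSSL_1_1_1-stable"
        compile_args="enable-weak-ssl-ciphers no-shared zlib"
        output_dir="openssl_v1.1.1_dir"
    else
        echo -e "${REDB}Error: OpenSSL v${version} is unknown!${CLR}"
        exit 1
    fi

    # Download OpenSSL from github. Stop here if the clone fails, so the
    # configure/make steps below never run in the wrong directory.
    echo -e "\n${YELLOWB}Downloading OpenSSL v${version}...${CLR}\n"
    if ! git clone --depth 1 -b "$git_tag" https://github.com/openssl/openssl/ "$output_dir"; then
        echo -e "${REDB}Error: failed to clone OpenSSL branch ${git_tag}.${CLR}"
        exit 1
    fi

    # Configure and compile it.
    echo -e "\n\n${YELLOWB}Compiling OpenSSL v${version} with \"-j ${compile_num_procs}\"...${CLR}"
    pushd "$output_dir" || exit 1
    # $compile_args and $precompile_command are left unquoted on purpose: each
    # holds several words that must be split into separate arguments.
    ./config $compile_args
    if [[ $precompile_command != '' ]]; then $precompile_command; fi
    make -j $compile_num_procs

    # Ensure that the 'openssl' command-line tool was built.
    if [[ ! -f "apps/openssl" ]]; then
        echo -e "${REDB}Error: compilation failed! apps/openssl not found.${CLR}\n\nStrangely, sometimes OpenSSL v1.0.0 fails for no reason; simply running this script again and changing nothing fixes the problem.\n\n"
        exit 1
    fi

    # Copy the 'openssl' app to the top-level docker building dir as, e.g. 'openssl_prog_v1.0.0'. Then we can delete the source code directory and move on.
    cp "apps/openssl" "../openssl_prog_v${version}"
    popd

    # Delete the source code directory now that we built the 'openssl' tool and moved it out.
    rm -rf "$output_dir"
    echo -e "\n\n${YELLOWB}Compilation of v${version} finished.${CLR}\n\n"
}


# Compile a specific version of GnuTLS.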
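# Downloads, verifies and builds GnuTLS (and the nettle version it needs).
#
# $1 is the GnuTLS version; only '3.6.11.1' is known. Both tarballs are checked
# against pinned SHA-256 values before anything is unpacked, and the script
# exits with status 1 on an unknown version, a hash mismatch or a failed build.
# On success gnutls-cli, gnutls-serv and the shared libraries are copied one
# directory up and the GnuTLS source tree is removed.
function compile_gnutls {
    gnutls_version=$1

    gnutls_url=
    nettle_url=
    gnutls_expected_sha256=
    nettle_expected_sha256=
    gnutls_filename=
    nettle_filename=
    gnutls_source_dir=
    nettle_source_dir=
    nettle_version=
    compile_num_procs=$NUM_PROCS
    compile_nettle=0
    if [[ $gnutls_version == '3.6.11.1' ]]; then
        gnutls_url=https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.11.1.tar.xz
        gnutls_expected_sha256=fbba12f3db9a55dbf027e14111755817ec44b57eabec3e8089aac8ac6f533cf8
        gnutls_filename=gnutls-3.6.11.1.tar.xz
        gnutls_source_dir=gnutls-3.6.11.1
        nettle_version=3.5.1
        nettle_url=https://ftp.gnu.org/gnu/nettle/nettle-3.5.1.tar.gz
        nettle_expected_sha256=75cca1998761b02e16f2db56da52992aef622bf55a3b45ec538bc2eedadc9419
        nettle_filename=nettle-3.5.1.tar.gz
        nettle_source_dir=nettle-3.5.1
        compile_nettle=1
    else
        echo -e "${REDB}Error: GnuTLS v${gnutls_version} is unknown!${CLR}"
        exit 1
    fi

    # Download GnuTLS.
    echo -e "\n${YELLOWB}Downloading GnuTLS v${gnutls_version}...${CLR}\n"
    wget "$gnutls_url"

    # Download nettle.
    echo -e "\n${YELLOWB}Downloading nettle library v${nettle_version}...${CLR}\n"
    wget "$nettle_url"

    # Check the SHA256 hashes. A failed download leaves the actual hash empty,
    # which is caught by the comparison below.
    gnutls_actual_sha256=`sha256sum "${gnutls_filename}" | cut -f1 -d" "`
    nettle_actual_sha256=`sha256sum "${nettle_filename}" | cut -f1 -d" "`

    # The right-hand sides are quoted so that [[ ]] compares them literally
    # instead of treating them as patterns.
    if [[ ("$gnutls_actual_sha256" != "$gnutls_expected_sha256") || ("$nettle_actual_sha256" != "$nettle_expected_sha256") ]]; then
        echo -e "${REDB}GnuTLS/nettle actual hashes differ from expected hashes! ${CLR}\n"
        echo -e "\tGnuTLS expected hash: ${gnutls_expected_sha256}\n"
        echo -e "\tGnuTLS actual hash: ${gnutls_actual_sha256}\n"
        echo -e "\tnettle expected hash: ${nettle_expected_sha256}\n"
        echo -e "\tnettle actual hash: ${nettle_actual_sha256}\n\n"
        exit 1
    else
        echo -e "${GREEN}Hashes verified.${CLR}\n"
    fi

    # Only unpack once both archives have been verified.
    tar xJf "$gnutls_filename"

    if [[ $compile_nettle == 1 ]]; then
        tar xzf "$nettle_filename"
        mv "$nettle_source_dir" nettle

        # Configure and compile nettle.
        echo -e "\n\n${YELLOWB}Compiling nettle v${nettle_version} with \"-j ${compile_num_procs}\"...${CLR}"
        pushd nettle || exit 1
        ./configure && make -j $compile_num_procs

        if [[ ! -f libnettle.so || ! -f libhogweed.so ]]; then
            echo -e "${REDB}Error: compilation failed! libnettle.so and/or libhogweed.so not found.${CLR}"
            exit 1
        fi
        popd
    fi

    # Configure and compile GnuTLS.
    echo -e "\n\n${YELLOWB}Compiling GnuTLS v${gnutls_version} with \"-j ${compile_num_procs}\"...${CLR}"
    pushd "$gnutls_source_dir" || exit 1
    nettle_source_dir_abs=`readlink -m ../nettle`
    nettle_parent_dir=`readlink -m ..`
    NETTLE_CFLAGS=-I${nettle_parent_dir} \
    NETTLE_LIBS="-L${nettle_source_dir_abs} -lnettle" \
    HOGWEED_CFLAGS=-I${nettle_parent_dir} \
    HOGWEED_LIBS="-L${nettle_source_dir_abs} -lhogweed" \
        ./configure --with-included-libtasn1 --with-included-unistring --without-p11-kit --disable-guile
    make CFLAGS=-I${nettle_parent_dir} LDFLAGS="-L${nettle_source_dir_abs} -lhogweed -lnettle" -j $compile_num_procs

    # Ensure that the gnutls-serv and gnutls-cli tools were built
    if [[ (! -f "src/.libs/gnutls-cli") || (! -f "src/.libs/gnutls-serv") ]]; then
        echo -e "${REDB}Error: compilation failed! gnutls-cli and/or gnutls-serv not found.${CLR}\n"
        exit 1
    fi

    # Copy the gnutls-cli and gnutls-serv apps to the top-level docker building dir as, e.g. 'gnutls-cli-v3.6.11.1'. Then we can delete the source code directory and move on.
    cp "lib/.libs/libgnutls.so" "../libgnutls.so.30"
    cp "src/.libs/gnutls-cli" "../gnutls-cli-v${gnutls_version}"
    cp "src/.libs/gnutls-serv" "../gnutls-serv-v${gnutls_version}"
    cp "${nettle_source_dir_abs}/libhogweed.so" "../libhogweed.so.5"
    cp "${nettle_source_dir_abs}/libnettle.so" "../libnettle.so.7"
    popd


    # Delete the source code directory now that we built the tools and moved them out.
    rm -rf "${gnutls_source_dir}"
    echo -e "\n\n${YELLOWB}Compilation of GnuTLS v${gnutls_version} finished.${CLR}\n\n"
}


# Creates a new docker image.
#
# Builds the OpenSSL and GnuTLS test binaries inside a fresh temporary directory
# seeded with the files from docker_test/, runs `docker build` there, and then
# removes the directory again.
function create_docker_image {
    # Create a new temporary directory. Bail out if that fails: with an empty
    # TMP_DIR the build below would run in the caller's working directory.
    TMP_DIR=`mktemp -d /tmp/sslscan-docker-XXXXXXXXXX`
    if [[ $? != 0 || ! -d "$TMP_DIR" ]]; then
        echo -e "${REDB}Error: failed to create a temporary build directory.${CLR}"
        exit 1
    fi

    # Copy the Dockerfile and all files in the docker_test/ dir to our new temp directory.
    # -exec hands the file names to cp directly, so names containing whitespace survive.
    find docker_test -maxdepth 1 -type f -exec cp -t "$TMP_DIR" {} +

    # Make the temp directory our working directory for the duration of the build
    # process.
    pushd "$TMP_DIR" > /dev/null || exit 1

    # Compile the versions of OpenSSL.
    compile_openssl_all

    # Compile the versions of GnuTLS.
    compile_gnutls_all

    # Now build the docker image!
    echo -e "${YELLOWB}Creating docker image...$IMAGE_NAME:$IMAGE_VERSION ${CLR}"
    docker build --tag "$IMAGE_NAME:$IMAGE_VERSION" .
    echo -e "${YELLOWB}Docker image creation complete.${CLR}"

    popd > /dev/null
    rm -rf "$TMP_DIR"
}


# Runs all tests with the debug flag disabled.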
# Calls run_test_1 through run_test_18 in order, each with debugging off ("0").
run_tests() {
    local n
    for n in {1..18}; do
        "run_test_${n}" "0"
    done
}


# Test 1: OpenSSL v1.0.2 s_server, mostly default (SSLv3, TLSv1.0, TLSv1.1,
# TLSv1.2), with a 2048-bit key, certificate and DH parameters.
run_test_1() {
    local server_cmd="/openssl_v1.0.2/openssl s_server -accept 443 -dhparam /etc/ssl/dhparams_2048.pem -key /etc/ssl/key_2048.pem -cert /etc/ssl/cert_2048.crt"
    run_test $1 '1' "$server_cmd" ""
}


# Test 2: SSLv2 only, with a 1024-bit certificate and DH parameters.
run_test_2() {
    local server_cmd="/openssl_v1.0.2/openssl s_server -ssl2 -accept 443 -dhparam /etc/ssl/dhparams_1024.pem -key /etc/ssl/key_1024.pem -cert /etc/ssl/cert_1024.crt"
    run_test $1 '2' "$server_cmd" ""
}


# Test 3: SSLv3 only, with a 1024-bit certificate and DH parameters.
run_test_3() {
    local server_cmd="/openssl_v1.0.2/openssl s_server -ssl3 -accept 443 -dhparam /etc/ssl/dhparams_1024.pem -key /etc/ssl/key_1024.pem -cert /etc/ssl/cert_1024.crt"
    run_test $1 '3' "$server_cmd" ""
}


# Test 4: OpenSSL v1.1.1 s_server, mostly default, with a 3072-bit key,
# certificate and DH parameters.
run_test_4() {
    local server_cmd="/openssl_v1.1.1/openssl s_server -accept 443 -dhparam /etc/ssl/dhparams_3072.pem -key /etc/ssl/key_3072.pem -cert /etc/ssl/cert_3072.crt"
    run_test $1 '4' "$server_cmd" ""
}


# Test 5: every cipher (-cipher ALL) from SSLv2 through TLSv1.2, with a
# 1024-bit certificate and DH parameters.
run_test_5() {
    local server_cmd="/openssl_v1.0.2/openssl s_server -cipher ALL -accept 443 -dhparam /etc/ssl/dhparams_1024.pem -key /etc/ssl/key_1024.pem -cert /etc/ssl/cert_1024.crt"
    run_test $1 '5' "$server_cmd" ""
}


# TLSv1.3 with all ciphers.
# Test 6: OpenSSL v1.1.1 s_server restricted to TLSv1.3, offering the five
# TLSv1.3 cipher suites listed in -ciphersuites.
run_test_6() {
    local server_cmd="/openssl_v1.1.1/openssl s_server -tls1_3 -ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_128_CCM_8_SHA256 -accept 443 -dhparam /etc/ssl/dhparams_3072.pem -key /etc/ssl/key_3072.pem -cert /etc/ssl/cert_3072.crt"
    run_test $1 '6' "$server_cmd" ""
}


# Test 7: OpenSSL v1.0.0 s_server with default settings and a 3072-bit key.
run_test_7() {
    local server_cmd="/openssl_v1.0.0/openssl s_server -accept 443 -key /etc/ssl/key_3072.pem -cert /etc/ssl/cert_3072.crt"
    run_test $1 '7' "$server_cmd" ""
}


# Test 8: OpenSSL v1.0.0 s_server with the 'ALL:eNULL' cipher list, which also
# offers the no-encryption (NULL) suites.
run_test_8() {
    local server_cmd="/openssl_v1.0.0/openssl s_server -accept 443 -cipher ALL:eNULL -key /etc/ssl/key_3072.pem -cert /etc/ssl/cert_3072.crt"
    run_test $1 '8' "$server_cmd" ""
}


# Test 9 (currently skipped): nginx with client certificate checking (signed by
# the CA in docker_test/ca_cert.pem). sslscan would connect and make an HTTP
# request (--http); HTTP 200 would mean the certificate was accepted, while nginx
# answers 400 when no client certificate is presented.
# NOTE(review): presumably disabled because the --http option was removed from
# sslscan (see README) - confirm before re-enabling.
run_test_9() {
    #run_test $1 '9' "/usr/sbin/nginx -c /etc/nginx/nginx_test9.conf" "--no-fallback --no-renegotiation --no-compression --no-heartbleed --certs=docker_test/cert_3072.crt --pk=docker_test/key_3072.pem --http"
    echo "Test #9 skipped."
}


# Test 10 (currently skipped): same nginx setup as test 9, but connecting without
# a client certificate; the expected HTTP response is "400 Bad Request".
run_test_10() {
    #run_test $1 '10' "/usr/sbin/nginx -c /etc/nginx/nginx_test9.conf" "--no-fallback --no-renegotiation --no-compression --no-heartbleed --http"
    echo "Test #10 skipped."
}


# Makes an OCSP request to www.amazon.com. The horrible Perl command that comes after it will filter out the timestamps and other variable data from the response, otherwise the diff would fail.
# Test 11: OCSP check against a public Internet host instead of a container, so
# the result depends on outbound network access and on that host's responses.
# The Perl filter blanks the fields that vary between runs.
run_test_11() {
    local scan_cmd="./sslscan --ocsp --no-ciphersuites --no-fallback --no-renegotiation --no-compression --no-heartbleed --no-check-certificate --no-groups --no-sigs www.amazon.com | perl -pe 'BEGIN{undef $/;} s/Connected to .+?$/Connected to\033[0m/smg; s/Responder Id: .+?$/Responder Id:/smg; s/Produced At: .+?$/Produced At:/smg; s/Hash Algorithm: .+?$/Hash Algorithm:/smg; s/Issuer Name Hash: .+?$/Issuer Name Hash:/smg; s/Issuer Key Hash: .+?$/Issuer Key Hash:/smg; s/Serial Number: .+?$/Serial Number:/smg; s/This Update: .+?$/This Update:/smg; s/Next Update: .+?$/Next Update:/smg; s/Response Single Extensions:.+?\n\n/\n\n/smg;'"
    run_test_internet '11' "$scan_cmd"
}


# Test 12: OpenSSL v1.0.0 with 512-bit DH parameters and a 512-bit RSA key whose
# certificate carries an MD5 signature.
run_test_12() {
    local server_cmd="/openssl_v1.0.0/openssl s_server -accept 443 -dhparam /etc/ssl/dhparams_512.pem -key /etc/ssl/key_512.pem -cert /etc/ssl/cert_512.crt"
    run_test $1 '12' "$server_cmd" ""
}


# Test 13: gnutls-serv 3.6.11.1 with default priorities and a 3072-bit key.
run_test_13() {
    local server_cmd="/gnutls-3.6.11.1/gnutls-serv -p 443 --x509certfile=/etc/ssl/cert_3072.crt --x509keyfile=/etc/ssl/key_3072.pem"
    run_test $1 '13' "$server_cmd" ""
}


# Test 14: GnuTLS limited to TLSv1.2 and TLSv1.3, with only the secp521r1 and
# ffdhe8192 groups left enabled.
run_test_14() {
    local server_cmd="/gnutls-3.6.11.1/gnutls-serv -p 443 --priority=NORMAL:-VERS-TLS1.1:-VERS-TLS1.0:-GROUP-X25519:-GROUP-SECP256R1:-GROUP-SECP384R1:-GROUP-FFDHE2048:-GROUP-FFDHE3072:-GROUP-FFDHE4096:-GROUP-FFDHE6144 --x509certfile=/etc/ssl/cert_3072.crt --x509keyfile=/etc/ssl/key_3072.pem"
    run_test $1 '14' "$server_cmd" ""
}


# Test 15: GnuTLS serving an ECDSA certificate (secp256r1 / NIST P-256).
run_test_15() {
    local server_cmd="/gnutls-3.6.11.1/gnutls-serv -p 443 --x509certfile=/etc/ssl/cert_ecdsa_prime256v1.crt --x509keyfile=/etc/ssl/key_ecdsa_prime256v1.pem"
    run_test $1 '15' "$server_cmd" ""
}


# OpenSSL v1.0.2, TLSv1.2 with sect163k1 curve only.
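function run_test_16 {
    # s_server from OpenSSL v1.0.2, limited to TLSv1.2 and the sect163k1 curve,
    # using the 1024-bit RSA test certificate.
    run_test $1 '16' "/openssl_v1.0.2/openssl s_server -accept 443 -tls1_2 -named_curve sect163k1 -cert /etc/ssl/cert_1024.crt -key /etc/ssl/key_1024.pem" ""
}


# OpenSSL v1.1.1, TLSv1.2 with brainpoolP512r1 curve only.
function run_test_17 {
    run_test $1 '17' "/openssl_v1.1.1/openssl s_server -accept 443 -tls1_2 -named_curve brainpoolP512r1 -cert /etc/ssl/cert_1024.crt -key /etc/ssl/key_1024.pem" ""
}


# TLSv1.2 with ECDSA-SHA1 signature only.
function run_test_18 {
    run_test $1 '18' "/gnutls-3.6.11.1/gnutls-serv -p 443 --x509certfile=/etc/ssl/cert_ecdsa_prime256v1.crt --x509keyfile=/etc/ssl/key_ecdsa_prime256v1.pem --priority=NONE:-VERS-TLS1.0:-VERS-TLS1.1:+VERS-TLS1.2:-VERS-TLS1.3:+MAC-ALL:+GROUP-ALL:+SIGN-ECDSA-SHA1:+COMP-NULL:+CTYPE-SRV-ALL:+KX-ALL:+CHACHA20-POLY1305:+CAMELLIA-128-GCM:+AES-128-GCM" ""
}


# Run one container-backed test.
#   $1  '1' enables debug mode: the container is started and left running, a
#       hint is printed, and no output comparison is done.
#   $2  test number; names the result file and the expected-output file.
#   $3  server executable and its arguments, run inside the container.
#   $4  additional arguments for sslscan (may be empty).
# Sets all_passed=0 when the output differs or the expected-output file is
# missing. Exits the script when docker or the scan pipeline fails.
function run_test {
    local rc

    debug=$1
    test_number=$2
    server_exec=$3
    sslscan_additional_args=$4

    test_result_stdout="${TEST_RESULT_DIR}/test_${test_number}.txt"
    expected_result_stdout="docker_test/expected_output/test_${test_number}.txt"

    # Run the container in the background. Route port 4443 on the outside to port
    # 443 on the inside. The port is published on loopback only: several tests
    # start deliberately weak servers built from old OpenSSL releases, and these
    # should not be reachable from other hosts while a test (or a debug session)
    # is running. ${server_exec} is left unquoted on purpose so that it splits
    # into the executable and its arguments.
    cid=`docker run -d -p 127.0.0.1:4443:443 -t ${IMAGE_NAME}:${IMAGE_VERSION} ${server_exec}`
    rc=$?
    if [[ $rc != 0 ]]; then
        # The status is captured above because $? inside this branch would be the
        # status of the [[ ]] test, not of docker.
        echo -e "${REDB}Failed to run docker image! (exit code: ${rc})${CLR}"
        exit 1
    fi

    # If debugging is enabled, just run the container. Don't do any output comparison.
    if [[ $debug == 1 ]]; then
        echo -e "\nExecuted in container: ${server_exec}\n\nTerminate container with: docker container stop -t 0 ${cid}\n\nHint: run sslscan against 127.0.0.1 on port 4443, not 443.\n"
        return
    fi

    # Wait 250ms to ensure that the services in the container are fully initialized.
    sleep 0.25

    # Run sslscan and cut out the first two lines. Those contain the version number
    # and local version of OpenSSL, which can change over time (and when they do, this
    # would break the test if they were left in).
    # NOTE: unless pipefail is set, the status of this pipeline is the status of
    # tail, so the check below does not see sslscan's own exit status; that one is
    # available as ${PIPESTATUS[0]} if a stricter check is wanted.
    ./sslscan $sslscan_additional_args 127.0.0.1:4443 | tail -n +3 > "$test_result_stdout"
    rc=$?
    if [[ $rc != 0 ]]; then
        echo -e "${REDB}Failed to run sslscan! (exit code: ${rc})${CLR}"
        docker container stop -t 0 "$cid" > /dev/null
        exit 1
    fi

    # Stop the container now that we captured the sslscan output.
    docker container stop -t 0 "$cid" > /dev/null
    rc=$?
    if [[ $rc != 0 ]]; then
        echo -e "${REDB}Failed to stop docker container ${cid}! (exit code: ${rc})${CLR}"
        exit 1
    fi

    # If the expected output file doesn't exist, give the user all the info we have so they can fix this.
    if [[ ! -f ${expected_result_stdout} ]]; then
        test_result_stdout_actual=`cat "${test_result_stdout}"`
        echo -e "\n${REDB}Error:${CLR} expected output file for test #${test_number} not found (${expected_result_stdout}). Actual test result is below. Manually verify that this output is correct; if so, then copy it to the expected test file path with:\n\n $ cp ${test_result_stdout} ${expected_result_stdout}\n\n------\n${test_result_stdout_actual}\n"
        all_passed=0
        return
    fi

    # Compare the actual output to the expected output. Any discrepancy results in test failure.
    diff=`diff -u "${expected_result_stdout}" "${test_result_stdout}"`
    if [[ $? != 0 ]]; then
        echo -e "Test #${test_number} ${REDB}FAILED${CLR}.\n\n${diff}\n"
        all_passed=0
        return
    fi

    echo -e "Test #${test_number} ${GREEN}passed${CLR}."
}


# Instead of spinning up a docker instance, this will run a test using a host on the
# public Internet.
#   $1  test number; names the result file and the expected-output file.
#   $2  complete shell pipeline to run; its first two output lines are dropped.
# Unlike run_test, any failure here exits the script immediately.
function run_test_internet {
    local rc

    test_number=$1
    command=$2

    test_result_stdout="${TEST_RESULT_DIR}/test_${test_number}.txt"
    expected_result_stdout="docker_test/expected_output/test_${test_number}.txt"

    # Run the pipeline directly. Wrapping this call in backticks would make the
    # shell execute whatever the pipeline printed on stdout as a second command.
    # ${command} is a string composed inside this script; it must never be built
    # from external input, because it is handed to "bash -c" as is.
    /bin/bash -c "${command} | tail -n +3 > ${test_result_stdout}"
    rc=$?
    if [[ $rc != 0 ]]; then
        # No container is started by this function, so there is nothing to stop.
        echo -e "${REDB}Failed to run sslscan! (exit code: ${rc})${CLR}"
        exit 1
    fi

    # If the expected output file doesn't exist, give the user all the info we have so they can fix this.
    if [[ ! -f ${expected_result_stdout} ]]; then
        test_result_stdout_actual=`cat "${test_result_stdout}"`
        echo -e "\n${REDB}Error:${CLR} expected output file for test #${test_number} not found (${expected_result_stdout}). Actual test result is below. Manually verify that this output is correct; if so, then copy it to the expected test file path with:\n\n $ cp ${test_result_stdout} ${expected_result_stdout}\n\n------\n${test_result_stdout_actual}\n"
        exit 1
    fi

    # Compare the actual output to the expected output. Any discrepancy results in test failure.
    diff=`diff -u "${expected_result_stdout}" "${test_result_stdout}"`
    if [[ $? != 0 ]]; then
        echo -e "Test #${test_number} ${REDB}FAILED${CLR}.\n\n${diff}\n"
        exit 1
    fi

    echo -e "Test #${test_number} ${GREEN}passed${CLR}."
}


# First check if docker is functional.
docker version > /dev/null
docker_rc=$?
if [[ $docker_rc != 0 ]]; then
    echo -e "${REDB}Error: 'docker version' command failed (error code: ${docker_rc}). Is docker installed and functioning?${CLR}"
    exit 1
fi

is_debian=0
is_arch=0

# If dpkg exists, assume this is a Debian-based system. Otherwise, if pacman
# exists, assume this is an Arch system.
if dpkg --version > /dev/null 2>&1; then
    is_debian=1
elif pacman --version > /dev/null 2>&1; then
    is_arch=1
fi

# Ensure that the libgmp-dev, m4, perl and wget packages are installed. Use dpkg on Debian, or pacman on Arch.
if [[ $is_debian == 1 ]]; then
    if ! dpkg -l libgmp-dev m4 perl wget > /dev/null 2>&1; then
        echo -e "${REDB}Error: libgmp-dev, m4, perl and/or wget packages not installed. Fix with: apt install libgmp-dev m4 perl wget${CLR}"
        exit 1
    fi
elif [[ $is_arch == 1 ]]; then
    if ! pacman -Qi gmp m4 perl wget > /dev/null 2>&1; then
        echo -e "${REDB}Error: gmp, m4, perl and/or wget packages not installed. Fix with: pacman -S gmp m4 perl wget${CLR}"
        exit 1
    fi
fi

# Make sure sslscan has been built.
if [[ ! -f sslscan ]]; then
    echo -e "${REDB}Error: sslscan executable not found. Build it first!${CLR}"
    exit 1
fi

# If the user specified a test number to debug...
# The argument is accepted only when it consists of decimal digits. Passing an
# arbitrary string through $(( )) makes bash evaluate it as an arithmetic
# expression, which is more than a plain conversion to a number. Anything else
# is ignored, so that all tests are run, which is also what a non-numeric word
# led to before.
debug_test_number=0
if [[ $# == 1 ]]; then
    if [[ $1 =~ ^[0-9]+$ ]]; then
        debug_test_number=$((10#$1)) # Force base 10 so that '08' is not read as octal.
    else
        echo "Warning: ignoring non-numeric test number; running all tests." >&2
    fi
fi

# Refuse a test number that has no matching run_test_N function before doing
# any other work.
if (( debug_test_number > 0 )); then
    if ! declare -F "run_test_${debug_test_number}" > /dev/null; then
        echo -e "${REDB}Error: there is no test #${debug_test_number}.${CLR}"
        exit 1
    fi
fi

# Check if the docker image is the most up-to-date version. If not, create it.
if check_if_docker_image_exists; then
    echo -e "\n${GREEN}Docker image $IMAGE_NAME:$IMAGE_VERSION already exists.${CLR}"
else
    echo -e "\nCreating docker image $IMAGE_NAME:$IMAGE_VERSION..."
    create_docker_image
    echo -e "\n${GREEN}Done creating docker image!${CLR}"
fi

# Create a temporary directory to write test results to. mktemp picks an
# unpredictable name and creates the directory itself.
TEST_RESULT_DIR=`mktemp -d /tmp/sslscan_test-results_XXXXXXXXXX`
if [[ $? != 0 || -z $TEST_RESULT_DIR ]]; then
    echo -e "${REDB}Error: could not create a temporary directory for test results.${CLR}"
    exit 1
fi

# If the user wants to run a specific test with debugging enabled, do that then exit.
# The function is called by name; eval is not needed for this.
if (( debug_test_number > 0 )); then
    "run_test_${debug_test_number}" 1
    exit 0
fi

# Now run all the tests.
echo -e "\nRunning all tests..."
run_tests

if [[ $all_passed == 1 ]]; then
    echo -e "\n${GREENB}ALL TESTS PASS!${CLR}\n"
    rm -rf -- "$TEST_RESULT_DIR"
    exit 0
else
    echo -e "\n\n${YELLOWB}!! SOME TESTS FAILED !!${CLR}\n\n"
    exit 1
fi

-------------------------------------------------------------------------------- /docker_test/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:22.04 2 | 3 | # Copy OpenSSL's 'openssl' tools. 4 | COPY openssl_prog_v1.0.0 /openssl_v1.0.0/openssl 5 | COPY openssl_prog_v1.0.2 /openssl_v1.0.2/openssl 6 | COPY openssl_prog_v1.1.1 /openssl_v1.1.1/openssl 7 | 8 | # Copy GnuTLS client & server tools, along with their required libraries. 9 | COPY gnutls-cli-v3.6.11.1 /gnutls-3.6.11.1/gnutls-cli 10 | COPY gnutls-serv-v3.6.11.1 /gnutls-3.6.11.1/gnutls-serv 11 | COPY libhogweed.so.5 /usr/lib/ 12 | COPY libnettle.so.7 /usr/lib/ 13 | COPY libgnutls.so.30 /usr/lib/x86_64-linux-gnu/ 14 | 15 | # Copy certificates, keys, and DH parameters. 16 | COPY *.pem /etc/ssl/ 17 | COPY *.crt /etc/ssl/ 18 | 19 | # Copy nginx site configurations & modules. 20 | COPY nginx_site_client_cert_required /etc/nginx/sites-available/ 21 | COPY nginx_test9.conf /etc/nginx/ 22 | 23 | # Install nginx for some tests. 24 | # Install strace for potential debugging, and rsyslog to enable system log gathering.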
25 | RUN apt update 2> /dev/null 26 | RUN apt install -y nginx strace rsyslog ca-certificates 2> /dev/null 27 | RUN apt clean 2> /dev/null 28 | 29 | RUN update-ca-certificates 30 | 31 | EXPOSE 443 32 | -------------------------------------------------------------------------------- /docker_test/ca_cert.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFUTCCAzmgAwIBAgIJAI+xjVeRdKcWMA0GCSqGSIb3DQEBCwUAMD8xCzAJBgNV 3 | BAYTAlhYMR4wHAYDVQQIDBVOb3doZXJlIGluIHBhcnRpY3VsYXIxEDAOBgNVBAcM 4 | B05vd2hlcmUwHhcNMTkxMjAzMDIxNjUzWhcNMjkxMjAzMDIxNjUzWjA/MQswCQYD 5 | VQQGEwJYWDEeMBwGA1UECAwVTm93aGVyZSBpbiBwYXJ0aWN1bGFyMRAwDgYDVQQH 6 | DAdOb3doZXJlMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAze8SR6JK 7 | HTftNJrZdnvzE5LlpU6hCVGr1aIhx1nWae7crLRRB7xAc9T+YIMUhMazKwbMJBIx 8 | 7I6rYeU+FWJBkcc5AREk0C1sM6vlM001kpcYs3amib1DTJkORdQTJlh5+bPlnupa 9 | YJQIqAVKqnEYUJuOblpeUqz2LteVLlV1hycznrvkmywU72AtzaOTx1hrgH7FjpVz 10 | 2M2KJ3zDFO8NfDtqx67fbM8Z/QL+/67tfSFwRKdPU4u38IlushoYbQ/8Y81Hw1tQ 11 | 2px08q2awgtFljHl2cDLsDB8bAsQ+AiU9/3trbTid1U48Q8Uk0BBJ+TXio5qDg+n 12 | bPw0gcXlq+Rj8CBADPzWaBZdAtH1kVlSwJ2PZ5xwi0LKNsJN2wbfJIc6WjA/pL5p 13 | VjS+Yx5X8rhGqWAJDrbLoVoTg/bEy8RPPorxBspFe8jPRoSIWsmDZn+SL0SbgnxV 14 | eZG0tVn6nbWepSUOq23Gc9E6sfMsMR3WxBBIchoWCkPB8Y/X0YeT0V3kGql2fVsT 15 | 6mMTTDvcc4RORikH+wg0EOmzn+WA0I5BzR2zYANfga+cPuowO+U6qf85wzeO6eDp 16 | x49GAyTCGMYlhZd/hWEXD+Q2bZRy2j8osTRe270MKyYiMuP0eB7VZx7pr1zb8fTE 17 | BAh4JI6xUqCG8isoTyEKDdLrX4ilW+ZN2tkCAwEAAaNQME4wHQYDVR0OBBYEFDTe 18 | OueTIjWF4f771PS5kGNY28BLMB8GA1UdIwQYMBaAFDTeOueTIjWF4f771PS5kGNY 19 | 28BLMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBALnZCFWzH3n0GFpO 20 | fYxALeoyrwYia4HrGGQ9JOwQJEHH1sUL3TwvGVoLtSB8962loGakvhtwvtr6XDyk 21 | wqsAF9J1j7PKzXvlVt3MAGDupDMTgOvX9D7GY/MYhteB2ExckmDXGyq/Ustm877S 22 | XaEkwiwCs2Jrm9T6ksZIcFd0OwpzfY+sEBjmKKTKo6n0xOmUEvlIsJ8AHZg0cOsj 23 | LD0hdcdwQ6gtvX+LrjrCWk1OzjHlGWLpDuPhDlhYFidBoRH65SWjUzqH6jmaUjEi 24 | 
pwO3wmPfaXAkSqVw1O+Pkc0BThpSbPCwnn5J6VuAJQN65pLD1vRh0UfpLI8TeOQe 25 | dDDIoiRjRCrBfSmrzZ5uj18fC/MB/6x5jfyPzMMlJCSmpWcuz65imP8VVn8V8M9b 26 | vGM+hgP66xEO4UwBGbKiIWh8Hb0Jqo+vV6AObdpncOmWxnFU891NbyLjgkRfmTMq 27 | dH3q71sarOmvv2aHcZTWwj46mzPoJHViS0lT3XYURTKar16RgMihUmKcMyPdVj75 28 | JDZyvJwpis3zSPTERmYjeuqY3Lb/hXIWHMg3v6+xWrHunj7aFuugCtyl2qm6uHGh 29 | 5uBjZfocr+ZrT4YItUZGsSw4zfkJMIWVuHuX30Q2Gtrkt25IlYCKHZGpb49KyWub 30 | wS03DVRaHGOd/8zksngsXzReZeor 31 | -----END CERTIFICATE----- 32 | -------------------------------------------------------------------------------- /docker_test/ca_key.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDN7xJHokodN+00 3 | mtl2e/MTkuWlTqEJUavVoiHHWdZp7tystFEHvEBz1P5ggxSExrMrBswkEjHsjqth 4 | 5T4VYkGRxzkBESTQLWwzq+UzTTWSlxizdqaJvUNMmQ5F1BMmWHn5s+We6lpglAio 5 | BUqqcRhQm45uWl5SrPYu15UuVXWHJzOeu+SbLBTvYC3No5PHWGuAfsWOlXPYzYon 6 | fMMU7w18O2rHrt9szxn9Av7/ru19IXBEp09Ti7fwiW6yGhhtD/xjzUfDW1DanHTy 7 | rZrCC0WWMeXZwMuwMHxsCxD4CJT3/e2ttOJ3VTjxDxSTQEEn5NeKjmoOD6ds/DSB 8 | xeWr5GPwIEAM/NZoFl0C0fWRWVLAnY9nnHCLQso2wk3bBt8khzpaMD+kvmlWNL5j 9 | HlfyuEapYAkOtsuhWhOD9sTLxE8+ivEGykV7yM9GhIhayYNmf5IvRJuCfFV5kbS1 10 | WfqdtZ6lJQ6rbcZz0Tqx8ywxHdbEEEhyGhYKQ8Hxj9fRh5PRXeQaqXZ9WxPqYxNM 11 | O9xzhE5GKQf7CDQQ6bOf5YDQjkHNHbNgA1+Br5w+6jA75Tqp/znDN47p4OnHj0YD 12 | JMIYxiWFl3+FYRcP5DZtlHLaPyixNF7bvQwrJiIy4/R4HtVnHumvXNvx9MQECHgk 13 | jrFSoIbyKyhPIQoN0utfiKVb5k3a2QIDAQABAoICAGMM1HwEASXgmoUs3d/xak9F 14 | 3pMOKMK0t7O/kgOyoEC/lQC0kizoTQ/pqJh/M8VRVSgi0tmersibLq+ddakPY35c 15 | lnx+5HgFAQAxc8KjJltltYnMTfn+QHp9O7I2eSd+cty5vH4dNm8xhKBcOzeTwiAz 16 | UeSeLrQRYS/SnXx1ulvRbTCyKxi/sSoZ1q4MOa4uRza8wwT7uYbUBdlMVwCgopnY 17 | clmtMOXDDzr0z/XnC2+eP8Olva/vif91+vpLNuhuQfU27Yd3SoJ7snxvJ/qhNU0y 18 | nt2Hr/EEwTOudvD2H8DQMBvW3v6KzSKVIE5bH3uyxEFuknBE80CmZhLtPrTY23/s 19 | 97/ncS+tY3mxr8hOBRyiz7o2zDvPcbSq56jt2JkUUS4mwk2uVzpO9uKhrDY9CkkS 20 | 
Iq5UjV0gtjQ8092Mp83Bazy0q7fTKdwgvsoorbdKMZP4GZ0EPIGJC9r8IH9UD7Cl 21 | 1YVGj1qBXUFznbJmFtNGofvc/8PzZ6TMNscEVOcjy8vrqmhKGcdXMoMl1LxDl/4g 22 | mN26n9uKfatCeRN9qyxOsts3+QEqJq+rKn2odQlCNfpezxNh8uauAx8ZxQ4HXirW 23 | O+CZS5JAlNWK5qp27pGq7JNKy5xyaU8PkC5G/A8Fi35iF1o0j2ICSWkCY3cTd73W 24 | /TvzsGNsbrJLTIFfo1ghAoIBAQDqOp7LfXLZct17TdpBSwq+2IzSN/H6ozKcyXSf 25 | Nnx56Avy1OZkU3ELMN+/zZp9X91dhR+PpXJfcbufiuJIUq0L34ow8X+cnw66hUur 26 | ig9rzs7o1Ak6PZcrVINOjZ5Sn6gzuDMZgH5PzFNjXxZto1KjDLCnf5adoYEUfjJZ 27 | r85ZN9/NlUW/PhZzuyRUW0ouRDsjjnLQouomCrFbva2tvpPggCcRlizHg6ReyX1S 28 | LfozmQbfvI4e60cbRj5MuouJbbvMicecRT5R00HhTfHTj5MMqf5DRToS2ir/QYw6 29 | kZQWHdFih+eDQcZFiPILUxq89OSBJy2UtrfgaFxGiPBdgm5lAoIBAQDhEy5NBB0X 30 | udTc9BJlL/ROp84/ER/OTd4eG57FVXhv/kuC+v2gv/M+PHc7RVSZCh+sEvqs2Dzd 31 | qRms57zQGJ2zbSzhgcCzghpNx+mNXe5UScAUM4sDONOGeeQc15HkAMCz4/umcInc 32 | IcM1zsbxa+AG8YGv9JHuknYBZ2bbaUlsoltQ57sa2h7Wht3ql3IRYSu2hwsWiGlb 33 | MZlozaEXpqH4+LvBfs0gCXNmqMOV72MnEFWFVooSzISi5KakPysH5TNypJpE6FWn 34 | 1ccUMTFFkNRFgn64qUXHyaKQlaMl0UPb3XVcyxB4Wamde8yXoo4trdFRGY1kRLl9 35 | 31zFeZDoT8llAoIBAQDGV61wE2LVz/bNGzfeYnVO9oEI4mb+HoQVUGJ5D+KIOH8l 36 | ujL+ccof99sAyFIyKKODNd9r/GXFfMGscCb9p0Tx8PFMULQHJImMWKOjNt2oJRAB 37 | CMxnjRAdmQs30aRnwtrkMO7UgYJ0gEl8tGCBpvOrLmvI6rnX8ZMkj1iDqePKmQ3j 38 | QKw3LZRFnAs/g65lT1Hk4hNHqS0t2ZAmZ5BSuDbwvJRYyBpTOJ5Pxb9hf52HY+X2 39 | P+z5MbKc3faTcsQGM+37XhCxu9Dx6Tq4VxCYXdPfvXOZ810h6azPSeo9DlmgAM/1 40 | 56+b7m6/IyAThuP1bkqxM0Pd0nwSg0zgTcV86Z4hAoIBAELgYSSPMVnIZMBWYVTh 41 | n9TzNWw12V6Ccpo9mLqHv+Z/B87eZxgpkMwQSVk6K33hrTGC3isXgVZXlYJzxP2M 42 | Iueaa/iBhlGQOeKcoP/ZRiSTWVhnTEnjy64sb6RGRVobAycweailzcCz434Md75q 43 | UEGf5unyYJ4jtJ6MK9rL+P4na7ypbkX3Q6x4nF3FLCaP2d49WAUU+UEYhr3GQ7R0 44 | VbJVrew7khWP2VNKl/roC20jBFY/NX2KeWqxR/aLsmyBJP1OfWw2IKVi9ulACKTj 45 | +L7CnIaf/VT0y7HsVHK7ME+XCPVOfRFVivl5PHxd16Mo/4X6crG1XexRvw4KJg1x 46 | D6UCggEAT+eKtfA0EkA4zQKAC15KZSTxrpYK0phQX6dBTgwXlwoczInlX7HjtQb9 47 | 7G9OzRFZvenzXsBfT+av1ilSjEPo6l/bL664qJY4hzG+5Tq1NC0YA+2Ihb9/wQP/ 48 | 
yXp/tnn27XZChm/wxdGG+s7wpWaZ9LQj/80pbMbH/DoMGlaFyHF+8RPXbDF6ycJF 49 | kAV9E0PKeVBGaQbvEx1NW093F1Lf2yPhPeEA89qjmOigyZQ7r4tIhJxYgzUo3gqD 50 | b8PbWwbrGPGD5AUu6V4Fv2E86mIgoRlcZFayHGDvGSqM5CZ7VSLLc9pc33WPV55T 51 | IvfsnBvVJ9M2TPyXcd9tejBOzLjOkQ== 52 | -----END PRIVATE KEY----- 53 | -------------------------------------------------------------------------------- /docker_test/cert_1024.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDpDCCAYwCCQCaM8BbiyPRSTANBgkqhkiG9w0BAQsFADA/MQswCQYDVQQGEwJY 3 | WDEeMBwGA1UECAwVTm93aGVyZSBpbiBwYXJ0aWN1bGFyMRAwDgYDVQQHDAdOb3do 4 | ZXJlMB4XDTE5MTIwMzAzNTY1MloXDTI5MTIwMzAzNTY1MlowbTELMAkGA1UEBhMC 5 | VVMxCzAJBgNVBAgMAk5ZMRIwEAYDVQQHDAlSb2NoZXN0ZXIxGTAXBgNVBAoMEEJh 6 | bWJvb3psZWQsIEluYy4xIjAgBgNVBAMMGWhvd2Z1Y2tlZGlzbXlkYXRhYmFzZS5j 7 | b20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOak+uYE1LeCoKAIH2Uq8fhm 8 | lf0W8fPDc/iQ1vI3jn7zKruAFSl/0lgVA7SuqbSFJ5slJBQOSGsV87qidl2wzI3f 9 | aU+VU8WYEgswE+BrElNVQ5r5NbGDJW4+Bp+2sxAyvRa+Fu/7deG3mGo9MQp78YTD 10 | Fcko9KbYXUCACSTCVBHNAgMBAAEwDQYJKoZIhvcNAQELBQADggIBAEh3v+b8P6/g 11 | 3OkAzkNpLJ2yQK1AJ35yd9KtmnTWzAYfWqkowWOZPVQv41VG0LEy8DF/DuBlXLyp 12 | H1HfY7hpJYMmZfs1Mdcr1D7pir1nobG7CFJSiS4/R1Irqb4KQhFaYPEvdy6vEh5s 13 | T+DrF6/rWlE1QnoiAoDxgUn7gYv5LThux/aX2L9ne6YY8mxBZm6AXCjsXGSFZdFY 14 | vAFeQTAVs6/lJ5AXrV9IIO5L9MGozeKVKTwz5MqNlQjr2XkGeCJ/+L40NL91/mTK 15 | xuSIZXP3gCyfL+szN7qQ8NWmrqdFoUkzVyV+SUbXfpuVLf+yC7dZGZx8AktqQERr 16 | esKgd54fIJTpZGRtx/y9UW9OAHugAoAd/6Sd1Pk3B2YH4cJPFQTUkod4OKotWs0f 17 | R4DA+aAf0tqFwKRTGDsny/6+nnGenn75zRunmae0R51vS4vbHgEoMVsGLu/QbSdC 18 | +f9DYXpeH96u/0lKl5ueW/Acoa20ngJFS6IzJiWMTJPxWJYq+gOnSMS2OEakoUKU 19 | UYjZ1VFYJrnXB+cKBksY38c6ryskUP1dfaWICwX9DH2MnD1RuuaKcdmhu+k45ujC 20 | LefUCIQ+2K4jMe/Irvk9yAbKfSBZ7xfRfgNPTdr0jjLfSZHhI5QDUOUsP8SEt1yV 21 | CQx1WMxnRCNtwJVsAhisGWFTA0sDImOX 22 | -----END CERTIFICATE----- 23 | -------------------------------------------------------------------------------- 
/docker_test/cert_2048.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIEKTCCAhECCQCaM8BbiyPRSDANBgkqhkiG9w0BAQsFADA/MQswCQYDVQQGEwJY 3 | WDEeMBwGA1UECAwVTm93aGVyZSBpbiBwYXJ0aWN1bGFyMRAwDgYDVQQHDAdOb3do 4 | ZXJlMB4XDTE5MTIwMzAzMDEyM1oXDTI5MTIwMzAzMDEyM1owbjELMAkGA1UEBhMC 5 | VVMxCzAJBgNVBAgMAk5ZMRIwEAYDVQQHDAlSb2NoZXN0ZXIxGTAXBgNVBAoMEEJh 6 | bWJvb3psZWQsIEluYy4xIzAhBgNVBAMMGndoeXRoZWZ1Y2t3YXNpYnJlYWNoZWQu 7 | Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAywGmJp/AoA4TCs6z 8 | bXuiBOkho35IeVvpsy7RqM3y3KxkEFnk/LM6U/ayL+j2vo4/15WPM0PaAGRRbvnQ 9 | EuI1xvhn/0/T4xP+TBe91pTMo/nKrK/ycvBLBqLPZQK9SJbHk6mwfgpQs5S/+VHl 10 | U9jl7+eQWcR+o3NXtv4XFlQyqx1dcokAJrL4wr2vGPkigUNU2iI6FwRB4f7Wo1rB 11 | NzI49uE97IWuh+VBMPYMp+Zn2Om4ptCyjdvSI7DEYc6jyKlPzH2UOgd0RkcwivaS 12 | pxfXJEBOC8PtOxyLg/KPjUTwUh0nHSpeOIbT3HKnOErEbbiHQmlYbbcOyinv3hIl 13 | Rj+PyQIDAQABMA0GCSqGSIb3DQEBCwUAA4ICAQCYTQPx8JIdeNfov2cSsM/8ByDo 14 | M6DDhW+kAgGdhKdGglDXtrtX4ffPYvG1EjQg7TIZJoXWcwng4XWGFI7lGqyAOQn9 15 | KjDqfFj00udNJq8B57JJK3vq71rppcggt5mJnzTrrMlTZ4z8ZMFLnj6drCEsjZLM 16 | 3oRRcBvtfC4j9xT4ZICt8R3eXw18Ne43PT1wRhFpQAud0Y9zPO/0veyAlf/D0suR 17 | 8Ix8XXRr3PU+c5XZeY2uT50FcHNKLgcSmck+25CPnwSdQtdhhfcXGpBKzczjHHTU 18 | yqIBVf9xwM4sCtg50aWrdYTYgFivMqPy4ieLe/NlhrlmjSJPFR/hw7605mTiu4zG 19 | 9Dlr310eCjL8jiASWpfj27u6QYaxFL5yg1mMfl/mvDr9dLV4LnffdkeE8hk+PVkz 20 | IvHKeLhAu39t1JAs841NwW0WhdxOQkSB+VqDmixy9lmJhM0c8I45S9qERvnKrd9S 21 | kMiVxO0d4Aza1eEt1Kep2tfK2CkAzQD30Tl/v4njPZXR7lU5p4g6pr4EukxBwMrs 22 | t2Hs1Czb9x59HV7FDB0Z8DgrNkysi40lRMMNzNoQ2HaoaLKuotwXZFCs5O5HRnze 23 | iMDS3Jy0gDs53TanmxXC2gE/ODeYOqzkOjvGgPruZOMEZ7bKkLkC/lcUxIYy4xoE 24 | PgE/onpOVIay+K/3dQ== 25 | -----END CERTIFICATE----- 26 | -------------------------------------------------------------------------------- /docker_test/cert_3072.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | 
MIIEmTCCAoECCQCaM8BbiyPRSjANBgkqhkiG9w0BAQsFADA/MQswCQYDVQQGEwJY 3 | WDEeMBwGA1UECAwVTm93aGVyZSBpbiBwYXJ0aWN1bGFyMRAwDgYDVQQHDAdOb3do 4 | ZXJlMB4XDTE5MTIwMzA0MDc0M1oXDTI5MTIwMzA0MDc0M1owXjELMAkGA1UEBhMC 5 | VVMxCzAJBgNVBAgMAk5ZMRIwEAYDVQQHDAlSb2NoZXN0ZXIxGTAXBgNVBAoMEEJh 6 | bWJvb3psZWQsIEluYy4xEzARBgNVBAMMCmxtZ3RmeS5jb20wggGiMA0GCSqGSIb3 7 | DQEBAQUAA4IBjwAwggGKAoIBgQDEDVOhDYctVgOYpKM9KUKmixtQxgDfQGVFczN0 8 | l7U5UGD+rASuFRGUUC8YX2WOBcWcxnqhMrXriwlexyM1dL8BupY72sF4xtTEPzn8 9 | 9Gjh6aYFWKh7kD8DjFsC8+3WyfCCNu1k1OzFmiF5SjHbXr81MnbhzdIYQE6UBIEe 10 | 1PpUEk9qbHVoAuVKVLiOq0sCWTHPoz9dQ95ERHoMphdSLfvDRcJlFGTVTa54zad+ 11 | TPjtr8bGh4Baa9Y9VbUG75Vslv0eyH/ai3KEdkBVf39+wpnAd/2pxKu60uTkzSLH 12 | 01QWeryplW5ktNlrv+sLDpieaU6/WYBknyw0m23XDKEwYt5uR9UcoREKqTfstGlL 13 | OWhO73n64+7+r7f3VcwpM6YwerCG9kGkCg683tuzijw3UkXyE+74wEaxlSzw/571 14 | ZMlTb3O85FZ3tn/wrXNqSKEkP0VdwLfw4Y7zyH/slXFhwzJVRlbfNkrEhOUlaXwn 15 | Xw6pClProrhx4s5bVKNEh4cZf1MCAwEAATANBgkqhkiG9w0BAQsFAAOCAgEAikFI 16 | 8LMptJKl9L5WmXW3OFS/stc0dxBQ/0/qzPiDWrhINrFkIYeNZ2fi+Cv6mLXil+C1 17 | 72Mu9YsTJ6L6VjHUnIXAhwQC4gjnhjPoZIQ3sdaQl0I5vwPr5xS6wDLoWtUSjcem 18 | x8x+axPEsqw/EIGv55NsY7YezpqFU48rkRrGbJL9jOVbKcIwzbg5ZxqRZ2kmSUD9 19 | Ze56RqXhwZPbdMmcrIk2632RoAh9HXgndL9QCIvypDnK50KpP/b2C/1Amaux//Rs 20 | ro8C55J/x2FWl0iDwHc4gAtsZvn8aznfGnavj4JHq8+3cZBZQ3zfv6ojFvWCBniT 21 | YGb57CJA+s1MW2urF6ldExgsb/adQN7oXW6I0Y9A+zFOdd3epoa+GJZu2FI7kVs3 22 | VViioCRPDCCxgDJ8CnhBvr5ALd+dWDGOpU7+POWqmtscF56tnPgiCK9J8TsT2GkN 23 | S5h/NbTbxEZvFAJS5x4GnwQBW0o0tmnybLzkRUeUucDg3k/jsMsnQIft2kPtcxD8 24 | vEZWKl/jwfX6EMLIXgAHIDK2HiG9301GlksvDTFaZhMNRcH9RYhTwYYsdLjvs5Bj 25 | aY+evRF2E6MQnaLQ7m1Hg8YZZY5O3Z/n6fPUESd3zMSsXtmcyRZ4KP5LSwTy6HuE 26 | +qEu3vdeFaOd+Ii8k8sD/4SuKf7RcXC3OG5Ne0M= 27 | -----END CERTIFICATE----- 28 | -------------------------------------------------------------------------------- /docker_test/cert_512.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | 
MIIDSjCCATICCQC6PCarUG/VGDANBgkqhkiG9w0BAQQFADA/MQswCQYDVQQGEwJY 3 | WDEeMBwGA1UECAwVTm93aGVyZSBpbiBwYXJ0aWN1bGFyMRAwDgYDVQQHDAdOb3do 4 | ZXJlMB4XDTE5MTIxMzAzNTYyMloXDTI5MTIxMzAzNTYyMlowVzELMAkGA1UEBhMC 5 | WFgxHjAcBgNVBAgMFU5vd2hlcmUgaW4gcGFydGljdWxhcjEQMA4GA1UEBwwHTm93 6 | aGVyZTEWMBQGA1UEAwwNZ2VvY2l0aWVzLmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sA 7 | MEgCQQDL3c8fl0i1RqSy1ctDSAWVbOpOy8b4ruQspvuZ9M28LGCrYq2pSL3NBz3p 8 | CYpNaP0C4KnDvN/N+8DkvIT1NJPVAgMBAAEwDQYJKoZIhvcNAQEEBQADggIBADgl 9 | k3V0s2HTPreUrn37fNwj9jYlATJGiQEy8tOoU42j6hK1nhVDq947JCtRXN3ykQkp 10 | bGWcK8TioA+IgPopW8as7rPPzbG330LYUqTub4v3r7b8NqMQBJeRp5EbDj7cvppW 11 | L8Op/pKNJBdFCL+qp4vw+k31ZALcDLfU2evGLD5cq7S/FmzQs7es0c13RICPK3nI 12 | X4AC19isu52zzMXXECPL51nbWbVH7MRQt/UPzfgyDfe+UIAUpR/cvGqree/fWL2D 13 | UQrIOD/k789XzrynRfjlJjxeSWlIyrSYD+zedjxUyn+L6YfcEwUfaqvfYn1YOeKZ 14 | BXNNTxWWZQtdlXif1L/Tk0xHrXlpMNJOmXUnKu9Wb/7ovTfjxiXHnwrhmOHZAn6O 15 | e1Oev5tnMmVWEtp0c1uowX4BTKtl5v/a827cTSJDVm5Va+cfIGL0MkjFcPz4zq04 16 | Ke/22SM4XdEiUvSiiYj/NrTI4txLid0d+gRZZIzoTnybUobBZUFWYvIFqyi990OF 17 | Mnjercyzb5uEpCiq2xZVwAKSUNMzFqzv+zerN3otOwi3lIY1evNkRdGngmmItEUD 18 | wvNgfpQApqAUH81zFKpnCmOIMZ3XDed+xO7JCJKr1zZ6+qyEhtrew8RL2hMHIok0 19 | jQQ3dyi39Ekmfr+CyKvPBQ+F4qtMHgv7VFd73RBf 20 | -----END CERTIFICATE----- 21 | -------------------------------------------------------------------------------- /docker_test/cert_ecdsa_prime256v1.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDVjCCAT4CCQDe1MM22vqmNTANBgkqhkiG9w0BAQsFADA/MQswCQYDVQQGEwJY 3 | WDEeMBwGA1UECAwVTm93aGVyZSBpbiBwYXJ0aWN1bGFyMRAwDgYDVQQHDAdOb3do 4 | ZXJlMB4XDTE5MTIyMjE5MDE1NloXDTI5MTIyMjE5MDE1NlowZjELMAkGA1UEBhMC 5 | WFgxHjAcBgNVBAgMFU5vd2hlcmUgaW4gcGFydGljdWxhcjEQMA4GA1UEBwwHTm93 6 | aGVyZTElMCMGA1UEAwwcaXRzcGVhbnV0YnV0dGVyamVsbHl0aW1lLmNvbTBZMBMG 7 | ByqGSM49AgEGCCqGSM49AwEHA0IABEJG/H34ca87RR7tz4meDGqz8sV+nSSl2+VB 8 | JFW3M3W85C84Tlx5WG5Z16+GtpsK0hBT84wjkUo0KpPfY7/dCFYwDQYJKoZIhvcN 9 | 
AQELBQADggIBAEATuWgTLHRq3+EDfJj8l5kGhvg8jjAGc/9J1i8oEwJl1Gy8Dv02 10 | jFu67camK09vprZ25EHzyVHUn+1PtZUi1kl/dpnBfFYADHZTOyokhIZ/QWLd1yr4 11 | Oc7ZHcVwODt+S/npfZsga2R66oI+wUQbkF7+/xpFU/DcjevMQkE3Ql5cMaFa5NZf 12 | Z7adpYct7RPTW1aqPVckZbB3FfN85YpTyRVOt3u93/qG73dzIVjVg6YsjZYgtvxD 13 | QhIQotKyAL6lIzA51KtIY0WhE2QmBB4YnIHlK1VkvvTaWk5tcBuY8Se2mBHfAyL5 14 | TESNfxBi884xBoHAJXkV6tZszhEJFgJi7zZS+fpP3kxst+CQBvhSa7gh6hWcqZyL 15 | JGCUTjSUxfZEo97cKqOt8kYMls1eBYuIOUQdmcFbY8ML3O90KpLxosT9cUwsceZc 16 | nBnF1qJwtG0o1RsnAYOLVCuZaimqor7rBGgBwBjkauR58PgQQBvMLtwj59edkkW+ 17 | fAQ/xcI7ofETEKzoxHc1ea6LTE4ELWP58tds5URx0/aGYyMVazKZyhPDk2rh7/r3 18 | uo7rhOrCJBO89u7wRcbSnzxtWxYI3V8+5a/70Eh7ztIUJwOd+XehexJJvqZdeA7p 19 | LBMjnUSNaR1BA4oNXP3vaFUgRFDf8dosmVAstzVDHQlE6l08bFZ0ovpj 20 | -----END CERTIFICATE----- 21 | -------------------------------------------------------------------------------- /docker_test/dhparams_1024.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN DH PARAMETERS----- 2 | MIGHAoGBAOA34y/7fH82VEhOGbr50PFlSTZcVG5+YtJmVsWH+r6Y72UAIyhBbF2D 3 | ll4gK+uYmXam6Uk8Nwf1U4QiLf7H6ZWlk3ynTa0XUWAGDf8Fce/Y9bWaJV+M7Klr 4 | c+WGk/Rt8CySRfB58fzsoGuDEW85tq5rqlkJcIKBr2bgSTtE8kIrAgEC 5 | -----END DH PARAMETERS----- 6 | -------------------------------------------------------------------------------- /docker_test/dhparams_2048.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN DH PARAMETERS----- 2 | MIIBCAKCAQEAhmyrz3SekFJY9nkmUt7tKXi/fNfxw3/UZA9+g0SOsvYxMI+vw8XJ 3 | ILm+8HJR5+kvcz6vkxgbxV9IACEdRzf33zBHcRXzA7OifsAy8CN217d8HNHqurGk 4 | ueCLTn2w1SfMy2Do3NB50AOru32xPBQL9hqLLhqEs8IKdAVuNL/OKmuLCovaAck4 5 | YYCT0Phe6VSmOmMP46dFJYuAIoup6J/TsDLqGIG/G8bZPaAn1XtgjJ23Ptoielu1 6 | z7CcvO2Bxv5gDGUnd/oW+rWU1gJ2Aav62564Fy6tNSVnNWzWy3WGuqMjkzJsEy8L 7 | 3sklLhryd4vf1E2vvFRaupMUY9g0oVWB4wIBAg== 8 | -----END DH PARAMETERS----- 9 | -------------------------------------------------------------------------------- 
/docker_test/dhparams_3072.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN DH PARAMETERS----- 2 | MIIBiAKCAYEAjoI7ICm70zsvw1DgmheGKxrpFz31cR2F+b4P5HwFPJ77EZDDNZQ2 3 | rmfJ6B1F4fFZZcGeEzuRvnujzy3grie33zRDvPLAFSzoTWjarh/bEiMcDFz/X2AY 4 | 7TAlC1snEmdcrnar8H7Twg2pWCbUKrwF/wsBsqjzXtokGqhseUTDgTUjP4JW94li 5 | 3SnqBPLGypFPGmwt5rq6IUARilOXHhwDfodV2JHvbdRvbIUivShYT9YpzLwA512s 6 | sz4clyLNjFDpVdX9HtcQoJL7etStC8Jo7qJvpjkQUGxUrbZR7QM12YfHiT7+dOIi 7 | PyLPGrEm11FWLntxyX+RuR8v5wVaXIiRziwRiz/xy4YM5giYXPQFSWNcSp7YlZO2 8 | 8LyTreyWKp9hHPFN0B2PX1G5XU8bEsIeS/gUVorjd/k6/KsQGHhFpUTMAv43CgYI 9 | UVXqw8DPGQKHejfmA5sX3rKTXZlxQjKofxsZUuymuH+Bn9tQKCLzFVWPMScM0Abb 10 | xNG5W9qEvHGDAgEC 11 | -----END DH PARAMETERS----- 12 | -------------------------------------------------------------------------------- /docker_test/dhparams_512.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN DH PARAMETERS----- 2 | MEYCQQDGepU1BSbkViIkFsK+7q68p2ISObhxXRf9uZAqi1jfEhuFrE9IXrhs1CFe 3 | QFW4cLx60bJttVU6acun8aaySWSjAgEC 4 | -----END DH PARAMETERS----- 5 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_1.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 disabled 8 | SSLv3 enabled 9 | TLSv1.0 enabled 10 | TLSv1.1 enabled 11 | TLSv1.2 enabled 12 | TLSv1.3 disabled 13 | 14 | TLS Fallback SCSV: 15 | Server supports TLS Fallback SCSV 16 | 17 | TLS renegotiation: 18 | Secure session renegotiation supported 19 | 20 | TLS Compression: 21 | Compression enabled (CRIME) 22 | 23 | Heartbleed: 24 | TLSv1.2 not vulnerable to heartbleed 25 | TLSv1.1 not vulnerable to heartbleed 26 | TLSv1.0 not vulnerable to heartbleed 27 | 28 | Supported Server Cipher(s): 29 | Preferred TLSv1.2 256 
bits ECDHE-RSA-AES256-GCM-SHA384  Curve P-256 DHE 256 30 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384  DHE 2048 bits 31 | Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256  Curve P-256 DHE 256 32 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256  DHE 2048 bits 33 | Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve P-256 DHE 256 34 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 2048 bits 35 | Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 256 36 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 2048 bits 37 | Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256 38 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA DHE 2048 bits 39 | Accepted TLSv1.2 256 bits DHE-RSA-CAMELLIA256-SHA DHE 2048 bits 40 | Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256 41 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA DHE 2048 bits 42 | Accepted TLSv1.2 128 bits DHE-RSA-CAMELLIA128-SHA DHE 2048 bits 43 | Accepted TLSv1.2 112 bits ECDHE-RSA-DES-CBC3-SHA  Curve P-256 DHE 256 44 | Accepted TLSv1.2 112 bits DHE-RSA-DES-CBC3-SHA  DHE 2048 bits 45 | Accepted TLSv1.2 256 bits AES256-GCM-SHA384 46 | Accepted TLSv1.2 128 bits AES128-GCM-SHA256 47 | Accepted TLSv1.2 256 bits AES256-SHA256 48 | Accepted TLSv1.2 128 bits AES128-SHA256 49 | Accepted TLSv1.2 256 bits AES256-SHA 50 | Accepted TLSv1.2 256 bits CAMELLIA256-SHA 51 | Accepted TLSv1.2 128 bits AES128-SHA 52 | Accepted TLSv1.2 128 bits CAMELLIA128-SHA 53 | Accepted TLSv1.2 112 bits DES-CBC3-SHA  54 | Accepted TLSv1.2 128 bits TLS_RSA_WITH_RC4_128_MD5  55 | Accepted TLSv1.2 128 bits TLS_RSA_WITH_RC4_128_SHA  56 | Accepted TLSv1.2 128 bits TLS_RSA_WITH_IDEA_CBC_SHA 57 | Accepted TLSv1.2 128 bits TLS_RSA_WITH_SEED_CBC_SHA 58 | Accepted TLSv1.2 128 bits TLS_DHE_RSA_WITH_SEED_CBC_SHA 59 | Accepted TLSv1.2 128 bits TLS_ECDHE_RSA_WITH_RC4_128_SHA 60 | Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256 61 | Accepted TLSv1.1 256 bits DHE-RSA-AES256-SHA 
DHE 2048 bits 62 | Accepted TLSv1.1 256 bits DHE-RSA-CAMELLIA256-SHA DHE 2048 bits 63 | Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256 64 | Accepted TLSv1.1 128 bits DHE-RSA-AES128-SHA DHE 2048 bits 65 | Accepted TLSv1.1 128 bits DHE-RSA-CAMELLIA128-SHA DHE 2048 bits 66 | Accepted TLSv1.1 112 bits ECDHE-RSA-DES-CBC3-SHA  Curve P-256 DHE 256 67 | Accepted TLSv1.1 112 bits DHE-RSA-DES-CBC3-SHA  DHE 2048 bits 68 | Accepted TLSv1.1 256 bits AES256-SHA 69 | Accepted TLSv1.1 256 bits CAMELLIA256-SHA 70 | Accepted TLSv1.1 128 bits AES128-SHA 71 | Accepted TLSv1.1 128 bits CAMELLIA128-SHA 72 | Accepted TLSv1.1 112 bits DES-CBC3-SHA  73 | Accepted TLSv1.1 128 bits TLS_RSA_WITH_RC4_128_MD5  74 | Accepted TLSv1.1 128 bits TLS_RSA_WITH_RC4_128_SHA  75 | Accepted TLSv1.1 128 bits TLS_RSA_WITH_IDEA_CBC_SHA 76 | Accepted TLSv1.1 128 bits TLS_RSA_WITH_SEED_CBC_SHA 77 | Accepted TLSv1.1 128 bits TLS_DHE_RSA_WITH_SEED_CBC_SHA 78 | Accepted TLSv1.1 128 bits TLS_ECDHE_RSA_WITH_RC4_128_SHA 79 | Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256 80 | Accepted TLSv1.0 256 bits DHE-RSA-AES256-SHA DHE 2048 bits 81 | Accepted TLSv1.0 256 bits DHE-RSA-CAMELLIA256-SHA DHE 2048 bits 82 | Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256 83 | Accepted TLSv1.0 128 bits DHE-RSA-AES128-SHA DHE 2048 bits 84 | Accepted TLSv1.0 128 bits DHE-RSA-CAMELLIA128-SHA DHE 2048 bits 85 | Accepted TLSv1.0 112 bits ECDHE-RSA-DES-CBC3-SHA  Curve P-256 DHE 256 86 | Accepted TLSv1.0 112 bits DHE-RSA-DES-CBC3-SHA  DHE 2048 bits 87 | Accepted TLSv1.0 256 bits AES256-SHA 88 | Accepted TLSv1.0 256 bits CAMELLIA256-SHA 89 | Accepted TLSv1.0 128 bits AES128-SHA 90 | Accepted TLSv1.0 128 bits CAMELLIA128-SHA 91 | Accepted TLSv1.0 112 bits DES-CBC3-SHA  92 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_RC4_128_MD5  93 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_RC4_128_SHA  94 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_IDEA_CBC_SHA 95 | Accepted TLSv1.0 128 bits 
TLS_RSA_WITH_SEED_CBC_SHA 96 | Accepted TLSv1.0 128 bits TLS_DHE_RSA_WITH_SEED_CBC_SHA 97 | Accepted TLSv1.0 128 bits TLS_ECDHE_RSA_WITH_RC4_128_SHA 98 | 99 | Server Key Exchange Group(s): 100 | TLSv1.2 128 bits secp256r1 (NIST P-256) 101 | 102 | SSL Certificate: 103 | Signature Algorithm: sha256WithRSAEncryption 104 | RSA Key Strength: 2048 105 | 106 | Subject: whythefuckwasibreached.com 107 | Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere 108 | Not valid before: Dec 3 03:01:23 2019 GMT 109 | Not valid after: Dec 3 03:01:23 2029 GMT 110 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_10.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 disabled 8 | SSLv3 disabled 9 | TLSv1.0 disabled 10 | TLSv1.1 disabled 11 | TLSv1.2 enabled 12 | TLSv1.3 disabled 13 | 14 | Supported Server Cipher(s): 15 | Preferred 400 Bad Request TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305  Curve 25519 DHE 253 16 | 17 | SSL Certificate: 18 | Signature Algorithm: sha256WithRSAEncryption 19 | RSA Key Strength: 3072 20 | 21 | Subject: lmgtfy.com 22 | Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere 23 | Not valid before: Dec 3 04:07:43 2019 GMT 24 | Not valid after: Dec 3 04:07:43 2029 GMT 25 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_11.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 3 | 4 | Testing SSL server www.amazon.com on port 443 using SNI name www.amazon.com 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 disabled 8 | SSLv3 disabled 9 | TLSv1.0 enabled 10 | TLSv1.1 enabled 11 | TLSv1.2 enabled 12 | TLSv1.3 enabled 13 | 14 | OCSP Stapling Request: 15 | OCSP Response Status: successful (0x0) 16 | Response Type: Basic OCSP 
Response 17 | Version: 1 (0x0) 18 | Responder Id: 19 | Produced At: 20 | Responses: 21 | Certificate ID: 22 | Hash Algorithm: 23 | Issuer Name Hash: 24 | Issuer Key Hash: 25 | Serial Number: 26 | Cert Status: good 27 | This Update: 28 | Next Update: 29 | 30 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_12.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 enabled 8 | SSLv3 enabled 9 | TLSv1.0 enabled 10 | TLSv1.1 disabled 11 | TLSv1.2 disabled 12 | TLSv1.3 disabled 13 | 14 | TLS Fallback SCSV: 15 | Server does not support TLS Fallback SCSV 16 | 17 | TLS renegotiation: 18 | Secure session renegotiation supported 19 | 20 | TLS Compression: 21 | Compression enabled (CRIME) 22 | 23 | Heartbleed: 24 | TLSv1.0 not vulnerable to heartbleed 25 | 26 | Supported Server Cipher(s): 27 | Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256 28 | Accepted TLSv1.0 256 bits DHE-RSA-AES256-SHA DHE 512 bits 29 | Accepted TLSv1.0 256 bits DHE-RSA-CAMELLIA256-SHA DHE 512 bits 30 | Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256 31 | Accepted TLSv1.0 128 bits DHE-RSA-AES128-SHA DHE 512 bits 32 | Accepted TLSv1.0 128 bits DHE-RSA-CAMELLIA128-SHA DHE 512 bits 33 | Accepted TLSv1.0 112 bits ECDHE-RSA-DES-CBC3-SHA  Curve P-256 DHE 256 34 | Accepted TLSv1.0 112 bits DHE-RSA-DES-CBC3-SHA  DHE 512 bits 35 | Accepted TLSv1.0 256 bits AES256-SHA 36 | Accepted TLSv1.0 256 bits CAMELLIA256-SHA 37 | Accepted TLSv1.0 128 bits AES128-SHA 38 | Accepted TLSv1.0 128 bits CAMELLIA128-SHA 39 | Accepted TLSv1.0 112 bits DES-CBC3-SHA  40 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_RC4_128_MD5  41 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_RC4_128_SHA  42 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_IDEA_CBC_SHA 43 | Accepted TLSv1.0 56 
bits TLS_RSA_WITH_DES_CBC_SHA  44 | Accepted TLSv1.0 56 bits TLS_DHE_RSA_WITH_DES_CBC_SHA  45 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_SEED_CBC_SHA 46 | Accepted TLSv1.0 128 bits TLS_DHE_RSA_WITH_SEED_CBC_SHA 47 | Accepted TLSv1.0 128 bits TLS_ECDHE_RSA_WITH_RC4_128_SHA 48 | 49 | Server Key Exchange Group(s): 50 | TLSv1.0 128 bits secp256r1 (NIST P-256) 51 | 52 | SSL Certificate: 53 | Signature Algorithm: md5WithRSAEncryption 54 | RSA Key Strength: 512 55 | 56 | Subject: geocities.com 57 | Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere 58 | Not valid before: Dec 13 03:56:22 2019 GMT 59 | Not valid after: Dec 13 03:56:22 2029 GMT 60 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_13.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 disabled 8 | SSLv3 disabled 9 | TLSv1.0 enabled 10 | TLSv1.1 enabled 11 | TLSv1.2 enabled 12 | TLSv1.3 enabled 13 | 14 | TLS Fallback SCSV: 15 | Server supports TLS Fallback SCSV 16 | 17 | TLS renegotiation: 18 | Secure session renegotiation supported 19 | 20 | TLS Compression: 21 | Compression disabled 22 | 23 | Heartbleed: 24 | TLSv1.3 not vulnerable to heartbleed 25 | TLSv1.2 not vulnerable to heartbleed 26 | TLSv1.1 not vulnerable to heartbleed 27 | TLSv1.0 not vulnerable to heartbleed 28 | 29 | Supported Server Cipher(s): 30 | Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256  Curve 25519 DHE 253 31 | Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384  Curve 25519 DHE 253 32 | Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256  Curve 25519 DHE 253 33 | Accepted TLSv1.3 128 bits TLS_AES_128_CCM_SHA256 Curve 25519 DHE 253 34 | Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384  Curve 25519 DHE 253 35 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384  DHE 2048 bits 36 | Accepted 
TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305  Curve 25519 DHE 253 37 | Accepted TLSv1.2 256 bits DHE-RSA-CHACHA20-POLY1305  DHE 2048 bits 38 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-CCM DHE 2048 bits 39 | Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256  Curve 25519 DHE 253 40 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256  DHE 2048 bits 41 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-CCM DHE 2048 bits 42 | Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253 43 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA DHE 2048 bits 44 | Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253 45 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA DHE 2048 bits 46 | Accepted TLSv1.2 256 bits AES256-GCM-SHA384 47 | Accepted TLSv1.2 256 bits AES256-CCM 48 | Accepted TLSv1.2 128 bits AES128-GCM-SHA256 49 | Accepted TLSv1.2 128 bits AES128-CCM 50 | Accepted TLSv1.2 256 bits AES256-SHA 51 | Accepted TLSv1.2 128 bits AES128-SHA 52 | Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253 53 | Accepted TLSv1.1 256 bits DHE-RSA-AES256-SHA DHE 2048 bits 54 | Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253 55 | Accepted TLSv1.1 128 bits DHE-RSA-AES128-SHA DHE 2048 bits 56 | Accepted TLSv1.1 256 bits AES256-SHA 57 | Accepted TLSv1.1 128 bits AES128-SHA 58 | Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253 59 | Accepted TLSv1.0 256 bits DHE-RSA-AES256-SHA DHE 2048 bits 60 | Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253 61 | Accepted TLSv1.0 128 bits DHE-RSA-AES128-SHA DHE 2048 bits 62 | Accepted TLSv1.0 256 bits AES256-SHA 63 | Accepted TLSv1.0 128 bits AES128-SHA 64 | 65 | Server Key Exchange Group(s): 66 | TLSv1.3 128 bits secp256r1 (NIST P-256) 67 | TLSv1.3 192 bits secp384r1 (NIST P-384) 68 | TLSv1.3 260 bits secp521r1 (NIST P-521) 69 | TLSv1.3 128 bits x25519 70 | TLSv1.3 112 bits ffdhe2048 71 | TLSv1.3 128 bits ffdhe3072 72 | TLSv1.3 150 bits ffdhe4096 73 | TLSv1.3 175 bits 
ffdhe6144 74 | TLSv1.3 192 bits ffdhe8192 75 | TLSv1.2 128 bits secp256r1 (NIST P-256) 76 | TLSv1.2 192 bits secp384r1 (NIST P-384) 77 | TLSv1.2 260 bits secp521r1 (NIST P-521) 78 | TLSv1.2 128 bits x25519 79 | 80 | SSL Certificate: 81 | Signature Algorithm: sha256WithRSAEncryption 82 | RSA Key Strength: 3072 83 | 84 | Subject: lmgtfy.com 85 | Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere 86 | Not valid before: Dec 3 04:07:43 2019 GMT 87 | Not valid after: Dec 3 04:07:43 2029 GMT 88 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_14.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 disabled 8 | SSLv3 disabled 9 | TLSv1.0 disabled 10 | TLSv1.1 disabled 11 | TLSv1.2 enabled 12 | TLSv1.3 enabled 13 | 14 | TLS Fallback SCSV: 15 | Server supports TLS Fallback SCSV 16 | 17 | TLS renegotiation: 18 | Session renegotiation not supported 19 | 20 | TLS Compression: 21 | Compression disabled 22 | 23 | Heartbleed: 24 | TLSv1.3 not vulnerable to heartbleed 25 | TLSv1.2 not vulnerable to heartbleed 26 | 27 | Supported Server Cipher(s): 28 | Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256  Curve P-521 DHE 521 29 | Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384  Curve P-521 DHE 521 30 | Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256  Curve P-521 DHE 521 31 | Accepted TLSv1.3 128 bits TLS_AES_128_CCM_SHA256 Curve P-521 DHE 521 32 | Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384  Curve P-521 DHE 521 33 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384  DHE 8192 bits 34 | Accepted TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305  Curve P-521 DHE 521 35 | Accepted TLSv1.2 256 bits DHE-RSA-CHACHA20-POLY1305  DHE 8192 bits 36 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-CCM DHE 8192 bits 37 | Accepted TLSv1.2 128 bits 
ECDHE-RSA-AES128-GCM-SHA256  Curve P-521 DHE 521 38 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256  DHE 8192 bits 39 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-CCM DHE 8192 bits 40 | Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-521 DHE 521 41 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA DHE 8192 bits 42 | Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve P-521 DHE 521 43 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA DHE 8192 bits 44 | Accepted TLSv1.2 256 bits AES256-GCM-SHA384 45 | Accepted TLSv1.2 256 bits AES256-CCM 46 | Accepted TLSv1.2 128 bits AES128-GCM-SHA256 47 | Accepted TLSv1.2 128 bits AES128-CCM 48 | Accepted TLSv1.2 256 bits AES256-SHA 49 | Accepted TLSv1.2 128 bits AES128-SHA 50 | 51 | Server Key Exchange Group(s): 52 | TLSv1.3 260 bits secp521r1 (NIST P-521) 53 | TLSv1.3 192 bits ffdhe8192 54 | TLSv1.2 260 bits secp521r1 (NIST P-521) 55 | 56 | SSL Certificate: 57 | Signature Algorithm: sha256WithRSAEncryption 58 | RSA Key Strength: 3072 59 | 60 | Subject: lmgtfy.com 61 | Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere 62 | Not valid before: Dec 3 04:07:43 2019 GMT 63 | Not valid after: Dec 3 04:07:43 2029 GMT 64 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_15.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 disabled 8 | SSLv3 disabled 9 | TLSv1.0 enabled 10 | TLSv1.1 enabled 11 | TLSv1.2 enabled 12 | TLSv1.3 enabled 13 | 14 | TLS Fallback SCSV: 15 | Server supports TLS Fallback SCSV 16 | 17 | TLS renegotiation: 18 | Secure session renegotiation supported 19 | 20 | TLS Compression: 21 | Compression disabled 22 | 23 | Heartbleed: 24 | TLSv1.3 not vulnerable to heartbleed 25 | TLSv1.2 not vulnerable to heartbleed 26 | TLSv1.1 not vulnerable to heartbleed 27 | TLSv1.0 not 
vulnerable to heartbleed 28 | 29 | Supported Server Cipher(s): 30 | Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256  Curve 25519 DHE 253 31 | Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384  Curve 25519 DHE 253 32 | Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256  Curve 25519 DHE 253 33 | Accepted TLSv1.3 128 bits TLS_AES_128_CCM_SHA256 Curve 25519 DHE 253 34 | Preferred TLSv1.2 256 bits ECDHE-ECDSA-AES256-GCM-SHA384 Curve 25519 DHE 253 35 | Accepted TLSv1.2 256 bits ECDHE-ECDSA-CHACHA20-POLY1305 Curve 25519 DHE 253 36 | Accepted TLSv1.2 256 bits ECDHE-ECDSA-AES256-CCM Curve 25519 DHE 253 37 | Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-GCM-SHA256 Curve 25519 DHE 253 38 | Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-CCM Curve 25519 DHE 253 39 | Accepted TLSv1.2 256 bits ECDHE-ECDSA-AES256-SHA Curve 25519 DHE 253 40 | Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-SHA Curve 25519 DHE 253 41 | Preferred TLSv1.1 256 bits ECDHE-ECDSA-AES256-SHA Curve 25519 DHE 253 42 | Accepted TLSv1.1 128 bits ECDHE-ECDSA-AES128-SHA Curve 25519 DHE 253 43 | Preferred TLSv1.0 256 bits ECDHE-ECDSA-AES256-SHA Curve 25519 DHE 253 44 | Accepted TLSv1.0 128 bits ECDHE-ECDSA-AES128-SHA Curve 25519 DHE 253 45 | 46 | Server Key Exchange Group(s): 47 | TLSv1.3 128 bits secp256r1 (NIST P-256) 48 | TLSv1.3 192 bits secp384r1 (NIST P-384) 49 | TLSv1.3 260 bits secp521r1 (NIST P-521) 50 | TLSv1.3 128 bits x25519 51 | TLSv1.3 112 bits ffdhe2048 52 | TLSv1.3 128 bits ffdhe3072 53 | TLSv1.3 150 bits ffdhe4096 54 | TLSv1.3 175 bits ffdhe6144 55 | TLSv1.3 192 bits ffdhe8192 56 | TLSv1.2 128 bits secp256r1 (NIST P-256) 57 | TLSv1.2 192 bits secp384r1 (NIST P-384) 58 | TLSv1.2 260 bits secp521r1 (NIST P-521) 59 | TLSv1.2 128 bits x25519 60 | 61 | SSL Certificate: 62 | Signature Algorithm: sha256WithRSAEncryption 63 | ECC Curve Name: prime256v1 64 | ECC Key Strength: 128 65 | 66 | Subject: itspeanutbutterjellytime.com 67 | Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere 68 | Not valid before: Dec 
22 19:01:56 2019 GMT 69 | Not valid after: Dec 22 19:01:56 2029 GMT 70 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_16.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 disabled 8 | SSLv3 disabled 9 | TLSv1.0 disabled 10 | TLSv1.1 disabled 11 | TLSv1.2 enabled 12 | TLSv1.3 disabled 13 | 14 | TLS Fallback SCSV: 15 | Server supports TLS Fallback SCSV 16 | 17 | TLS renegotiation: 18 | Session renegotiation not supported 19 | 20 | TLS Compression: 21 | Compression disabled 22 | 23 | Heartbleed: 24 | TLSv1.2 not vulnerable to heartbleed 25 | 26 | Supported Server Cipher(s): 27 | Preferred TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384  DHE 2048 bits 28 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256  DHE 2048 bits 29 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 2048 bits 30 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 2048 bits 31 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA DHE 2048 bits 32 | Accepted TLSv1.2 256 bits DHE-RSA-CAMELLIA256-SHA DHE 2048 bits 33 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA DHE 2048 bits 34 | Accepted TLSv1.2 128 bits DHE-RSA-CAMELLIA128-SHA DHE 2048 bits 35 | Accepted TLSv1.2 112 bits DHE-RSA-DES-CBC3-SHA  DHE 2048 bits 36 | Accepted TLSv1.2 256 bits AES256-GCM-SHA384 37 | Accepted TLSv1.2 128 bits AES128-GCM-SHA256 38 | Accepted TLSv1.2 256 bits AES256-SHA256 39 | Accepted TLSv1.2 128 bits AES128-SHA256 40 | Accepted TLSv1.2 256 bits AES256-SHA 41 | Accepted TLSv1.2 256 bits CAMELLIA256-SHA 42 | Accepted TLSv1.2 128 bits AES128-SHA 43 | Accepted TLSv1.2 128 bits CAMELLIA128-SHA 44 | Accepted TLSv1.2 112 bits DES-CBC3-SHA  45 | Accepted TLSv1.2 128 bits TLS_RSA_WITH_RC4_128_MD5  46 | Accepted TLSv1.2 128 bits TLS_RSA_WITH_RC4_128_SHA  47 | Accepted TLSv1.2 128 bits 
TLS_RSA_WITH_IDEA_CBC_SHA 48 | Accepted TLSv1.2 128 bits TLS_RSA_WITH_SEED_CBC_SHA 49 | Accepted TLSv1.2 128 bits TLS_DHE_RSA_WITH_SEED_CBC_SHA 50 | 51 | Server Key Exchange Group(s): 52 | TLSv1.2 81 bits sect163k1 53 | 54 | SSL Certificate: 55 | Signature Algorithm: sha256WithRSAEncryption 56 | RSA Key Strength: 1024 57 | 58 | Subject: howfuckedismydatabase.com 59 | Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere 60 | Not valid before: Dec 3 03:56:52 2019 GMT 61 | Not valid after: Dec 3 03:56:52 2029 GMT 62 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_17.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 disabled 8 | SSLv3 disabled 9 | TLSv1.0 disabled 10 | TLSv1.1 disabled 11 | TLSv1.2 enabled 12 | TLSv1.3 disabled 13 | 14 | TLS Fallback SCSV: 15 | Server supports TLS Fallback SCSV 16 | 17 | TLS renegotiation: 18 | Session renegotiation not supported 19 | 20 | TLS Compression: 21 | Compression disabled 22 | 23 | Heartbleed: 24 | TLSv1.2 not vulnerable to heartbleed 25 | 26 | Supported Server Cipher(s): 27 | Preferred TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384  DHE 1024 bits 28 | Accepted TLSv1.2 256 bits DHE-RSA-CHACHA20-POLY1305  DHE 1024 bits 29 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256  DHE 1024 bits 30 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 1024 bits 31 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 1024 bits 32 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA DHE 1024 bits 33 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA DHE 1024 bits 34 | Accepted TLSv1.2 256 bits AES256-GCM-SHA384 35 | Accepted TLSv1.2 128 bits AES128-GCM-SHA256 36 | Accepted TLSv1.2 256 bits AES256-SHA256 37 | Accepted TLSv1.2 128 bits AES128-SHA256 38 | Accepted TLSv1.2 256 bits AES256-SHA 39 | Accepted 
TLSv1.2 128 bits AES128-SHA 40 | 41 | Server Key Exchange Group(s): 42 | TLSv1.2 256 bits brainpoolP512r1 43 | 44 | SSL Certificate: 45 | Signature Algorithm: sha256WithRSAEncryption 46 | RSA Key Strength: 1024 47 | 48 | Subject: howfuckedismydatabase.com 49 | Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere 50 | Not valid before: Dec 3 03:56:52 2019 GMT 51 | Not valid after: Dec 3 03:56:52 2029 GMT 52 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_18.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 disabled 8 | SSLv3 disabled 9 | TLSv1.0 disabled 10 | TLSv1.1 disabled 11 | TLSv1.2 enabled 12 | TLSv1.3 disabled 13 | 14 | TLS Fallback SCSV: 15 | Server supports TLS Fallback SCSV 16 | 17 | TLS renegotiation: 18 | Session renegotiation not supported 19 | 20 | TLS Compression: 21 | Compression disabled 22 | 23 | Heartbleed: 24 | TLSv1.2 not vulnerable to heartbleed 25 | 26 | Supported Server Cipher(s): 27 | Preferred TLSv1.2 256 bits ECDHE-ECDSA-CHACHA20-POLY1305 Curve 25519 DHE 253 28 | Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-GCM-SHA256 Curve 25519 DHE 253 29 | Accepted TLSv1.2 128 bits TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 30 | 31 | Server Key Exchange Group(s): 32 | TLSv1.2 128 bits secp256r1 (NIST P-256) 33 | TLSv1.2 192 bits secp384r1 (NIST P-384) 34 | TLSv1.2 260 bits secp521r1 (NIST P-521) 35 | TLSv1.2 128 bits x25519 36 | 37 | SSL Certificate: 38 | Signature Algorithm: sha256WithRSAEncryption 39 | ECC Curve Name: prime256v1 40 | ECC Key Strength: 128 41 | 42 | Subject: itspeanutbutterjellytime.com 43 | Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere 44 | Not valid before: Dec 22 19:01:56 2019 GMT 45 | Not valid after: Dec 22 19:01:56 2029 GMT 46 | 
-------------------------------------------------------------------------------- /docker_test/expected_output/test_2.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 enabled 8 | SSLv3 disabled 9 | TLSv1.0 disabled 10 | TLSv1.1 disabled 11 | TLSv1.2 disabled 12 | TLSv1.3 disabled 13 | 14 | TLS Fallback SCSV: 15 | Connection failed - unable to determine TLS Fallback SCSV support 16 | 17 | TLS renegotiation: 18 | Session renegotiation not supported 19 | 20 | TLS Compression: 21 | Compression disabled 22 | 23 | Heartbleed: 24 | 25 | Supported Server Cipher(s): 26 | Unable to parse certificate 27 | Unable to parse certificate 28 | Unable to parse certificate 29 | Unable to parse certificate 30 | Certificate information cannot be retrieved. 31 | 32 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_3.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 disabled 8 | SSLv3 enabled 9 | TLSv1.0 disabled 10 | TLSv1.1 disabled 11 | TLSv1.2 disabled 12 | TLSv1.3 disabled 13 | 14 | TLS Fallback SCSV: 15 | Connection failed - unable to determine TLS Fallback SCSV support 16 | 17 | TLS renegotiation: 18 | Session renegotiation not supported 19 | 20 | TLS Compression: 21 | Compression disabled 22 | 23 | Heartbleed: 24 | 25 | Supported Server Cipher(s): 26 | Unable to parse certificate 27 | Unable to parse certificate 28 | Unable to parse certificate 29 | Unable to parse certificate 30 | Certificate information cannot be retrieved. 
31 | 32 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_4.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 disabled 8 | SSLv3 disabled 9 | TLSv1.0 enabled 10 | TLSv1.1 enabled 11 | TLSv1.2 enabled 12 | TLSv1.3 enabled 13 | 14 | TLS Fallback SCSV: 15 | Server supports TLS Fallback SCSV 16 | 17 | TLS renegotiation: 18 | Secure session renegotiation supported 19 | 20 | TLS Compression: 21 | Compression disabled 22 | 23 | Heartbleed: 24 | TLSv1.3 not vulnerable to heartbleed 25 | TLSv1.2 not vulnerable to heartbleed 26 | TLSv1.1 not vulnerable to heartbleed 27 | TLSv1.0 not vulnerable to heartbleed 28 | 29 | Supported Server Cipher(s): 30 | Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256  Curve 25519 DHE 253 31 | Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384  Curve 25519 DHE 253 32 | Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256  Curve 25519 DHE 253 33 | Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384  Curve 25519 DHE 253 34 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384  DHE 3072 bits 35 | Accepted TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305  Curve 25519 DHE 253 36 | Accepted TLSv1.2 256 bits DHE-RSA-CHACHA20-POLY1305  DHE 3072 bits 37 | Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256  Curve 25519 DHE 253 38 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256  DHE 3072 bits 39 | Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve 25519 DHE 253 40 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 3072 bits 41 | Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve 25519 DHE 253 42 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 3072 bits 43 | Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253 44 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA DHE 3072 bits 
45 | Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253 46 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA DHE 3072 bits 47 | Accepted TLSv1.2 256 bits AES256-GCM-SHA384 48 | Accepted TLSv1.2 128 bits AES128-GCM-SHA256 49 | Accepted TLSv1.2 256 bits AES256-SHA256 50 | Accepted TLSv1.2 128 bits AES128-SHA256 51 | Accepted TLSv1.2 256 bits AES256-SHA 52 | Accepted TLSv1.2 128 bits AES128-SHA 53 | Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253 54 | Accepted TLSv1.1 256 bits DHE-RSA-AES256-SHA DHE 3072 bits 55 | Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253 56 | Accepted TLSv1.1 128 bits DHE-RSA-AES128-SHA DHE 3072 bits 57 | Accepted TLSv1.1 256 bits AES256-SHA 58 | Accepted TLSv1.1 128 bits AES128-SHA 59 | Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253 60 | Accepted TLSv1.0 256 bits DHE-RSA-AES256-SHA DHE 3072 bits 61 | Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253 62 | Accepted TLSv1.0 128 bits DHE-RSA-AES128-SHA DHE 3072 bits 63 | Accepted TLSv1.0 256 bits AES256-SHA 64 | Accepted TLSv1.0 128 bits AES128-SHA 65 | 66 | Server Key Exchange Group(s): 67 | TLSv1.3 128 bits secp256r1 (NIST P-256) 68 | TLSv1.3 192 bits secp384r1 (NIST P-384) 69 | TLSv1.3 260 bits secp521r1 (NIST P-521) 70 | TLSv1.3 128 bits x25519 71 | TLSv1.3 224 bits x448 72 | TLSv1.2 128 bits secp256r1 (NIST P-256) 73 | TLSv1.2 192 bits secp384r1 (NIST P-384) 74 | TLSv1.2 260 bits secp521r1 (NIST P-521) 75 | TLSv1.2 128 bits x25519 76 | TLSv1.2 224 bits x448 77 | 78 | SSL Certificate: 79 | Signature Algorithm: sha256WithRSAEncryption 80 | RSA Key Strength: 3072 81 | 82 | Subject: lmgtfy.com 83 | Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere 84 | Not valid before: Dec 3 04:07:43 2019 GMT 85 | Not valid after: Dec 3 04:07:43 2029 GMT 86 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_5.txt: 
-------------------------------------------------------------------------------- 1 |  2 | Connected to 127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 disabled 8 | SSLv3 enabled 9 | TLSv1.0 enabled 10 | TLSv1.1 enabled 11 | TLSv1.2 enabled 12 | TLSv1.3 disabled 13 | 14 | TLS Fallback SCSV: 15 | Server supports TLS Fallback SCSV 16 | 17 | TLS renegotiation: 18 | Secure session renegotiation supported 19 | 20 | TLS Compression: 21 | Compression enabled (CRIME) 22 | 23 | Heartbleed: 24 | TLSv1.2 not vulnerable to heartbleed 25 | TLSv1.1 not vulnerable to heartbleed 26 | TLSv1.0 not vulnerable to heartbleed 27 | 28 | Supported Server Cipher(s): 29 | Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384  Curve P-256 DHE 256 30 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384  DHE 1024 bits 31 | Accepted TLSv1.2 256 bits ADH-AES256-GCM-SHA384  DHE 1024 bits 32 | Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256  Curve P-256 DHE 256 33 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256  DHE 1024 bits 34 | Accepted TLSv1.2 128 bits ADH-AES128-GCM-SHA256  DHE 1024 bits 35 | Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve P-256 DHE 256 36 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 1024 bits 37 | Accepted TLSv1.2 256 bits ADH-AES256-SHA256  DHE 1024 bits 38 | Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 256 39 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 1024 bits 40 | Accepted TLSv1.2 128 bits ADH-AES128-SHA256  DHE 1024 bits 41 | Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256 42 | Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA DHE 1024 bits 43 | Accepted TLSv1.2 256 bits DHE-RSA-CAMELLIA256-SHA DHE 1024 bits 44 | Accepted TLSv1.2 256 bits AECDH-AES256-SHA  Curve P-256 DHE 256 45 | Accepted TLSv1.2 256 bits ADH-AES256-SHA  DHE 1024 bits 46 | Accepted TLSv1.2 256 bits ADH-CAMELLIA256-SHA  DHE 1024 bits 47 | Accepted TLSv1.2 
128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256 48 | Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA DHE 1024 bits 49 | Accepted TLSv1.2 128 bits DHE-RSA-CAMELLIA128-SHA DHE 1024 bits 50 | Accepted TLSv1.2 128 bits AECDH-AES128-SHA  Curve P-256 DHE 256 51 | Accepted TLSv1.2 128 bits ADH-AES128-SHA  DHE 1024 bits 52 | Accepted TLSv1.2 128 bits ADH-CAMELLIA128-SHA  DHE 1024 bits 53 | Accepted TLSv1.2 112 bits ECDHE-RSA-DES-CBC3-SHA  Curve P-256 DHE 256 54 | Accepted TLSv1.2 112 bits DHE-RSA-DES-CBC3-SHA  DHE 1024 bits 55 | Accepted TLSv1.2 112 bits AECDH-DES-CBC3-SHA  Curve P-256 DHE 256 56 | Accepted TLSv1.2 112 bits ADH-DES-CBC3-SHA  DHE 1024 bits 57 | Accepted TLSv1.2 256 bits AES256-GCM-SHA384 58 | Accepted TLSv1.2 128 bits AES128-GCM-SHA256 59 | Accepted TLSv1.2 256 bits AES256-SHA256 60 | Accepted TLSv1.2 128 bits AES128-SHA256 61 | Accepted TLSv1.2 256 bits AES256-SHA 62 | Accepted TLSv1.2 256 bits CAMELLIA256-SHA 63 | Accepted TLSv1.2 128 bits AES128-SHA 64 | Accepted TLSv1.2 128 bits CAMELLIA128-SHA 65 | Accepted TLSv1.2 112 bits DES-CBC3-SHA  66 | Accepted TLSv1.2 40 bits TLS_RSA_EXPORT_WITH_RC4_40_MD5 67 | Accepted TLSv1.2 128 bits TLS_RSA_WITH_RC4_128_MD5  68 | Accepted TLSv1.2 128 bits TLS_RSA_WITH_RC4_128_SHA  69 | Accepted TLSv1.2 40 bits TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 70 | Accepted TLSv1.2 128 bits TLS_RSA_WITH_IDEA_CBC_SHA 71 | Accepted TLSv1.2 40 bits TLS_RSA_EXPORT_WITH_DES40_CBC_SHA 72 | Accepted TLSv1.2 56 bits TLS_RSA_WITH_DES_CBC_SHA  73 | Accepted TLSv1.2 56 bits TLS_DHE_RSA_WITH_DES_CBC_SHA  74 | Accepted TLSv1.2 128 bits TLS_DH_anon_WITH_RC4_128_MD5  75 | Accepted TLSv1.2 56 bits TLS_DH_anon_WITH_DES_CBC_SHA  76 | Accepted TLSv1.2 128 bits TLS_RSA_WITH_SEED_CBC_SHA 77 | Accepted TLSv1.2 128 bits TLS_DHE_RSA_WITH_SEED_CBC_SHA 78 | Accepted TLSv1.2 128 bits TLS_DH_anon_WITH_SEED_CBC_SHA 79 | Accepted TLSv1.2 128 bits TLS_ECDHE_RSA_WITH_RC4_128_SHA 80 | Accepted TLSv1.2 128 bits TLS_ECDH_anon_WITH_RC4_128_SHA 81 | Preferred TLSv1.1 256 bits 
ECDHE-RSA-AES256-SHA Curve P-256 DHE 256 82 | Accepted TLSv1.1 256 bits DHE-RSA-AES256-SHA DHE 1024 bits 83 | Accepted TLSv1.1 256 bits DHE-RSA-CAMELLIA256-SHA DHE 1024 bits 84 | Accepted TLSv1.1 256 bits AECDH-AES256-SHA  Curve P-256 DHE 256 85 | Accepted TLSv1.1 256 bits ADH-AES256-SHA  DHE 1024 bits 86 | Accepted TLSv1.1 256 bits ADH-CAMELLIA256-SHA  DHE 1024 bits 87 | Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256 88 | Accepted TLSv1.1 128 bits DHE-RSA-AES128-SHA DHE 1024 bits 89 | Accepted TLSv1.1 128 bits DHE-RSA-CAMELLIA128-SHA DHE 1024 bits 90 | Accepted TLSv1.1 128 bits AECDH-AES128-SHA  Curve P-256 DHE 256 91 | Accepted TLSv1.1 128 bits ADH-AES128-SHA  DHE 1024 bits 92 | Accepted TLSv1.1 128 bits ADH-CAMELLIA128-SHA  DHE 1024 bits 93 | Accepted TLSv1.1 112 bits ECDHE-RSA-DES-CBC3-SHA  Curve P-256 DHE 256 94 | Accepted TLSv1.1 112 bits DHE-RSA-DES-CBC3-SHA  DHE 1024 bits 95 | Accepted TLSv1.1 112 bits AECDH-DES-CBC3-SHA  Curve P-256 DHE 256 96 | Accepted TLSv1.1 112 bits ADH-DES-CBC3-SHA  DHE 1024 bits 97 | Accepted TLSv1.1 256 bits AES256-SHA 98 | Accepted TLSv1.1 256 bits CAMELLIA256-SHA 99 | Accepted TLSv1.1 128 bits AES128-SHA 100 | Accepted TLSv1.1 128 bits CAMELLIA128-SHA 101 | Accepted TLSv1.1 112 bits DES-CBC3-SHA  102 | Accepted TLSv1.1 40 bits TLS_RSA_EXPORT_WITH_RC4_40_MD5 103 | Accepted TLSv1.1 128 bits TLS_RSA_WITH_RC4_128_MD5  104 | Accepted TLSv1.1 128 bits TLS_RSA_WITH_RC4_128_SHA  105 | Accepted TLSv1.1 40 bits TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 106 | Accepted TLSv1.1 128 bits TLS_RSA_WITH_IDEA_CBC_SHA 107 | Accepted TLSv1.1 40 bits TLS_RSA_EXPORT_WITH_DES40_CBC_SHA 108 | Accepted TLSv1.1 56 bits TLS_RSA_WITH_DES_CBC_SHA  109 | Accepted TLSv1.1 56 bits TLS_DHE_RSA_WITH_DES_CBC_SHA  110 | Accepted TLSv1.1 128 bits TLS_DH_anon_WITH_RC4_128_MD5  111 | Accepted TLSv1.1 56 bits TLS_DH_anon_WITH_DES_CBC_SHA  112 | Accepted TLSv1.1 128 bits TLS_RSA_WITH_SEED_CBC_SHA 113 | Accepted TLSv1.1 128 bits TLS_DHE_RSA_WITH_SEED_CBC_SHA 
114 | Accepted TLSv1.1 128 bits TLS_DH_anon_WITH_SEED_CBC_SHA 115 | Accepted TLSv1.1 128 bits TLS_ECDHE_RSA_WITH_RC4_128_SHA 116 | Accepted TLSv1.1 128 bits TLS_ECDH_anon_WITH_RC4_128_SHA 117 | Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256 118 | Accepted TLSv1.0 256 bits DHE-RSA-AES256-SHA DHE 1024 bits 119 | Accepted TLSv1.0 256 bits DHE-RSA-CAMELLIA256-SHA DHE 1024 bits 120 | Accepted TLSv1.0 256 bits AECDH-AES256-SHA  Curve P-256 DHE 256 121 | Accepted TLSv1.0 256 bits ADH-AES256-SHA  DHE 1024 bits 122 | Accepted TLSv1.0 256 bits ADH-CAMELLIA256-SHA  DHE 1024 bits 123 | Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256 124 | Accepted TLSv1.0 128 bits DHE-RSA-AES128-SHA DHE 1024 bits 125 | Accepted TLSv1.0 128 bits DHE-RSA-CAMELLIA128-SHA DHE 1024 bits 126 | Accepted TLSv1.0 128 bits AECDH-AES128-SHA  Curve P-256 DHE 256 127 | Accepted TLSv1.0 128 bits ADH-AES128-SHA  DHE 1024 bits 128 | Accepted TLSv1.0 128 bits ADH-CAMELLIA128-SHA  DHE 1024 bits 129 | Accepted TLSv1.0 112 bits ECDHE-RSA-DES-CBC3-SHA  Curve P-256 DHE 256 130 | Accepted TLSv1.0 112 bits DHE-RSA-DES-CBC3-SHA  DHE 1024 bits 131 | Accepted TLSv1.0 112 bits AECDH-DES-CBC3-SHA  Curve P-256 DHE 256 132 | Accepted TLSv1.0 112 bits ADH-DES-CBC3-SHA  DHE 1024 bits 133 | Accepted TLSv1.0 256 bits AES256-SHA 134 | Accepted TLSv1.0 256 bits CAMELLIA256-SHA 135 | Accepted TLSv1.0 128 bits AES128-SHA 136 | Accepted TLSv1.0 128 bits CAMELLIA128-SHA 137 | Accepted TLSv1.0 112 bits DES-CBC3-SHA  138 | Accepted TLSv1.0 40 bits TLS_RSA_EXPORT_WITH_RC4_40_MD5 139 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_RC4_128_MD5  140 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_RC4_128_SHA  141 | Accepted TLSv1.0 40 bits TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 142 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_IDEA_CBC_SHA 143 | Accepted TLSv1.0 40 bits TLS_RSA_EXPORT_WITH_DES40_CBC_SHA 144 | Accepted TLSv1.0 56 bits TLS_RSA_WITH_DES_CBC_SHA  145 | Accepted TLSv1.0 56 bits TLS_DHE_RSA_WITH_DES_CBC_SHA  146 
| Accepted TLSv1.0 128 bits TLS_DH_anon_WITH_RC4_128_MD5  147 | Accepted TLSv1.0 56 bits TLS_DH_anon_WITH_DES_CBC_SHA  148 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_SEED_CBC_SHA 149 | Accepted TLSv1.0 128 bits TLS_DHE_RSA_WITH_SEED_CBC_SHA 150 | Accepted TLSv1.0 128 bits TLS_DH_anon_WITH_SEED_CBC_SHA 151 | Accepted TLSv1.0 128 bits TLS_ECDHE_RSA_WITH_RC4_128_SHA 152 | Accepted TLSv1.0 128 bits TLS_ECDH_anon_WITH_RC4_128_SHA 153 | 154 | Server Key Exchange Group(s): 155 | TLSv1.2 128 bits secp256r1 (NIST P-256) 156 | 157 | SSL Certificate: 158 | Signature Algorithm: sha256WithRSAEncryption 159 | RSA Key Strength: 1024 160 | 161 | Subject: howfuckedismydatabase.com 162 | Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere 163 | Not valid before: Dec 3 03:56:52 2019 GMT 164 | Not valid after: Dec 3 03:56:52 2029 GMT 165 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_6.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 disabled 8 | SSLv3 disabled 9 | TLSv1.0 disabled 10 | TLSv1.1 disabled 11 | TLSv1.2 disabled 12 | TLSv1.3 enabled 13 | 14 | TLS Fallback SCSV: 15 | Server supports TLS Fallback SCSV 16 | 17 | TLS renegotiation: 18 | Session renegotiation not supported 19 | 20 | TLS Compression: 21 | Compression disabled 22 | 23 | Heartbleed: 24 | TLSv1.3 not vulnerable to heartbleed 25 | 26 | Supported Server Cipher(s): 27 | Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256  Curve 25519 DHE 253 28 | Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384  Curve 25519 DHE 253 29 | Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256  Curve 25519 DHE 253 30 | Accepted TLSv1.3 128 bits TLS_AES_128_CCM_SHA256 Curve 25519 DHE 253 31 | Accepted TLSv1.3 128 bits TLS_AES_128_CCM_8_SHA256 Curve 25519 DHE 253 32 | 33 | Server Key Exchange 
Group(s): 34 | TLSv1.3 128 bits secp256r1 (NIST P-256) 35 | TLSv1.3 192 bits secp384r1 (NIST P-384) 36 | TLSv1.3 260 bits secp521r1 (NIST P-521) 37 | TLSv1.3 128 bits x25519 38 | TLSv1.3 224 bits x448 39 | 40 | SSL Certificate: 41 | Signature Algorithm: sha256WithRSAEncryption 42 | RSA Key Strength: 3072 43 | 44 | Subject: lmgtfy.com 45 | Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere 46 | Not valid before: Dec 3 04:07:43 2019 GMT 47 | Not valid after: Dec 3 04:07:43 2029 GMT 48 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_7.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 enabled 8 | SSLv3 enabled 9 | TLSv1.0 enabled 10 | TLSv1.1 disabled 11 | TLSv1.2 disabled 12 | TLSv1.3 disabled 13 | 14 | TLS Fallback SCSV: 15 | Server does not support TLS Fallback SCSV 16 | 17 | TLS renegotiation: 18 | Secure session renegotiation supported 19 | 20 | TLS Compression: 21 | Compression enabled (CRIME) 22 | 23 | Heartbleed: 24 | TLSv1.0 not vulnerable to heartbleed 25 | 26 | Supported Server Cipher(s): 27 | Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256 28 | Accepted TLSv1.0 256 bits DHE-RSA-AES256-SHA DHE 512 bits 29 | Accepted TLSv1.0 256 bits DHE-RSA-CAMELLIA256-SHA DHE 512 bits 30 | Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256 31 | Accepted TLSv1.0 128 bits DHE-RSA-AES128-SHA DHE 512 bits 32 | Accepted TLSv1.0 128 bits DHE-RSA-CAMELLIA128-SHA DHE 512 bits 33 | Accepted TLSv1.0 112 bits ECDHE-RSA-DES-CBC3-SHA  Curve P-256 DHE 256 34 | Accepted TLSv1.0 112 bits DHE-RSA-DES-CBC3-SHA  DHE 512 bits 35 | Accepted TLSv1.0 256 bits AES256-SHA 36 | Accepted TLSv1.0 256 bits CAMELLIA256-SHA 37 | Accepted TLSv1.0 128 bits AES128-SHA 38 | Accepted TLSv1.0 128 bits CAMELLIA128-SHA 39 | Accepted 
TLSv1.0 112 bits DES-CBC3-SHA  40 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_RC4_128_MD5  41 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_RC4_128_SHA  42 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_IDEA_CBC_SHA 43 | Accepted TLSv1.0 56 bits TLS_RSA_WITH_DES_CBC_SHA  44 | Accepted TLSv1.0 56 bits TLS_DHE_RSA_WITH_DES_CBC_SHA  45 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_SEED_CBC_SHA 46 | Accepted TLSv1.0 128 bits TLS_DHE_RSA_WITH_SEED_CBC_SHA 47 | Accepted TLSv1.0 128 bits TLS_ECDHE_RSA_WITH_RC4_128_SHA 48 | 49 | Server Key Exchange Group(s): 50 | TLSv1.0 128 bits secp256r1 (NIST P-256) 51 | 52 | SSL Certificate: 53 | Signature Algorithm: sha256WithRSAEncryption 54 | RSA Key Strength: 3072 55 | 56 | Subject: lmgtfy.com 57 | Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere 58 | Not valid before: Dec 3 04:07:43 2019 GMT 59 | Not valid after: Dec 3 04:07:43 2029 GMT 60 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_8.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 enabled 8 | SSLv3 enabled 9 | TLSv1.0 enabled 10 | TLSv1.1 disabled 11 | TLSv1.2 disabled 12 | TLSv1.3 disabled 13 | 14 | TLS Fallback SCSV: 15 | Server does not support TLS Fallback SCSV 16 | 17 | TLS renegotiation: 18 | Secure session renegotiation supported 19 | 20 | TLS Compression: 21 | Compression enabled (CRIME) 22 | 23 | Heartbleed: 24 | TLSv1.0 not vulnerable to heartbleed 25 | 26 | Supported Server Cipher(s): 27 | Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256 28 | Accepted TLSv1.0 256 bits DHE-RSA-AES256-SHA DHE 512 bits 29 | Accepted TLSv1.0 256 bits DHE-RSA-CAMELLIA256-SHA DHE 512 bits 30 | Accepted TLSv1.0 256 bits AECDH-AES256-SHA  Curve P-256 DHE 256 31 | Accepted TLSv1.0 256 bits ADH-AES256-SHA  DHE 512 bits 32 | Accepted TLSv1.0 256 
bits ADH-CAMELLIA256-SHA  DHE 512 bits 33 | Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256 34 | Accepted TLSv1.0 128 bits DHE-RSA-AES128-SHA DHE 512 bits 35 | Accepted TLSv1.0 128 bits DHE-RSA-CAMELLIA128-SHA DHE 512 bits 36 | Accepted TLSv1.0 128 bits AECDH-AES128-SHA  Curve P-256 DHE 256 37 | Accepted TLSv1.0 128 bits ADH-AES128-SHA  DHE 512 bits 38 | Accepted TLSv1.0 128 bits ADH-CAMELLIA128-SHA  DHE 512 bits 39 | Accepted TLSv1.0 112 bits ECDHE-RSA-DES-CBC3-SHA  Curve P-256 DHE 256 40 | Accepted TLSv1.0 112 bits DHE-RSA-DES-CBC3-SHA  DHE 512 bits 41 | Accepted TLSv1.0 112 bits AECDH-DES-CBC3-SHA  Curve P-256 DHE 256 42 | Accepted TLSv1.0 112 bits ADH-DES-CBC3-SHA  DHE 512 bits 43 | Accepted TLSv1.0 256 bits AES256-SHA 44 | Accepted TLSv1.0 256 bits CAMELLIA256-SHA 45 | Accepted TLSv1.0 128 bits AES128-SHA 46 | Accepted TLSv1.0 128 bits CAMELLIA128-SHA 47 | Accepted TLSv1.0 112 bits DES-CBC3-SHA  48 | Accepted TLSv1.0 0 bits ECDHE-RSA-NULL-SHA  Curve P-256 DHE 256 49 | Accepted TLSv1.0 0 bits AECDH-NULL-SHA  Curve P-256 DHE 256 50 | Accepted TLSv1.0 0 bits NULL-SHA  51 | Accepted TLSv1.0 0 bits NULL-MD5  52 | Accepted TLSv1.0 40 bits TLS_RSA_EXPORT_WITH_RC4_40_MD5 53 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_RC4_128_MD5  54 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_RC4_128_SHA  55 | Accepted TLSv1.0 40 bits TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 56 | Accepted TLSv1.0 128 bits TLS_RSA_WITH_IDEA_CBC_SHA 57 | Accepted TLSv1.0 40 bits TLS_RSA_EXPORT_WITH_DES40_CBC_SHA 58 | Accepted TLSv1.0 56 bits TLS_RSA_WITH_DES_CBC_SHA  59 | Accepted TLSv1.0 40 bits TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA 60 | Accepted TLSv1.0 56 bits TLS_DHE_RSA_WITH_DES_CBC_SHA  61 | Accepted TLSv1.0 40 bits TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 62 | Accepted TLSv1.0 128 bits TLS_DH_anon_WITH_RC4_128_MD5  63 | Accepted TLSv1.0 40 bits TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA 64 | Accepted TLSv1.0 56 bits TLS_DH_anon_WITH_DES_CBC_SHA  65 | Accepted TLSv1.0 128 bits 
TLS_RSA_WITH_SEED_CBC_SHA 66 | Accepted TLSv1.0 128 bits TLS_DHE_RSA_WITH_SEED_CBC_SHA 67 | Accepted TLSv1.0 128 bits TLS_DH_anon_WITH_SEED_CBC_SHA 68 | Accepted TLSv1.0 128 bits TLS_ECDHE_RSA_WITH_RC4_128_SHA 69 | Accepted TLSv1.0 128 bits TLS_ECDH_anon_WITH_RC4_128_SHA 70 | 71 | Server Key Exchange Group(s): 72 | TLSv1.0 128 bits secp256r1 (NIST P-256) 73 | 74 | SSL Certificate: 75 | Signature Algorithm: sha256WithRSAEncryption 76 | RSA Key Strength: 3072 77 | 78 | Subject: lmgtfy.com 79 | Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere 80 | Not valid before: Dec 3 04:07:43 2019 GMT 81 | Not valid after: Dec 3 04:07:43 2029 GMT 82 | -------------------------------------------------------------------------------- /docker_test/expected_output/test_9.txt: -------------------------------------------------------------------------------- 1 |  2 | Connected to 127.0.0.1 3 | 4 | Testing SSL server 127.0.0.1 on port 4443 using SNI name 127.0.0.1 5 | 6 | SSL/TLS Protocols: 7 | SSLv2 disabled 8 | SSLv3 disabled 9 | TLSv1.0 disabled 10 | TLSv1.1 disabled 11 | TLSv1.2 enabled 12 | TLSv1.3 disabled 13 | 14 | Supported Server Cipher(s): 15 | Preferred 200 OK TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305  Curve 25519 DHE 253 16 | 17 | SSL Certificate: 18 | Signature Algorithm: sha256WithRSAEncryption 19 | RSA Key Strength: 3072 20 | 21 | Subject: lmgtfy.com 22 | Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere 23 | Not valid before: Dec 3 04:07:43 2019 GMT 24 | Not valid after: Dec 3 04:07:43 2029 GMT 25 | -------------------------------------------------------------------------------- /docker_test/key_1024.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIICXgIBAAKBgQDmpPrmBNS3gqCgCB9lKvH4ZpX9FvHzw3P4kNbyN45+8yq7gBUp 3 | f9JYFQO0rqm0hSebJSQUDkhrFfO6onZdsMyN32lPlVPFmBILMBPgaxJTVUOa+TWx 4 | gyVuPgaftrMQMr0Wvhbv+3Xht5hqPTEKe/GEwxXJKPSm2F1AgAkkwlQRzQIDAQAB 5 | 
AoGBAJgeR7xdg05lQTtLICnBYUXLozEBaSK0zlAqdxnZuonQJ2by2wI746dkdMU+ 6 | TX9aMv0ISftQUEMQf2egryCr8rx+yq8bI7LVF8H210x+8BT0H+gmd0iIcFNJNL0l 7 | WSSIAmRVTbSK0IwsvEDwR+Egcnd8wA/9s/s9d2GmbChjisIBAkEA/QY1YLKkG+IT 8 | Ad7GaOKv/UFQNLu7yLDtfjJcJ+dpjCWPv1B/orh6dwFJ4F+7MYruu0BAXhnvw70s 9 | uyPH9W290QJBAOlbZEZtl5n5iL+czI0Ibkyn9VlZ44kgVQHs9Y5hFG0Hv1VH66EP 10 | hU7ZeUUfSmiPqnTcVEKQFZjl09FSoVzTJz0CQQDROzsUlWTjsdUp7MCBp0ME1+et 11 | U7j7QmOBwb83OEOtorn16GlDc+3BTw16P2+ajlrP+VfA+Q2t/VdqATKvH2qhAkBk 12 | zLJ67Zn/y9czFbMR9KNYf3CuwPJVaF7v7wB/GRYuppsSZne04bRuw+frYMHOeshh 13 | pE7NVdnOavBdSfkj1J3tAkEAjQ/+3cGCBiv9lnDdlszKW/Zq4Uu19znfQSbSbI8L 14 | JezLQJbSlVDPG3W3NSNkLizrOg1H6AG2pnnVq2q++Lt5tQ== 15 | -----END RSA PRIVATE KEY----- 16 | -------------------------------------------------------------------------------- /docker_test/key_2048.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIEpQIBAAKCAQEAywGmJp/AoA4TCs6zbXuiBOkho35IeVvpsy7RqM3y3KxkEFnk 3 | /LM6U/ayL+j2vo4/15WPM0PaAGRRbvnQEuI1xvhn/0/T4xP+TBe91pTMo/nKrK/y 4 | cvBLBqLPZQK9SJbHk6mwfgpQs5S/+VHlU9jl7+eQWcR+o3NXtv4XFlQyqx1dcokA 5 | JrL4wr2vGPkigUNU2iI6FwRB4f7Wo1rBNzI49uE97IWuh+VBMPYMp+Zn2Om4ptCy 6 | jdvSI7DEYc6jyKlPzH2UOgd0RkcwivaSpxfXJEBOC8PtOxyLg/KPjUTwUh0nHSpe 7 | OIbT3HKnOErEbbiHQmlYbbcOyinv3hIlRj+PyQIDAQABAoIBAGiA09BkQpviQuk4 8 | WOOOVmxiut9YHeTjbN3Bx0o3osL4t5Y3QIrZlLgucbH6IjMcNT88jXgdgLbc7ZLM 9 | ZNGjw31G2Pp0VKY735e6TQ6OkP4Ek9HrzUpf6q9i1pKwI1Kf0+Nu4h0wIDUh6OVm 10 | xEAyksO6F/QuE+b+dHQOP0JOW7r7uxTMB/tbs1U+idcIRVrPTlO9Ixuaolmd/flz 11 | jmcwwTtwBe+mA53IywCOV6ZxO3lMKzDkSvViRam37fmSh9JJyPEa6KpPTR5ps3w8 12 | 7eG0u9nsEf1wYVA2u575iH4+uM6250bRuw3icZxTU2FPuMOtzJPnxY+A6q13bteW 13 | h0zdzbUCgYEA6ryUy+BSOIFzX4e6dB2gwmn2PUEF1rO9dOG8H0YktOGHnHFDXECy 14 | FYHf6njWEzwztd9ZiE8YQYjAjn829Gr4e45H6rEPAMzSpOJ/ZoLd6PG8d5L6A7AD 15 | RtMS8KzG2fAMwvd0HJ0N4SwuwhFmq6/TLHB9vstwo0myyYqH2qWIOAcCgYEA3WVC 16 | 2VnrcuMZngYpXP+gWQDhkIxI7yqUhTB+OZGxHMMjfJ72JHKOI3StnQWSqhxmFtWF 17 | 
x+XtnihcaWG+G7Po6TmW75oazoitqXjiixJOXGrN3jcmFj97nIh3NlhG2mskP9Ut 18 | 5iDE2w2nDRk1eI+13c7j12/bJy7kdi70gr0l5a8CgYEA03V6nYbAysJiyqYco0ml 19 | bj3CYz/WIKnefBJ2Q74Ohxu77IRj6BEn3BQZQMIGJ2HOO4KuxwppkW+99yBGwzwy 20 | CCwOQS+rkk7xWzPnDNPLUHOkEhvHOdcvvHec0k7y+5UyCdidMsGQpU4F+TFvyi4k 21 | EB5uSJhAKfjUJJa095Sy97UCgYEAlOLpPtP6w+s3qg7IuFLsWY5/Ir9EuRowgRVo 22 | fXyd2BLfBYq9SyuCrRNlQeiihiXM/eQgMJtO3gKUiwYBXA30PwvMlltTVbuS1hqG 23 | dzIbYoks4xjBU0rj7RPU38Yj9/T/jrHlSRKWcB3RTry6OdajXoQosxP1FHezikrv 24 | ghCDsN8CgYEA4JuCSuOxmP5/4MTl9oLUDHDbUBGPZICR+2Y0I76kRISQbHT+oidz 25 | /ceQpOP20fBQquVhMrHmKthyN13TvBSn5SaNIa5SVIIGhVZJQPU1/Udfox1gx7iF 26 | TcFx7dbMIh7byuVRy8iIyaVYr9ZtSX+6mYWFUXVrzF9LTGyDVta6YQA= 27 | -----END RSA PRIVATE KEY----- 28 | -------------------------------------------------------------------------------- /docker_test/key_3072.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIG4gIBAAKCAYEAxA1ToQ2HLVYDmKSjPSlCposbUMYA30BlRXMzdJe1OVBg/qwE 3 | rhURlFAvGF9ljgXFnMZ6oTK164sJXscjNXS/AbqWO9rBeMbUxD85/PRo4emmBVio 4 | e5A/A4xbAvPt1snwgjbtZNTsxZoheUox216/NTJ24c3SGEBOlASBHtT6VBJPamx1 5 | aALlSlS4jqtLAlkxz6M/XUPeRER6DKYXUi37w0XCZRRk1U2ueM2nfkz47a/GxoeA 6 | WmvWPVW1Bu+VbJb9Hsh/2otyhHZAVX9/fsKZwHf9qcSrutLk5M0ix9NUFnq8qZVu 7 | ZLTZa7/rCw6YnmlOv1mAZJ8sNJtt1wyhMGLebkfVHKERCqk37LRpSzloTu95+uPu 8 | /q+391XMKTOmMHqwhvZBpAoOvN7bs4o8N1JF8hPu+MBGsZUs8P+e9WTJU29zvORW 9 | d7Z/8K1zakihJD9FXcC38OGO88h/7JVxYcMyVUZW3zZKxITlJWl8J18OqQpT66K4 10 | ceLOW1SjRIeHGX9TAgMBAAECggF/D1D7N5nW9bPClCpIln6itmAnwie16bseLk7R 11 | tkoj3lZpPXwy4WbD+NJK25yYUoAg8B6RdgaAL+as1Lq6BXMZeQkas5Jjiwv9k1dd 12 | MGXny751OfWzM/QQ+DX+5jwoWJ9uKr4fzcDUvptMAi3Jt1mvlnha0UlDIKHlgarY 13 | a5A3/llv2uCeS4HuZ+A2iu7W7VgKjC40xRSISM0Qu+w95i2xfY/1n+/38LIg708h 14 | xrw8tlUFMn1jiazjD+eiPOh6xAEHojAGu1actfW+jg8NySpTGWAUPfTxXV9J6r/c 15 | BdCldXP5lQHfWKBIAKUK9MZyrFFQnZZMdPDXyyKsfbO04gVW5BsEK9Br5dnGbFGu 16 | e+Ve4jOCAC9//wLqgLDL2t3CCnnPU1bGFnqLqzwtEKrEP3XeK1CFLYCwOZ2tUH9h 17 | 
IbQRZKbEMlsXR4XvplmwjNqRb/uHSIVmPJ1DVXbFZy/2j7i59+Kl+JqINHEPvGc1 18 | tfLOFvOHYRWRONkylj3O+qH6lyECgcEA+CErcMNYkM7Y2uRRB2UhQQ96NDoflQmg 19 | uObO0XTnhMbRFrRRrgEr0POOo4oCqDSVQk/vJjmB1ugo/IKxGphnAOmi1xDpSXqo 20 | UWnUR34nrqL76ZdV1R3FZX0b4iO9X1R/P9sNl4S0+XCDyAMlcaXroPoUIo9mzxbX 21 | vIAk6lMiJijfzLt7RssVCfgCfHZ9srBMG5oaEfTbFImc9fwjNoJdLTDopEQzA1X5 22 | AjVa8VhIGyE+uoLkPsy9jBNF9asEEdc/AoHBAMpFSKUdTIXuYOOGltr1qFAMofUU 23 | +ztagHg1/UdV3EOhkYZOfpa4clu++x0MNp+bRySxEK6IOpEtSaKHaJlHnvR4+4e7 24 | xQp/jBoWCrxWtqXHe3ufyglsq/1ID7HIEGfBs9IAVPx9PkY9IOC8cXX3q9uRB7xM 25 | MCtl/H8QMf01f4p3vEgx+XXb2+MKsjOqOVDpAqfqrcUmTiK9ixC7BJWwWSBAvN4e 26 | 2jS4UEOoBiczX6qhKo+tUEddfnAJGnxp2cZG7QKBwHwU8klIltCLb+w+grrE+tUz 27 | LTRS4JpCH0p3uXMLF//RAJxu/e2bDlNGiM0FZgDBkuZ/XKNr3J8gp+ZmYLRhBBlz 28 | vIf6H/8rxGI6HvrFfoiZXopYsIaLhbwTzU7P+pJiiePf4jMkHPAkMPJjiGUFyQhO 29 | JqWFuq7SyH2uQ0ee3RPiGtCh7KrhQZsjl/KvunoSKW0gKetS2/+wNXrZZK6MkJXZ 30 | wGzs4enII2bUUa8hK6XNgTX54LP65MrYlIKey8E0NwKBwHBb3kfCJ8D6Mx4QpHoL 31 | Hi0hZ1ISDqDg3B5qt0BKJKn49TKrJcyptvTZ+Pogz7MHeZSbO04IZKhChPXgzCzh 32 | SR46mlbC6mizg2r2NY57iMg8MI7yqzNjB4MR5Y33OY25Xx9Xid4b4Fz6FephI5HJ 33 | O9EjFi32EIf7BjC7GVmzvx529sMP56gdsl7DkUv70gzs8sm+Jjsu1RadPcPUb26L 34 | YGb3LzMf5kyE2ilLC+f4tLq+/jqDpuWNvO+VTv4veoaW3QKBwQDQlmXDJ+4SdYnD 35 | QkHis9G5AnyXkUHhBFTWLyhsJMrt3CZyVp8L7xXgEJTsSVoyvURimeBmua4LEqci 36 | 5PPo1fOfyEqUIrHIJVR26ATeMsxC3icV6kna7cD0K1BILtAGTJeO7sWceFhl2QJb 37 | E4wio0Vljyt+foytCL/KV3bIj/OYGk8bUp1OMzEIXot4kx3l2SOf+cYE5UDca9Ey 38 | Z/6IvSvAP/JSqo2pk4azaqxSuZIMQnZB2YlFxllCZ6ce/Z6YcSs= 39 | -----END RSA PRIVATE KEY----- 40 | -------------------------------------------------------------------------------- /docker_test/key_512.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIBPQIBAAJBAMvdzx+XSLVGpLLVy0NIBZVs6k7Lxviu5Cym+5n0zbwsYKtiralI 3 | vc0HPekJik1o/QLgqcO83837wOS8hPU0k9UCAwEAAQJBAJP8Vj7TXZchSar7oMod 4 | PNhkMI20RKH+qmlzaU4vsyx1Kqcv2uTkAPMugNZZtRP7bOYU9inbH8LUIrHJIpZP 5 | 
/H0CIQDliBIQF6c7uaVbjCZ4iki9wnGZ5JA8hFZDoREgJCsHxwIhAONgFmVUzsUw 6 | Z/hjjodDMMX9KgZ0pYHSfbKoNRuJzZ+DAiEAp9ooC2igvUZ3rEkDYScPJuXpGXdS 7 | G09TnkVNNsn8RcUCIQCQ2ERMFwOFgHmrNRi1uCrY5Zag+Cv7ELE8X4U9XsLbqwIh 8 | ALM7UlYJ1ZKAFlK2cnqUCiLoD7Ah9eVfg+rOTUVMOa3v 9 | -----END RSA PRIVATE KEY----- 10 | -------------------------------------------------------------------------------- /docker_test/key_ecdsa_prime256v1.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN EC PRIVATE KEY----- 2 | MHcCAQEEIP5zy1nQDeAkFKDZ1F/ur26G7SBeu1HbCgbNLwFVUzrroAoGCCqGSM49 3 | AwEHoUQDQgAEQkb8ffhxrztFHu3PiZ4MarPyxX6dJKXb5UEkVbczdbzkLzhOXHlY 4 | blnXr4a2mwrSEFPzjCORSjQqk99jv90IVg== 5 | -----END EC PRIVATE KEY----- 6 | -------------------------------------------------------------------------------- /docker_test/key_notes.txt: -------------------------------------------------------------------------------- 1 | There is one Certificate Authority in this directory: ca_cert.pem / ca_key.pem. 2 | 3 | This CA directly signed these certificates (with their corresponding keys): 4 | * cert_512.crt / key_512.pem 5 | * cert_1024.crt / key_3072.pem 6 | * cert_2048.crt / key_2048.pem 7 | * cert_3072.crt / key_3072.pem 8 | 9 | The 512, 1024, 2048, and 3072 refer to the RSA key size. 10 | 11 | --- 12 | 13 | To generate new keys, and sign them by the CA: 14 | 15 | 1.) Generate the key. 16 | 17 | * For RSA keys: openssl genrsa -out key.pem 1024 18 | * For ECDSA keys: openssl ecparam -name prime256v1 -genkey -noout -out key.pem 19 | 20 | 2.) Make CSR: openssl req -new -key key.pem -out new.csr 21 | 22 | 3.) 
Sign with CA: openssl x509 -req -days 3653 -in new.csr -CA path/to/ca_cert.pem -CAkey path/to/ca_key.pem -CAcreateserial -out new.crt [-md5|-sha1|-sha256] 23 | Note: every private key in this directory, including ca_key.pem, is committed to the repository and is therefore public, so use these keys and the certificates they sign only for the docker_test servers. Short RSA keys (<2048 bit) and the -md5/-sha1 digests are what sslscan flags as weak or broken (see sslscan.1), so they are suitable only as test inputs. -------------------------------------------------------------------------------- /docker_test/nginx_site_client_cert_required: -------------------------------------------------------------------------------- 1 | server { 2 | listen 443 ssl default_server; 3 | listen [::]:443 ssl default_server; 4 | gzip off; 5 | root /var/www/html; 6 | index index.html index.nginx-debian.html; 7 | server_name _; 8 | location / { 9 | try_files $uri $uri/ =404; 10 | } 11 | # Only TLSv1.2 with one cipher is specified, so the test that runs against this 12 | # finishes quicker (all that's needed is the HTTP response of one successful 13 | # TLS connection). 14 | ssl_protocols TLSv1.2; 15 | ssl_ciphers ECDHE-RSA-CHACHA20-POLY1305; 16 | ssl_prefer_server_ciphers on; 17 | ssl_certificate /etc/ssl/cert_3072.crt; 18 | ssl_certificate_key /etc/ssl/key_3072.pem; 19 | ssl_client_certificate /etc/ssl/ca_cert.pem; 20 | ssl_verify_client on; 21 | } 22 | -------------------------------------------------------------------------------- /docker_test/nginx_test9.conf: -------------------------------------------------------------------------------- 1 | user www-data; 2 | worker_processes auto; 3 | pid /run/nginx.pid; 4 | daemon off; 5 | 6 | events { 7 | worker_connections 768; 8 | } 9 | 10 | http { 11 | sendfile on; 12 | tcp_nopush on; 13 | tcp_nodelay on; 14 | keepalive_timeout 65; 15 | types_hash_max_size 2048; 16 | include /etc/nginx/mime.types; 17 | default_type application/octet-stream; 18 | access_log /var/log/nginx/access.log; 19 | error_log /var/log/nginx/error.log; 20 | include /etc/nginx/sites-available/nginx_site_client_cert_required; 21 | } 22 | -------------------------------------------------------------------------------- /sslscan.1: -------------------------------------------------------------------------------- 1 | .TH SSLSCAN 1
"March 19, 2020" 2 | .SH NAME 3 | sslscan \- Fast SSL/TLS scanner 4 | .SH SYNOPSIS 5 | .B sslscan 6 | .RI [ options ] " [host:port | host]" 7 | .SH DESCRIPTION 8 | .PP 9 | \fBsslscan\fP queries SSL/TLS services (such as HTTPS) and reports the protocol versions, cipher suites, key exchanges, signature algorithms, and certificates in use. This helps the user understand which parameters are weak from a security standpoint. 10 | 11 | Terminal output is thus colour-coded as follows: 12 | 13 | Red Background NULL cipher (no encryption) 14 | .br 15 | Red Broken cipher (<= 40 bit), broken protocol (SSLv2 or SSLv3) or broken certificate signing algorithm (MD5) 16 | .br 17 | Yellow Weak cipher (<= 56 bit or RC4) or weak certificate signing algorithm (SHA-1) 18 | .br 19 | Purple Anonymous cipher (ADH or AECDH) 20 | 21 | \fBsslscan\fP can also output results into an XML file for easy consumption by external programs. 22 | 23 | .SH OPTIONS 24 | .TP 25 | .B \-\-help 26 | .br 27 | Show summary of options 28 | .TP 29 | .B \-\-targets= 30 | A file containing a list of hosts to 31 | check. Hosts can be supplied with 32 | ports (i.e. host:port). One target per line 33 | .TP 34 | .B \-\-sni\-name= 35 | Use a different hostname for SNI 36 | .br 37 | .TP 38 | .B \-\-ipv4, \-4 39 | .br 40 | Force IPv4 DNS resolution. 41 | Default is to try IPv4, and if that fails then fall back to IPv6. 42 | .TP 43 | .B \-\-ipv6, \-6 44 | .br 45 | Force IPv6 DNS resolution. 46 | Default is to try IPv4, and if that fails then fall back to IPv6. 47 | .TP 48 | .B \-\-show\-certificate 49 | Display certificate information. 50 | .TP 51 | .B \-\-show\-certificates 52 | Display the full certificate chain. 53 | .TP 54 | .B \-\-no\-check\-certificate 55 | .B \-\-no\-check\-certificate 56 | Don't flag certificates signed with weak algorithms (MD5 and SHA-1) or short (<2048 bit) RSA keys 57 | .TP 58 | .B \-\-show\-client\-cas 59 | Show a list of CAs that the server allows for client authentication. 
Will be blank for IIS/Schannel servers. 60 | .TP 61 | .B \-\-show\-ciphers 62 | Show a complete list of ciphers supported by sslscan 63 | .TP 64 | .B \-\-show\-cipher-ids 65 | Print the hexadecimal cipher IDs 66 | .TP 67 | .B \-\-iana\-names 68 | Use IANA/RFC cipher names rather than OpenSSL ones 69 | .TP 70 | .B \-\-show\-times 71 | Show the time taken for each handshake in milliseconds. Note that only a single request is made with each cipher, and that the size of the ClientHello is not constant, so this should not be used for proper benchmarking or performance testing. 72 | 73 | You might want to also use \-\-no\-cipher\-details to make the output a bit clearer. 74 | .TP 75 | .B \-\-ssl2 76 | .br 77 | Only check if SSLv2 is enabled 78 | .TP 79 | .B \-\-ssl3 80 | .br 81 | Only check if SSLv3 is enabled 82 | .TP 83 | .B \-\-tls10 84 | .br 85 | Only check TLS 1.0 ciphers 86 | .TP 87 | .B \-\-tls11 88 | .br 89 | Only check TLS 1.1 ciphers 90 | .TP 91 | .B \-\-tls12 92 | .br 93 | Only check TLS 1.2 ciphers 94 | .TP 95 | .B \-\-tls13 96 | .br 97 | Only check TLS 1.3 ciphers 98 | .TP 99 | .B \-\-tlsall 100 | .br 101 | Only check TLS ciphers (versions 1.0, 1.1, 1.2, and 1.3) 102 | .TP 103 | .B \-\-ocsp 104 | .br 105 | Display OCSP status 106 | .TP 107 | .B \-\-pk= 108 | A file containing the private key or 109 | a PKCS#12 file containing a private 110 | key/certificate pair (as produced by 111 | MSIE and Netscape) 112 | .TP 113 | .B \-\-pkpass= 114 | The password for the private key or PKCS#12 file 115 | .TP 116 | .B \-\-certs= 117 | A file containing PEM/ASN1 formatted client certificates 118 | .TP 119 | .B \-\-no\-ciphersuites 120 | Do not scan for supported ciphersuites. 
121 | .TP 122 | .B \-\-no\-fallback 123 | Do not check for TLS Fallback Signaling Cipher Suite Value (fallback) 124 | .TP 125 | .B \-\-no\-renegotiation 126 | Do not check for secure TLS renegotiation 127 | .TP 128 | .B \-\-no\-compression 129 | Do not check for TLS compression (CRIME) 130 | .TP 131 | .B \-\-no\-heartbleed 132 | Do not check for OpenSSL Heartbleed (CVE-2014-0160) 133 | .TP 134 | .B \-\-no\-groups 135 | Do not enumerate key exchange groups 136 | .TP 137 | .B \-\-show\-sigs 138 | Enumerate signature algorithms 139 | .TP 140 | .B \-\-starttls\-ftp 141 | STARTTLS setup for FTP 142 | .TP 143 | .B \-\-starttls\-imap 144 | STARTTLS setup for IMAP 145 | .TP 146 | .B \-\-starttls\-irc 147 | STARTTLS setup for IRC 148 | .TP 149 | .B \-\-starttls\-ldap 150 | STARTTLS setup for LDAP 151 | .TP 152 | .B \-\-starttls\-pop3 153 | STARTTLS setup for POP3 154 | .TP 155 | .B \-\-starttls\-smtp 156 | STARTTLS setup for SMTP 157 | .TP 158 | .B \-\-starttls\-mysql 159 | STARTTLS setup for MySQL 160 | .TP 161 | .B \-\-starttls\-xmpp 162 | STARTTLS setup for XMPP 163 | .TP 164 | .B \-\-starttls\-psql 165 | STARTTLS setup for PostgreSQL 166 | .TP 167 | .B \-\-xmpp-server 168 | Perform a server-to-server XMPP connection. Try this if --starttls-xmpp is failing. 169 | .TP 170 | .B \-\-rdp 171 | .br 172 | Send RDP preamble before starting scan. 173 | .TP 174 | .B \-\-bugs 175 | .br 176 | Enables workarounds for SSL bugs 177 | .TP 178 | .B \-\-timeout= 179 | .br 180 | Set socket timeout. Useful for hosts that fail to respond to ciphers they don't understand. Default is 3s. 181 | .TP 182 | .B \-\-connect\-timeout= 183 | .br 184 | Set initial connection timeout. Useful for hosts that are slow to respond to the initial connect(). Default is 75s. 185 | .TP 186 | .B \-\-sleep= 187 | .br 188 | Pause between connections. Useful on STARTTLS SMTP services, or anything else that's performing rate limiting. Default is disabled. 
189 | .TP 190 | .B \-\-xml= 191 | .br 192 | Output results to an XML file. - can be used to mean stdout. 193 | .br 194 | .TP 195 | .B \-\-version 196 | Show version of program 197 | .TP 198 | .B \-\-verbose 199 | Display verbose output 200 | .TP 201 | .B \-\-no\-cipher\-details 202 | .br 203 | Hide NIST EC curve name and EDH/RSA key length. 204 | .TP 205 | .B \-\-no-colour 206 | .br 207 | Disable coloured output. 208 | .SH EXAMPLES 209 | .LP 210 | Scan a local HTTPS server 211 | .RS 212 | .nf 213 | sslscan localhost 214 | sslscan 127.0.0.1 215 | sslscan 127.0.0.1:443 216 | sslscan [::1] 217 | sslscan [::1]:443 218 | .SH AUTHOR 219 | sslscan was originally written by Ian Ventura-Whiting . 220 | .br 221 | sslscan was extended by Jacob Appelbaum . 222 | .br 223 | sslscan was extended by rbsec . 224 | .br 225 | This manual page was originally written by Marvin Stark . 226 | -------------------------------------------------------------------------------- /sslscan.h: -------------------------------------------------------------------------------- 1 | /*************************************************************************** 2 | * sslscan - A SSL cipher scanning tool * 3 | * Copyright 2007-2009 by Ian Ventura-Whiting (Fizz) * 4 | * fizz@titania.co.uk * 5 | * Copyright 2010 by Michael Boman (michael@michaelboman.org) * 6 | * Copyleft 2010 by Jacob Appelbaum * 7 | * Copyleft 2013 by rbsec * 8 | * Copyleft 2014 by Julian Kornberger * 9 | * * 10 | * This program is free software; you can redistribute it and/or modify * 11 | * it under the terms of the GNU General Public License as published by * 12 | * the Free Software Foundation; either version 3 of the License, or * 13 | * (at your option) any later version. * 14 | * * 15 | * This program is distributed in the hope that it will be useful, * 16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of * 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the * 18 | * GNU General Public License for more details. * 19 | * * 20 | * You should have received a copy of the GNU General Public License * 21 | * along with this program. If not, see . * 22 | * * 23 | * In addition, as a special exception, the copyright holders give * 24 | * permission to link the code of portions of this program with the * 25 | * OpenSSL library under certain conditions as described in each * 26 | * individual source file, and distribute linked combinations * 27 | * including the two. * 28 | * You must obey the GNU General Public License in all respects * 29 | * for all of the code used other than OpenSSL. If you modify * 30 | * file(s) with this exception, you may extend this exception to your * 31 | * version of the file(s), but you are not obligated to do so. If you * 32 | * do not wish to do so, delete this exception statement from your * 33 | * version. If you delete this exception statement from all source * 34 | * files in the program, then also delete it here. * 35 | ***************************************************************************/ 36 | 37 | #ifndef HAVE_SSLSCAN_H_ 38 | #define HAVE_SSLSCAN_H_ 39 | 40 | #include "missing_ciphersuites.h" 41 | 42 | // Defines... 43 | #define false 0 44 | #define true 1 45 | 46 | #define mode_help 0 47 | #define mode_version 1 48 | #define mode_single 2 49 | #define mode_multiple 3 50 | 51 | #define BUFFERSIZE 1024 52 | 53 | // For options.sslVersion field. 54 | #define ssl_all 0 55 | #define ssl_v2 1 56 | #define ssl_v3 2 57 | #define tls_all 3 58 | #define tls_v10 4 59 | #define tls_v11 5 60 | #define tls_v12 6 61 | #define tls_v13 7 62 | 63 | // For functions that take a tls_version argument. 
64 | #define TLSv1_0 0 65 | #define TLSv1_1 1 66 | #define TLSv1_2 2 67 | #define TLSv1_3 3 68 | 69 | /* We must maintain our own list of TLSv1.3-specific ciphersuites here, because SSL_CTX_get_ciphers() will *always* return TLSv1.2 ciphersuites, even when SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version() are used. This is confirmed by an OpenSSL developer here: https://github.com/openssl/openssl/issues/7196#issuecomment-420575202 */ 70 | #define TLSV13_CIPHERSUITES "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_128_CCM_8_SHA256" 71 | 72 | /* Cipherlist for TLSv1.2 and below that corresponds to all available ciphersuites. */ 73 | #define CIPHERSUITE_LIST_ALL "ALL:COMPLEMENTOFALL" 74 | 75 | // Macros for various outputs. NOTE(review): each expands to a bare if statement (printf_error to two statements), so a call used as the unbraced body of an if/else can capture the else or leave its second statement outside the condition; brace such call sites. 76 | #define printf(format, ...) if (!xml_to_stdout) fprintf(stdout, format, ##__VA_ARGS__) 77 | #define printf_xml(format, ...) if (options->xmlOutput) fprintf(options->xmlOutput, format, ##__VA_ARGS__) 78 | #define printf_verbose(format, ...) if (options->verbose) printf(format, ##__VA_ARGS__) 79 | 80 | #define printf_error(format, ...) \ 81 | if (!xml_to_stdout) fprintf(stderr, "%sERROR: " format "%s\n", COL_RED, ##__VA_ARGS__, RESET); \ 82 | printf_xml(" \n", ##__VA_ARGS__) 83 | 84 | /* Calls close() on a file descriptor, then sets it to -1 (the value the macro itself treats as "not open") to prevent accidental re-use. */ 85 | #define CLOSE(fd) { if ((fd) != -1) { close((fd)); (fd) = -1; } } 86 | 87 | /* Calls free() on a pointer, then explicitly sets it to NULL to avoid use-after-free. */ 88 | #define FREE(ptr) { free((ptr)); (ptr) = NULL; } 89 | 90 | /* Frees an SSL pointer, and explicitly sets it to NULL to avoid use-after-free. */ 91 | #define FREE_SSL(ssl) { if ((ssl) != NULL) { SSL_free((ssl)); (ssl) = NULL; } } 92 | 93 | /* Frees a SSL_CTX pointer, and explicitly sets it to NULL to avoid use-after-free.
*/ 94 | #define FREE_CTX(ctx) { if ((ctx) != NULL) { SSL_CTX_free((ctx)); (ctx) = NULL; } } 95 | 96 | // Colour Console Output... 97 | // Always better to do "const char RESET[] = " because it saves relocation records. 98 | // Default colours were hard to read on Windows, so use lighter ones 99 | #ifdef _WIN32 100 | char *RESET = ""; // DEFAULT 101 | char *COL_RED = ""; 102 | char *COL_YELLOW = ""; 103 | char *COL_BLUE = ""; 104 | char *COL_GREEN = ""; 105 | char *COL_PURPLE = ""; 106 | char *COL_GREY = ""; 107 | char *COL_RED_BG = ""; 108 | #else 109 | char *RESET = ""; // DEFAULT 110 | char *COL_RED = ""; 111 | char *COL_YELLOW = ""; 112 | char *COL_BLUE = ""; 113 | char *COL_GREEN = ""; 114 | char *COL_PURPLE = ""; 115 | char *COL_GREY = ""; 116 | char *COL_RED_BG = ""; 117 | #endif 118 | 119 | #ifdef _WIN32 120 | #define SLEEPMS(ms) Sleep(ms); 121 | #else 122 | #define SLEEPMS(ms) do { \ 123 | struct timeval wait = { 0, ms*1000 }; \ 124 | select(0, NULL, NULL, NULL, &wait); \ 125 | } while(0) 126 | #endif 127 | 128 | const char *program_banner = " _\n" 129 | " ___ ___| |___ ___ __ _ _ __\n" 130 | " / __/ __| / __|/ __/ _` | '_ \\\n" 131 | " \\__ \\__ \\ \\__ \\ (_| (_| | | | |\n" 132 | " |___/___/_|___/\\___\\__,_|_| |_|\n\n"; 133 | 134 | struct sslCipher 135 | { 136 | // Cipher Properties... 137 | const char *name; 138 | const char *version; 139 | int bits; 140 | char description[512]; 141 | const SSL_METHOD *sslMethod; 142 | struct sslCipher *next; 143 | }; 144 | 145 | struct sslCheckOptions 146 | { 147 | // Program Options... 
148 | char host[512]; 149 | char sniname[512]; 150 | int sni_set; 151 | char addrstr[INET6_ADDRSTRLEN]; 152 | int port; 153 | int showCertificate; 154 | int showCertificates; 155 | int checkCertificate; 156 | int showTrustedCAs; 157 | int showClientCiphers; 158 | int showCipherIds; 159 | int showTimes; 160 | int ciphersuites; 161 | int reneg; 162 | int fallback; 163 | int compression; 164 | int heartbleed; 165 | int groups; 166 | int signature_algorithms; 167 | int starttls_ftp; 168 | int starttls_imap; 169 | int starttls_irc; 170 | int starttls_ldap; 171 | int starttls_pop3; 172 | int starttls_smtp; 173 | int starttls_mysql; 174 | int starttls_xmpp; 175 | int starttls_psql; 176 | int xmpp_server; 177 | int sslVersion; 178 | int targets; 179 | int sslbugs; 180 | int rdp; 181 | int verbose; 182 | int cipher_details; 183 | int ipv4; 184 | int ipv6; 185 | int ocspStatus; 186 | int ianaNames; 187 | char cipherstring[65536]; 188 | 189 | // File Handles... 190 | FILE *xmlOutput; 191 | 192 | // TCP Connection Variables... 193 | short h_addrtype; 194 | struct sockaddr_in serverAddress; 195 | struct sockaddr_in6 serverAddress6; 196 | struct timeval timeout; 197 | int connect_timeout; 198 | unsigned int sleep; 199 | 200 | // SSL Variables... 201 | SSL_CTX *ctx; 202 | struct sslCipher *ciphers; 203 | char *clientCertsFile; 204 | char *privateKeyFile; 205 | char *privateKeyPassword; 206 | 207 | // TLS versions supported by the server. 208 | unsigned int tls10_supported; 209 | unsigned int tls11_supported; 210 | unsigned int tls12_supported; 211 | unsigned int tls13_supported; 212 | }; 213 | 214 | // store renegotiation test data 215 | struct renegotiationOutput 216 | { 217 | int supported; 218 | int secure; 219 | }; 220 | 221 | /* For OCSP processing. Taken from crypto/ocsp/ocsp_local.h in OpenSSL, which does not seem to be normally exposed externally. NOTE(review): these are copies of library-private layouts, so they presumably have to match the OpenSSL version actually linked; re-check them against ocsp_local.h whenever OpenSSL is upgraded.
*/ 222 | struct ocsp_response_st { 223 | ASN1_ENUMERATED *responseStatus; 224 | OCSP_RESPBYTES *responseBytes; 225 | }; 226 | 227 | struct ocsp_resp_bytes_st { 228 | ASN1_OBJECT *responseType; 229 | ASN1_OCTET_STRING *response; 230 | }; 231 | 232 | struct ocsp_responder_id_st { 233 | int type; 234 | union { 235 | X509_NAME *byName; 236 | ASN1_OCTET_STRING *byKey; 237 | } value; 238 | }; 239 | typedef struct ocsp_responder_id_st OCSP_RESPID; 240 | 241 | struct ocsp_response_data_st { 242 | ASN1_INTEGER *version; 243 | OCSP_RESPID responderId; 244 | ASN1_GENERALIZEDTIME *producedAt; 245 | STACK_OF(OCSP_SINGLERESP) *responses; 246 | STACK_OF(X509_EXTENSION) *responseExtensions; 247 | }; 248 | typedef struct ocsp_response_data_st OCSP_RESPDATA; 249 | 250 | struct ocsp_basic_response_st { 251 | OCSP_RESPDATA tbsResponseData; 252 | X509_ALGOR signatureAlgorithm; 253 | ASN1_BIT_STRING *signature; 254 | STACK_OF(X509) *certs; 255 | }; 256 | 257 | struct ocsp_single_response_st { 258 | OCSP_CERTID *certId; 259 | OCSP_CERTSTATUS *certStatus; 260 | ASN1_GENERALIZEDTIME *thisUpdate; 261 | ASN1_GENERALIZEDTIME *nextUpdate; 262 | STACK_OF(X509_EXTENSION) *singleExtensions; 263 | }; 264 | 265 | struct ocsp_cert_status_st { 266 | int type; 267 | union { 268 | ASN1_NULL *good; 269 | OCSP_REVOKEDINFO *revoked; 270 | ASN1_NULL *unknown; 271 | } value; 272 | }; 273 | 274 | struct ocsp_revoked_info_st { 275 | ASN1_GENERALIZEDTIME *revocationTime; 276 | ASN1_ENUMERATED *revocationReason; 277 | }; 278 | 279 | struct ocsp_cert_id_st { 280 | X509_ALGOR hashAlgorithm; 281 | ASN1_OCTET_STRING issuerNameHash; 282 | ASN1_OCTET_STRING issuerKeyHash; 283 | ASN1_INTEGER serialNumber; 284 | }; 285 | 286 | #define BS_DEFAULT_NEW_SIZE 256 /* The starting size of the buffer when bs_new() is used. */ 287 | struct _bs { 288 | unsigned char *buf; 289 | size_t size; /* The size of the allocated buffer. */ 290 | size_t len; /* The number of bytes currently in the buffer. 
*/ 291 | }; 292 | typedef struct _bs bs; /* Stands for 'byte string'. */ 293 | 294 | /* We redefine these so that we can run correctly even if the vendor gives us 295 | * a version of OpenSSL that does not match its header files. (Apple: I am 296 | * looking at you.) 297 | */ 298 | #ifndef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 299 | # define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L 300 | #endif 301 | #ifndef SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 302 | # define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x0010 303 | #endif 304 | 305 | // Utilities 306 | void bs_new(bs **); 307 | void bs_new_size(bs **, size_t); 308 | void bs_free(bs **); 309 | void bs_append_bytes(bs *, unsigned char *, size_t); 310 | void bs_append_uint32_t(bs *, uint32_t); 311 | void bs_append_ushort(bs *, unsigned short); 312 | void bs_append_bs(bs *, bs *); 313 | size_t bs_get_len(bs *); 314 | size_t bs_get_size(bs *); 315 | unsigned char *bs_get_bytes(bs *); 316 | unsigned char bs_get_byte(bs *, size_t); 317 | void bs_set_byte(bs *, size_t, unsigned char); 318 | void bs_set_ushort(bs *b, size_t offset, unsigned short length); 319 | int bs_read_socket(bs *b, int s, size_t num_bytes); 320 | unsigned int checkIfTLSVersionIsSupported(struct sslCheckOptions *options, unsigned int tls_version); 321 | unsigned int checkIfTLSVersionIsSupported_Backup(struct sslCheckOptions *options, unsigned int tls_version); 322 | SSL_CTX *CTX_new(const SSL_METHOD *method); 323 | int fileExists(char *); 324 | void findMissingCiphers(); 325 | char *getPrintableTLSName(unsigned int tls_version); 326 | bs *getServerHello(int s); 327 | bs *makeCiphersuiteListAll(unsigned int tls_version); 328 | bs *makeCiphersuiteListTLS13All(); 329 | bs *makeCiphersuiteListMissing(unsigned int tls_version); 330 | bs *makeClientHello(struct sslCheckOptions *options, unsigned int version, bs *ciphersuite_list, bs *tls_extensions); 331 | bs *makeTLSExtensions(struct sslCheckOptions *options, unsigned int 
include_signature_algorithms); 332 | void markFoundCiphersuite(unsigned short server_cipher_id, unsigned int tls_version); 333 | int ocsp_certid_print(BIO *bp, OCSP_CERTID *a, int indent); 334 | static int ocsp_resp_cb(SSL *s, void *arg); 335 | void readLine(FILE *, char *, int); 336 | int readOrLogAndClose(int, void *, size_t, const struct sslCheckOptions *); 337 | char *resolveCipherID(unsigned short cipher_id, int *cipher_bits); 338 | static int password_callback(char *, int, int, void *); 339 | const char *printableSslMethod(const SSL_METHOD *); 340 | ssize_t sendString(int, const char[]); 341 | int ssl_print_tmp_key(struct sslCheckOptions *, SSL *s); 342 | void tlsExtensionAddDefaultKeyShare(bs *tls_extensions); 343 | void tlsExtensionAddTLSv1_3(bs *tls_extensions); 344 | void tlsExtensionUpdateLength(bs *tls_extensions); 345 | int tcpConnect(struct sslCheckOptions *); 346 | 347 | // Tests 348 | void tls_reneg_init(struct sslCheckOptions *); 349 | int outputRenegotiation(struct sslCheckOptions *, struct renegotiationOutput *); 350 | struct renegotiationOutput *newRenegotiationOutput(void); 351 | int freeRenegotiationOutput(struct renegotiationOutput *); 352 | 353 | int testCompression(struct sslCheckOptions *, const SSL_METHOD *); 354 | int testRenegotiation(struct sslCheckOptions *, const SSL_METHOD *); 355 | #ifdef SSL_MODE_SEND_FALLBACK_SCSV 356 | int testfallback(struct sslCheckOptions *, const SSL_METHOD *); 357 | #endif 358 | int testHeartbleed(struct sslCheckOptions *, const SSL_METHOD *); 359 | int testSupportedGroups(struct sslCheckOptions *options); 360 | int testSignatureAlgorithms(struct sslCheckOptions *options); 361 | int testCipher(struct sslCheckOptions *, const SSL_METHOD *); 362 | int testMissingCiphers(struct sslCheckOptions *options, unsigned int version); 363 | int testProtocolCiphers(struct sslCheckOptions *, const SSL_METHOD *); 364 | int testConnection(struct sslCheckOptions *); 365 | int testHost(struct sslCheckOptions *); 366 | int 
loadCerts(struct sslCheckOptions *); 367 | int checkCertificateProtocols(struct sslCheckOptions *, const SSL_METHOD *); 368 | int checkCertificate(struct sslCheckOptions *, const SSL_METHOD *); 369 | int showCertificate(struct sslCheckOptions *); 370 | 371 | int runSSLv2Test(struct sslCheckOptions *options); 372 | int runSSLv3Test(struct sslCheckOptions *options); 373 | #endif 374 | 375 | /* vim :set ts=4 sw=4 sts=4 et : */ 376 | -------------------------------------------------------------------------------- /tags: -------------------------------------------------------------------------------- 1 | !_TAG_FILE_FORMAT 2 /extended format; --format=1 will not append ;" to lines/ 2 | !_TAG_FILE_SORTED 1 /0=unsorted, 1=sorted, 2=foldcase/ 3 | !_TAG_OUTPUT_FILESEP slash /slash or backslash/ 4 | !_TAG_OUTPUT_MODE u-ctags /u-ctags or e-ctags/ 5 | !_TAG_PROGRAM_AUTHOR Universal Ctags Team // 6 | !_TAG_PROGRAM_NAME Universal Ctags /Derived from Exuberant Ctags/ 7 | !_TAG_PROGRAM_URL https://ctags.io/ /official site/ 8 | !_TAG_PROGRAM_VERSION 0.0.0 /a3c87ab5/ 9 | BOGUS_SIG_ALG_ID sslscan.c /^#define BOGUS_SIG_ALG_ID /;" d file: 10 | BS_DEFAULT_NEW_SIZE sslscan.h /^#define BS_DEFAULT_NEW_SIZE /;" d 11 | BUFFERSIZE sslscan.h /^#define BUFFERSIZE /;" d 12 | CIPHERSUITE_LIST_ALL sslscan.h /^#define CIPHERSUITE_LIST_ALL /;" d 13 | CLOSE sslscan.h /^#define CLOSE(/;" d 14 | COL_BLUE sslscan.h /^char *COL_BLUE = "";$/;" v typeref:typename:char * 15 | COL_BLUE sslscan.h /^char *COL_BLUE = "";$/;" v typeref:typename:char * 16 | COL_GREEN sslscan.h /^char *COL_GREEN = "";$/;" v typeref:typename:char * 17 | COL_GREEN sslscan.h /^char *COL_GREEN = "";$/;" v typeref:typename:char * 18 | COL_GREY sslscan.h /^char *COL_GREY = "";$/;" v typeref:typename:char * 19 | COL_PLAIN sslscan.c /^#define COL_PLAIN /;" d file: 20 | COL_PURPLE sslscan.h /^char *COL_PURPLE = "";$/;" v typeref:typename:char * 21 | COL_PURPLE sslscan.h /^char *COL_PURPLE = "";$/;" v typeref:typename:char * 22 | COL_RED 
sslscan.h /^char *COL_RED = "";$/;" v typeref:typename:char * 23 | COL_RED sslscan.h /^char *COL_RED = "";$/;" v typeref:typename:char * 24 | COL_RED_BG sslscan.h /^char *COL_RED_BG = "";$/;" v typeref:typename:char * 25 | COL_YELLOW sslscan.h /^char *COL_YELLOW = "";$/;" v typeref:typename:char * 26 | COL_YELLOW sslscan.h /^char *COL_YELLOW = "";$/;" v typeref:typename:char * 27 | ENABLE_VIRTUAL_TERMINAL_PROCESSING sslscan.c /^ #define ENABLE_VIRTUAL_TERMINAL_PROCESSING /;" d file: 28 | FREE sslscan.h /^#define FREE(/;" d 29 | FREE_CTX sslscan.h /^#define FREE_CTX(/;" d 30 | FREE_SSL sslscan.h /^#define FREE_SSL(/;" d 31 | HAVE_SSLSCAN_H_ sslscan.h /^#define HAVE_SSLSCAN_H_$/;" d 32 | NID_TYPE_DHE sslscan.c /^#define NID_TYPE_DHE /;" d file: 33 | NID_TYPE_ECDHE sslscan.c /^#define NID_TYPE_ECDHE /;" d file: 34 | NID_TYPE_NA sslscan.c /^#define NID_TYPE_NA /;" d file: 35 | OCSP_RESPDATA sslscan.h /^typedef struct ocsp_response_data_st OCSP_RESPDATA;$/;" t typeref:struct:ocsp_response_data_st 36 | OCSP_RESPID sslscan.h /^typedef struct ocsp_responder_id_st OCSP_RESPID;$/;" t typeref:struct:ocsp_responder_id_st 37 | OVERFLOW_MESSAGE sslscan.c /^#define OVERFLOW_MESSAGE /;" d file: 38 | RESET sslscan.h /^char *RESET = ""; \/\/ DEFAULT$/;" v typeref:typename:char * 39 | R_OK sslscan.c /^ #define R_OK /;" d file: 40 | SIZE_T_FMT sslscan.c /^ #define SIZE_T_FMT /;" d file: 41 | SLEEPMS sslscan.h /^ #define SLEEPMS(/;" d 42 | SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION sslscan.h /^# define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION /;" d 43 | SSL_CIPHER_get_id sslscan.c /^unsigned long SSL_CIPHER_get_id(const SSL_CIPHER* cipher) { return cipher->id; }$/;" f typeref:typename:unsigned long 44 | SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION sslscan.h /^# define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION /;" d 45 | TLSV13_CIPHERSUITES sslscan.h /^#define TLSV13_CIPHERSUITES /;" d 46 | TLSv1_0 sslscan.h /^#define TLSv1_0 /;" d 47 | TLSv1_1 sslscan.h /^#define TLSv1_1 /;" d 48 | 
TLSv1_2 sslscan.h /^#define TLSv1_2 /;" d 49 | TLSv1_3 sslscan.h /^#define TLSv1_3 /;" d 50 | TLSv1_3_client_method sslscan.c /^const SSL_METHOD *TLSv1_3_client_method(void)$/;" f typeref:typename:const SSL_METHOD * 51 | TLSv1_3_method sslscan.c /^const SSL_METHOD *TLSv1_3_method(void)$/;" f typeref:typename:const SSL_METHOD * 52 | VC_EXTRALEAN sslscan.c /^ #define VC_EXTRALEAN$/;" d file: 53 | WIN32_LEAN_AND_MEAN sslscan.c /^ #define WIN32_LEAN_AND_MEAN$/;" d file: 54 | _GNU_SOURCE sslscan.c /^#define _GNU_SOURCE$/;" d file: 55 | _WIN32_WINNT sslscan.c /^ #define _WIN32_WINNT /;" d file: 56 | __anonf49f55d2010a sslscan.h /^ union {$/;" u struct:ocsp_responder_id_st 57 | __anonf49f55d2020a sslscan.h /^ union {$/;" u struct:ocsp_cert_status_st 58 | _bs sslscan.h /^struct _bs {$/;" s 59 | access sslscan.c /^ #define access /;" d file: 60 | addrstr sslscan.h /^ char addrstr[INET6_ADDRSTRLEN];$/;" m struct:sslCheckOptions typeref:typename:char[] 61 | bits sslscan.h /^ int bits;$/;" m struct:sslCipher typeref:typename:int 62 | bs sslscan.h /^typedef struct _bs bs; \/* Stands for 'byte string'. 
*\/$/;" t typeref:struct:_bs 63 | bs_append_bs sslscan.c /^void bs_append_bs(bs *dst, bs *src) {$/;" f typeref:typename:void 64 | bs_append_bytes sslscan.c /^void bs_append_bytes(bs *b, unsigned char *bytes, size_t bytes_len) {$/;" f typeref:typename:void 65 | bs_append_uint32_t sslscan.c /^void bs_append_uint32_t(bs *b, uint32_t u) {$/;" f typeref:typename:void 66 | bs_append_ushort sslscan.c /^void bs_append_ushort(bs *b, unsigned short us) {$/;" f typeref:typename:void 67 | bs_free sslscan.c /^void bs_free(bs **b) {$/;" f typeref:typename:void 68 | bs_get_byte sslscan.c /^unsigned char bs_get_byte(bs *b, size_t offset) {$/;" f typeref:typename:unsigned char 69 | bs_get_bytes sslscan.c /^unsigned char *bs_get_bytes(bs *b) {$/;" f typeref:typename:unsigned char * 70 | bs_get_len sslscan.c /^size_t bs_get_len(bs *b) {$/;" f typeref:typename:size_t 71 | bs_get_size sslscan.c /^size_t bs_get_size(bs *b) {$/;" f typeref:typename:size_t 72 | bs_new sslscan.c /^void bs_new(bs **b) {$/;" f typeref:typename:void 73 | bs_new_size sslscan.c /^void bs_new_size(bs **b, size_t new_size) {$/;" f typeref:typename:void 74 | bs_read_socket sslscan.c /^int bs_read_socket(bs *b, int s, size_t num_bytes) {$/;" f typeref:typename:int 75 | bs_set_byte sslscan.c /^void bs_set_byte(bs *b, size_t offset, unsigned char byte) {$/;" f typeref:typename:void 76 | bs_set_ushort sslscan.c /^void bs_set_ushort(bs *b, size_t offset, unsigned short length) {$/;" f typeref:typename:void 77 | buf sslscan.h /^ unsigned char *buf;$/;" m struct:_bs typeref:typename:unsigned char * 78 | byKey sslscan.h /^ ASN1_OCTET_STRING *byKey;$/;" m union:ocsp_responder_id_st::__anonf49f55d2010a typeref:typename:ASN1_OCTET_STRING * 79 | byName sslscan.h /^ X509_NAME *byName;$/;" m union:ocsp_responder_id_st::__anonf49f55d2010a typeref:typename:X509_NAME * 80 | certId sslscan.h /^ OCSP_CERTID *certId;$/;" m struct:ocsp_single_response_st typeref:typename:OCSP_CERTID * 81 | certStatus sslscan.h /^ OCSP_CERTSTATUS 
*certStatus;$/;" m struct:ocsp_single_response_st typeref:typename:OCSP_CERTSTATUS * 82 | checkCertificate sslscan.c /^int checkCertificate(struct sslCheckOptions *options, const SSL_METHOD *sslMethod)$/;" f typeref:typename:int 83 | checkCertificate sslscan.h /^ int checkCertificate;$/;" m struct:sslCheckOptions typeref:typename:int 84 | checkCertificateProtocol sslscan.c /^int checkCertificateProtocol(struct sslCheckOptions *options, const SSL_METHOD *sslMethod)$/;" f typeref:typename:int 85 | checkIfTLSVersionIsSupported sslscan.c /^unsigned int checkIfTLSVersionIsSupported(struct sslCheckOptions *options, unsigned int tls_vers/;" f typeref:typename:unsigned int 86 | cipherRemove sslscan.c /^char *cipherRemove(char *str, const char *sub) {$/;" f typeref:typename:char * 87 | cipher_details sslscan.h /^ int cipher_details;$/;" m struct:sslCheckOptions typeref:typename:int 88 | ciphers sslscan.h /^ struct sslCipher *ciphers;$/;" m struct:sslCheckOptions typeref:struct:sslCipher * 89 | cipherstring sslscan.h /^ char cipherstring[65536];$/;" m struct:sslCheckOptions typeref:typename:char[65536] 90 | ciphersuites sslscan.h /^ int ciphersuites;$/;" m struct:sslCheckOptions typeref:typename:int 91 | clientCertsFile sslscan.h /^ char *clientCertsFile;$/;" m struct:sslCheckOptions typeref:typename:char * 92 | close sslscan.c /^ #define close /;" d file: 93 | color sslscan.c /^ char *color;$/;" m struct:testSignatureAlgorithms::signature_algorithm typeref:typename:char * file: 94 | color sslscan.c /^ char *color;$/;" m struct:testSupportedGroups::group_key_exchange typeref:typename:char * file: 95 | compression sslscan.h /^ int compression;$/;" m struct:sslCheckOptions typeref:typename:int 96 | ctx sslscan.h /^ SSL_CTX *ctx;$/;" m struct:sslCheckOptions typeref:typename:SSL_CTX * 97 | description sslscan.h /^ char description[512];$/;" m struct:sslCipher typeref:typename:char[512] 98 | fallback sslscan.h /^ int fallback;$/;" m struct:sslCheckOptions typeref:typename:int 99 
| false sslscan.h /^#define false /;" d 100 | fileExists sslscan.c /^int fileExists(char *fileName)$/;" f typeref:typename:int 101 | findMissingCiphers sslscan.c /^void findMissingCiphers() {$/;" f typeref:typename:void 102 | freeRenegotiationOutput sslscan.c /^int freeRenegotiationOutput( struct renegotiationOutput *myRenOut )$/;" f typeref:typename:int 103 | getPrintableTLSName sslscan.c /^char *getPrintableTLSName(unsigned int tls_version) {$/;" f typeref:typename:char * 104 | getServerHello sslscan.c /^bs *getServerHello(int s) {$/;" f typeref:typename:bs * 105 | getTLSHandshakeRecord sslscan.c /^bs *getTLSHandshakeRecord(int s) {$/;" f typeref:typename:bs * 106 | good sslscan.h /^ ASN1_NULL *good;$/;" m union:ocsp_cert_status_st::__anonf49f55d2020a typeref:typename:ASN1_NULL * 107 | group_bit_strength sslscan.c /^ unsigned int group_bit_strength; \/* The bit strength equivalent of this group. *\/$/;" m struct:testSupportedGroups::group_key_exchange typeref:typename:unsigned int file: 108 | group_id sslscan.c /^ uint16_t group_id;$/;" m struct:testSupportedGroups::group_key_exchange typeref:typename:uint16_t file: 109 | group_key_exchange sslscan.c /^ struct group_key_exchange {$/;" s function:testSupportedGroups file: 110 | group_name sslscan.c /^ char *group_name;$/;" m struct:testSupportedGroups::group_key_exchange typeref:typename:char * file: 111 | groups sslscan.h /^ int groups;$/;" m struct:sslCheckOptions typeref:typename:int 112 | h_addrtype sslscan.h /^ short h_addrtype;$/;" m struct:sslCheckOptions typeref:typename:short 113 | hashAlgorithm sslscan.h /^ X509_ALGOR hashAlgorithm;$/;" m struct:ocsp_cert_id_st typeref:typename:X509_ALGOR 114 | heartbleed sslscan.h /^ int heartbleed;$/;" m struct:sslCheckOptions typeref:typename:int 115 | host sslscan.h /^ char host[512];$/;" m struct:sslCheckOptions typeref:typename:char[512] 116 | http sslscan.h /^ int http;$/;" m struct:sslCheckOptions typeref:typename:int 117 | ipv4 sslscan.h /^ int ipv4;$/;" m 
struct:sslCheckOptions typeref:typename:int 118 | ipv6 sslscan.h /^ int ipv6;$/;" m struct:sslCheckOptions typeref:typename:int 119 | issuerKeyHash sslscan.h /^ ASN1_OCTET_STRING issuerKeyHash;$/;" m struct:ocsp_cert_id_st typeref:typename:ASN1_OCTET_STRING 120 | issuerNameHash sslscan.h /^ ASN1_OCTET_STRING issuerNameHash;$/;" m struct:ocsp_cert_id_st typeref:typename:ASN1_OCTET_STRING 121 | key_exchange_len sslscan.c /^ uint16_t key_exchange_len;$/;" m struct:testSupportedGroups::group_key_exchange typeref:typename:uint16_t file: 122 | len sslscan.h /^ size_t len; \/* The number of bytes currently in the buffer. *\/$/;" m struct:_bs typeref:typename:size_t 123 | loadCerts sslscan.c /^int loadCerts(struct sslCheckOptions *options)$/;" f typeref:typename:int 124 | main sslscan.c /^int main(int argc, char *argv[])$/;" f typeref:typename:int 125 | makeCiphersuiteListAll sslscan.c /^bs *makeCiphersuiteListAll(unsigned int tls_version) {$/;" f typeref:typename:bs * 126 | makeCiphersuiteListMissing sslscan.c /^bs *makeCiphersuiteListMissing(unsigned int tls_version) {$/;" f typeref:typename:bs * 127 | makeCiphersuiteListTLS13All sslscan.c /^bs *makeCiphersuiteListTLS13All() {$/;" f typeref:typename:bs * 128 | makeClientHello sslscan.c /^bs *makeClientHello(struct sslCheckOptions *options, unsigned int tls_version, bs *ciphersuite_l/;" f typeref:typename:bs * 129 | makeTLSExtensions sslscan.c /^bs *makeTLSExtensions(struct sslCheckOptions *options, unsigned int include_signature_algorithms/;" f typeref:typename:bs * 130 | markFoundCiphersuite sslscan.c /^void markFoundCiphersuite(unsigned short server_cipher_id, unsigned int tls_version) {$/;" f typeref:typename:void 131 | memmem sslscan.c /^void *memmem(const void *haystack_start, size_t haystack_len, const void *needle, size_t needle_/;" f typeref:typename:void * 132 | mode_help sslscan.h /^#define mode_help /;" d 133 | mode_multiple sslscan.h /^#define mode_multiple /;" d 134 | mode_single sslscan.h /^#define 
mode_single /;" d 135 | mode_version sslscan.h /^#define mode_version /;" d 136 | name sslscan.h /^ const char *name;$/;" m struct:sslCipher typeref:typename:const char * 137 | newRenegotiationOutput sslscan.c /^struct renegotiationOutput * newRenegotiationOutput( void )$/;" f typeref:struct:renegotiationOutput * 138 | new_CTX sslscan.c /^SSL_CTX *new_CTX(const SSL_METHOD *method) {$/;" f typeref:typename:SSL_CTX * 139 | new_SSL sslscan.c /^SSL *new_SSL(SSL_CTX *ctx) {$/;" f typeref:typename:SSL * 140 | next sslscan.h /^ struct sslCipher *next;$/;" m struct:sslCipher typeref:struct:sslCipher * 141 | nextUpdate sslscan.h /^ ASN1_GENERALIZEDTIME *nextUpdate;$/;" m struct:ocsp_single_response_st typeref:typename:ASN1_GENERALIZEDTIME * 142 | nid sslscan.c /^ int nid; \/* NID for group, or -1 for X25519\/X448. *\/$/;" m struct:testSupportedGroups::group_key_exchange typeref:typename:int file: 143 | nid_type sslscan.c /^ unsigned int nid_type; \/* One of the NID_TYPE_* flags. *\/$/;" m struct:testSupportedGroups::group_key_exchange typeref:typename:unsigned int file: 144 | ocspRequest sslscan.c /^int ocspRequest(struct sslCheckOptions *options)$/;" f typeref:typename:int 145 | ocspStatus sslscan.h /^ int ocspStatus;$/;" m struct:sslCheckOptions typeref:typename:int 146 | ocsp_basic_response_st sslscan.h /^struct ocsp_basic_response_st {$/;" s 147 | ocsp_cert_id_st sslscan.h /^struct ocsp_cert_id_st {$/;" s 148 | ocsp_cert_status_st sslscan.h /^struct ocsp_cert_status_st {$/;" s 149 | ocsp_certid_print sslscan.c /^int ocsp_certid_print(BIO *bp, OCSP_CERTID *a, int indent)$/;" f typeref:typename:int 150 | ocsp_resp_bytes_st sslscan.h /^struct ocsp_resp_bytes_st {$/;" s 151 | ocsp_resp_cb sslscan.c /^static int ocsp_resp_cb(SSL *s, void *unused) {$/;" f typeref:typename:int file: 152 | ocsp_responder_id_st sslscan.h /^struct ocsp_responder_id_st {$/;" s 153 | ocsp_response_data_st sslscan.h /^struct ocsp_response_data_st {$/;" s 154 | ocsp_response_st sslscan.h /^struct 
ocsp_response_st {$/;" s 155 | ocsp_revoked_info_st sslscan.h /^struct ocsp_revoked_info_st {$/;" s 156 | ocsp_single_response_st sslscan.h /^struct ocsp_single_response_st {$/;" s 157 | outputCipher sslscan.c /^void outputCipher(struct sslCheckOptions *options, SSL *ssl, const char *cleanSslMethod, uint32_/;" f typeref:typename:void 158 | outputRenegotiation sslscan.c /^int outputRenegotiation( struct sslCheckOptions *options, struct renegotiationOutput *outputData/;" f typeref:typename:int 159 | password_callback sslscan.c /^static int password_callback(char *buf, int size, int rwflag, void *userdata)$/;" f typeref:typename:int file: 160 | populateCipherList sslscan.c /^int populateCipherList(struct sslCheckOptions *options, const SSL_METHOD *sslMethod)$/;" f typeref:typename:int 161 | port sslscan.h /^ int port;$/;" m struct:sslCheckOptions typeref:typename:int 162 | printableSslMethod sslscan.c /^const char* printableSslMethod(const SSL_METHOD *sslMethod)$/;" f typeref:typename:const char * 163 | printf sslscan.h /^#define printf(/;" d 164 | printf_error sslscan.h /^#define printf_error(/;" d 165 | printf_verbose sslscan.h /^#define printf_verbose(/;" d 166 | printf_xml sslscan.h /^#define printf_xml(/;" d 167 | privateKeyFile sslscan.h /^ char *privateKeyFile;$/;" m struct:sslCheckOptions typeref:typename:char * 168 | privateKeyPassword sslscan.h /^ char *privateKeyPassword;$/;" m struct:sslCheckOptions typeref:typename:char * 169 | producedAt sslscan.h /^ ASN1_GENERALIZEDTIME *producedAt;$/;" m struct:ocsp_response_data_st typeref:typename:ASN1_GENERALIZEDTIME * 170 | program_banner sslscan.h /^const char *program_banner = " _\\n"$/;" v typeref:typename:const char * 171 | rdp sslscan.h /^ int rdp;$/;" m struct:sslCheckOptions typeref:typename:int 172 | readLine sslscan.c /^void readLine(FILE *input, char *lineFromFile, int maxSize)$/;" f typeref:typename:void 173 | readOrLogAndClose sslscan.c /^int readOrLogAndClose(int fd, void* buffer, size_t len, const 
struct sslCheckOptions *options)$/;" f typeref:typename:int 174 | reneg sslscan.h /^ int reneg;$/;" m struct:sslCheckOptions typeref:typename:int 175 | renegotiationOutput sslscan.h /^struct renegotiationOutput$/;" s 176 | resolveCipherID sslscan.c /^char *resolveCipherID(unsigned short cipher_id, int *cipher_bits) {$/;" f typeref:typename:char * 177 | responderId sslscan.h /^ OCSP_RESPID responderId;$/;" m struct:ocsp_response_data_st typeref:typename:OCSP_RESPID 178 | response sslscan.h /^ ASN1_OCTET_STRING *response;$/;" m struct:ocsp_resp_bytes_st typeref:typename:ASN1_OCTET_STRING * 179 | responseBytes sslscan.h /^ OCSP_RESPBYTES *responseBytes;$/;" m struct:ocsp_response_st typeref:typename:OCSP_RESPBYTES * 180 | responseStatus sslscan.h /^ ASN1_ENUMERATED *responseStatus;$/;" m struct:ocsp_response_st typeref:typename:ASN1_ENUMERATED * 181 | responseType sslscan.h /^ ASN1_OBJECT *responseType;$/;" m struct:ocsp_resp_bytes_st typeref:typename:ASN1_OBJECT * 182 | revocationReason sslscan.h /^ ASN1_ENUMERATED *revocationReason;$/;" m struct:ocsp_revoked_info_st typeref:typename:ASN1_ENUMERATED * 183 | revocationTime sslscan.h /^ ASN1_GENERALIZEDTIME *revocationTime;$/;" m struct:ocsp_revoked_info_st typeref:typename:ASN1_GENERALIZEDTIME * 184 | revoked sslscan.h /^ OCSP_REVOKEDINFO *revoked;$/;" m union:ocsp_cert_status_st::__anonf49f55d2020a typeref:typename:OCSP_REVOKEDINFO * 185 | runSSLv2Test sslscan.c /^int runSSLv2Test(struct sslCheckOptions *options) {$/;" f typeref:typename:int 186 | runSSLv3Test sslscan.c /^int runSSLv3Test(struct sslCheckOptions *options) {$/;" f typeref:typename:int 187 | secure sslscan.h /^ int secure;$/;" m struct:renegotiationOutput typeref:typename:int 188 | security_callback_allow_all sslscan.c /^static int security_callback_allow_all(const SSL *s, const SSL_CTX *ctx, int op, int bits, int n/;" f typeref:typename:int file: 189 | sendString sslscan.c /^ssize_t sendString(int sockfd, const char str[])$/;" f 
typeref:typename:ssize_t 190 | serialNumber sslscan.h /^ ASN1_INTEGER serialNumber;$/;" m struct:ocsp_cert_id_st typeref:typename:ASN1_INTEGER 191 | serverAddress sslscan.h /^ struct sockaddr_in serverAddress;$/;" m struct:sslCheckOptions typeref:struct:sockaddr_in 192 | serverAddress6 sslscan.h /^ struct sockaddr_in6 serverAddress6;$/;" m struct:sslCheckOptions typeref:struct:sockaddr_in6 193 | setCipherSuite sslscan.c /^int setCipherSuite(struct sslCheckOptions *options, const SSL_METHOD *sslMethod, const char *str/;" f typeref:typename:int 194 | showCertificate sslscan.c /^int showCertificate(struct sslCheckOptions *options)$/;" f typeref:typename:int 195 | showCertificate sslscan.h /^ int showCertificate;$/;" m struct:sslCheckOptions typeref:typename:int 196 | showCipherIds sslscan.h /^ int showCipherIds;$/;" m struct:sslCheckOptions typeref:typename:int 197 | showClientCiphers sslscan.h /^ int showClientCiphers;$/;" m struct:sslCheckOptions typeref:typename:int 198 | showTimes sslscan.h /^ int showTimes;$/;" m struct:sslCheckOptions typeref:typename:int 199 | showTrustedCAs sslscan.c /^int showTrustedCAs(struct sslCheckOptions *options)$/;" f typeref:typename:int 200 | showTrustedCAs sslscan.h /^ int showTrustedCAs;$/;" m struct:sslCheckOptions typeref:typename:int 201 | sig_id sslscan.c /^ uint16_t sig_id;$/;" m struct:testSignatureAlgorithms::signature_algorithm typeref:typename:uint16_t file: 202 | sig_name sslscan.c /^ char *sig_name;$/;" m struct:testSignatureAlgorithms::signature_algorithm typeref:typename:char * file: 203 | signature sslscan.h /^ ASN1_BIT_STRING *signature;$/;" m struct:ocsp_basic_response_st typeref:typename:ASN1_BIT_STRING * 204 | signatureAlgorithm sslscan.h /^ X509_ALGOR signatureAlgorithm;$/;" m struct:ocsp_basic_response_st typeref:typename:X509_ALGOR 205 | signature_algorithm sslscan.c /^ struct signature_algorithm {$/;" s function:testSignatureAlgorithms file: 206 | signature_algorithms sslscan.h /^ int signature_algorithms;$/;" 
m struct:sslCheckOptions typeref:typename:int 207 | size sslscan.h /^ size_t size; \/* The size of the allocated buffer. *\/$/;" m struct:_bs typeref:typename:size_t 208 | sleep sslscan.h /^ unsigned int sleep;$/;" m struct:sslCheckOptions typeref:typename:unsigned int 209 | sniname sslscan.h /^ char sniname[512];$/;" m struct:sslCheckOptions typeref:typename:char[512] 210 | snprintf sslscan.c /^ #define snprintf /;" d file: 211 | ssize_t sslscan.c /^ typedef int ssize_t;$/;" t typeref:typename:int file: 212 | sslCheckOptions sslscan.h /^struct sslCheckOptions$/;" s 213 | sslCipher sslscan.h /^struct sslCipher$/;" s 214 | sslMethod sslscan.h /^ const SSL_METHOD *sslMethod;$/;" m struct:sslCipher typeref:typename:const SSL_METHOD * 215 | sslVersion sslscan.h /^ int sslVersion;$/;" m struct:sslCheckOptions typeref:typename:int 216 | ssl_all sslscan.h /^#define ssl_all /;" d 217 | ssl_print_tmp_key sslscan.c /^int ssl_print_tmp_key(struct sslCheckOptions *options, SSL *s)$/;" f typeref:typename:int 218 | ssl_v2 sslscan.h /^#define ssl_v2 /;" d 219 | ssl_v3 sslscan.h /^#define ssl_v3 /;" d 220 | sslbugs sslscan.h /^ int sslbugs;$/;" m struct:sslCheckOptions typeref:typename:int 221 | starttls_ftp sslscan.h /^ int starttls_ftp;$/;" m struct:sslCheckOptions typeref:typename:int 222 | starttls_imap sslscan.h /^ int starttls_imap;$/;" m struct:sslCheckOptions typeref:typename:int 223 | starttls_irc sslscan.h /^ int starttls_irc;$/;" m struct:sslCheckOptions typeref:typename:int 224 | starttls_ldap sslscan.h /^ int starttls_ldap;$/;" m struct:sslCheckOptions typeref:typename:int 225 | starttls_mysql sslscan.h /^ int starttls_mysql;$/;" m struct:sslCheckOptions typeref:typename:int 226 | starttls_pop3 sslscan.h /^ int starttls_pop3;$/;" m struct:sslCheckOptions typeref:typename:int 227 | starttls_psql sslscan.h /^ int starttls_psql;$/;" m struct:sslCheckOptions typeref:typename:int 228 | starttls_smtp sslscan.h /^ int starttls_smtp;$/;" m struct:sslCheckOptions 
typeref:typename:int 229 | starttls_xmpp sslscan.h /^ int starttls_xmpp;$/;" m struct:sslCheckOptions typeref:typename:int 230 | supported sslscan.h /^ int supported;$/;" m struct:renegotiationOutput typeref:typename:int 231 | targets sslscan.h /^ int targets;$/;" m struct:sslCheckOptions typeref:typename:int 232 | tbsResponseData sslscan.h /^ OCSP_RESPDATA tbsResponseData;$/;" m struct:ocsp_basic_response_st typeref:typename:OCSP_RESPDATA 233 | tcpConnect sslscan.c /^int tcpConnect(struct sslCheckOptions *options)$/;" f typeref:typename:int 234 | testCipher sslscan.c /^int testCipher(struct sslCheckOptions *options, const SSL_METHOD *sslMethod)$/;" f typeref:typename:int 235 | testCompression sslscan.c /^int testCompression(struct sslCheckOptions *options, const SSL_METHOD *sslMethod)$/;" f typeref:typename:int 236 | testConnection sslscan.c /^int testConnection(struct sslCheckOptions *options)$/;" f typeref:typename:int 237 | testFallback sslscan.c /^int testFallback(struct sslCheckOptions *options, const SSL_METHOD *sslMethod)$/;" f typeref:typename:int 238 | testHeartbleed sslscan.c /^int testHeartbleed(struct sslCheckOptions *options, const SSL_METHOD *sslMethod)$/;" f typeref:typename:int 239 | testHost sslscan.c /^int testHost(struct sslCheckOptions *options)$/;" f typeref:typename:int 240 | testMissingCiphers sslscan.c /^int testMissingCiphers(struct sslCheckOptions *options, unsigned int tls_version) {$/;" f typeref:typename:int 241 | testProtocolCiphers sslscan.c /^int testProtocolCiphers(struct sslCheckOptions *options, const SSL_METHOD *sslMethod)$/;" f typeref:typename:int 242 | testRenegotiation sslscan.c /^int testRenegotiation(struct sslCheckOptions *options, const SSL_METHOD *sslMethod)$/;" f typeref:typename:int 243 | testSignatureAlgorithms sslscan.c /^int testSignatureAlgorithms(struct sslCheckOptions *options) {$/;" f typeref:typename:int 244 | testSupportedGroups sslscan.c /^int testSupportedGroups(struct sslCheckOptions *options) {$/;" f 
typeref:typename:int 245 | thisUpdate sslscan.h /^ ASN1_GENERALIZEDTIME *thisUpdate;$/;" m struct:ocsp_single_response_st typeref:typename:ASN1_GENERALIZEDTIME * 246 | timeout sslscan.h /^ struct timeval timeout;$/;" m struct:sslCheckOptions typeref:struct:timeval 247 | timersub sslscan.c /^ #define timersub(/;" d file: 248 | tls10_supported sslscan.h /^ unsigned int tls10_supported;$/;" m struct:sslCheckOptions typeref:typename:unsigned int 249 | tls11_supported sslscan.h /^ unsigned int tls11_supported;$/;" m struct:sslCheckOptions typeref:typename:unsigned int 250 | tls12_supported sslscan.h /^ unsigned int tls12_supported;$/;" m struct:sslCheckOptions typeref:typename:unsigned int 251 | tls13_supported sslscan.h /^ unsigned int tls13_supported;$/;" m struct:sslCheckOptions typeref:typename:unsigned int 252 | tlsExtensionAddDefaultKeyShare sslscan.c /^void tlsExtensionAddDefaultKeyShare(bs *tls_extensions) {$/;" f typeref:typename:void 253 | tlsExtensionAddTLSv1_3 sslscan.c /^void tlsExtensionAddTLSv1_3(bs *tls_extensions) {$/;" f typeref:typename:void 254 | tlsExtensionUpdateLength sslscan.c /^void tlsExtensionUpdateLength(bs *tls_extensions) {$/;" f typeref:typename:void 255 | tls_all sslscan.h /^#define tls_all /;" d 256 | tls_reneg_init sslscan.c /^void tls_reneg_init(struct sslCheckOptions *options)$/;" f typeref:typename:void 257 | tls_v10 sslscan.h /^#define tls_v10 /;" d 258 | tls_v11 sslscan.h /^#define tls_v11 /;" d 259 | tls_v12 sslscan.h /^#define tls_v12 /;" d 260 | tls_v13 sslscan.h /^#define tls_v13 /;" d 261 | true sslscan.h /^#define true /;" d 262 | type sslscan.h /^ int type;$/;" m struct:ocsp_cert_status_st typeref:typename:int 263 | type sslscan.h /^ int type;$/;" m struct:ocsp_responder_id_st typeref:typename:int 264 | unknown sslscan.h /^ ASN1_NULL *unknown;$/;" m union:ocsp_cert_status_st::__anonf49f55d2020a typeref:typename:ASN1_NULL * 265 | use_unsafe_renegotiation_flag sslscan.c /^static int use_unsafe_renegotiation_flag = 0;$/;" v 
typeref:typename:int file: 266 | use_unsafe_renegotiation_op sslscan.c /^static int use_unsafe_renegotiation_op = 0;$/;" v typeref:typename:int file: 267 | value sslscan.h /^ } value;$/;" m struct:ocsp_cert_status_st typeref:union:ocsp_cert_status_st::__anonf49f55d2020a 268 | value sslscan.h /^ } value;$/;" m struct:ocsp_responder_id_st typeref:union:ocsp_responder_id_st::__anonf49f55d2010a 269 | verbose sslscan.h /^ int verbose;$/;" m struct:sslCheckOptions typeref:typename:int 270 | version sslscan.h /^ ASN1_INTEGER *version;$/;" m struct:ocsp_response_data_st typeref:typename:ASN1_INTEGER * 271 | version sslscan.h /^ const char *version;$/;" m struct:sslCipher typeref:typename:const char * 272 | xmlOutput sslscan.h /^ FILE *xmlOutput;$/;" m struct:sslCheckOptions typeref:typename:FILE * 273 | xml_to_stdout sslscan.c /^static int xml_to_stdout = 0;$/;" v typeref:typename:int file: 274 | xmpp_server sslscan.h /^ int xmpp_server;$/;" m struct:sslCheckOptions typeref:typename:int 275 | -------------------------------------------------------------------------------- /tools/iana_tls_ciphersuite_parser.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | 3 | # 4 | # Copyright (C) 2019 Joe Testa 5 | # 6 | # This tool will parse the list of TLS ciphersuites from IANA 7 | # (https://www.iana.org/assignments/tls-parameters/tls-parameters.xml) into a C-struct 8 | # for use in missing_ciphersuites.h. 9 | # 10 | 11 | import csv, sys 12 | from datetime import date 13 | 14 | 15 | # We must be given a path to a CSV file with the ciphersuites. It can be obtained from 16 | # . 17 | if len(sys.argv) != 2: 18 | print("\nUsage: %s tls_ciphers.csv\n\nHint: copy the TLS table in CSV format from .\n" % sys.argv[0]) 19 | exit() 20 | 21 | csv_file = sys.argv[1] 22 | 23 | print("/* Auto-generated by %s on %s. 
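*/" % (sys.argv[0], date.today().strftime("%B %d, %Y")))
print("struct missing_ciphersuite missing_ciphersuites[] = {")

# Ordered (substring, bits) hints used to guess a cipher's bit strength from its
# IANA name.  The first match wins, so '3DES' and 'DES40' must stay ahead of
# '_DES_'.  A name that matches nothing is emitted with -1.
BIT_STRENGTH_HINTS = (
    ('AES_128', 128),
    ('AES_256', 256),
    ('CHACHA20', 256),
    ('CAMELLIA_128', 128),
    ('CAMELLIA_256', 256),
    ('ARIA_128', 128),
    ('ARIA_256', 256),
    ('AEGIS_128', 128),
    ('AEGIS_256', 256),
    ('SEED', 128),
    ('3DES', 112),
    ('DES40', 40),
    ('_DES_', 56),
    ('RC4_128', 128),
    ('RC4_40', 40),
    ('IDEA', 128),
    ('_RC2_', 40),
    ('GOSTR341112_256', 256),
    ('_SM4_', 128),  # See http://www.gmbz.org.cn/upload/2018-04-04/1522788048733065051.pdf
)

# Cipher names are written verbatim into a C string literal in the generated
# header, so only plain identifier characters are accepted.  A malformed or
# tampered CSV then fails here instead of breaking out of the literal.
NAME_CHARS = frozenset('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_')
HEX_DIGITS = frozenset('0123456789abcdefABCDEF')

with open(csv_file, 'r') as f:
    reader = csv.reader(f)
    for row in reader:
        # csv.reader yields [] for blank lines (e.g. a trailing newline in a
        # pasted table); there is nothing to parse on those.
        if not row:
            continue
        if len(row) < 2:
            print("Error: row has fewer than 2 columns: %r" % (row,), file=sys.stderr)
            sys.exit(1)

        raw_id = row[0]
        cipher_name = row[1]

        # Skip the header.
        if '0x' not in raw_id:
            continue

        # Skip reserved or unassigned ranges.  Also skip SCSV ciphers.
        skip_markers = ('Reserved', 'Unassigned', 'TLS_FALLBACK_SCSV', 'TLS_EMPTY_RENEGOTIATION_INFO_SCSV')
        if any(marker in cipher_name for marker in skip_markers):
            continue

        # Convert '0xC0,0x87' to '0xC087'
        parsed_id = raw_id[0:4] + raw_id[7:9]
        id_ok = (len(parsed_id) == 6 and parsed_id[:2] == '0x'
                 and all(ch in HEX_DIGITS for ch in parsed_id[2:]))
        if not id_ok:
            # Diagnostics go to stderr so they never end up inside the generated
            # header on stdout; the non-zero status lets a Makefile or shell
            # pipeline notice the failure.
            print("Error: parsed ID is not a 16-bit hex value: %s" % parsed_id, file=sys.stderr)
            sys.exit(1)

        if not cipher_name or not all(ch in NAME_CHARS for ch in cipher_name):
            print("Error: unexpected characters in cipher name: %r" % cipher_name, file=sys.stderr)
            sys.exit(1)

        # Make an educated guess of the cipher's bit strength based on its name.
        bits = next((strength for hint, strength in BIT_STRENGTH_HINTS if hint in cipher_name), -1)

        print(' {%s, "%s", %d, VALL, 0},' % (parsed_id, cipher_name, bits))
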
88 | # These ciphers are reserved for private use. Kind of like the 10.0.0.0/8 IPv4 89 | # addresses. 90 | print("\n /* The ciphers below are reserved for private use (see RFC8446). */") 91 | for i in range(0, 256): 92 | low_byte = hex(i)[2:].upper() 93 | if len(low_byte) == 1: 94 | low_byte = '0' + low_byte 95 | 96 | parsed_id = '0xFF' + low_byte 97 | cipher_name = 'PRIVATE_CIPHER_%d' % i 98 | bits = -1 99 | print(' {%s, "%s", %d, VALL, 0},' % (parsed_id, cipher_name, bits)) 100 | 101 | print("};") 102 | -------------------------------------------------------------------------------- /tools/iana_tls_supported_groups_parser.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | 3 | # 4 | # Copyright (C) 2019 Joe Testa 5 | # 6 | # This tool will parse the list of TLS supported groups from IANA 7 | # (https://www.iana.org/assignments/tls-parameters/tls-parameters-8.csv) into a C-struct 8 | # for use in testSupportedGroups(). 9 | # 10 | 11 | import csv, sys 12 | from datetime import date 13 | 14 | 15 | # We must be given a path to a CSV file with the groups. It can be obtained from 16 | # . 17 | if len(sys.argv) != 2: 18 | print("\nUsage: %s tls_ciphers.csv\n\nHint: copy the TLS table in CSV format from .\n" % sys.argv[0]) 19 | exit(0) 20 | 21 | csv_file = sys.argv[1] 22 | 23 | print() 24 | print(" /* Auto-generated by %s on %s. */" % (sys.argv[0], date.today().strftime("%B %d, %Y"))) 25 | print('#define COL_PLAIN ""') 26 | print('#define NID_TYPE_NA 0 /* Not Applicable (i.e.: X25519/X448) */') 27 | print('#define NID_TYPE_ECDHE 1 /* For ECDHE curves (sec*, P-256/384-521) */') 28 | print('#define NID_TYPE_DHE 2 /* For ffdhe* */') 29 | print(" /* Bit strength of DHE 2048 and 3072-bit moduli is taken directly from NIST SP 800-57 pt.1, rev4., pg. 53; DHE 4096, 6144, and 8192 are estimated using that document. 
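*/")
print(" struct group_key_exchange group_key_exchanges[] = {")

# Group names are written verbatim into a C string literal in the generated
# table, so only plain identifier characters are accepted from the CSV.  A
# malformed or tampered file then fails loudly instead of producing C source
# that closes the literal early.
GROUP_NAME_CHARS = frozenset('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_')

# (bit strength, key exchange length in bytes) for the ffdhe* groups.
# Bit strength of DHE 2048 and 3072-bit moduli is taken directly from NIST SP 800-57 pt.1, rev4., pg. 53; DHE 4096, 6144, and 8192 are estimated using that document.
FFDHE_PARAMS = {
    'ffdhe2048': (112, 256),
    'ffdhe3072': (128, 384),
    'ffdhe4096': (150, 512),
    'ffdhe6144': (175, 768),
    'ffdhe8192': (192, 1024),
}


def fail(message):
    """Report a fatal parsing problem on stderr and stop with a non-zero status."""
    print("Error: %s" % message, file=sys.stderr)
    sys.exit(1)


def curve_bits(name, prefix_len):
    """Return half the curve size encoded in `name` (e.g. 'secp256r1' -> 128).

    The size is the run of decimal digits that follows the first `prefix_len`
    characters.  Reading only the leading digits keeps this working for names
    that carry more than two characters after the size.
    """
    digits = ''
    for ch in name[prefix_len:]:
        if ch not in '0123456789':
            break
        digits += ch
    if not digits:
        fail("can't find a curve size in group name: %s" % name)
    # Integer division: the value is printed with %d, which would truncate anyway.
    return int(digits) // 2


with open(csv_file, 'r') as f:
    reader = csv.reader(f)
    for row in reader:
        # csv.reader yields [] for blank lines; nothing to parse there.
        if not row:
            continue
        if len(row) < 5:
            fail("row has fewer than 5 columns: %r" % (row,))

        raw_id = row[0]
        group_name = row[1]
        reference = row[4]

        # Skip the header (and any other row whose ID is not a plain integer).
        try:
            group_id = int(raw_id)
        except ValueError:
            continue

        # Skip reserved or unassigned IDs.
        if group_name in ('Reserved', 'Unassigned'):
            continue

        # The Reference field looks like "[RFC1234]", "[draft-blah-blah]", or "[RFC-ietf-tls-blah-02]".  Skip all rows that aren't of the "[RFC1234]" variety.
        reference = reference[1:]
        rt_bracket_pos = reference.find(']')
        if rt_bracket_pos == -1:
            # stderr, so the warning cannot end up inside the generated C on stdout.
            print("Warning: can't parse reference: %s" % reference, file=sys.stderr)
        else:
            reference = reference[3:rt_bracket_pos]

        try:
            int(reference)
        except ValueError:
            continue

        if not group_name or not all(ch in GROUP_NAME_CHARS for ch in group_name):
            fail("unexpected characters in group name: %r" % group_name)

        bits = 0
        nid = "NID_x"
        nid_type = "NID_TYPE_x"
        key_exchange_len = 0
        color = "COL_PLAIN"
        if group_name.startswith('sec'):
            bits = curve_bits(group_name, 4)
            nid = "NID_%s" % group_name
            nid_type = "NID_TYPE_ECDHE"
            if group_name == "secp192r1":
                nid = "NID_X9_62_prime192v1"
            elif group_name == "secp256r1":
                nid = "NID_X9_62_prime256v1"
                group_name += ' (NIST P-256)'
            elif group_name == "secp256k1":
                color = "COL_GREEN"  # This is the very well-tested Bitcoin curve.
            elif group_name == "secp384r1":
                group_name += ' (NIST P-384)'
            elif group_name == "secp521r1":
                group_name += ' (NIST P-521)'
        elif group_name.startswith('brainpoolP'):
            bits = curve_bits(group_name, 10)
            nid = "NID_%s" % group_name
            nid_type = "NID_TYPE_ECDHE"
        elif group_name in ('x25519', 'x448'):
            color = "COL_GREEN"
            nid = "-1"
            nid_type = "NID_TYPE_NA"
            if group_name == 'x25519':
                bits = 128
                key_exchange_len = 32
            elif group_name == 'x448':
                bits = 224
                key_exchange_len = 56
        elif group_name.startswith('ffdhe'):
            # Unlisted ffdhe sizes keep bits = 0 and key_exchange_len = 0.
            bits, key_exchange_len = FFDHE_PARAMS.get(group_name, (0, 0))
            nid = "NID_%s" % group_name
            nid_type = "NID_TYPE_DHE"
        elif group_name.startswith('arbitrary_'):  # Skip these two.
            continue
        else:
            # The row is still emitted with the NID_x / NID_TYPE_x placeholders
            # and 0 bits; presumably the entry then has to be completed by hand.
            print("Warning: no mapping known for group: %s (placeholders emitted)" % group_name, file=sys.stderr)

        if bits < 112:
            color = "COL_RED"

        print(' {0x%04x, "%s", %d, %s, %s, %s, %d},' % (group_id, group_name, bits, color, nid, nid_type, key_exchange_len))

print(" };")
print()
sys.exit(0)

-------------------------------------------------------------------------------- /win32bit-compat.h: -------------------------------------------------------------------------------- 1 | /* The file below was copied from glibc v2.26 (resolv/inet_ntop.c). */ 2 | /* This is needed for legacy 32-bit Windows builds only.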
*/ 3 | 4 | #include 5 | typedef unsigned char u_char; 6 | #define __set_errno(X) 7 | #define libc_hidden_def(X) 8 | #define internal_function 9 | #define NS_IN6ADDRSZ 16 10 | #define NS_INT16SZ 2 11 | 12 | /* 13 | * Copyright (c) 1996-1999 by Internet Software Consortium. 14 | * 15 | * Permission to use, copy, modify, and distribute this software for any 16 | * purpose with or without fee is hereby granted, provided that the above 17 | * copyright notice and this permission notice appear in all copies. 18 | * 19 | * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS 20 | * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES 21 | * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE 22 | * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL 23 | * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR 24 | * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS 25 | * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS 26 | * SOFTWARE. 27 | */ 28 | 29 | #include 30 | #include 31 | /*#include 32 | 33 | #include 34 | #include 35 | #include */ 36 | 37 | #include 38 | #include 39 | #include 40 | 41 | #ifdef SPRINTF_CHAR 42 | # define SPRINTF(x) strlen(sprintf/**/x) 43 | #else 44 | # define SPRINTF(x) ((size_t)sprintf x) 45 | #endif 46 | 47 | /* 48 | * WARNING: Don't even consider trying to compile this on a system where 49 | * sizeof(int) < 4. sizeof(int) > 4 is fine; all the world's not a VAX. 50 | */ 51 | 52 | static const char *inet_ntop4 (const u_char *src, char *dst, socklen_t size) 53 | internal_function; 54 | static const char *inet_ntop6 (const u_char *src, char *dst, socklen_t size) 55 | internal_function; 56 | 57 | /* char * 58 | * inet_ntop(af, src, dst, size) 59 | * convert a network format address to presentation format. 60 | * return: 61 | * pointer to presentation format address (`dst'), or NULL (see errno). 
 * author:
 *    Paul Vixie, 1996.
 */
/*
 * Notes for this compat copy:
 *  - __set_errno() and libc_hidden_def() are defined as empty macros at the
 *    top of this header, so errno is NOT updated on failure here.  Callers
 *    must test the return value for NULL rather than inspect errno.
 *  - inet_ntop() is defined (not merely declared) with external linkage in
 *    a header; presumably the header is included by a single .c file only.
 *  - src must point to at least 4 bytes for AF_INET and NS_IN6ADDRSZ (16)
 *    bytes for AF_INET6; the helpers read that many bytes unconditionally.
 */
const char *
inet_ntop (int af, const void *src, char *dst, socklen_t size)
{
    /* Dispatch on the address family; anything else is rejected. */
    switch (af) {
    case AF_INET:
        return (inet_ntop4(src, dst, size));
    case AF_INET6:
        return (inet_ntop6(src, dst, size));
    default:
        __set_errno (EAFNOSUPPORT);
        return (NULL);
    }
    /* NOTREACHED */
}
libc_hidden_def (inet_ntop)

/* const char *
 * inet_ntop4(src, dst, size)
 *    format an IPv4 address
 * return:
 *    `dst' (as a const)
 * notes:
 *    (1) uses no statics
 *    (2) takes a u_char* not an in_addr as input
 * author:
 *    Paul Vixie, 1996.
 */
static const char *
internal_function
inet_ntop4 (const u_char *src, char *dst, socklen_t size)
{
    static const char fmt[] = "%u.%u.%u.%u";
    /*
     * Sized for the longest dotted quad plus its NUL.  Every argument is a
     * u_char, so each %u prints at most three digits and the sprintf below
     * cannot run past tmp.
     */
    char tmp[sizeof "255.255.255.255"];

    /*
     * The formatted length excludes the NUL, hence ">=": dst needs room for
     * length + 1 bytes before the strcpy.
     * NOTE(review): this compares a size_t (from SPRINTF) with a socklen_t;
     * if socklen_t is signed on the target, a negative size would be
     * converted to a large unsigned value and pass - confirm callers always
     * pass the real, positive buffer length.
     */
    if (SPRINTF((tmp, fmt, src[0], src[1], src[2], src[3])) >= size) {
        __set_errno (ENOSPC);
        return (NULL);
    }
    return strcpy(dst, tmp);
}

/* const char *
 * inet_ntop6(src, dst, size)
 *    convert IPv6 binary address into presentation (printable) format
 * author:
 *    Paul Vixie, 1996.
 */
static const char *
internal_function
inet_ntop6 (const u_char *src, char *dst, socklen_t size)
{
    /*
     * Note that int32_t and int16_t need only be "at least" large enough
     * to contain a value of the specified size.  On some systems, like
     * Crays, there is no such thing as an integer variable with 16 bits.
     * Keep this in mind if you think this function should have been coded
     * to use pointer overlays.  All the world's not a VAX.
     */
    /*
     * tmp is sized from the longest textual form.  The writes through tp
     * below are not individually bounds-checked; they rely on each word
     * being at most 0xffff (two input bytes combined), i.e. at most four
     * hex digits per group.
     */
    char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255"], *tp;
    struct { int base, len; } best, cur;
    u_int words[NS_IN6ADDRSZ / NS_INT16SZ];
    int i;

    /*
     * Preprocess:
     *    Copy the input (bytewise) array into a wordwise array.
     *    Find the longest run of 0x00's in src[] for :: shorthanding.
     */
    memset(words, '\0', sizeof words);
    for (i = 0; i < NS_IN6ADDRSZ; i += 2)
        words[i / 2] = (src[i] << 8) | src[i + 1];
    best.base = -1;
    cur.base = -1;
    best.len = 0;
    cur.len = 0;
    for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
        if (words[i] == 0) {
            if (cur.base == -1)
                cur.base = i, cur.len = 1;
            else
                cur.len++;
        } else {
            if (cur.base != -1) {
                if (best.base == -1 || cur.len > best.len)
                    best = cur;
                cur.base = -1;
            }
        }
    }
    /* A run that reaches the last word is still open here; consider it too. */
    if (cur.base != -1) {
        if (best.base == -1 || cur.len > best.len)
            best = cur;
    }
    /* A single zero word is not worth abbreviating with "::". */
    if (best.base != -1 && best.len < 2)
        best.base = -1;

    /*
     * Format the result.
     */
    tp = tmp;
    for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
        /* Are we inside the best run of 0x00's? */
        if (best.base != -1 && i >= best.base &&
            i < (best.base + best.len)) {
            if (i == best.base)
                *tp++ = ':';
            continue;
        }
        /* Are we following an initial run of 0x00s or any real hex? */
        if (i != 0)
            *tp++ = ':';
        /* Is this address an encapsulated IPv4? */
        if (i == 6 && best.base == 0 &&
            (best.len == 6 || (best.len == 5 && words[5] == 0xffff))) {
            /* The last four bytes are formatted in place, bounded by what is left of tmp. */
            if (!inet_ntop4(src+12, tp, sizeof tmp - (tp - tmp)))
                return (NULL);
            tp += strlen(tp);
            break;
        }
        tp += SPRINTF((tp, "%x", words[i]));
    }
    /* Was it a trailing run of 0x00's? */
    if (best.base != -1 && (best.base + best.len) ==
        (NS_IN6ADDRSZ / NS_INT16SZ))
        *tp++ = ':';
    *tp++ = '\0';

    /*
     * Check for overflow, copy, and we're done.
     */
    /*
     * (tp - tmp) already counts the NUL written just above, so ">" is the
     * right comparison.  dst is written only after this check passes.
     */
    if ((socklen_t)(tp - tmp) > size) {
        __set_errno (ENOSPC);
        return (NULL);
    }
    return strcpy(dst, tmp);
}