SSL testing
From Noah.org
The sslscan tool is useful. OpenSSL can also be used.
openssl
The openssl s_client command opens an interactive connection to a service sitting behind an SSL/TLS layer. The following command connects to a remote HTTPS server, prints the certificate chain it presents, and leaves the connection open for you to type into.
openssl s_client -showcerts -connect www.example.com:443
It's a bit like testing an insecure HTTP server with telnet. Once connected you can type in requests by hand. Remember that you have to enter two line feeds after the GET request; the blank line is what terminates the headers. Some servers require the host: header and some do not. If you get an HTTP 400 Bad Request you probably need to add the host: header.
GET / HTTP/1.1
host: www.example.com
You can check whether the server accepts a specific cipher (here RC4):
openssl s_client -showcerts -connect www.example.com:443 -cipher RC4
A full test session might look like the following. In this example the server answers GET / HTTP/1.1 with a redirect. Note the verify errors at the top: the certificate is issued by a private CA (CN=lb_test_root_CA_1) that is not in the local trust store, so s_client cannot verify the chain and ends with "Verify return code: 21".
CONNECTED(00000003)
depth=0 C = US, ST = California, O = "Exemplar, Inc.", OU = IT Department, CN = www.example.com, emailAddress = itteam@example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, O = "Exemplar, Inc.", OU = IT Department, CN = www.example.com, emailAddress = itteam@example.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = US, ST = California, O = "Exemplar, Inc.", OU = IT Department, CN = www.example.com, emailAddress = itteam@example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/O=Exemplar, Inc./OU=IT Department/CN=www.example.com/emailAddress=itteam@example.com
   i:/C=US/ST=California/L=San Francisco/O=Exemplar, Inc./OU=IT Department/CN=lb_test_root_CA_1/emailAddress=itteam@example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
subject=/C=US/ST=California/O=Exemplar, Inc./OU=IT Department/CN=www.example.com/emailAddress=itteam@example.com
issuer=/C=US/ST=California/L=San Francisco/O=Exemplar, Inc./OU=IT Department/CN=lb_test_root_CA_1/emailAddress=itteam@example.com
---
No client certificate CA names sent
---
SSL handshake has read 1913 bytes and written 460 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: DE7F22EA486EFB11C8FAFAB9D191637875D9410273AD51EF2419A982E4A26FC1
    Session-ID-ctx:
    Master-Key: 83ACFBB0CD615455FB35019C4FC2036AE0649A2238F0CA2F952D782A06A3C90794F5B4CA5FA00F861F88FFDDC1849C0D
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:
    (session ticket hex dump omitted)

    Start Time: 1362183958
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
GET / HTTP/1.1
host: www.example.com

HTTP/1.1 302 Found
Server: nginx
Date: Sat, 02 Mar 2013 00:26:17 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.13-1~dotdeb.0
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 02 Mar 2013 00:26:20 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1362183980"
Location: http://www.example.com/
Content-Length: 9

302 Found
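Reading that output by hand gets tedious when you check many hosts or ciphers. The script below is an added example, not part of the original page: it sends the same GET request non-interactively and pulls the three fields that matter (negotiated protocol, cipher, verify return code) out of s_client output. The sample input is a constructed excerpt modelled on the session above; check_host, sclient_summary and is_weak_cipher are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original page): automate the s_client session
# shown above and summarise its output. SAMPLE is a constructed excerpt
# modelled on the session output on this page.
SAMPLE='CONNECTED(00000003)
verify error:num=21:unable to verify the first certificate
verify return:1
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Verify return code: 21 (unable to verify the first certificate)
---'

# Read s_client output on stdin; print "protocol cipher verify-code".
# A refused cipher shows up as "Cipher is (NONE)" and no Protocol line.
sclient_summary() {
    awk '
        /^ *Protocol *:/      { proto = $NF }
        /^New, .*Cipher is/   { cipher = $NF }
        /Verify return code:/ { code = $4 }
        END { printf "%s %s %s\n", (proto ? proto : "-"), cipher, code }
    '
}

# Return 0 when the negotiated cipher is one a hardened server should refuse.
is_weak_cipher() {
    case "$1" in
        *RC4*|*DES*|*NULL*|*EXP*|*MD5*) return 0 ;;
        *) return 1 ;;
    esac
}

# Send the request the page types by hand, non-interactively. Needs network
# access to $1; -ign_eof keeps s_client open until the server closes.
check_host() {
    host=$1; cipher=${2:-DEFAULT}
    printf 'GET / HTTP/1.1\r\nhost: %s\r\nConnection: close\r\n\r\n' "$host" |
        openssl s_client -showcerts -ign_eof -servername "$host" \
            -connect "$host:443" -cipher "$cipher" 2>&1
}

# Offline demonstration on the constructed sample:
summary=$(printf '%s\n' "$SAMPLE" | sclient_summary)
set -- $summary
echo "protocol=$1 cipher=$2 verify=$3"
if is_weak_cipher "$2"; then echo "weak cipher accepted: $2"; fi
```

Against a live host, `check_host www.example.com RC4 | sclient_summary` gives the same one-line verdict as the manual session.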
sslscan
sslscan www.example.com