快速扫描服务端口来获取服务器支持的SSL cipher列表
出于安全考虑,网络上的数据传输大部分都是加密传输。我们平时接触到比较多的应该算是https了。HTTPS是在HTTP的基础上通过SSL协议对数据进行加密,以保证用户数据在传输过程中不被窃取。
SSL协议有sslv2, sslv3, tlsv1, tlsv1.1和tlsv1.2。目前推荐使用的只有tlsv1.2,其它协议都存在各种安全漏洞。在每种SSL协议中,又包括了一系列的加密算法,也即是ciphers suite。即使是tlsv1.2的cipher suite,也包含了一些比较弱的加密算法。通常我们需要在服务器端禁止这些cipher。
那我们如何检查我们的服务器是否有安全漏洞,是否支持带安全隐患的SSL协议或者cipher呢?你可以检查服务器的配置,不过如果服务器的数量比较多,这会是一个很繁重的工作,而且不同类型的服务器配置的方法,语法不一,检查起来也不方便。网络上也有一些商业的或者免费的扫描工具可以直接使用。但如果你的服务器只对内网开放,就只能使用内网环境下的工具扫描了。
最简单的方法就是通过openssl s_client命令去检查服务端口,比如
openssl s_client -connect host:port -ssl3
openssl s_client -cipher ECDHE-ECDSA-AES256-GCM-SHA384 -connect host:port 嫌手动麻烦的话可以使用脚本,如下面这个脚本可以用来扫描服务器支持或不支持的cipher(引用自点击打开链接)
#!/usr/bin/env bash
# 运行方式:./scanServerCiphers.sh host:port
# OpenSSL requires the port number.
SERVER=$1
DELAY=1
ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')
echo Obtaining cipher list from $(openssl version).
for cipher in ${ciphers[@]}
do
echo -n Testing $cipher...
result=$(echo -n | openssl s_client -cipher "$cipher" -connect $SERVER 2>&1)
if [[ "$result" =~ ":error:" ]] ; then
error=$(echo -n $result | cut -d':' -f6)
echo NO \($error\)
else
if [[ "$result" =~ "Cipher is ${cipher}" || "$result" =~ "Cipher :" ]] ; then
echo YES
else
echo UNKNOWN RESPONSE
echo $result
fi
fi
sleep $DELAY不过用这种方式去枚举每一种cipher实在是太耗时了,扫描单台服务器单个端口的速度我都接受不了。
噔噔噔噔,下面另一个工具--sslyze闪亮登场。。。
源码可以在这里下载。最新版本支持pythone 2.7和3.4+,不过有太多依赖包,我选择了比较旧的版本,只支持python 2.7 -->点击打开链接,此版本的requirements.txt貌似写错了,安装之后无法运行,我把它修改成"nassl>=0.13.0,<0.14.0"后可以正常使用。
下面讲一下如何安装和使用。
我是在Linux上使用的,需要安装python-devel
yum install python-devel.x86_64然后是安装依赖包,此处需要修改一下requirements.txt (上文已有阐述)。不知道pip的请自行百度。
pip install -r requirements.txt然后就可以直接运行了。
$ python sslyze_cli.py --tlsv1_2 www.baidu.com:443
AVAILABLE PLUGINS
-----------------
FallbackScsvPlugin
OpenSslCipherSuitesPlugin
SessionResumptionPlugin
HstsPlugin
CertificateInfoPlugin
CompressionPlugin
OpenSslCcsInjectionPlugin
SessionRenegotiationPlugin
HeartbleedPlugin
CHECKING HOST(S) AVAILABILITY
-----------------------------
www.baidu.com:443 => 14.215.177.39
SCAN RESULTS FOR WWW.BAIDU.COM:443 - 14.215.177.39:443
------------------------------------------------------
* TLSV1_2 Cipher Suites:
Preferred:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH-256 bits 128 bits
Accepted:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits
TLS_RSA_WITH_AES_256_CBC_SHA - 256 bits
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH-256 bits 128 bits
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits
TLS_RSA_WITH_AES_128_CBC_SHA - 128 bits
TLS_ECDHE_RSA_WITH_RC4_128_SHA ECDH-256 bits 128 bits
TLS_RSA_WITH_RC4_128_SHA - 128 bits
Rejected:
TLS_SRP_SHA_WITH_AES_256_CBC_SHA TLS / No ciphers available
TLS_SRP_SHA_WITH_AES_128_CBC_SHA TLS / No ciphers available
TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA TLS / No ciphers available
TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA TLS / No ciphers available
TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA TLS / No ciphers available
TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA TLS / No ciphers available
TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA TLS / No ciphers available
TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA TLS / No ciphers available
TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA TLS / No ciphers available
TLS_RSA_WITH_SEED_CBC_SHA TLS / Alert handshake failure
TLS_RSA_WITH_RC4_128_MD5 TLS / Alert handshake failure
TLS_RSA_WITH_NULL_SHA256 TLS / Alert handshake failure
TLS_RSA_WITH_NULL_SHA TLS / Alert handshake failure
TLS_RSA_WITH_NULL_MD5 TLS / Alert handshake failure
TLS_RSA_WITH_IDEA_CBC_SHA TLS / Alert handshake failure
TLS_RSA_WITH_DES_CBC_SHA TLS / Alert handshake failure
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA TLS / Alert handshake failure
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA TLS / Alert handshake failure
TLS_RSA_WITH_AES_256_GCM_SHA384 TLS / Alert handshake failure
TLS_RSA_WITH_AES_256_CBC_SHA256 TLS / Alert handshake failure
TLS_RSA_WITH_AES_128_GCM_SHA256 TLS / Alert handshake failure
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS / Alert handshake failure
TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS / Alert handshake failure
TLS_RSA_EXPORT_WITH_RC4_40_MD5 TLS / Alert handshake failure
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 TLS / Alert handshake failure
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA TLS / Alert handshake failure
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA TLS / Alert handshake failure
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA TLS / Alert handshake failure
TLS_PSK_WITH_RC4_128_SHA TLS / No ciphers available
TLS_PSK_WITH_AES_256_CBC_SHA TLS / No ciphers available
TLS_PSK_WITH_AES_128_CBC_SHA TLS / No ciphers available
TLS_PSK_WITH_3DES_EDE_CBC_SHA TLS / No ciphers available
TLS_ECDH_anon_WITH_RC4_128_SHA TLS / Alert handshake failure
TLS_ECDH_anon_WITH_NULL_SHA TLS / Alert handshake failure
TLS_ECDH_anon_WITH_AES_256_CBC_SHA TLS / Alert handshake failure
TLS_ECDH_anon_WITH_AES_128_CBC_SHA TLS / Alert handshake failure
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA TLS / Alert handshake failure
TLS_ECDH_RSA_WITH_RC4_128_SHA TLS / Alert handshake failure
TLS_ECDH_RSA_WITH_NULL_SHA TLS / Alert handshake failure
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 TLS / Alert handshake failure
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 TLS / Alert handshake failure
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA TLS / Alert handshake failure
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 TLS / Alert handshake failure
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 TLS / Alert handshake failure
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA TLS / Alert handshake failure
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA TLS / Alert handshake failure
TLS_ECDH_ECDSA_WITH_RC4_128_SHA TLS / Alert handshake failure
TLS_ECDH_ECDSA_WITH_NULL_SHA TLS / Alert handshake failure
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 TLS / Alert handshake failure
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 TLS / Alert handshake failure
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA TLS / Alert handshake failure
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 TLS / Alert handshake failure
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 TLS / Alert handshake failure
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA TLS / Alert handshake failure
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA TLS / Alert handshake failure
TLS_ECDHE_RSA_WITH_NULL_SHA TLS / Alert handshake failure
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS / Alert handshake failure
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS / Alert handshake failure
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS / Alert handshake failure
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS / Alert handshake failure
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS / Alert handshake failure
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA TLS / Alert handshake failure
TLS_ECDHE_ECDSA_WITH_NULL_SHA TLS / Alert handshake failure
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS / Alert handshake failure
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS / Alert handshake failure
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS / Alert handshake failure
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS / Alert handshake failure
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS / Alert handshake failure
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS / Alert handshake failure
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS / Alert handshake failure
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA TLS / Alert handshake failure
TLS_DH_anon_WITH_SEED_CBC_SHA TLS / Alert handshake failure
TLS_DH_anon_WITH_RC4_128_MD5 TLS / Alert handshake failure
TLS_DH_anon_WITH_DES_CBC_SHA TLS / Alert handshake failure
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA TLS / Alert handshake failure
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA TLS / Alert handshake failure
TLS_DH_anon_WITH_AES_256_GCM_SHA384 TLS / Alert handshake failure
TLS_DH_anon_WITH_AES_256_CBC_SHA256 TLS / Alert handshake failure
TLS_DH_anon_WITH_AES_256_CBC_SHA TLS / Alert handshake failure
TLS_DH_anon_WITH_AES_128_GCM_SHA256 TLS / Alert handshake failure
TLS_DH_anon_WITH_AES_128_CBC_SHA256 TLS / Alert handshake failure
TLS_DH_anon_WITH_AES_128_CBC_SHA TLS / Alert handshake failure
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA TLS / Alert handshake failure
TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 TLS / Alert handshake failure
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA TLS / Alert handshake failure
TLS_DH_RSA_WITH_SEED_CBC_SHA TLS / Alert handshake failure
TLS_DH_RSA_WITH_DES_CBC_SHA TLS / Alert handshake failure
TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA TLS / Alert handshake failure
TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA TLS / Alert handshake failure
TLS_DH_RSA_WITH_AES_256_GCM_SHA384 TLS / Alert handshake failure
TLS_DH_RSA_WITH_AES_256_CBC_SHA256 TLS / Alert handshake failure
TLS_DH_RSA_WITH_AES_256_CBC_SHA TLS / Alert handshake failure
TLS_DH_RSA_WITH_AES_128_GCM_SHA256 TLS / Alert handshake failure
TLS_DH_RSA_WITH_AES_128_CBC_SHA256 TLS / Alert handshake failure
TLS_DH_RSA_WITH_AES_128_CBC_SHA TLS / Alert handshake failure
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA TLS / Alert handshake failure
TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA TLS / Alert handshake failure
TLS_DH_DSS_WITH_SEED_CBC_SHA TLS / Alert handshake failure
TLS_DH_DSS_WITH_DES_CBC_SHA TLS / Alert handshake failure
TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA TLS / Alert handshake failure
TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA TLS / Alert handshake failure
TLS_DH_DSS_WITH_AES_256_GCM_SHA384 TLS / Alert handshake failure
TLS_DH_DSS_WITH_AES_256_CBC_SHA256 TLS / Alert handshake failure
TLS_DH_DSS_WITH_AES_256_CBC_SHA TLS / Alert handshake failure
TLS_DH_DSS_WITH_AES_128_GCM_SHA256 TLS / Alert handshake failure
TLS_DH_DSS_WITH_AES_128_CBC_SHA256 TLS / Alert handshake failure
TLS_DH_DSS_WITH_AES_128_CBC_SHA TLS / Alert handshake failure
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA TLS / Alert handshake failure
TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA TLS / Alert handshake failure
TLS_DHE_RSA_WITH_SEED_CBC_SHA TLS / Alert handshake failure
TLS_DHE_RSA_WITH_DES_CBC_SHA TLS / Alert handshake failure
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS / Alert handshake failure
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA TLS / Alert handshake failure
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA TLS / Alert handshake failure
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS / Alert handshake failure
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS / Alert handshake failure
TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS / Alert handshake failure
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS / Alert handshake failure
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS / Alert handshake failure
TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS / Alert handshake failure
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS / Alert handshake failure
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA TLS / Alert handshake failure
TLS_DHE_DSS_WITH_SEED_CBC_SHA TLS / Alert handshake failure
TLS_DHE_DSS_WITH_RC4_128_SHA TLS / Alert handshake failure
TLS_DHE_DSS_WITH_DES_CBC_SHA TLS / Alert handshake failure
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA TLS / Alert handshake failure
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA TLS / Alert handshake failure
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 TLS / Alert handshake failure
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS / Alert handshake failure
TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS / Alert handshake failure
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 TLS / Alert handshake failure
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS / Alert handshake failure
TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS / Alert handshake failure
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS / Alert handshake failure
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA TLS / Alert handshake failure
TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA TLS / Alert handshake failure
TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA TLS / Alert handshake failure
RSA-PSK-RC4-SHA TLS / Alert handshake failure
RSA-PSK-AES256-CBC-SHA TLS / Alert handshake failure
RSA-PSK-AES128-CBC-SHA TLS / Alert handshake failure
RSA-PSK-3DES-EDE-CBC-SHA TLS / Alert handshake failure
EXP1024-RC4-MD5 TLS / Alert handshake failure
EXP1024-RC2-CBC-MD5 TLS / Alert handshake failure
ECDHE-RSA-CAMELLIA256-SHA384 TLS / Alert handshake failure
ECDHE-RSA-CAMELLIA128-SHA256 TLS / Alert handshake failure
ECDHE-ECDSA-CAMELLIA256-SHA384 TLS / Alert handshake failure
ECDHE-ECDSA-CAMELLIA128-SHA256 TLS / Alert handshake failure
ECDH-RSA-CAMELLIA256-SHA384 TLS / Alert handshake failure
ECDH-RSA-CAMELLIA128-SHA256 TLS / Alert handshake failure
ECDH-ECDSA-CAMELLIA256-SHA384 TLS / Alert handshake failure
ECDH-ECDSA-CAMELLIA128-SHA256 TLS / Alert handshake failure
DHE-RSA-CAMELLIA256-SHA256 TLS / Alert handshake failure
DHE-RSA-CAMELLIA128-SHA256 TLS / Alert handshake failure
DHE-DSS-CAMELLIA256-SHA256 TLS / Alert handshake failure
DHE-DSS-CAMELLIA128-SHA256 TLS / Alert handshake failure
DH-RSA-CAMELLIA256-SHA256 TLS / Alert handshake failure
DH-RSA-CAMELLIA128-SHA256 TLS / Alert handshake failure
DH-DSS-CAMELLIA256-SHA256 TLS / Alert handshake failure
DH-DSS-CAMELLIA128-SHA256 TLS / Alert handshake failure
CAMELLIA256-SHA256 TLS / Alert handshake failure
CAMELLIA128-SHA256 TLS / Alert handshake failure
ADH-CAMELLIA256-SHA256 TLS / Alert handshake failure
ADH-CAMELLIA128-SHA256 TLS / Alert handshake failure
SCAN COMPLETED IN 1.41 S
------------------------