Download: https://github.com/drwetter/testssl.sh
Install: git clone https://github.com/drwetter/testssl.sh.git
Running it on Linux is recommended; it works directly on Kali.
On Windows 10 the hexdump component has to be installed, which is troublesome and prone to errors.
Basic usage
./testssl.sh --help
Help text
./testssl.sh --quiet
Do not print the banner
./testssl.sh www.xxx.com
Full test
./testssl.sh -E www.xxx.com
Ciphers
./testssl.sh -U www.xxx.com
Vulnerabilities
./testssl.sh -S www.xxx.com
Server defaults
Testing server defaults (Server Hello)
TLS extensions (standard)     "renegotiation info/#65281" "server name/#0" "EC point formats/#11" "session ticket/#35" "next protocol/#13172" "max fragment length/#1"
                              "application layer protocol negotiation/#16" "encrypt-then-mac/#22" "extended master secret/#23"
Session Ticket RFC 5077 hint  300 seconds, session tickets keys seems to be rotated < daily
SSL Session ID support        yes
Session Resumption            Tickets: yes, ID: yes
TLS clock skew                Random values, no fingerprinting possible
Client Authentication         none
Signature Algorithm           SHA256 with RSA
Server key size               RSA 2048 bits (exponent is 65537)
Server key usage              Digital Signature, Key Encipherment
Server extended key usage     TLS Web Server Authentication, TLS Web Client Authentication
Serial                        048260A65FD07F450261A6F7C05B5115 (OK: length 16)
Fingerprints                  SHA1 70CA205C75919F40639126B78A1DF08F54946C2D
                              SHA256 B2B07C9061DC37B712B9D160F8639410C55F44D860B0D69DB1AFF9DDE07D344B
Common Name (CN)              *.liangzizhige.com
subjectAltName (SAN)          *.liangzizhige.com liangzizhige.com
Trust (hostname)              Ok via SAN wildcard and CN wildcard (same w/o SNI)
                              wildcard certificate could be problematic, see other hosts at
                              https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=B2B07C9061DC37B712B9D160F8639410C55F44D860B0D69DB1AFF9DDE07D344B
Chain of trust                Ok
EV cert (experimental)        no
Certificate Validity (UTC)    expires < 30 days (17) (2022-11-17 00:00 --> 2023-12-01 23:59)
ETS/"eTLS", visibility info   not present
Certificate Revocation List   http://crl3.digicert.com/RapidSSLGlobalTLSRSA4096SHA2562022CA1.crl
                              http://crl4.digicert.com/RapidSSLGlobalTLSRSA4096SHA2562022CA1.crl
OCSP URI                      http://ocsp.digicert.com
OCSP stapling                 not offered
OCSP must staple extension    --
DNS CAA RR (experimental)     not offered
Certificate Transparency      yes (certificate extension)
Certificates provided         2
Issuer                        RapidSSL Global TLS RSA4096 SHA256 2022 CA1 (DigiCert, Inc. from US)
Intermediate cert validity    #1: ok > 40 days (2031-11-09 23:59). RapidSSL Global TLS RSA4096 SHA256 2022 CA1 <-- DigiCert Global Root CA
Intermediate Bad OCSP (exp.)  Ok
./testssl.sh -P www.xxx.com
Server cipher configuration
Testing server's cipher preferences
Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2
 -
SSLv3
 -
TLSv1
 -
TLSv1.1
 -
TLSv1.2 (server order)
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 253   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 253   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 xc027   ECDHE-RSA-AES128-SHA256           ECDH 253   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 xc028   ECDHE-RSA-AES256-SHA384           ECDH 253   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 x9c     AES128-GCM-SHA256                 RSA        AESGCM      128      TLS_RSA_WITH_AES_128_GCM_SHA256
 x9d     AES256-GCM-SHA384                 RSA        AESGCM      256      TLS_RSA_WITH_AES_256_GCM_SHA384
 x3c     AES128-SHA256                     RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA256
 x3d     AES256-SHA256                     RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA256
 xc013   ECDHE-RSA-AES128-SHA              ECDH 253   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 xc014   ECDHE-RSA-AES256-SHA              ECDH 253   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA
 x0a     DES-CBC3-SHA                      RSA        3DES        168      TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLSv1.3
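
Added example, not part of the original post or of testssl.sh: a Python parser for cipher rows in the -P layout shown above that flags suites without forward secrecy, with 3DES, or in CBC mode. The function names and the flagging rules are assumptions of this example; the sample rows are copied from the output above.

```python
import re

# Constructed sample: rows copied from the -P output above, whitespace-collapsed.
SAMPLE = """\
TLSv1.2 (server order)
xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
xc027 ECDHE-RSA-AES128-SHA256 ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256
x0a DES-CBC3-SHA RSA 3DES 168 TLS_RSA_WITH_3DES_EDE_CBC_SHA
"""

# Protocol heading lines, e.g. "TLSv1.2 (server order)".
PROTO = re.compile(r"^(SSLv[23]|TLSv1(?:\.[123])?)\b")
# hexcode, OpenSSL name, key exchange (may contain a space), cipher, bits, IANA name.
ROW = re.compile(r"^x([0-9a-f]{2,4})\s+(\S+)\s+(.*?)\s+(\S+)\s+(\d+)\s+(TLS_\S+)$")
KEYS = ("hex", "openssl", "kx", "enc", "bits", "iana")

def parse(text):
    """Return one dict per cipher row, tagged with the protocol heading above it."""
    proto, rows = None, []
    for raw in text.splitlines():
        line = raw.strip()
        heading = PROTO.match(line)
        if heading:
            proto = heading.group(1)
            continue
        m = ROW.match(line)
        if m:
            rows.append(dict(zip(KEYS, m.groups()), proto=proto))
    return rows

def weaknesses(row):
    """Flagging rules chosen for this example (assumption, not testssl.sh ratings)."""
    found = []
    if not row["kx"].startswith(("ECDH", "DH")):
        found.append("no forward secrecy (static RSA key exchange)")
    if row["enc"] == "3DES":
        found.append("3DES (64-bit block cipher)")
    if "_CBC_" in row["iana"]:
        found.append("CBC mode")
    return found

def report(text):
    """List (protocol, OpenSSL name, weaknesses) for every flagged row."""
    return [(r["proto"], r["openssl"], w) for r in parse(text) if (w := weaknesses(r))]

if __name__ == "__main__":
    for proto, name, why in report(SAMPLE):
        print(f"{proto:8} {name:28} {'; '.join(why)}")
```
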
./testssl.sh -p www.xxx.com
Protocol security
Testing protocols via sockets except NPN+ALPN
SSLv2      not offered (OK)
SSLv3      not offered (OK)
TLS 1      not offered
TLS 1.1    not offered
TLS 1.2    offered (OK)
TLS 1.3    not offered and downgraded to a weaker protocol
NPN/SPDY   h2, http/1.1 (advertised)
ALPN/HTTP2 h2, http/1.1 (offered)
./testssl.sh --file urls.txt
Batch scan
./testssl.sh --file urls.txt --logfile scan_results
Batch scan with the output written to a log file.
Output can also be written in HTML, CSV and other formats.