pornin / testsslserver
License: MIT License
Hi Thomas,
Thank you for developing this great tool, it's really helpful to check the security of an SSL server.
But I found an odd thing recently: the info returned in ServerHello might not be correct when the server side is using a certificate signed with EC.
At first, I wanted to use this tool to check the security of my Tomcat which was using a certificate signed with RSA:2048, but I got WARN[SK004].
To get rid of that warning, I switched to using a certificate signed with EC:secp256r1, but I still got that warning.
That made me start to look into the code to identify whether the issue is on the server side or in the tool.
Finally I found that if we send ClientHello with the extension including all curves from 1 to 30, the server will tell us it supports 1 ~ 23. But if we send ClientHello with the extension including one curve each time, from 1 to 30, the server will tell us it only supports 23, which is the curve used to sign the certificate. And then I tried a little further: if we send ClientHello with the extension including any other curves with IDs less than 23 together with 23, the server will always tell us it supports all of them.
I am not sure if this is a defect of the tool or a defect of the server I am using.
Can you please take a look?
FYI. The info of my server, certificate, and cipher suites:
Web Server: Tomcat 8.0.33
TLSv1.2:
server selection: uses client preferences
3f- (key: EC) ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
3f- (key: EC) ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
3f- (key: EC) ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
key type: EC
key size: 256
key curve: ansix9p256r1 (P-256)
sign hash: SHA-256
Minimum EC size (no extension): 256
Minimum EC size (with extension): 162
Supported curves (size and name) ('*' = selected by server):
162 sect163k1 (K-163)
Thanks,
Alan
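The probes described in the report above differ only in the curve list carried by the ClientHello `supported_groups` (formerly `elliptic_curves`) extension. As an added example, not code from TestSSLServer or from the reporter, this Python code encodes and strictly parses that extension and generates the three kinds of curve lists the report tried; the function names are hypothetical and the observations in the demo are constructed.

```python
import struct

EXT_SUPPORTED_GROUPS = 10   # extension type, formerly "elliptic_curves"
SECP256R1 = 23              # NamedCurve ID of P-256, the certificate's curve

def encode_supported_groups(curve_ids):
    """Build the ClientHello extension advertising exactly these curve IDs."""
    ids = b"".join(struct.pack("!H", c) for c in curve_ids)
    body = struct.pack("!H", len(ids)) + ids          # NamedCurveList
    return struct.pack("!HH", EXT_SUPPORTED_GROUPS, len(body)) + body

def decode_supported_groups(ext):
    """Parse the extension, rejecting any inconsistent length field."""
    if len(ext) < 6:
        raise ValueError("truncated extension")
    ext_type, ext_len, list_len = struct.unpack("!HHH", ext[:6])
    if ext_type != EXT_SUPPORTED_GROUPS:
        raise ValueError("not a supported_groups extension")
    if ext_len != len(ext) - 4 or list_len != ext_len - 2:
        raise ValueError("length fields do not match the data")
    if list_len < 2 or list_len % 2:
        raise ValueError("curve list must hold whole 2-byte IDs")
    return [c for (c,) in struct.iter_unpack("!H", ext[6:])]

def probe_sets(first=1, last=30, cert_curve=SECP256R1):
    """The three kinds of curve lists tried in the report above."""
    everything = list(range(first, last + 1))
    singles = [[c] for c in everything]
    paired = [[c, cert_curve] for c in range(first, cert_curve)]
    return everything, singles, paired

def accepted_only_in_combination(combined_ok, single_ok):
    """Curves a server accepted in a multi-curve list but not on their own."""
    return sorted(set(combined_ok) - set(single_ok))

if __name__ == "__main__":
    everything, singles, paired = probe_sets()
    print(encode_supported_groups(everything).hex())
    # Constructed observations mirroring the report: 1..23 accepted together,
    # only 23 accepted when offered alone.
    print(accepted_only_in_combination(range(1, 24), [23]))
```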
TestSSLServer does not currently report support for the draft spec for TLS1.3.
Creating this issue as a feature request for when the draft is finalized.
Installed on Ubuntu 16.04 LTS. Just trying to run check against an internal web server.
Compiled without errors.
When I run the command ...
./TestSSLServer.exe hostname.domain.local 443, I get a lengthy error message that basically boils down to.. "Could not resolve host..."
I verified my DNS settings.
I can ping the host from the shell, so I'm not sure what else I need to do to help it resolve.
I replaced my actual server name below with 'hostname' and the domain name with 'domain'. The rest is exactly as it returned.
System.Net.Sockets.SocketException: Could not resolve host 'hostname.domain.local'
at System.Net.Dns.Error_11001 (System.String hostName) <0x4150c690 + 0x0006f> in <filename unknown>:0
at System.Net.Dns.GetHostByName (System.String hostName) <0x414e3500 + 0x0005f> in <filename unknown>:0
at System.Net.Dns.GetHostEntry (System.String hostNameOrAddress) <0x414e33e0 + 0x00093> in <filename unknown>:0
at System.Net.Dns.GetHostAddresses (System.String hostNameOrAddress) <0x414e1a60 + 0x000c7> in <filename unknown>:0
at System.Net.Sockets.TcpClient.Connect (System.String hostname, Int32 port) <0x414e1a10 + 0x0001b> in <filename unknown>:0
at System.Net.Sockets.TcpClient..ctor (System.String hostname, Int32 port) <0x414e19e0 + 0x00017> in <filename unknown>:0
at FullTest.OpenConnection () <0x414e1730 + 0x0007b> in <filename unknown>:0
at FullTest.DoConnectV2 () <0x414e1510 + 0x0002f> in <filename unknown>:0
at FullTest.Run () <0x414df4e0 + 0x0030f> in <filename unknown>:0
at TestSSLServer.Process (System.String[] args) <0x414dbf00 + 0x0132f> in <filename unknown>:0
at TestSSLServer.Main (System.String[] args) <0x414dbd50 + 0x0001f> in <filename unknown>:0
Hi,
I'm noticing that this tool has identified some servers as supporting SSL 3.0, when other tools (e.g. ssllabs), run against the same server, report that SSL 3.0 isn't enabled. Is this a known issue?
This domain illustrates the point: d2nnjlsh3usk06.cloudfront.net. I get a "WARN[PV003]: Server supports SSL 3.0." message; however, if I attempt to connect via openssl using sslv3, I can't, e.g.
openssl s_client -connect d2nnjlsh3usk06.cloudfront.net:443 -servername d2nnjlsh3usk06.cloudfront.net -ssl3
Also, the SSL labs report indicates that SSLv3 is not supported: https://www.ssllabs.com/ssltest/analyze.html?d=d2nnjlsh3usk06.cloudfront.net&s=52.84.213.210&latest
Excellent tool, thank you.
Could this be extended with option flags for SMTP (read line, "STARTTLS\r\n", read line) and FTP (read line, "AUTH TLS\r\n", read line)?
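The plaintext preamble requested above, as an added example that is not part of the original request or of TestSSLServer: it follows the read / send / read sequence from the request and also handles multi-line replies ("220-..." continuation lines), which a single read-line would leave unread ahead of the TLS handshake. The function names and the transcript are constructed; success codes are 220 for SMTP STARTTLS (RFC 3207) and 234 for FTP AUTH TLS (RFC 4217).

```python
import io

# Upgrade command and expected success code per protocol.
PREAMBLES = {"smtp": (b"STARTTLS\r\n", 220), "ftp": (b"AUTH TLS\r\n", 234)}

def read_reply(rfile):
    """Read one full reply: 'NNN-' opens a multi-line reply, 'NNN ' ends it."""
    first = rfile.readline()
    if len(first) < 4 or not first[:3].isdigit():
        raise ValueError("malformed reply: %r" % first)
    code = first[:3]
    if first[3:4] == b"-":
        while True:
            line = rfile.readline()
            if not line:
                raise ValueError("connection closed inside a multi-line reply")
            if line[:4] == code + b" ":
                break
    return int(code)

def plaintext_upgrade(rfile, wfile, protocol):
    """Run the preamble; on return the stream is ready for the ClientHello."""
    # Sequence as given in the request; some SMTP servers also expect EHLO first.
    command, expected = PREAMBLES[protocol]
    greeting = read_reply(rfile)
    if greeting // 100 != 2:
        raise ConnectionError("server greeting was %d" % greeting)
    wfile.write(command)
    wfile.flush()
    answer = read_reply(rfile)
    if answer != expected:
        raise ConnectionError("%s refused TLS upgrade: %d" % (protocol, answer))
    return answer

def demo():
    # Constructed transcript: multi-line greeting, then the STARTTLS answer.
    server = io.BytesIO(b"220-mail.example.test ESMTP\r\n"
                        b"220 ready\r\n"
                        b"220 2.0.0 Ready to start TLS\r\n")
    sent = io.BytesIO()
    return plaintext_upgrade(server, sent, "smtp"), sent.getvalue()

if __name__ == "__main__":
    print(demo())
```

With a real connection, `rfile` and `wfile` would come from `socket.makefile("rb")` and `socket.makefile("wb")`.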
First of all, great tool - thank you!
I am trying to target only the TLSv1.3 protocol; however, if I set the minimum -min TLSv1.3
the tool does not run and returns the helper menu.
I can target all other protocols with the following example: -min TLSv1.2 -max TLSv1.2
but it doesn't work if I want to target TLSv1.3.
Can we make it work with TLSv1.3 as well please?