nota: tutti i test da un client remoto dipenderanno sempre dalla libs su quel client, quindi se hai una vecchia versione di openssl su un client e vuoi testare una nuova versione di openssl su un server, dovrai ottieni risultati validi solo per il cliente.
OpenSSL
il modo più semplice sarebbe provare tramite openssl s_client:
$ openssl s_client -host HOST -port PORT
-- output
... .oO( a lot of debug-outout )Oo. ...
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
tramite script
c'è uno script chiamato testssl.sh che potrebbe dare qualche informazione su un ssl-setup (potrebbe essere necessario modificarlo un po ', ho dovuto usare / bin / bash invece di / bin / sh per farlo funzionare)
link
-- output
########################################################
testssl.sh v2.0pre (http://software.drwetter.eu/ssl/)
Testing now (2014-02-24 22:40) ---> blah.org:443 <---
("blah.org" resolves to "12.34.56.78")
--> Testing specific vulnerabilities
Renegotiation Vulnerability (CVE 2009-3555): **NOT vulnerable (ok)**
CRIME Vulnerability (CVE-2012-4929): **NOT vulnerable (ok)
--> Testing HTTP Header settings
HSTS: **365 days (31536000 s)
Server banner: nginux
--> Testing (Perfect) Forward Secrecy (P)FS)
PFS seems generally available. Now testing specific ciphers
ECDHE-RSA-AES256-GCM-SHA384 [0xc030]: **works**
ECDHE-RSA-AES128-GCM-SHA256 [0xc02f]: **works**
ECDHE-RSA-AES128-SHA256 [0xc027]: **works**
ECDHE-RSA-RC4-SHA [0xc011]: **works**
DHE-RSA-AES256-GCM-SHA384 [0x9f]: **works**
DHE-RSA-AES256-SHA256 [0x6b]: **works**
DHE-RSA-AES256-SHA [0x39]: **works**
DHE-RSA-CAMELLIA256-SHA [0x88]: **works**
DHE-RSA-AES128-GCM-SHA256 [0x9e]: **works**
DHE-RSA-AES128-SHA256 [0x67]: **works**
DHE-RSA-AES128-SHA [0x33]: **works**
DHE-RSA-CAMELLIA128-SHA [0x45]: **works**
ECDHE-RSA-AES256-SHA384 [0xc028]: **works**
ECDHE-RSA-AES256-SHA [0xc014]: **works**
ECDHE-RSA-AES128-SHA [0xc013]: **works**
(A **"green" cipher doesn't mean any browser will be able to use it)
--> Checking RC4 Ciphers
ECDHE-RSA-RC4-SHA [0xc011] (Kx=ECDH, Mac=SHA1): **available **
RC4-SHA [0x05] (Kx=RSA, Mac=SHA1): **available **
**
RC4 is kind of broken (for e.g. IE6 consider 0xa or 0x13)
--> Testing Protocols
SSLv2: **Local problem: /usr/bin/openssl doesn't support "s_client -ssl2"**
SSLv3: **NOT offered (ok)**
TLSv1: **offered (ok)**
TLSv1.1: **offered (ok)**
TLSv1.2: **offered (ok)**
SPDY: Following protocols advertised:** spdy/2, http/1.1**
--> Testing cipher suites
Null Cipher: **NOT offered (ok)**
Anonymous NULL Cipher : **NOT offered (ok)**
40 Bit encryption: **NOT offered (ok)**
56 Bit encryption: **Local problem: No 56 Bit encryption configured in /usr/bin/openssl**
Export Cipher (general): **NOT offered (ok)**
Low (<=64 Bit): **NOT offered (ok)**
Medium grade encryption: offered
High grade encryption: **offered (ok)**
python
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ssl_sock = ssl.wrap_socket(s,cert_reqs=ssl.CERT_REQUIRED,ca_certs='/etc/ssl/certs/ca-certificates.crt')
ssl_sock.connect((target, port))
print repr(ssl_sock.getpeername())
print ssl_sock.cipher()
-- output
> ssl-info
('12.34.56.78', 443)
('ECDHE-RSA-AES128-GCM-SHA256', 'TLSv1', 128)