The sslscan command for the Kali Linux penetration testing distribution is very useful for gaining an insight into the SSL configuration of a web site.
Here is example usage on healthcare.gov…
root@darknet:~# sslscan healthcare.gov Version: 1.10.5-static OpenSSL 1.0.2e-dev xx XXX xxxx Testing SSL server healthcare.gov on port 443 TLS renegotiation: Secure session renegotiation supported TLS Compression: Compression disabled Heartbleed: TLS 1.0 not vulnerable to heartbleed TLS 1.1 not vulnerable to heartbleed TLS 1.2 not vulnerable to heartbleed Supported Server Cipher(s): Accepted TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256 Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256 Accepted TLSv1.0 128 bits AES128-SHA Accepted TLSv1.0 112 bits DES-CBC3-SHA Accepted TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256 Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256 Accepted TLSv1.1 128 bits AES128-SHA Accepted TLSv1.1 112 bits DES-CBC3-SHA Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256 Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve P-256 DHE 256 Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256 Accepted TLSv1.2 256 bits AES256-GCM-SHA384 Accepted TLSv1.2 256 bits AES256-SHA256 Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256 Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 256 Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256 Accepted TLSv1.2 128 bits AES128-GCM-SHA256 Accepted TLSv1.2 128 bits AES128-SHA256 Accepted TLSv1.2 128 bits AES128-SHA Accepted TLSv1.2 112 bits DES-CBC3-SHA Preferred Server Cipher(s): TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256 TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256 TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256 SSL Certificate: Signature Algorithm: sha256WithRSAEncryption RSA Key Strength: 2048 Subject: www.healthcare.gov Altnames: DNS:aca.api.healthcare.gov, DNS:cciio.cms.gov, DNS:eidm.cms.gov, DNS:styleguide.healthcare.gov, DNS:reminder.healthcare.gov, DNS:geo.api.healthcare.gov, DNS:ahrcvo.cms.gov, DNS:calt.cms.gov, DNS:portal.cms.gov, DNS:confluence.cms.gov, DNS:maps.cms.gov, DNS:cicd.cms.gov, DNS:tmdsmdr.aws.healthcare.gov, DNS:www.errp.gov, DNS:assets.cms.gov, DNS:ci.cms.gov, DNS:downloads.cms.gov, DNS:partnershippledge.healthcare.gov, DNS:www.hospitalcompare.hhs.gov, DNS:marketplace.api.healthcare.gov, DNS:ratereview.healthcare.gov, DNS:wr.healthcare.gov, DNS:login.healthcare.gov, DNS:marketplace-int.api.healthcare.gov, DNS:monitor.healthcare.gov, DNS:www.cciio.cms.gov, DNS:ayudalocal.cuidadodesalud.gov, DNS:api.healthcare.gov, DNS:assets.healthcare.gov, DNS:www.stopmedicarefraud.gov, DNS:signup.healthcare.gov, DNS:billing.healthcare.gov, DNS:prodprime.cuidadodesalud.gov, DNS:splunk.cms.gov, DNS:localhelp.healthcare.gov, DNS:tmdsm.aws.healthcare.gov, DNS:hfpp.cms.gov, DNS:jira.cms.gov, DNS:stopmedicarefraud.gov, DNS:errp.gov, DNS:companyprofile.healthcare.gov, DNS:crowd.cms.gov, DNS:healthcare.gov, DNS:finder.healthcare.gov, DNS:marketplace.cms.gov, DNS:companyprofiles.healthcare.gov, DNS:nagios.healthcare.gov, DNS:ahrc.cms.gov, DNS:search.healthcare.gov, DNS:openpaymentsdata.cms.gov, DNS:prodprime.healthcare.gov, DNS:scclia.cms.gov, DNS:vpn.aws.healthcare.gov, DNS:hipchat.cms.gov, DNS:splunk.healthcare.gov, DNS:data.healthcare.gov, DNS:cuidadodesalud.gov, DNS:status.healthcare.gov, DNS:developer.cms.gov, DNS:eap.cms.gov, DNS:pcip.gov, DNS:github.cms.gov, DNS:api.finder.healthcare.gov, DNS:hospitalcompare.hhs.gov, DNS:go.healthcare.gov, DNS:search.stopmedicarefraud.gov, DNS:www.pcip.gov, DNS:www.cuidadodesalud.gov, DNS:www.healthcare.gov Issuer: GeoTrust SSL CA - G3 |
This shows some comprehensive information about the website SSL configuration.
To test only TLS ciphers, use this command line parameter.
root@darknet:~# sslscan --tlsall healthcare.gov Version: 1.10.5-static OpenSSL 1.0.2e-dev xx XXX xxxx Testing SSL server healthcare.gov on port 443 TLS renegotiation: Secure session renegotiation supported TLS Compression: Compression disabled Heartbleed: TLS 1.0 not vulnerable to heartbleed TLS 1.1 not vulnerable to heartbleed TLS 1.2 not vulnerable to heartbleed Supported Server Cipher(s): Accepted TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256 Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256 Accepted TLSv1.0 128 bits AES128-SHA Accepted TLSv1.0 112 bits DES-CBC3-SHA Accepted TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256 Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256 Accepted TLSv1.1 128 bits AES128-SHA Accepted TLSv1.1 112 bits DES-CBC3-SHA Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256 Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve P-256 DHE 256 Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256 Accepted TLSv1.2 256 bits AES256-GCM-SHA384 Accepted TLSv1.2 256 bits AES256-SHA256 Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256 Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 256 Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256 Accepted TLSv1.2 128 bits AES128-GCM-SHA256 Accepted TLSv1.2 128 bits AES128-SHA256 Accepted TLSv1.2 128 bits AES128-SHA Accepted TLSv1.2 112 bits DES-CBC3-SHA Preferred Server Cipher(s): TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256 TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256 TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256 SSL Certificate: Signature Algorithm: sha256WithRSAEncryption RSA Key Strength: 2048 Subject: www.healthcare.gov Altnames: DNS:aca.api.healthcare.gov, DNS:cciio.cms.gov, DNS:eidm.cms.gov, DNS:styleguide.healthcare.gov, DNS:reminder.healthcare.gov, DNS:geo.api.healthcare.gov, DNS:ahrcvo.cms.gov, DNS:calt.cms.gov, DNS:portal.cms.gov, DNS:confluence.cms.gov, DNS:maps.cms.gov, DNS:cicd.cms.gov, DNS:tmdsmdr.aws.healthcare.gov, DNS:www.errp.gov, DNS:assets.cms.gov, DNS:ci.cms.gov, DNS:downloads.cms.gov, DNS:partnershippledge.healthcare.gov, DNS:www.hospitalcompare.hhs.gov, DNS:marketplace.api.healthcare.gov, DNS:ratereview.healthcare.gov, DNS:wr.healthcare.gov, DNS:login.healthcare.gov, DNS:marketplace-int.api.healthcare.gov, DNS:monitor.healthcare.gov, DNS:www.cciio.cms.gov, DNS:ayudalocal.cuidadodesalud.gov, DNS:api.healthcare.gov, DNS:assets.healthcare.gov, DNS:www.stopmedicarefraud.gov, DNS:signup.healthcare.gov, DNS:billing.healthcare.gov, DNS:prodprime.cuidadodesalud.gov, DNS:splunk.cms.gov, DNS:localhelp.healthcare.gov, DNS:tmdsm.aws.healthcare.gov, DNS:hfpp.cms.gov, DNS:jira.cms.gov, DNS:stopmedicarefraud.gov, DNS:errp.gov, DNS:companyprofile.healthcare.gov, DNS:crowd.cms.gov, DNS:healthcare.gov, DNS:finder.healthcare.gov, DNS:marketplace.cms.gov, DNS:companyprofiles.healthcare.gov, DNS:nagios.healthcare.gov, DNS:ahrc.cms.gov, DNS:search.healthcare.gov, DNS:openpaymentsdata.cms.gov, DNS:prodprime.healthcare.gov, DNS:scclia.cms.gov, DNS:vpn.aws.healthcare.gov, DNS:hipchat.cms.gov, DNS:splunk.healthcare.gov, DNS:data.healthcare.gov, DNS:cuidadodesalud.gov, DNS:status.healthcare.gov, DNS:developer.cms.gov, DNS:eap.cms.gov, DNS:pcip.gov, DNS:github.cms.gov, DNS:api.finder.healthcare.gov, DNS:hospitalcompare.hhs.gov, DNS:go.healthcare.gov, DNS:search.stopmedicarefraud.gov, DNS:www.pcip.gov, DNS:www.cuidadodesalud.gov, DNS:www.healthcare.gov Issuer: GeoTrust SSL CA - G3 |
To ask for an OCSP Stapling Request, use this command.
root@darknet:~# sslscan --ocsp healthcare.gov |
With the –ssl3 parameter, the user can check just for the sslv3 implementation.
root@darknet:~# sslscan --ssl3 healthcare.gov Version: 1.10.5-static OpenSSL 1.0.2e-dev xx XXX xxxx Testing SSL server healthcare.gov on port 443 TLS renegotiation: Secure session renegotiation supported TLS Compression: Compression disabled Heartbleed: All TLS protocols disabled, cannot check for heartbleed. Supported Server Cipher(s): Preferred Server Cipher(s): SSL Certificate: Signature Algorithm: sha256WithRSAEncryption RSA Key Strength: 2048 Subject: www.healthcare.gov Altnames: DNS:aca.api.healthcare.gov, DNS:cciio.cms.gov, DNS:eidm.cms.gov, DNS:styleguide.healthcare.gov, DNS:reminder.healthcare.gov, DNS:geo.api.healthcare.gov, DNS:ahrcvo.cms.gov, DNS:calt.cms.gov, DNS:portal.cms.gov, DNS:confluence.cms.gov, DNS:maps.cms.gov, DNS:cicd.cms.gov, DNS:tmdsmdr.aws.healthcare.gov, DNS:www.errp.gov, DNS:assets.cms.gov, DNS:ci.cms.gov, DNS:downloads.cms.gov, DNS:partnershippledge.healthcare.gov, DNS:www.hospitalcompare.hhs.gov, DNS:marketplace.api.healthcare.gov, DNS:ratereview.healthcare.gov, DNS:wr.healthcare.gov, DNS:login.healthcare.gov, DNS:marketplace-int.api.healthcare.gov, DNS:monitor.healthcare.gov, DNS:www.cciio.cms.gov, DNS:ayudalocal.cuidadodesalud.gov, DNS:api.healthcare.gov, DNS:assets.healthcare.gov, DNS:www.stopmedicarefraud.gov, DNS:signup.healthcare.gov, DNS:billing.healthcare.gov, DNS:prodprime.cuidadodesalud.gov, DNS:splunk.cms.gov, DNS:localhelp.healthcare.gov, DNS:tmdsm.aws.healthcare.gov, DNS:hfpp.cms.gov, DNS:jira.cms.gov, DNS:stopmedicarefraud.gov, DNS:errp.gov, DNS:companyprofile.healthcare.gov, DNS:crowd.cms.gov, DNS:healthcare.gov, DNS:finder.healthcare.gov, DNS:marketplace.cms.gov, DNS:companyprofiles.healthcare.gov, DNS:nagios.healthcare.gov, DNS:ahrc.cms.gov, DNS:search.healthcare.gov, DNS:openpaymentsdata.cms.gov, DNS:prodprime.healthcare.gov, DNS:scclia.cms.gov, DNS:vpn.aws.healthcare.gov, DNS:hipchat.cms.gov, DNS:splunk.healthcare.gov, DNS:data.healthcare.gov, DNS:cuidadodesalud.gov, DNS:status.healthcare.gov, DNS:developer.cms.gov, DNS:eap.cms.gov, DNS:pcip.gov, DNS:github.cms.gov, DNS:api.finder.healthcare.gov, DNS:hospitalcompare.hhs.gov, DNS:go.healthcare.gov, DNS:search.stopmedicarefraud.gov, DNS:www.pcip.gov, DNS:www.cuidadodesalud.gov, DNS:www.healthcare.gov Issuer: GeoTrust SSL CA - G3 |
Type man sslscan
for more information.