2021-11-11
作者:互联网
http://blog.sina.com.cn/s/blog_14971d0000102xnwq.html
┌──(kali㉿kali)-[~]
└─$ sslyze --regular 192.168.0.1
CHECKING HOST(S) AVAILABILITY
-----------------------------
192.168.0.1:443 => 192.168.0.1
SCAN RESULTS FOR 192.168.0.1:443 - 192.168.0.1
----------------------------------------------
* TLS 1.1 Cipher Suites:
Attempted to connect using 80 cipher suites; the server rejected all cipher suites.
* TLS 1.0 Cipher Suites:
Attempted to connect using 80 cipher suites; the server rejected all cipher suites.
* Downgrade Attacks:
TLS_FALLBACK_SCSV: OK - Supported
* SSL 2.0 Cipher Suites:
Attempted to connect using 7 cipher suites; the server rejected all cipher suites.
* Elliptic Curve Key Exchange:
Supported curves: X25519, X448, prime256v1, secp384r1, secp521r1
Rejected curves: prime192v1, secp160k1, secp160r1, secp160r2, secp192k1, secp224k1, secp224r1, secp256k1, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1
* SSL 3.0 Cipher Suites:
Attempted to connect using 80 cipher suites; the server rejected all cipher suites.
* TLS 1.2 Cipher Suites:
Attempted to connect using 156 cipher suites.
The server accepted the following 5 cipher suites:
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 ECDH: X25519 (253 bits)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 256 ECDH: prime256v1 (256 bits)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 256 ECDH: prime256v1 (256 bits)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 128 ECDH: prime256v1 (256 bits)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 128 ECDH: prime256v1 (256 bits)
The group of cipher suites supported by the server has the following properties:
Forward Secrecy OK - Supported
Legacy RC4 Algorithm OK - Not Supported
* OpenSSL Heartbleed:
OK - Not vulnerable to Heartbleed
* TLS 1.2 Session Resumption Support:
With Session IDs: NOT SUPPORTED (0 successful resumptions out of 5 attempts).
With TLS Tickets: OK - Supported.
* Certificates Information:
Hostname sent for SNI: 192.168.0.1
Number of certificates detected: 1
Certificate #0 ( _RSAPublicKey )
SHA1 Fingerprint: a5769d8f36cf57d6616948a15d2e4a5e714d214e
Common Name: TZJS
Issuer: TZJS
Serial Number: 12998667666213029199
Not Before: 2021-10-26
Not After: 2031-10-24
Public Key Algorithm: _RSAPublicKey
Signature Algorithm: sha256
Key Size: 3072
Exponent: 65537
DNS Subject Alternative Names: []
Certificate #0 - Trust
Hostname Validation: FAILED - Certificate does NOT match server hostname
Android CA Store (9.0.0_r9): FAILED - Certificate is NOT Trusted: self signed certificate
Apple CA Store (iOS 14, iPadOS 14, macOS 11, watchOS 7, and tvOS 14):FAILED - Certificate is NOT Trusted: self signed certificate
Java CA Store (jdk-13.0.2): FAILED - Certificate is NOT Trusted: self signed certificate
Mozilla CA Store (2021-01-24): FAILED - Certificate is NOT Trusted: self signed certificate
Windows CA Store (2021-02-08): FAILED - Certificate is NOT Trusted: self signed certificate
Symantec 2018 Deprecation: ERROR - Could not build verified chain (certificate untrusted?)
Received Chain: TZJS
Verified Chain: ERROR - Could not build verified chain (certificate untrusted?)
Received Chain Contains Anchor: ERROR - Could not build verified chain (certificate untrusted?)
Received Chain Order: OK - Order is valid
Verified Chain contains SHA1: ERROR - Could not build verified chain (certificate untrusted?)
Certificate #0 - Extensions
OCSP Must-Staple: NOT SUPPORTED - Extension not found
Certificate Transparency: NOT SUPPORTED - Extension not found
Certificate #0 - OCSP Stapling
NOT SUPPORTED - Server did not send back an OCSP response
* Session Renegotiation:
Client Renegotiation DoS Attack: VULNERABLE - Server honors client-initiated renegotiations
Secure Renegotiation: OK - Supported
* TLS 1.3 Cipher Suites:
Attempted to connect using 5 cipher suites.
The server accepted the following 3 cipher suites:
TLS_CHACHA20_POLY1305_SHA256 256 ECDH: X25519 (253 bits)
TLS_AES_256_GCM_SHA384 256 ECDH: X25519 (253 bits)
TLS_AES_128_GCM_SHA256 128 ECDH: X25519 (253 bits)
* OpenSSL CCS Injection:
OK - Not vulnerable to OpenSSL CCS injection
* ROBOT Attack:
OK - Not vulnerable, RSA cipher suites not supported.
* Deflate Compression:
OK - Compression disabled
SCAN COMPLETED IN 6.22 S
------------------------
┌──(kali㉿kali)-[~]
└─$
┌──(kali㉿kali)-[~]
└─$ nmap -sV --script ssl-enum-ciphers -p 443 192.168.0.1
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-11 00:58 EST
Nmap scan report for tz.lan (192.168.0.1)
Host is up (0.011s latency).
PORT STATE SERVICE VERSION
443/tcp open ssl/http mini_httpd 1.30 26Oct2018
|_http-server-header: mini_httpd/1.30 26Oct2018
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| compressors:
| NULL
| cipher preference: client
|_ least strength: A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.12 seconds
┌──(kali㉿kali)-[~]
└─$
标签:11,TLS,Certificate,suites,RSA,cipher,2021,256 来源: https://blog.csdn.net/weixin_42191545/article/details/121262035