-
Notifications
You must be signed in to change notification settings - Fork 388
/
sslscan.1
225 lines (220 loc) · 5.31 KB
/
sslscan.1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
.TH SSLSCAN 1 "March 19, 2020"
.SH NAME
sslscan \- Fast SSL/TLS scanner
.SH SYNOPSIS
.B sslscan
.RI [ options ] " [host:port | host]"
.SH DESCRIPTION
.PP
\fBsslscan\fP queries SSL/TLS services (such as HTTPS) and reports the protocol versions, cipher suites, key exchanges, signature algorithms, and certificates in use. This helps the user understand which parameters are weak from a security standpoint.
Terminal output is thus colour-coded as follows:
Red Background NULL cipher (no encryption)
.br
Red Broken cipher (<= 40 bit), broken protocol (SSLv2 or SSLv3) or broken certificate signing algorithm (MD5)
.br
Yellow Weak cipher (<= 56 bit or RC4) or weak certificate signing algorithm (SHA-1)
.br
Purple Anonymous cipher (ADH or AECDH)
\fBsslscan\fP can also output results into an XML file for easy consumption by external programs.
.SH OPTIONS
.TP
.B \-\-help
.br
Show summary of options
.TP
.B \-\-targets=<file>
A file containing a list of hosts to
check. Hosts can be supplied with
ports (i.e. host:port). One target per line
.TP
.B \-\-sni\-name=<name>
Use a different hostname for SNI
.br
.TP
.B \-\-ipv4, \-4
.br
Force IPv4 DNS resolution.
Default is to try IPv4, and if that fails then fall back to IPv6.
.TP
.B \-\-ipv6, \-6
.br
Force IPv6 DNS resolution.
Default is to try IPv4, and if that fails then fall back to IPv6.
.TP
.B \-\-show\-certificate
Display certificate information.
.TP
.B \-\-show\-certificates
Display the full certificate chain.
.TP
.B \-\-no\-check\-certificate
.B \-\-no\-check\-certificate
Don't flag certificates signed with weak algorithms (MD5 and SHA-1) or short (<2048 bit) RSA keys
.TP
.B \-\-show\-client\-cas
Show a list of CAs that the server allows for client authentication. Will be blank for IIS/Schannel servers.
.TP
.B \-\-show\-ciphers
Show a complete list of ciphers supported by sslscan
.TP
.B \-\-show\-cipher-ids
Print the hexadecimal cipher IDs
.TP
.B \-\-iana\-names
Use IANA/RFC cipher names rather than OpenSSL ones
.TP
.B \-\-show\-times
Show the time taken for each handshake in milliseconds. Note that only a single request is made with each cipher, and that the size of the ClientHello is not constant, so this should not be used for proper benchmarking or performance testing.
You might want to also use \-\-no\-cipher\-details to make the output a bit clearer.
.TP
.B \-\-ssl2
.br
Only check if SSLv2 is enabled
.TP
.B \-\-ssl3
.br
Only check if SSLv3 is enabled
.TP
.B \-\-tls10
.br
Only check TLS 1.0 ciphers
.TP
.B \-\-tls11
.br
Only check TLS 1.1 ciphers
.TP
.B \-\-tls12
.br
Only check TLS 1.2 ciphers
.TP
.B \-\-tls13
.br
Only check TLS 1.3 ciphers
.TP
.B \-\-tlsall
.br
Only check TLS ciphers (versions 1.0, 1.1, 1.2, and 1.3)
.TP
.B \-\-ocsp
.br
Display OCSP status
.TP
.B \-\-pk=<file>
A file containing the private key or
a PKCS#12 file containing a private
key/certificate pair (as produced by
MSIE and Netscape)
.TP
.B \-\-pkpass=<password>
The password for the private key or PKCS#12 file
.TP
.B \-\-certs=<file>
A file containing PEM/ASN1 formatted client certificates
.TP
.B \-\-no\-ciphersuites
Do not scan for supported ciphersuites.
.TP
.B \-\-no\-fallback
Do not check for TLS Fallback Signaling Cipher Suite Value (fallback)
.TP
.B \-\-no\-renegotiation
Do not check for secure TLS renegotiation
.TP
.B \-\-no\-compression
Do not check for TLS compression (CRIME)
.TP
.B \-\-no\-heartbleed
Do not check for OpenSSL Heartbleed (CVE-2014-0160)
.TP
.B \-\-no\-groups
Do not enumerate key exchange groups
.TP
.B \-\-show\-sigs
Enumerate signature algorithms
.TP
.B \-\-starttls\-ftp
STARTTLS setup for FTP
.TP
.B \-\-starttls\-imap
STARTTLS setup for IMAP
.TP
.B \-\-starttls\-irc
STARTTLS setup for IRC
.TP
.B \-\-starttls\-ldap
STARTTLS setup for LDAP
.TP
.B \-\-starttls\-pop3
STARTTLS setup for POP3
.TP
.B \-\-starttls\-smtp
STARTTLS setup for SMTP
.TP
.B \-\-starttls\-mysql
STARTTLS setup for MySQL
.TP
.B \-\-starttls\-xmpp
STARTTLS setup for XMPP
.TP
.B \-\-starttls\-psql
STARTTLS setup for PostgreSQL
.TP
.B \-\-xmpp-server
Perform a server-to-server XMPP connection. Try this if --starttls-xmpp is failing.
.TP
.B \-\-rdp
.br
Send RDP preamble before starting scan.
.TP
.B \-\-bugs
.br
Enables workarounds for SSL bugs
.TP
.B \-\-timeout=<sec>
.br
Set socket timeout. Useful for hosts that fail to respond to ciphers they don't understand. Default is 3s.
.TP
.B \-\-connect\-timeout=<sec>
.br
Set initial connection timeout. Useful for hosts that are slow to respond to the initial connect(). Default is 75s.
.TP
.B \-\-sleep=<msec>
.br
Pause between connections. Useful on STARTTLS SMTP services, or anything else that's performing rate limiting. Default is disabled.
.TP
.B \-\-xml=<file>
.br
Output results to an XML file. - can be used to mean stdout.
.br
.TP
.B \-\-version
Show version of program
.TP
.B \-\-verbose
Display verbose output
.TP
.B \-\-no\-cipher\-details
.br
Hide NIST EC curve name and EDH/RSA key length.
.TP
.B \-\-no-colour
.br
Disable coloured output.
.SH EXAMPLES
.LP
Scan a local HTTPS server
.RS
.nf
sslscan localhost
sslscan 127.0.0.1
sslscan 127.0.0.1:443
sslscan [::1]
sslscan [::1]:443
.SH AUTHOR
sslscan was originally written by Ian Ventura-Whiting <[email protected]>.
.br
sslscan was extended by Jacob Appelbaum <[email protected]>.
.br
sslscan was extended by rbsec <[email protected]>.
.br
This manual page was originally written by Marvin Stark <[email protected]>.