SSL Version을 체크하는 여러가지 방법들
여러가지 명령을 통해 ssl version 체크하는 방법들 간략하게 메모해둡니다. 개인적으로 주로 testssl.sh를 자주 사용했었는데, 쓰다보니 종종 다른 도구와 크로스 체크가 필요한 일이 있네요. 여러 도구들이 ssl version 관련 옵션은 지원하고 있으니 숙지해두면 종종 사용할 일이 있을듯 합니다 :D
Testssl.sh
testssl.sh의 경우 ssl version 이외에도 지원하는 알고리즘이나 키체인 등 여러가지 체크를 위해 많이 사용되는 도구입니다. 다만 connection에 대해 일부 캐시하는 과정이 있는지 minimum-tls-version을 변경하여도 제대로 식별하진 못했습니다.
git clone https://github.com/drwetter/testssl.sh
cd testssl.sh
./testssl.sh www.hahwul.com | grep "Testing protocols" -A 10
# Testing protocols via sockets except NPN+ALPN
# SSLv2 not offered (OK)
# SSLv3 not offered (OK)
# TLS 1 not offered
# TLS 1.1 not offered
# TLS 1.2 offered (OK)
# TLS 1.3 offered (OK): final
# NPN/SPDY not offered
# ALPN/HTTP2 h2, http/1.1 (offered)
OpenSSL
brew install openssl
openssl s_client -connect www.hahwul.com:443 -tls1
openssl s_client -connect www.hahwul.com:443 -tls1_1
openssl s_client -connect www.hahwul.com:443 -tls1_2
# 지원하지 않는 경우
# openssl s_client -connect www.hahwul.com:443 -tls1
# ...
# This TLS version forbids renegotiation.
# 지원하는 경우
# ...
# SSL-Session:
# Protocol : TLSv1.2
# Cipher : ECDHE-RSA-AES128-GCM-SHA256
# ...
Curl
brew install curl
curl https://www.hahwul.com -vv --tlsv1.0 --tls-max 1.0
curl https://www.hahwul.com -vv --tlsv1.1 --tls-max 1.1
curl https://www.hahwul.com -vv --tlsv1.2 --tls-max 1.2
# 지원하지 않는 경우
# * Trying 185.199.111.153:443...
# * Connected to www.hahwul.com (185.199.111.153) port 443 (#0)
# * CURL_SSLVERSION_MAX incompatible with CURL_SSLVERSION
# * Closing connection 0
# curl: (35) CURL_SSLVERSION_MAX incompatible with CURL_SSLVERSION
# 지원하는 경우
# * Trying 185.199.108.153:443...
# * Connected to www.hahwul.com (185.199.108.153) port 443 (#0)
# * ALPN: offers h2,http/1.1
# * (304) (OUT), TLS handshake, Client hello (1):
# * CAfile: /etc/ssl/cert.pem
# * CApath: none
# * (304) (IN), TLS handshake, Server hello (2):
# * TLSv1.2 (IN), TLS handshake, Certificate (11):
# ...
HTTPie
brew install httpie
http https://www.hahwul.com --ssl tls1
http https://www.hahwul.com --ssl tls1.1
http https://www.hahwul.com --ssl tls1.2
# 지원하지 않는 경우
# http: error: SSLError: HTTPSConnectionPool(host='www.hahwul.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: NO_PROTOCOLS_AVAILABLE] no protocols available (_ssl.c:1002)'))) while doing a GET request to URL: https://www.hahwul.com/
# 지원하는 경우
# HTTP/1.1 200 OK
# Accept-Ranges: bytes
# Access-Control-Allow-Origin: *
# Age: 0
# Cache-Control: max-age=600
Nmap
brew install nmap
nmap --script ssl-enum-ciphers www.hahwul.com -p 443
# 지원하는 버전을 알 수 있음 (예시에선 1.2와 1.3만 지원)
# PORT STATE SERVICE
# 443/tcp open https
# | ssl-enum-ciphers:
# | TLSv1.2:
# | ciphers:
# | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
# | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
# | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
# | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
# | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
# | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
# | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
# | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
# | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
# | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
# | compressors:
# | NULL
# | cipher preference: server
# | TLSv1.3:
# | ciphers:
# | TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
# | TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
# | TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
# | cipher preference: client
# |_ least strength: A
Metasploit
use auxiliary/scanner/ssl/ssl_version
Module options (auxiliary/scanner/ssl/ssl_version): show options
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS www.hahwul.com yes The target host(s)
RPORT 443 yes The target port (TCP)
SSLCipher All yes SSL cipher to test (Accepted: All, TLS_AES_256_GCM_SHA384, ...
SSLVersion All yes SSL version to test (Accepted: All, SSLv3, TLSv1.0, TLSv1.2, TLSv1.3)
THREADS 1 yes The number of concurrent threads (max one per host)
Module options (auxiliary/scanner/ssl/ssl_version): run
[+] 185.199.111.153:443 - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-CHACHA20-POLY1305
[+] 185.199.111.153:443 - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256
[+] 185.199.111.153:443 - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-SHA384
[+] 185.199.111.153:443 - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-SHA256
[+] 185.199.111.153:443 - Connected with SSL Version: TLSv1.2, Cipher: AES128-GCM-SHA256
....