解密SSL/TLS流量通常是为了分析和审计加密通信,以确保数据传输的安全性和合规性。密码套件扫描仪是实现这一目的的一种工具,它可以提供关于SSL/TLS配置的详细信息,帮助安全专家评估潜在的风险。
SSL/TLS协议基础
SSL/TLS协议是网络安全中不可或缺的一部分,它们为网络通信提供了传输层的数据安全。
首先,来了解一下SSL和TLS的概念。SSL(安全套接字层)是一种早期的安全协议,它的主要目的是在Web服务器和Web浏览器之间创建加密连接。而TLS(传输层安全性)是SSL的后继者,它在SSL的基础上进行了改进和标准化,目前被广泛使用以确保互联网通信的私密性和数据安全性。
接下来,深入探讨一下SSL/TLS协议的基础构成。SSL/TLS协议主要分为两层,底层是记录协议,负责使用对称密码对消息进行加密。上层是握手协议,它包括四个部分:握手协议、密码规格变更协议、警告协议和应用数据协议。其中,握手协议是最为复杂的部分,它负责在客户端和服务器端之间商定密码算法和共享密钥,以及进行证书认证。
关注一下SSL/TLS协议的安全性。随着技术的发展,SSL/TLS也在不断进化。例如,TLS 1.3是该协议的最新版本,它于2018年发布,提供了更高的安全性和性能。此外,SSL/TLS协议的安全性还依赖于证书颁发机构(CA)颁发的证书,这些证书用于验证通信双方的身份,确保数据传输的安全性。
密码套件扫描仪的工作原理
密码套件扫描仪是一种网络安全工具,用于自动化检测和分析SSL/TLS配置,以识别潜在的安全弱点。以下是密码套件扫描仪工作原理的详细说明:
1. 目标识别
扫描仪首先确定需要扫描的目标,这可以是单个服务器、一组服务器或整个网络。目标通常是通过IP地址或域名指定的。
2. 端口检测
扫描仪对目标进行端口扫描,以确定哪些端口是开放的,并且可能使用SSL/TLS协议。常见的端口包括443(HTTPS)、465(SMTPS)、993(IMAPS)等。
3. 建立连接
对于每个开放的SSL/TLS端口,扫描仪尝试建立一个SSL/TLS连接。这涉及到执行一个模拟的SSL/TLS握手过程。
4. 握手过程
在SSL/TLS握手中,客户端(扫描仪)和服务器交换信息以验证彼此的身份,并建立一个安全层来保护后续通信。这个过程包括:
- 客户端Hello:客户端发送一个“Hello”消息,包含它支持的SSL/TLS版本和密码套件列表。
- 服务器Hello:服务器响应,选择一个客户端支持的版本和密码套件。
- 证书交换:服务器发送其证书,证明其身份。
- 密钥交换:使用选定的密码套件,双方生成共享密钥,用于加密后续通信。
5. 密码套件分析
扫描仪分析在握手过程中协商的密码套件,检查其安全性。这包括:
- 加密算法:评估使用的加密算法的强度,如AES、DES等。
- 密钥交换算法:检查密钥交换算法,如RSA、ECDHE等。
- MAC算法:分析用于消息完整性验证的算法,如SHA-1、SHA-256等。
6. 弱点识别
扫描仪使用已知漏洞数据库,来识别配置中的弱点,如:
- 已知漏洞的密码套件:如含有心脏出血(Heartbleed)漏洞的OpenSSL版本。
- 过时的协议版本:如SSLv3,已知存在POODLE攻击。
- 弱加密算法:如RC4,易受特定类型的攻击。
7. 报告生成
扫描完成后,扫描仪生成一份详细的报告,包括:
- 目标信息:目标的IP地址或域名。
- 端口信息:开放的SSL/TLS端口。
- 密码套件列表:服务器支持的所有密码套件。
- 安全评估:对每个密码套件的安全评估。
- 建议:改进SSL/TLS配置的建议。
8. 响应措施
根据扫描报告,系统管理员或安全专家可以采取措施,如:
- 更新软件:升级到没有已知漏洞的OpenSSL版本。
- 配置更改:禁用不安全的密码套件和协议版本。
- 证书管理:确保证书有效,未过期。
9. 持续监控
密码套件扫描仪通常用于定期扫描,以持续监控网络的安全状况。
对SSL/TLS加密的流量进行深度分析和审计
为了实现对SSL/TLS加密流量的深度解析,密码套件扫描仪通常需要结合特定工具和方法来解密传输中的数据。以下是进行深度解析的一些方法和步骤:
- 使用Wireshark进行解密:Wireshark是一款广泛使用的网络协议分析工具,它支持SSL/TLS流量的解析和解密。当提供了服务器的私钥或者通过其他方式获取了会话密钥时,Wireshark可以解密SSL或TLS加密的流量。
- 获取私钥或会话密钥:解密SSL/TLS流量的关键通常是拥有服务器的私钥或者是客户端与服务器协商生成的会话密钥。在一些情况下,可以通过法律允许的方式获取到这些密钥,例如从服务器上直接导出私钥或通过某些设置让浏览器在访问数据时实时将会话秘钥记录到日志文件中。
- 利用日志文件:在某些情况下,可以通过配置浏览器和Wireshark,使用NSS库提供的服务,让浏览器在访问数据时实时将动态生成的会话秘钥导入到一个指定的日志文件中。随后,Wireshark可以读取这个日志文件来获取会话秘钥,从而实现对所有流量的解密。
- sslscan工具:sslscan是一个专门用于扫描SSL/TLS证书的工具,它可以报告协议版本、密码套件、密钥交换、签名算法和证书详细信息等。虽然它本身不用于解密流量,但提供的信息对于理解和分析加密通信非常有用。
- 注意合法性和隐私问题:在进行任何形式的加密流量分析时,必须确保操作符合法律法规并尊重用户隐私。未经授权解密通信内容可能违反隐私法和监听法规。
- 技术要求:进行此类深度分析需要具备一定的网络和安全知识,如理解网络追踪、TCP/IP和SSL/TLS协议,以及熟悉相关工具的使用。
解密SSL/TLS:密码套件扫描仪的深度解析(C/C++代码实现)
...
typedef enum {
X_ACCEPTED = 0,
X_DO_SMTP_EHLO,
X_DO_SMTP_STARTTLS,
X_CHECK_SMTP_STARTTLS,
X_DO_CLIENTHELLO,
X_GOT_HEADER,
X_GOT_RECORD,
X_DONE
} test_state_t;
typedef enum {
SSLv2 = 0x0002,
SSLv3 = 0x0300,
TLSv10 = 0x301,
TLSv11 = 0x302,
TLSv12 = 0x303
} ssl_version_t;
#define TEST_MAX_CIPHERS 512
#define TEST_MAX_CERTS 32
#define TEST_MAX_NPN 32
typedef struct {
/* 请求的TLS版本 */
ssl_version_t version;
/* 内部状态 */
test_state_t state;
/* 最后一个套接字错误 */
int error;
/* 成功的连接数 */
int num_connections;
/* 接收到TLS标头数据 */
int rec_contenttype;
int rec_version;
size_t rec_len;
/* 子协议握手的存储 */
unsigned char hs_type;
size_t hs_len;
/* 压缩算法 */
unsigned char compression;
/* 会话ID字节数 */
unsigned char resumption;
/* 证书链 */
size_t cert_chain_size;
int num_certs;
char *certs[TEST_MAX_CERTS];
/* 服务器支持的密码 */
int num_ciphers;
int ciphers[TEST_MAX_CIPHERS];
int has_cs_preference;
int test_cs_preference;
/* 在ServerHello中看到NPN */
int num_npn;
char *npn[TEST_MAX_NPN];
/* 如果在ServerHello中看到SNI */
int ext_sni;
/* 如果我们得到“无法识别的名称” */
int ext_sni_unknown;
/* 在ServerHello中看到SessionTicket */
int ext_tickets;
/* 在ServerHello中看到重新协商 */
int ext_reneg;
/* 在ServerHello中看到Heart甜菜(RFC6520) */
int ext_heartbeat;
/* 服务器将密码计数限制为128 */
int bugfix_limit_cs;
/* 设置服务器是否在TLS扩展上中断(Oracle HTTP server 10g) */
int bugfix_broken_tlsext;
/* 服务器选择的密码不在ClientHello中, */
int bugfix_forced_cs;
/* 子协议警报的存储*/
int alert_level;
int alert_desc;
} test_t;
typedef enum {
CLEAR,
WEAK,
MEDIUM,
STRONG
} cipher_strength_t;
typedef struct {
int id;
int isCBC;
cipher_strength_t strength;
char *name;
} cipher_t;
...
int connection_num_connections(void);
void *connection_priv(connection_t *);
void connection_set_callbacks(connection_t *, connection_callback_t, connection_callback_t, connection_callback_t, void *);
connection_t *connection_open(struct addrinfo *, char *);
void connection_finish(connection_t *);
int connection_write(connection_t *, void *, size_t);
void connection_set_expected_bytes(connection_t *, size_t);
int connection_do_io(void);
...
int sslv2_do_clienthello(connection_t *);
int sslv2_handle_header(connection_t *);
int sslv2_handle_record(connection_t *);
int tls_handle_header(connection_t *);
int tls_handle_record(connection_t *);
int tls_do_clienthello(connection_t *);
int tls_do_heartbeat(connection_t *, ssize_t);
int smtp_do_ehlo(connection_t *);
int smtp_do_starttls(connection_t *);
int smtp_check_starttls(connection_t *);
char *pem_encode(const unsigned char *, size_t, size_t *);
int x509_dump(const unsigned char *, size_t, int);
char *proto_name(ssl_version_t);
char *proto_ver(connection_t *);
int proto_connect(struct addrinfo *, char *, test_t *);
int proto_process(void);
...
static void probe_server(struct addrinfo *, char *);
static void protocol_report(test_t *, int *);
int main(int argc, char **argv) {
char *port = "443";
char *hostname;
struct addrinfo *ai0, *ai;
if(argc < 2) {
fprintf(stderr, "Usage: %s <host> [port (= %s)] [output file]\n", argv[0], port);
return 0;
}
hostname = argv[1];
if(argc == 3)
port = argv[2];
if(argc == 4) {
if(freopen(argv[3], "w", stdout) == NULL)
return -1;
}
...
setlocale(LC_ALL, "");
openlog(APPNAME, LOG_PERROR, LOG_USER);
signal(SIGPIPE, SIG_IGN);
if((ai0 = addr_resolve(hostname, port)) == NULL)
return 0;
if(!strcmp(hostname, addr_ai2ip(ai0)))
hostname = NULL;
printf("[\n");
for(ai = ai0; ai; ai = ai->ai_next) probe_server(ai, hostname);
printf("]\n");
return 0;
}
static void probe_server(struct addrinfo *ai, char *hostname) {
int i, once = 0;
test_t tests[] = {
{ .version = 0x0002 },
{ .version = 0x0300 },
{ .version = 0x0301 },
{ .version = 0x0302 },
{ .version = 0x0303 }
};
printf(" {\n");
printf(" \"ip\":\"%s\",\n", addr_ai2ip(ai));
printf(" \"port\":%d,\n", addr_ai2port(ai));
if(hostname != NULL)
printf(" \"host\":\"%s\",\n", hostname);
else
printf(" \"host\":null,\n");
/* 启动新连接以测试每个协议 */
fprintf(stderr, "[%s] -- Starting SSL/TLS tests\n",
addr_ai2ip(ai));
for(i = 0; i < sizeof(tests)/sizeof(tests[0]); i++)
proto_connect(ai, hostname, &tests[i]);
/* 进行协议协商并测试密码 */
proto_process();
printf(" \"protocols\":[\n");
for(i = 0; i < sizeof(tests)/sizeof(tests[0]); i++)
protocol_report(&tests[i], &once);
printf("\n ]\n");
printf(" }%s\n", ai->ai_next? ",": "");
}
static void protocol_report(test_t *test, int *once) {
...
printf(" {\n");
printf(" \"name\":\"%s\",\n", proto_name(test->version));
printf(" \"version\":%d,\n", test->version);
printf(" \"supported\":%s,\n", test->num_ciphers? "true": "false");
printf(" \"establishedConnections\":%d,\n", test->num_connections);
if(test->error)
printf(" \"lastError\":\"%s\",\n", strerror(test->error));
else
printf(" \"lastError\":null,\n");
printf(" \"compressionAlgorithm\":%d,\n", test->compression);
/* Number of session ID bytes */
printf(" \"sessionIdBytes\":%d,\n", test->resumption);
printf(" \"cipherSuites\":[\n");
for(i = 0; i < test->num_ciphers; i++) {
for(j = 0; j < sizeof(ciphers) / sizeof(*ciphers); j++) {
if(test->ciphers[i] != ciphers[j].id) continue;
printf(" { \"id\":%d,\t\"name\":\"%s\" }%s\n",
ciphers[j].id, ciphers[j].name,
i < test->num_ciphers - 1? ",": "");
break;
}
}
printf(" ],\n");
printf(" \"cipherSuitePreference\":%d,\n", test->has_cs_preference);
if(test->version != 2) {
printf(" \"extensions\":{\n");
printf(" \"sni\":%d,\n", test->ext_sni);
printf(" \"sniNameUnknown\":%d,\n", test->ext_sni_unknown);
printf(" \"sessionTicket\":%d,\n", test->ext_tickets);
printf(" \"secureRenegotiation\":%d,\n", test->ext_reneg);
printf(" \"heartbeat\":%d,\n", test->ext_heartbeat);
printf(" \"npn\":[\n");
for(i = 0; i < test->num_npn; i++) {
printf(" \"%s\"%s\n", test->npn[i],
i < test->num_npn - 1? ",": "");
}
printf(" ]\n");
printf(" },\n");
printf(" \"lastAlert\":{\n");
printf(" \"level\":%d,\n", test->alert_level);
printf(" \"description\":%d\n", test->alert_desc);
printf(" },\n");
printf(" \"bugs\":{\n");
printf(" \"brokenTlsExt\":%d,\n", test->bugfix_broken_tlsext);
printf(" \"csLimit\":%d,\n", test->bugfix_limit_cs);
printf(" \"forcedCs\":%d\n", test->bugfix_forced_cs);
printf(" },\n");
}
printf(" \"certificateChainSize\":%zd,\n", test->cert_chain_size);
printf(" \"certificates\":[\n");
for(i = 0; i < test->num_certs; i++) {
printf("\"");
p = test->certs[i];
while(*p) {
if(*p == '\n') printf("\\n");
else printf("%c", *p);
p++;
}
printf("\"%s\n", i < test->num_certs - 1? ",": "");
}
printf(" ]\n");
printf(" }");
/* 释放协议处理程序分配的资源 */
for(i = 0; i < test->num_npn; i++)
if(test->npn[i] != NULL) free(test->npn[i]);
for(i = 0; i < test->num_certs; i++)
if(test->certs[i] != NULL) free(test->certs[i]);
}
If you need the complete source code, please add the WeChat number (c17865354792)
输出结果:
json:
{
"name":"TLS 1.1",
"version":770,
"supported":true,
"establishedConnections":8,
"lastError":null,
"compressionAlgorithm":0,
"sessionIdBytes":0,
"cipherSuites":[
{ "id":49169, "name":"TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
{ "id":49171, "name":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
{ "id":49172, "name":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
{ "id":47, "name":"RSA_WITH_AES_128_CBC_SHA" },
{ "id":53, "name":"RSA_WITH_AES_256_CBC_SHA" },
{ "id":5, "name":"RSA_WITH_RC4_128_SHA" }
],
"cipherSuitePreference":1,
"extensions":{
"sni":1,
"sniNameUnknown":0,
"sessionTicket":1,
"secureRenegotiation":1,
"heartbeat":1,
"npn":[
"spdy/3.1",
"http/1.1"
]
},
"lastAlert":{
"level":0,
"description":0
},
"bugs":{
"brokenTlsExt":0,
"csLimit":0,
"forcedCs":0
},
"certificateChainSize":3170,
"certificates":[
"-----BEGIN CERTIFICATE-----\nMIIHTjCCBjagAwIBAgIQBYujqAe8Wo3DiG8NBXh81DANBgkqhkiG9w0BAQsFADBQ\nMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSowKAYDVQQDEyFE\naWdpQ2VydCBTZWN1cmUgU2l0ZSBQcm8gQ04gQ0EgRzMwHhcNMjQwMTMwMDAwMDAw\nWhcNMjUwMzAxMjM1OTU5WjBzMQswCQYDVQQGEwJDTjESMBAGA1UECAwJ5YyX5Lqs\n5biCMTkwNwYDVQQKEzBCZWlKaW5nIEJhaWR1IE5ldGNvbSBTY2llbmNlIFRlY2hu\nb2xvZ3kgQ28uLCBMdGQxFTATBgNVBAMTDHd3dy5iYWlkdS5jbjCCASIwDQYJKoZI\nhvcNAQEBBQADggEPADCCAQoCggEBAIOr17+yvFVNjeBttQGQUQeE6nvfknzzGt/X\nYIRUPY5EPU4YhKhxVEASMfJKwFsUEtM/p8KkHLy+L5UUIbiIKr4Gds8SvJmpIW8t\nO7Hc3JI6+YQqCchDjLPx90W10qjuZeY5LdCiBg7DEuVxgqSBDP2J+Rn9uGZSUerP\nwVOC63sku6ZfLDnGCaiC7wdGC18cY3O/9jprQHPNJPWFt64P6CfZ9rvo4tFSIFpt\n6JWjMzzVX76Y8h9PYBFq7g9zczt6z8HiYkV5EDboyNYFm3cOnFjyjIrZsdIJaiW+\nUR8+3Dy/GaY3sipoBE6PMrfB1aI+G1yTWU6iLtpOaqGLPAgiRX0CAwEAAaOCA/8w\nggP7MB8GA1UdIwQYMBaAFHuj+v/11QldHvkq/4VT7a9HqNd6MB0GA1UdDgQWBBQQ\n4UFHNdbzY57FPYYqkslJBUYWXDCB9AYDVR0RBIHsMIHpggx3d3cuYmFpZHUuY26C\nCGJhaWR1LmNuggliYWlkdS5jb22CDGJhaWR1LmNvbS5jboILdy5iYWlkdS5jb22C\nDHd3LmJhaWR1LmNvbYIQd3d3LmJhaWR1LmNvbS5jboIQd3d3LmJhaWR1LmNvbS5o\na4IMd3d3LmJhaWR1LmhrghB3d3cuYmFpZHUubmV0LmF1ghB3d3cuYmFpZHUubmV0\nLnBoghB3d3cuYmFpZHUubmV0LnR3ghB3d3cuYmFpZHUubmV0LnZugg53d3d3LmJh\naWR1LmNvbYIRd3d3dy5iYWlkdS5jb20uY24wPgYDVR0gBDcwNTAzBgZngQwBAgIw\nKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpY2VydC5jb20vQ1BTMA4GA1Ud\nDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwRwYDVR0f\nBEAwPjA8oDqgOIY2aHR0cDovL2NybC5kaWdpY2VydC5jbi9EaWdpQ2VydFNlY3Vy\nZVNpdGVQcm9DTkNBRzMuY3JsMHsGCCsGAQUFBwEBBG8wbTAjBggrBgEFBQcwAYYX\naHR0cDovL29jc3AuZGlnaWNlcnQuY24wRgYIKwYBBQUHMAKGOmh0dHA6Ly9jYWNl\ncnRzLmRpZ2ljZXJ0LmNuL0RpZ2lDZXJ0U2VjdXJlU2l0ZVByb0NOQ0FHMy5jcnQw\nDAYDVR0TAQH/BAIwADCCAX0GCisGAQQB1nkCBAIEggFtBIIBaQFnAHUATnWjJ1ya\nEMM4W2zU3z9S6x3w4I4bjWnAsfpksWKaOd8AAAGNV/zgGwAABAMARjBEAiAQrH3Y\nvwsL6DHkXu6oYoBlJbKYFW9SHR77F7D6RQ0uFgIgFRSrqyM/YtW7ZNibRix6WULe\njbZ1k7akpCyhfDvMkjsAdgB9WR4S4XgqexxhZ3xe/fjQh1wUoE6VnrkDL9kOjC55\nuAAAAY1X/OBNAAAEAwBHMEUCIEFeRJY30iEWmlHfbzfp35wEL9SmltrxGjFLf/dW\nEC6BAiEAv3HRQVrVUOeUbgo4CJMjdDxROFFcBvciWVoXkL97GUwAdgDm0jFjQHeM\nwRBBBtdxuc7B0kD2loSG+7qHMh39HjeOUAAAAY1X/OB8AAAEAwBHMEUCIBMKNF+z\nh9422XPQ7da9BQ7pyK3CcxVEcK3JqVz5EhhuAiEAg/+mv6lix7Vp1drI9TpIrJq/\nR/PDYhId2ASdq7za9PUwDQYJKoZIhvcNAQELBQADggEBAGtFSzrdZyGghp2R4bqL\ntg/X3MV0ytr8YXggOynqzrc5GBApeUwJ5vBEkO7WL176Y5gtJXtiNhpuX9mOQCzI\nF1KOrv3akz3TXufPR1ZeNfLTOHjB6cE7bZd4cXS7FZVkWGqQ4p3FzYq1SlpJySiI\nAbaMqpQcT1q+V7rEI+p2cPz+h+QsBn2BQ24+lt1VZoyu8ua/Dj9qvtwOIRo++Jfd\nKjmvTp3lYOOS1m7A9KwC7n3tmtweEWhmwoz0bFPxWh7R9frFA5Q+gsspL4SxvU/i\nvZThPMdeTgwOzn2nJhPcJFZ5yUGPZ8thorOYjMLHQ4DKsy7mnGMnKLwmz17L/0Tx\n8GU=\n-----END CERTIFICATE-----\n",
"-----BEGIN CERTIFICATE-----\nMIIFDDCCA/SgAwIBAgIQBR8Mft3IjbrwDFDihfQiZTANBgkqhkiG9w0BAQsFADBh\nMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\nd3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD\nQTAeFw0yMDAzMTMxMjAwNDhaFw0zMDAzMTMxMjAwNDhaMFAxCzAJBgNVBAYTAlVT\nMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxKjAoBgNVBAMTIURpZ2lDZXJ0IFNlY3Vy\nZSBTaXRlIFBybyBDTiBDQSBHMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC\nggEBALqD6tXbzIpRYNzoznLbHwz+chdbruBQJ80/GqdVld/xtIvi2yIE0aPZ/awW\nD7yc353pX9eNysCtYMr+uLlqHxSU3DgMh+HdZG3wam+rGbO2I6l5tjxJKP5BSysG\noxnL2ZnONKTiDOu5RL5JrD35R64w6FWGFx+DsKW/e3WnR80NDH+JWFFzwi/bzHFh\nHJ6gsaeAiWqMunCyxbejtHnPcmDs7Mca0d8tb7vqs8KbHwEjMMTfE8lLGYL2rHy3\nq/uSfMUminrjr4TTgVoHhhjABA0y5f0FF8S4SNBDB9GbUrToL4nuX9AtuC65j+u/\ncQ6I/T1Tdyks5seRKiFamCtMxo0CAwEAAaOCAc8wggHLMB0GA1UdDgQWBBR7o/r/\n9dUJXR75Kv+FU+2vR6jXejAfBgNVHSMEGDAWgBQD3lA1VtFMu2bwo+IbG8OXsj3R\nVTAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC\nMBIGA1UdEwEB/wQIMAYBAf8CAQAwMwYIKwYBBQUHAQEEJzAlMCMGCCsGAQUFBzAB\nhhdodHRwOi8vb2NzcC5kaWdpY2VydC5jbjBABgNVHR8EOTA3MDWgM6Axhi9odHRw\nOi8vY3JsLmRpZ2ljZXJ0LmNuL0RpZ2lDZXJ0R2xvYmFsUm9vdENBLmNybDCBzgYD\nVR0gBIHGMIHDMIHABgRVHSAAMIG3MCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5k\naWdpY2VydC5jb20vQ1BTMIGKBggrBgEFBQcCAjB+DHxBbnkgdXNlIG9mIHRoaXMg\nQ2VydGlmaWNhdGUgY29uc3RpdHV0ZXMgYWNjZXB0YW5jZSBvZiB0aGUgUmVseWlu\nZyBQYXJ0eSBBZ3JlZW1lbnQgbG9jYXRlZCBhdCBodHRwczovL3d3dy5kaWdpY2Vy\ndC5jb20vcnBhLXVhMA0GCSqGSIb3DQEBCwUAA4IBAQCFMP6Exs4uwBILlV3yCOg1\n9T0GhyY1XFLHJkG/zgYmdoFZc4N0I7NIuMKEZkcaOc13Wt6QkS6GpMO3aZkXYTfl\n9zpDtwdqSpL43nkCxd+nxB1A3N+9D/ZswoOUeBi0FI/fhKTh4B8sdRoVBYRJEhef\n5J0LRssXrSRiYxmITdX2N2zCcIL6/17YXds2BTxvfCHDWGWnnAys4i0W5ccgQ5bt\nnPHVW3hEZCO9nbrAOl4swdyFTV1Q0UUG/wZRYZEkFKdpfBOjCWDDrKo1SGV1Qys8\n6y96+AgqbDB91mdnxIr1MuTtHGn/Q1YE2x9OSTb2f2k0ArhFxFdcjKTfLLewG1xD\n-----END CERTIFICATE-----\n"
]
},
{
"name":"TLS 1.2",
"version":771,
"supported":true,
"establishedConnections":16,
"lastError":null,
"compressionAlgorithm":0,
"sessionIdBytes":0,
"cipherSuites":[
{ "id":49199, "name":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
{ "id":49191, "name":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
{ "id":49169, "name":"TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
{ "id":49171, "name":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
{ "id":49172, "name":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
{ "id":49200, "name":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
{ "id":49192, "name":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
{ "id":156, "name":"TLS_RSA_WITH_AES_128_GCM_SHA256" },
{ "id":157, "name":"TLS_RSA_WITH_AES_256_GCM_SHA384" },
{ "id":60, "name":"RSA_WITH_AES_128_CBC_SHA256" },
{ "id":47, "name":"RSA_WITH_AES_128_CBC_SHA" },
{ "id":61, "name":"RSA_WITH_AES_256_CBC_SHA256" },
{ "id":53, "name":"RSA_WITH_AES_256_CBC_SHA" },
{ "id":5, "name":"RSA_WITH_RC4_128_SHA" }
],
"cipherSuitePreference":1,
"extensions":{
"sni":1,
"sniNameUnknown":0,
"sessionTicket":1,
"secureRenegotiation":1,
"heartbeat":1,
"npn":[
"spdy/3.1",
"http/1.1"
]
},
"lastAlert":{
"level":0,
"description":0
},
"bugs":{
"brokenTlsExt":0,
"csLimit":0,
"forcedCs":0
},
"certificateChainSize":3170,
"certificates":[
"-----BEGIN CERTIFICATE-----\nMIIHTjCCBjagAwIBAgIQBYujqAe8Wo3DiG8NBXh81DANBgkqhkiG9w0BAQsFADBQ\nMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSowKAYDVQQDEyFE\naWdpQ2VydCBTZWN1cmUgU2l0ZSBQcm8gQ04gQ0EgRzMwHhcNMjQwMTMwMDAwMDAw\nWhcNMjUwMzAxMjM1OTU5WjBzMQswCQYDVQQGEwJDTjESMBAGA1UECAwJ5YyX5Lqs\n5biCMTkwNwYDVQQKEzBCZWlKaW5nIEJhaWR1IE5ldGNvbSBTY2llbmNlIFRlY2hu\nb2xvZ3kgQ28uLCBMdGQxFTATBgNVBAMTDHd3dy5iYWlkdS5jbjCCASIwDQYJKoZI\nhvcNAQEBBQADggEPADCCAQoCggEBAIOr17+yvFVNjeBttQGQUQeE6nvfknzzGt/X\nYIRUPY5EPU4YhKhxVEASMfJKwFsUEtM/p8KkHLy+L5UUIbiIKr4Gds8SvJmpIW8t\nO7Hc3JI6+YQqCchDjLPx90W10qjuZeY5LdCiBg7DEuVxgqSBDP2J+Rn9uGZSUerP\nwVOC63sku6ZfLDnGCaiC7wdGC18cY3O/9jprQHPNJPWFt64P6CfZ9rvo4tFSIFpt\n6JWjMzzVX76Y8h9PYBFq7g9zczt6z8HiYkV5EDboyNYFm3cOnFjyjIrZsdIJaiW+\nUR8+3Dy/GaY3sipoBE6PMrfB1aI+G1yTWU6iLtpOaqGLPAgiRX0CAwEAAaOCA/8w\nggP7MB8GA1UdIwQYMBaAFHuj+v/11QldHvkq/4VT7a9HqNd6MB0GA1UdDgQWBBQQ\n4UFHNdbzY57FPYYqkslJBUYWXDCB9AYDVR0RBIHsMIHpggx3d3cuYmFpZHUuY26C\nCGJhaWR1LmNuggliYWlkdS5jb22CDGJhaWR1LmNvbS5jboILdy5iYWlkdS5jb22C\nDHd3LmJhaWR1LmNvbYIQd3d3LmJhaWR1LmNvbS5jboIQd3d3LmJhaWR1LmNvbS5o\na4IMd3d3LmJhaWR1LmhrghB3d3cuYmFpZHUubmV0LmF1ghB3d3cuYmFpZHUubmV0\nLnBoghB3d3cuYmFpZHUubmV0LnR3ghB3d3cuYmFpZHUubmV0LnZugg53d3d3LmJh\naWR1LmNvbYIRd3d3dy5iYWlkdS5jb20uY24wPgYDVR0gBDcwNTAzBgZngQwBAgIw\nKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpY2VydC5jb20vQ1BTMA4GA1Ud\nDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwRwYDVR0f\nBEAwPjA8oDqgOIY2aHR0cDovL2NybC5kaWdpY2VydC5jbi9EaWdpQ2VydFNlY3Vy\nZVNpdGVQcm9DTkNBRzMuY3JsMHsGCCsGAQUFBwEBBG8wbTAjBggrBgEFBQcwAYYX\naHR0cDovL29jc3AuZGlnaWNlcnQuY24wRgYIKwYBBQUHMAKGOmh0dHA6Ly9jYWNl\ncnRzLmRpZ2ljZXJ0LmNuL0RpZ2lDZXJ0U2VjdXJlU2l0ZVByb0NOQ0FHMy5jcnQw\nDAYDVR0TAQH/BAIwADCCAX0GCisGAQQB1nkCBAIEggFtBIIBaQFnAHUATnWjJ1ya\nEMM4W2zU3z9S6x3w4I4bjWnAsfpksWKaOd8AAAGNV/zgGwAABAMARjBEAiAQrH3Y\nvwsL6DHkXu6oYoBlJbKYFW9SHR77F7D6RQ0uFgIgFRSrqyM/YtW7ZNibRix6WULe\njbZ1k7akpCyhfDvMkjsAdgB9WR4S4XgqexxhZ3xe/fjQh1wUoE6VnrkDL9kOjC55\nuAAAAY1X/OBNAAAEAwBHMEUCIEFeRJY30iEWmlHfbzfp35wEL9SmltrxGjFLf/dW\nEC6BAiEAv3HRQVrVUOeUbgo4CJMjdDxROFFcBvciWVoXkL97GUwAdgDm0jFjQHeM\nwRBBBtdxuc7B0kD2loSG+7qHMh39HjeOUAAAAY1X/OB8AAAEAwBHMEUCIBMKNF+z\nh9422XPQ7da9BQ7pyK3CcxVEcK3JqVz5EhhuAiEAg/+mv6lix7Vp1drI9TpIrJq/\nR/PDYhId2ASdq7za9PUwDQYJKoZIhvcNAQELBQADggEBAGtFSzrdZyGghp2R4bqL\ntg/X3MV0ytr8YXggOynqzrc5GBApeUwJ5vBEkO7WL176Y5gtJXtiNhpuX9mOQCzI\nF1KOrv3akz3TXufPR1ZeNfLTOHjB6cE7bZd4cXS7FZVkWGqQ4p3FzYq1SlpJySiI\nAbaMqpQcT1q+V7rEI+p2cPz+h+QsBn2BQ24+lt1VZoyu8ua/Dj9qvtwOIRo++Jfd\nKjmvTp3lYOOS1m7A9KwC7n3tmtweEWhmwoz0bFPxWh7R9frFA5Q+gsspL4SxvU/i\nvZThPMdeTgwOzn2nJhPcJFZ5yUGPZ8thorOYjMLHQ4DKsy7mnGMnKLwmz17L/0Tx\n8GU=\n-----END CERTIFICATE-----\n",
"-----BEGIN CERTIFICATE-----\nMIIFDDCCA/SgAwIBAgIQBR8Mft3IjbrwDFDihfQiZTANBgkqhkiG9w0BAQsFADBh\nMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\nd3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD\nQTAeFw0yMDAzMTMxMjAwNDhaFw0zMDAzMTMxMjAwNDhaMFAxCzAJBgNVBAYTAlVT\nMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxKjAoBgNVBAMTIURpZ2lDZXJ0IFNlY3Vy\nZSBTaXRlIFBybyBDTiBDQSBHMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC\nggEBALqD6tXbzIpRYNzoznLbHwz+chdbruBQJ80/GqdVld/xtIvi2yIE0aPZ/awW\nD7yc353pX9eNysCtYMr+uLlqHxSU3DgMh+HdZG3wam+rGbO2I6l5tjxJKP5BSysG\noxnL2ZnONKTiDOu5RL5JrD35R64w6FWGFx+DsKW/e3WnR80NDH+JWFFzwi/bzHFh\nHJ6gsaeAiWqMunCyxbejtHnPcmDs7Mca0d8tb7vqs8KbHwEjMMTfE8lLGYL2rHy3\nq/uSfMUminrjr4TTgVoHhhjABA0y5f0FF8S4SNBDB9GbUrToL4nuX9AtuC65j+u/\ncQ6I/T1Tdyks5seRKiFamCtMxo0CAwEAAaOCAc8wggHLMB0GA1UdDgQWBBR7o/r/\n9dUJXR75Kv+FU+2vR6jXejAfBgNVHSMEGDAWgBQD3lA1VtFMu2bwo+IbG8OXsj3R\nVTAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC\nMBIGA1UdEwEB/wQIMAYBAf8CAQAwMwYIKwYBBQUHAQEEJzAlMCMGCCsGAQUFBzAB\nhhdodHRwOi8vb2NzcC5kaWdpY2VydC5jbjBABgNVHR8EOTA3MDWgM6Axhi9odHRw\nOi8vY3JsLmRpZ2ljZXJ0LmNuL0RpZ2lDZXJ0R2xvYmFsUm9vdENBLmNybDCBzgYD\nVR0gBIHGMIHDMIHABgRVHSAAMIG3MCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5k\naWdpY2VydC5jb20vQ1BTMIGKBggrBgEFBQcCAjB+DHxBbnkgdXNlIG9mIHRoaXMg\nQ2VydGlmaWNhdGUgY29uc3RpdHV0ZXMgYWNjZXB0YW5jZSBvZiB0aGUgUmVseWlu\nZyBQYXJ0eSBBZ3JlZW1lbnQgbG9jYXRlZCBhdCBodHRwczovL3d3dy5kaWdpY2Vy\ndC5jb20vcnBhLXVhMA0GCSqGSIb3DQEBCwUAA4IBAQCFMP6Exs4uwBILlV3yCOg1\n9T0GhyY1XFLHJkG/zgYmdoFZc4N0I7NIuMKEZkcaOc13Wt6QkS6GpMO3aZkXYTfl\n9zpDtwdqSpL43nkCxd+nxB1A3N+9D/ZswoOUeBi0FI/fhKTh4B8sdRoVBYRJEhef\n5J0LRssXrSRiYxmITdX2N2zCcIL6/17YXds2BTxvfCHDWGWnnAys4i0W5ccgQ5bt\nnPHVW3hEZCO9nbrAOl4swdyFTV1Q0UUG/wZRYZEkFKdpfBOjCWDDrKo1SGV1Qys8\n6y96+AgqbDB91mdnxIr1MuTtHGn/Q1YE2x9OSTb2f2k0ArhFxFdcjKTfLLewG1xD\n-----END CERTIFICATE-----\n"
]
}
]
}
]
总结
密码套件扫描仪通过模拟SSL/TLS握手过程,分析服务器的SSL/TLS配置,识别潜在的安全弱点。它为系统管理员提供了一个强大的工具,以提高网络通信的安全性。然而,使用这种工具需要专业知识,以正确解释结果并采取适当的措施。
We also undertake the development of program requirements here. If necessary, please follow the WeChat official account 【程序猿编码】and contact me
参考:
RFC6101 、RFC5246 、RFC5077 、RFC5746 、RFC3207
