nmz.me

This is my public notebook.


Project maintained by nicomz Hosted on GitHub Pages — Theme by mattgraham

While recently helping a friend who was facing problems using a government API across its test and production environments, I suspected that the issue was related to the SSL/TLS version enabled on each site. Here are some handy scripts for checking that setting on remote sites.

nmap --script ssl-enum-ciphers -p 443 nmz.me

And here’s the output:

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-16 17:51 -03
Nmap scan report for nmz.me (104.27.148.109)
Host is up (0.28s latency).
Other addresses for nmz.me (not scanned): 172.67.199.116 104.27.149.109 2606:4700:3034::681b:956d 2606:4700:3036::681b:946d 2606:4700:3036::ac43:c774

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.1: 
|     ciphers: 
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256-draft (ecdh_x25519) - A
|     compressors: 
|       NULL
|     cipher preference: client
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 13.41 seconds
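To compare two environments it helps to reduce that report to one line per protocol version. The following POSIX sh function is an added example, not part of the original post: it reads ssl-enum-ciphers output and marks the protocol versions deprecated by RFC 7568 and RFC 8996. The function names and the trimmed sample report are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise `nmap --script ssl-enum-ciphers` output per protocol.
# Reads nmap output on stdin, prints one line per protocol version.
summarize_tls() {
  awk '
    # Protocol header such as "|   TLSv1.0:"
    $1 == "|" && $2 ~ /^(SSLv|TLSv)[0-9.]+:$/ {
      proto = substr($2, 1, length($2) - 1)
      order[++n] = proto; count[proto] = 0; worst[proto] = "A"; pref[proto] = "?"
      next
    }
    # Cipher line such as "|       TLS_..._SHA (ecdh_x25519) - A"
    proto != "" && $2 ~ /^TLS_/ && $(NF - 1) == "-" {
      count[proto]++
      if ($NF > worst[proto]) worst[proto] = $NF   # grades compare as strings, A best
      next
    }
    proto != "" && $2 == "cipher" && $3 == "preference:" { pref[proto] = $4 }
    END {
      for (i = 1; i <= n; i++) {
        p = order[i]
        # SSLv3, TLS 1.0 and TLS 1.1 are deprecated (RFC 7568, RFC 8996)
        legacy = (p ~ /^SSLv/ || p == "TLSv1.0" || p == "TLSv1.1")
        printf "%s ciphers=%d worst=%s pref=%s %s\n",
               p, count[p], worst[p], pref[p], (legacy ? "LEGACY" : "ok")
      }
    }'
}

# Constructed sample in the report format shown above (not a real scan).
sample_nmap_output() {
  cat <<'EOF'
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     cipher preference: client
|_  least strength: C
EOF
}

sample_nmap_output | summarize_tls
```

On a live target, pipe the nmap command above into `summarize_tls` and diff the summaries of the two environments.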

Here’s another handy script in case you don’t have nmap installed. (Found on StackOverflow)

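#!/usr/bin/env bash

# Usage: ./show_ssl_ciphers.sh host:port
# OpenSSL requires the port number.
SERVER=${1:?usage: $0 host:port}
DELAY=1
# Split OpenSSL's colon-separated cipher list into an array.
IFS=':' read -r -a ciphers <<< "$(openssl ciphers 'ALL:eNULL')"

echo "Obtaining cipher list from $(openssl version)."

# Note: -cipher only covers TLS 1.2 and below. OpenSSL 1.1.1+ refuses TLS 1.3
# suite names here, so they are reported as NO (SSL_CTX_set_cipher_list).
for cipher in "${ciphers[@]}"
do
  echo -n "Testing $cipher..."
  # Offer only this cipher; empty stdin makes s_client exit after the handshake.
  result=$(echo -n | openssl s_client -cipher "$cipher" -connect "$SERVER" 2>&1)
  if [[ "$result" =~ ":error:" ]] ; then
    # $result is left unquoted on purpose: it collapses the output onto one
    # line so that cut can pick the sixth colon-separated field as the reason.
    error=$(echo -n $result | cut -d':' -f6)
    echo "NO ($error)"
  else
    if [[ "$result" =~ "Cipher is ${cipher}" || "$result" =~ "Cipher    :" ]] ; then
      echo YES
    else
      echo UNKNOWN RESPONSE
      echo "$result"
    fi
  fi
  sleep "$DELAY"
done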

And this is the sample output:

➜  scripts git:(master) ✗ ./show_ssl_ciphers.sh wsaahomo.afip.gov.ar:443
Obtaining cipher list from OpenSSL 1.1.1f 31 Mar 2020.
Testing TLS_AES_256_GCM_SHA384...NO (SSL_CTX_set_cipher_list)
Testing TLS_CHACHA20_POLY1305_SHA256...NO (SSL_CTX_set_cipher_list)
Testing TLS_AES_128_GCM_SHA256...NO (SSL_CTX_set_cipher_list)
Testing ECDHE-ECDSA-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-AES256-GCM-SHA384...YES
Testing DHE-DSS-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES256-GCM-SHA384...NO (141A318A)
Testing ECDHE-ECDSA-CHACHA20-POLY1305...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-CHACHA20-POLY1305...NO (sslv3 alert handshake failure)
Testing DHE-RSA-CHACHA20-POLY1305...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES256-CCM8...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES256-CCM...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES256-CCM8...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES256-CCM...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-ARIA256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-ARIA256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing DHE-DSS-ARIA256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing DHE-RSA-ARIA256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing ADH-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-AES128-GCM-SHA256...YES
Testing DHE-DSS-AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES128-GCM-SHA256...NO (141A318A)
Testing ECDHE-ECDSA-AES128-CCM8...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES128-CCM...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES128-CCM8...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES128-CCM...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-ARIA128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-ARIA128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-DSS-ARIA128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-RSA-ARIA128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing ADH-AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES256-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-AES256-SHA384...YES
Testing DHE-RSA-AES256-SHA256...NO (141A318A)
Testing DHE-DSS-AES256-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-CAMELLIA256-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-CAMELLIA256-SHA384...NO (sslv3 alert handshake failure)
Testing DHE-RSA-CAMELLIA256-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-DSS-CAMELLIA256-SHA256...NO (sslv3 alert handshake failure)
Testing ADH-AES256-SHA256...NO (sslv3 alert handshake failure)
Testing ADH-CAMELLIA256-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES128-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-AES128-SHA256...YES
Testing DHE-RSA-AES128-SHA256...NO (141A318A)
Testing DHE-DSS-AES128-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-RSA-CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-DSS-CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing ADH-AES128-SHA256...NO (sslv3 alert handshake failure)
Testing ADH-CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES256-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-AES256-SHA...YES
Testing DHE-RSA-AES256-SHA...NO (141A318A)
Testing DHE-DSS-AES256-SHA...NO (sslv3 alert handshake failure)
Testing DHE-RSA-CAMELLIA256-SHA...NO (sslv3 alert handshake failure)
Testing DHE-DSS-CAMELLIA256-SHA...NO (sslv3 alert handshake failure)
Testing AECDH-AES256-SHA...NO (sslv3 alert handshake failure)
Testing ADH-AES256-SHA...NO (sslv3 alert handshake failure)
Testing ADH-CAMELLIA256-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES128-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-AES128-SHA...YES
Testing DHE-RSA-AES128-SHA...NO (141A318A)
Testing DHE-DSS-AES128-SHA...NO (sslv3 alert handshake failure)
Testing DHE-RSA-SEED-SHA...NO (sslv3 alert handshake failure)
Testing DHE-DSS-SEED-SHA...NO (sslv3 alert handshake failure)
Testing DHE-RSA-CAMELLIA128-SHA...NO (sslv3 alert handshake failure)
Testing DHE-DSS-CAMELLIA128-SHA...NO (sslv3 alert handshake failure)
Testing AECDH-AES128-SHA...NO (sslv3 alert handshake failure)
Testing ADH-AES128-SHA...NO (sslv3 alert handshake failure)
Testing ADH-SEED-SHA...NO (sslv3 alert handshake failure)
Testing ADH-CAMELLIA128-SHA...NO (sslv3 alert handshake failure)
Testing RSA-PSK-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing DHE-PSK-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing RSA-PSK-CHACHA20-POLY1305...NO (sslv3 alert handshake failure)
Testing DHE-PSK-CHACHA20-POLY1305...NO (sslv3 alert handshake failure)
Testing ECDHE-PSK-CHACHA20-POLY1305...NO (sslv3 alert handshake failure)
Testing DHE-PSK-AES256-CCM8...NO (sslv3 alert handshake failure)
Testing DHE-PSK-AES256-CCM...NO (sslv3 alert handshake failure)
Testing RSA-PSK-ARIA256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing DHE-PSK-ARIA256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing AES256-GCM-SHA384...YES
Testing AES256-CCM8...NO (sslv3 alert handshake failure)
Testing AES256-CCM...NO (sslv3 alert handshake failure)
Testing ARIA256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing PSK-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing PSK-CHACHA20-POLY1305...NO (sslv3 alert handshake failure)
Testing PSK-AES256-CCM8...NO (sslv3 alert handshake failure)
Testing PSK-AES256-CCM...NO (sslv3 alert handshake failure)
Testing PSK-ARIA256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing RSA-PSK-AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-PSK-AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-PSK-AES128-CCM8...NO (sslv3 alert handshake failure)
Testing DHE-PSK-AES128-CCM...NO (sslv3 alert handshake failure)
Testing RSA-PSK-ARIA128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-PSK-ARIA128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing AES128-GCM-SHA256...YES
Testing AES128-CCM8...NO (sslv3 alert handshake failure)
Testing AES128-CCM...NO (sslv3 alert handshake failure)
Testing ARIA128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing PSK-AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing PSK-AES128-CCM8...NO (sslv3 alert handshake failure)
Testing PSK-AES128-CCM...NO (sslv3 alert handshake failure)
Testing PSK-ARIA128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing AES256-SHA256...YES
Testing CAMELLIA256-SHA256...NO (sslv3 alert handshake failure)
Testing AES128-SHA256...YES
Testing CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-PSK-AES256-CBC-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-PSK-AES256-CBC-SHA...NO (sslv3 alert handshake failure)
Testing SRP-DSS-AES-256-CBC-SHA...NO (sslv3 alert handshake failure)
Testing SRP-RSA-AES-256-CBC-SHA...NO (sslv3 alert handshake failure)
Testing SRP-AES-256-CBC-SHA...NO (sslv3 alert handshake failure)
Testing RSA-PSK-AES256-CBC-SHA384...NO (sslv3 alert handshake failure)
Testing DHE-PSK-AES256-CBC-SHA384...NO (sslv3 alert handshake failure)
Testing RSA-PSK-AES256-CBC-SHA...NO (sslv3 alert handshake failure)
Testing DHE-PSK-AES256-CBC-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-PSK-CAMELLIA256-SHA384...NO (sslv3 alert handshake failure)
Testing RSA-PSK-CAMELLIA256-SHA384...NO (sslv3 alert handshake failure)
Testing DHE-PSK-CAMELLIA256-SHA384...NO (sslv3 alert handshake failure)
Testing AES256-SHA...YES
Testing CAMELLIA256-SHA...NO (sslv3 alert handshake failure)
Testing PSK-AES256-CBC-SHA384...NO (sslv3 alert handshake failure)
Testing PSK-AES256-CBC-SHA...NO (sslv3 alert handshake failure)
Testing PSK-CAMELLIA256-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-PSK-AES128-CBC-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-PSK-AES128-CBC-SHA...NO (sslv3 alert handshake failure)
Testing SRP-DSS-AES-128-CBC-SHA...NO (sslv3 alert handshake failure)
Testing SRP-RSA-AES-128-CBC-SHA...NO (sslv3 alert handshake failure)
Testing SRP-AES-128-CBC-SHA...NO (sslv3 alert handshake failure)
Testing RSA-PSK-AES128-CBC-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-PSK-AES128-CBC-SHA256...NO (sslv3 alert handshake failure)
Testing RSA-PSK-AES128-CBC-SHA...NO (sslv3 alert handshake failure)
Testing DHE-PSK-AES128-CBC-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-PSK-CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing RSA-PSK-CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-PSK-CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing AES128-SHA...YES
Testing SEED-SHA...NO (sslv3 alert handshake failure)
Testing CAMELLIA128-SHA...NO (sslv3 alert handshake failure)
Testing PSK-AES128-CBC-SHA256...NO (sslv3 alert handshake failure)
Testing PSK-AES128-CBC-SHA...NO (sslv3 alert handshake failure)
Testing PSK-CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-NULL-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-NULL-SHA...NO (sslv3 alert handshake failure)
Testing AECDH-NULL-SHA...NO (sslv3 alert handshake failure)
Testing NULL-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-PSK-NULL-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-PSK-NULL-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-PSK-NULL-SHA...NO (sslv3 alert handshake failure)
Testing RSA-PSK-NULL-SHA384...NO (sslv3 alert handshake failure)
Testing RSA-PSK-NULL-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-PSK-NULL-SHA384...NO (sslv3 alert handshake failure)
Testing DHE-PSK-NULL-SHA256...NO (sslv3 alert handshake failure)
Testing RSA-PSK-NULL-SHA...NO (sslv3 alert handshake failure)
Testing DHE-PSK-NULL-SHA...NO (sslv3 alert handshake failure)
Testing NULL-SHA...NO (sslv3 alert handshake failure)
Testing NULL-MD5...NO (sslv3 alert handshake failure)
Testing PSK-NULL-SHA384...NO (sslv3 alert handshake failure)
Testing PSK-NULL-SHA256...NO (sslv3 alert handshake failure)
Testing PSK-NULL-SHA...NO (sslv3 alert handshake failure)
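
For the test-versus-production question that motivated this post, the useful step is to save one run per environment and compare them. The following POSIX sh functions are an added example, not part of the original post or the Stack Overflow script: they separate a server-side rejection from a cipher name the local OpenSSL never sent, then list ciphers accepted by one endpoint only. The function names and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: post-process saved runs of the cipher script.
# classify LOG: print "<class> <cipher>" for every "Testing ..." line.
#   accepted  the handshake completed
#   rejected  the server answered with a TLS alert
#   untested  local OpenSSL refused the name (SSL_CTX_set_cipher_list), so no
#             handshake was sent; TLS 1.3 suites need -ciphersuites, not -cipher
#   other     any other failure, to be read by hand
classify() {
  sed -n 's/^Testing \(.*\)\.\.\.\(.*\)$/\1 \2/p' "$1" | awk '
    { c = $1; $1 = ""; r = substr($0, 2) }
    r == "YES"                    { print "accepted", c; next }
    r ~ /SSL_CTX_set_cipher_list/ { print "untested", c; next }
    r ~ /alert/                   { print "rejected", c; next }
                                  { print "other", c }'
}

# accepted LOG: sorted names of the ciphers the endpoint accepted.
accepted() { classify "$1" | awk '$1 == "accepted" { print $2 }' | sort; }

# compare_envs TEST_LOG PROD_LOG: ciphers accepted by one endpoint only.
compare_envs() {
  t=$(mktemp); p=$(mktemp)
  accepted "$1" > "$t"; accepted "$2" > "$p"
  comm -23 "$t" "$p" | sed 's/^/test-only /'
  comm -13 "$t" "$p" | sed 's/^/prod-only /'
  rm -f "$t" "$p"
}

# Constructed sample logs in the format the script prints.
demo() {
  d=$(mktemp -d)
  cat > "$d/test.log" <<'EOF'
Testing TLS_AES_256_GCM_SHA384...NO (SSL_CTX_set_cipher_list)
Testing ECDHE-RSA-AES256-GCM-SHA384...YES
Testing DHE-RSA-AES256-GCM-SHA384...NO (141A318A)
Testing AES128-SHA...YES
EOF
  cat > "$d/prod.log" <<'EOF'
Testing TLS_AES_256_GCM_SHA384...NO (SSL_CTX_set_cipher_list)
Testing ECDHE-RSA-AES256-GCM-SHA384...YES
Testing DHE-RSA-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing AES128-SHA...NO (sslv3 alert handshake failure)
EOF
  classify "$d/test.log"
  compare_envs "$d/test.log" "$d/prod.log"
  rm -rf "$d"
}
demo
```

A cipher listed as test-only or prod-only is a candidate cause when a client pinned to a narrow cipher list works against one environment and fails against the other.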