Testing TLS/SSL encryption
Command-line
Some commands for QA
xmpp
openssl s_client -starttls xmpp -xmpphost domain.org -connect sub.domain.org:5222
domain.org is the XMPP domain (the value passed to `-xmpphost`); sub.domain.org is the host to connect to.
nmap --script ssl-enum-ciphers sub.domain.org -p 5223
httpd
curl -k -v https://192.168.122.8
curl -k -v https://192.168.122.8 -H 'Host: mynextcloud.domain.com'
curl -k -v https://192.168.122.8 -H 'Host: mattermost.dpnet.nethesis.it'
httpd vhost
openssl s_client -servername vm8.dpnet.nethesis.it -connect 192.168.122.8:443
httpd-admin
curl -k -v https://192.168.122.8:980
slapd
LDAPTLS_REQCERT=never ldapsearch -ZZ -s base -H ldap://192.168.122.8 -D 'cn=ldapservice,dc=directory,dc=nh' -x -w '6lpPIkkPr_DEXzdu' -b ''
dovecot
openssl s_client -starttls imap -connect 127.0.0.1:143
curl --ssl -k -v -u first.user:Nethesis,1234 imap://192.168.122.8
sieve
openssl s_client -starttls sieve -connect 127.0.0.1:4190
postfix
openssl s_client -starttls smtp -connect 127.0.0.1:587
curl --ssl -k -v -u first.user:Nethesis,1234 smtp://192.168.122.8:587
generate a CSR with server alt names (`-subj`)
openssl req -new -sha256 -key ecc-qa-key.pem -out ecc-qa-csr.csr -subj '/CN=vmalpha.dpnet.nethesis.it, O=Nethesis, ST=Italy/emailAddress=davide.principi@nethesis.it/subjectAltName=vmalpha.dpnet.nethesis.it,mattermost.dpnet.nethesis.it,mynextcloud.domain.com,vm8.dpnet.nethesis.it, OU=Development, C=IT, L=Pesaro'
Nmap
nmap --script ssl-enum-ciphers 192.168.122.8 -p 636
The `nmap` command in Fedora 28 has more detailed output than the one in CentOS7.
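As an added example (not part of the original page or of Nmap), the shell function below turns `ssl-enum-ciphers` output into a pass/fail QA check. The sample scan is constructed, and the function names and the policy (TLSv1.1 and older are legacy; any rating other than `A`, or the word `strong` that older Nmap releases are assumed to print, is weak) are assumptions.

```shell
#!/bin/sh
# Added example: pass/fail check over `nmap --script ssl-enum-ciphers` output.
# Assumed policy: SSLv* and TLSv1.0/1.1 are legacy; a cipher rating other than
# "A" (or "strong", assumed for older Nmap releases) counts as weak.
# audit_ciphers reads Nmap output on stdin, prints "protocol cipher rating reason"
# for each finding, and returns 1 when at least one finding exists.
audit_ciphers() {
    awk '
        { sub(/\r$/, ""); sub(/^\|_? */, ""); sub(/ +$/, "") }   # drop tree prefix
        /^(SSLv|TLSv)[0-9.]+:$/ { proto = $0; sub(/:$/, "", proto); in_list = 0; next }
        $0 == "ciphers:"        { in_list = 1; next }
        /:/                     { in_list = 0; next }   # compressors, preference, ...
        in_list && NF >= 3 && $(NF - 1) == "-" {
            legacy = (proto ~ /^(SSLv[0-9]+|TLSv1\.[01])$/)
            weak   = ($NF != "A" && $NF != "strong")
            if (legacy || weak) {
                why = legacy ? "legacy-protocol" : ""
                if (weak) why = why (why == "" ? "" : ",") "weak-rating"
                print proto, $1, $NF, why
                bad++
            }
        }
        END { exit (bad > 0) }
    '
}

# Constructed sample scan (not captured from a real host).
sample_scan() {
    cat <<'EOF'
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|_  least strength: C
EOF
}

sample_scan | audit_ciphers || echo "FAIL: legacy protocol or weak cipher offered"
```

Against a live service, pipe the scan in directly, for example `nmap --script ssl-enum-ciphers 192.168.122.8 -p 636 | audit_ciphers`.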
openssl
openssl s_client -showcerts -connect 192.168.56.8:636
CryptCheck
test ssl/tls/ssh
ssllabs.com
testssl.sh
testssl.sh is a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.
Read more at https://testssl.sh/
How to install
yum install git
git clone --depth 1 https://github.com/drwetter/testssl.sh.git
cd testssl.sh/
Services
Here is how to test the services; refer to the man page for the complete list of options.
* openldap
./testssl.sh 127.0.0.1:636
* Samba AD
./testssl.sh ad.domain.com:636
* https
./testssl.sh 127.0.0.1:443
* httpd-admin
./testssl.sh 127.0.0.1:980
* smtp
./testssl.sh -t smtp 127.0.0.1:25
./testssl.sh -t smtp 127.0.0.1:587
* imap and pop3
./testssl.sh -t imap 127.0.0.1:143
./testssl.sh -t pop3 127.0.0.1:110