testing_tls_ssl_encryption

Differences

This shows you the differences between two versions of the page.

testing_tls_ssl_encryption [2018/03/31 08:47]
Stephane de Labrusse
testing_tls_ssl_encryption [2022/01/06 15:27] (current)
Stephane de Labrusse [ssllabs.com]
Line 1: Line 1:
 +===== Testing TLS/SSL encryption =====
 +====Command-line====
 +Some commands for QA
 +
 +xmpp
 +
 +<file>
 +openssl s_client  -starttls xmpp -xmpphost domain.org -connect sub.domain.org:5222
 +</file>
 +
 +domain.org is the domain of xmpp
 +
 +<file>
 +nmap  --script ssl-enum-ciphers sub.domain.org -p 5223
 +</file>
 +
 +httpd
 +
 +    curl -k -v https://192.168.122.8
 +    curl -k -v https://192.168.122.8 -H 'Host: mynextcloud.domain.com'
 +    curl -k -v https://192.168.122.8 -H 'Host: mattermost.dpnet.nethesis.it'
 +
 +httpd vhost
 +
 +    openssl s_client -servername vm8.dpnet.nethesis.it -connect 192.168.122.8:443
 +
 +httpd-admin
 +
 +     curl -k -v https://192.168.122.8:980
 +
 +slapd
 +
 +    LDAPTLS_REQCERT=never ldapsearch -ZZ -s base -H ldap://192.168.122.8 -D 'cn=ldapservice,dc=directory,dc=nh' -x -w '6lpPIkkPr_DEXzdu'  -b ''
 +
 +dovecot 
 +
 +    curl --ssl -k -v -u first.user:Nethesis,1234 imap://192.168.122.8
 +
 +postfix
 +
 +    curl --ssl -k -v -u first.user:Nethesis,1234 smtp://192.168.122.8:587
 +
 +generate a CSR with server alt names (`-subj`)
 +
 +    openssl req -new -sha256 -key ecc-qa-key.pem -out ecc-qa-csr.csr -subj '/CN=vmalpha.dpnet.nethesis.it, O=Nethesis, ST=Italy/emailAddress=davide.principi@nethesis.it/subjectAltName=vmalpha.dpnet.nethesis.it,mattermost.dpnet.nethesis.it,mynextcloud.domain.com,vm8.dpnet.nethesis.it, OU=Development, C=IT, L=Pesaro'
 +
 +Nmap
 +
 +     nmap  --script ssl-enum-ciphers 192.168.122.8 -p 636
 +
 +The `nmap` command in Fedora 28 has more detailed output than the one in CentOS7.
 +
 +openssl
 +
 +<file>
 +openssl s_client -showcerts -connect 192.168.56.8:636
 +</file>
 +====CryptCheck====
 +https://tls.imirhil.fr/
 +
 +test ssl/tls/ssh
 +
 +====ssllabs.com====
 +
 +https://www.ssllabs.com/ssltest/
 +==== testssl.sh ====
 +
 testssl.sh is a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.  testssl.sh is a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more. 
  
 Read more at https://testssl.sh/ Read more at https://testssl.sh/
-* how to install + 
 +===How to install=== 
 <file> <file>
 yum install git yum install git
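Review bot: The slapd, dovecot and postfix lines under Command-line publish what look like working credentials (`-w '6lpPIkkPr_DEXzdu'` and `-u first.user:Nethesis,1234`); replace them with obvious placeholders such as `-w 'BIND_PASSWORD'` and `-u USER:PASSWORD`, and rotate the originals if they were ever valid on a reachable host, since wiki history keeps them. On the CSR line, `subjectAltName=` is placed inside `-subj`, which only sets subject DN fields and does not request the X.509 subjectAltName extension, and the value mixes `, ` separators into the slash-delimited form, so the text after `CN=` will not be parsed as separate O, ST, OU, C and L fields. Request the alt names through a `req_extensions` section in a file passed with `-config`, and write the subject as `/C=IT/ST=Italy/L=Pesaro/O=Nethesis/OU=Development/CN=vmalpha.dpnet.nethesis.it`. It is also worth one sentence near the top saying that `curl -k` and `LDAPTLS_REQCERT=never` skip certificate verification, so these commands confirm that a handshake succeeds but not that the chain or hostname is valid.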
Line 8: Line 77:
 cd testssl.sh/ cd testssl.sh/
 </file> </file>
 +
 +===Services===
  
 Here how to test services, please refer to the man for complete commands Here how to test services, please refer to the man for complete commands
 +
 +* openldap 
 +
 +<file>
 +         ./testssl.sh 127.0.0.1:636
 +
 +</file>
 +
 +* Samba AD
 +
 +<file>
 +         ./testssl.sh ad.domain.com:636
 +</file>
  
 * https  * https 
  
 +<file>
     ./testssl.sh 127.0.0.1:443     ./testssl.sh 127.0.0.1:443
 +</file>
  
 * httpd-admin  * httpd-admin 
  
 +<file>
     ./testssl.sh 127.0.0.1:980     ./testssl.sh 127.0.0.1:980
 +</file>
  
 * smtp * smtp
  
 +<file>
     ./testssl.sh   -t smtp 127.0.0.1:25     ./testssl.sh   -t smtp 127.0.0.1:25
     ./testssl.sh   -t smtp 127.0.0.1:587     ./testssl.sh   -t smtp 127.0.0.1:587
 +</file>
  
 * imap and pop3 * imap and pop3
  
 +<file>
     ./testssl.sh   -t imap 127.0.0.1:143     ./testssl.sh   -t imap 127.0.0.1:143
     ./testssl.sh   -t pop3 127.0.0.1:110     ./testssl.sh   -t pop3 127.0.0.1:110
 +</file>
          
          
 {{tag>developer dev_tips}} {{tag>developer dev_tips}}
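Review bot: The new openldap and Samba AD entries only probe LDAPS on port 636, while the slapd check added under Command-line in this same revision uses StartTLS (`-ZZ` against `ldap://`), so the StartTLS path is not covered by testssl.sh here; consider adding a `-t ldap` line against port 389 next to them, in the same way smtp, imap and pop3 are tested with `-t`. As a style point, the commands keep their old leading indentation inside the new `<file>` blocks and the openldap block contains an empty line before `</file>`; both will show up verbatim in the rendered box, so strip them.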
  • testing_tls_ssl_encryption.1522486072.txt.gz
  • Last modified: 2018/03/31 08:47
  • by Stephane de Labrusse