Shammer's Philosophy

My private adversaria

I want to know which ciphers the destination server supports--curl_20141108

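The latest version of curl, 7.39.0, seems to have been released the other day. I tried the script from "I want to know which ciphers the destination server supports--curl_20141029 - Shammerism" with it, and there seem to be no problems. But... I feel somewhat uneasy. Is there really nothing missing? For now, here is an example of the execution results.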

~:# ./check-remote-ciphers.sh 10.255.160.27 /
ECDHE-ECDSA-AES256-GCM-SHA384 is not supported on this server.
ECDHE-ECDSA-AES256-SHA384 is not supported on this server.
ECDHE-ECDSA-AES256-SHA is not supported on this server.
SRP-DSS-AES-256-CBC-SHA is not supported on this server.
SRP-RSA-AES-256-CBC-SHA is not supported on this server.
SRP-AES-256-CBC-SHA is not supported on this server.
DHE-DSS-AES256-GCM-SHA384 is not supported on this server.
DHE-RSA-AES256-GCM-SHA384 is not supported on this server.
DHE-RSA-AES256-SHA256 is not supported on this server.
DHE-DSS-AES256-SHA256 is not supported on this server.
DHE-RSA-AES256-SHA is not supported on this server.
DHE-DSS-AES256-SHA is not supported on this server.
DHE-RSA-CAMELLIA256-SHA is not supported on this server.
DHE-DSS-CAMELLIA256-SHA is not supported on this server.
ECDH-RSA-AES256-GCM-SHA384 is not supported on this server.
ECDH-ECDSA-AES256-GCM-SHA384 is not supported on this server.
ECDH-RSA-AES256-SHA384 is not supported on this server.
ECDH-ECDSA-AES256-SHA384 is not supported on this server.
ECDH-RSA-AES256-SHA is not supported on this server.
ECDH-ECDSA-AES256-SHA is not supported on this server.
CAMELLIA256-SHA is not supported on this server.
PSK-AES256-CBC-SHA is not supported on this server.
ECDHE-RSA-DES-CBC3-SHA is not supported on this server.
ECDHE-ECDSA-DES-CBC3-SHA is not supported on this server.
SRP-DSS-3DES-EDE-CBC-SHA is not supported on this server.
SRP-RSA-3DES-EDE-CBC-SHA is not supported on this server.
SRP-3DES-EDE-CBC-SHA is not supported on this server.
EDH-RSA-DES-CBC3-SHA is not supported on this server.
EDH-DSS-DES-CBC3-SHA is not supported on this server.
ECDH-RSA-DES-CBC3-SHA is not supported on this server.
ECDH-ECDSA-DES-CBC3-SHA is not supported on this server.
PSK-3DES-EDE-CBC-SHA is not supported on this server.
ECDHE-ECDSA-AES128-GCM-SHA256 is not supported on this server.
ECDHE-ECDSA-AES128-SHA256 is not supported on this server.
ECDHE-ECDSA-AES128-SHA is not supported on this server.
SRP-DSS-AES-128-CBC-SHA is not supported on this server.
SRP-RSA-AES-128-CBC-SHA is not supported on this server.
SRP-AES-128-CBC-SHA is not supported on this server.
DHE-DSS-AES128-GCM-SHA256 is not supported on this server.
DHE-RSA-AES128-GCM-SHA256 is not supported on this server.
DHE-RSA-AES128-SHA256 is not supported on this server.
DHE-DSS-AES128-SHA256 is not supported on this server.
DHE-RSA-AES128-SHA is not supported on this server.
DHE-DSS-AES128-SHA is not supported on this server.
DHE-RSA-SEED-SHA is not supported on this server.
DHE-DSS-SEED-SHA is not supported on this server.
DHE-RSA-CAMELLIA128-SHA is not supported on this server.
DHE-DSS-CAMELLIA128-SHA is not supported on this server.
ECDH-RSA-AES128-GCM-SHA256 is not supported on this server.
ECDH-ECDSA-AES128-GCM-SHA256 is not supported on this server.
ECDH-RSA-AES128-SHA256 is not supported on this server.
ECDH-ECDSA-AES128-SHA256 is not supported on this server.
ECDH-RSA-AES128-SHA is not supported on this server.
ECDH-ECDSA-AES128-SHA is not supported on this server.
SEED-SHA is not supported on this server.
CAMELLIA128-SHA is not supported on this server.
PSK-AES128-CBC-SHA is not supported on this server.
ECDHE-RSA-RC4-SHA is not supported on this server.
ECDHE-ECDSA-RC4-SHA is not supported on this server.
ECDH-RSA-RC4-SHA is not supported on this server.
ECDH-ECDSA-RC4-SHA is not supported on this server.
RC4-SHA is not supported on this server.
RC4-MD5 is not supported on this server.
PSK-RC4-SHA is not supported on this server.
EDH-RSA-DES-CBC-SHA is not supported on this server.
EDH-DSS-DES-CBC-SHA is not supported on this server.
DES-CBC-SHA is not supported on this server.
~:# 
~:# 
~:# 
~:# cat supported-ciphers.txt 
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
DES-CBC3-SHA
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
~:# 
~:# 
~:# 
~:# 
~:# openssl ciphers -v | wc
     80     480    6053
~:# 

Hmm... it might be better to make it possible to tell how many ciphers were checked. The latest version is below.

#!/bin/bash
# Try every cipher the local OpenSSL knows against the server, numbering each result.
OK_COUNT=1
NG_COUNT=1
SUPPORTED_CIPHERS="supported-ciphers.txt"
if [ $# -ne 2 ]; then
    echo "Usage $0 DestServer URI"
    exit 1
fi

# Start from an empty result file.
rm -f "$SUPPORTED_CIPHERS"
# Candidate ciphers: first column of the local OpenSSL cipher list.
ciphers=$(openssl ciphers -v | awk '{print $1}')
for i in $ciphers
do
    # Offer only this one cipher; the response body is saved to res.html.
    curl -L --silent --insecure --ciphers "$i" "https://$1$2" > res.html
    RRR=$(wc -l < res.html)
    # A response with 0 lines is treated as "this cipher is not supported".
    if [ "$RRR" -eq 0 ]; then
        echo "$NG_COUNT:$i is not supported on this server."
        NG_COUNT=$((NG_COUNT + 1))
    else
        echo "$OK_COUNT:$i" >> "$SUPPORTED_CIPHERS"
        OK_COUNT=$((OK_COUNT + 1))
    fi
done

The execution results are below.

~:# ./check-remote-ciphers.sh 10.255.160.27 /
1:ECDHE-ECDSA-AES256-GCM-SHA384 is not supported on this server.
2:ECDHE-ECDSA-AES256-SHA384 is not supported on this server.
3:ECDHE-ECDSA-AES256-SHA is not supported on this server.
4:SRP-DSS-AES-256-CBC-SHA is not supported on this server.
5:SRP-RSA-AES-256-CBC-SHA is not supported on this server.
6:SRP-AES-256-CBC-SHA is not supported on this server.
7:DHE-DSS-AES256-GCM-SHA384 is not supported on this server.
8:DHE-RSA-AES256-GCM-SHA384 is not supported on this server.
9:DHE-RSA-AES256-SHA256 is not supported on this server.
10:DHE-DSS-AES256-SHA256 is not supported on this server.
11:DHE-RSA-AES256-SHA is not supported on this server.
12:DHE-DSS-AES256-SHA is not supported on this server.
13:DHE-RSA-CAMELLIA256-SHA is not supported on this server.
14:DHE-DSS-CAMELLIA256-SHA is not supported on this server.
15:ECDH-RSA-AES256-GCM-SHA384 is not supported on this server.
16:ECDH-ECDSA-AES256-GCM-SHA384 is not supported on this server.
17:ECDH-RSA-AES256-SHA384 is not supported on this server.
18:ECDH-ECDSA-AES256-SHA384 is not supported on this server.
19:ECDH-RSA-AES256-SHA is not supported on this server.
20:ECDH-ECDSA-AES256-SHA is not supported on this server.
21:CAMELLIA256-SHA is not supported on this server.
22:PSK-AES256-CBC-SHA is not supported on this server.
23:ECDHE-RSA-DES-CBC3-SHA is not supported on this server.
24:ECDHE-ECDSA-DES-CBC3-SHA is not supported on this server.
25:SRP-DSS-3DES-EDE-CBC-SHA is not supported on this server.
26:SRP-RSA-3DES-EDE-CBC-SHA is not supported on this server.
27:SRP-3DES-EDE-CBC-SHA is not supported on this server.
28:EDH-RSA-DES-CBC3-SHA is not supported on this server.
29:EDH-DSS-DES-CBC3-SHA is not supported on this server.
30:ECDH-RSA-DES-CBC3-SHA is not supported on this server.
31:ECDH-ECDSA-DES-CBC3-SHA is not supported on this server.
32:PSK-3DES-EDE-CBC-SHA is not supported on this server.
33:ECDHE-ECDSA-AES128-GCM-SHA256 is not supported on this server.
34:ECDHE-ECDSA-AES128-SHA256 is not supported on this server.
35:ECDHE-ECDSA-AES128-SHA is not supported on this server.
36:SRP-DSS-AES-128-CBC-SHA is not supported on this server.
37:SRP-RSA-AES-128-CBC-SHA is not supported on this server.
38:SRP-AES-128-CBC-SHA is not supported on this server.
39:DHE-DSS-AES128-GCM-SHA256 is not supported on this server.
40:DHE-RSA-AES128-GCM-SHA256 is not supported on this server.
41:DHE-RSA-AES128-SHA256 is not supported on this server.
42:DHE-DSS-AES128-SHA256 is not supported on this server.
43:DHE-RSA-AES128-SHA is not supported on this server.
44:DHE-DSS-AES128-SHA is not supported on this server.
45:DHE-RSA-SEED-SHA is not supported on this server.
46:DHE-DSS-SEED-SHA is not supported on this server.
47:DHE-RSA-CAMELLIA128-SHA is not supported on this server.
48:DHE-DSS-CAMELLIA128-SHA is not supported on this server.
49:ECDH-RSA-AES128-GCM-SHA256 is not supported on this server.
50:ECDH-ECDSA-AES128-GCM-SHA256 is not supported on this server.
51:ECDH-RSA-AES128-SHA256 is not supported on this server.
52:ECDH-ECDSA-AES128-SHA256 is not supported on this server.
53:ECDH-RSA-AES128-SHA is not supported on this server.
54:ECDH-ECDSA-AES128-SHA is not supported on this server.
55:SEED-SHA is not supported on this server.
56:CAMELLIA128-SHA is not supported on this server.
57:PSK-AES128-CBC-SHA is not supported on this server.
58:ECDHE-RSA-RC4-SHA is not supported on this server.
59:ECDHE-ECDSA-RC4-SHA is not supported on this server.
60:ECDH-RSA-RC4-SHA is not supported on this server.
61:ECDH-ECDSA-RC4-SHA is not supported on this server.
62:RC4-SHA is not supported on this server.
63:RC4-MD5 is not supported on this server.
64:PSK-RC4-SHA is not supported on this server.
65:EDH-RSA-DES-CBC-SHA is not supported on this server.
66:EDH-DSS-DES-CBC-SHA is not supported on this server.
67:DES-CBC-SHA is not supported on this server.
~:# 
~:# 
~:# 
~:# cat supported-ciphers.txt 
1:ECDHE-RSA-AES256-GCM-SHA384
2:ECDHE-RSA-AES256-SHA384
3:ECDHE-RSA-AES256-SHA
4:AES256-GCM-SHA384
5:AES256-SHA256
6:AES256-SHA
7:DES-CBC3-SHA
8:ECDHE-RSA-AES128-GCM-SHA256
9:ECDHE-RSA-AES128-SHA256
10:ECDHE-RSA-AES128-SHA
11:AES128-GCM-SHA256
12:AES128-SHA256
13:AES128-SHA
~:#
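
One way to answer the question of whether any cipher was missed is to compare the two result lists against the candidate list name by name (in the run above the counters end at 67 and 13, which adds up to the 80 lines `openssl ciphers -v | wc` reported). The following is an added example, not part of the original post; the function names, the file names `candidates.txt` and `ng.log` (standing for the script's saved standard output), and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm every candidate cipher landed in exactly one result list.

# Strip the "N:" counter and the "is not supported" suffix, leaving bare names.
cipher_names() {
    sed -e 's/^[0-9]*://' \
        -e 's/ is not supported on this server\.$//' \
        -e '/^[[:space:]]*$/d' "$@"
}

count_lines() { awk 'END { print NR }' "$1"; }

# reconcile CANDIDATES NG_LOG OK_FILE
# Prints a summary line plus any untested names; exit status 0 only if coverage is exact.
reconcile() (
    tmp=$(mktemp -d) || exit 2
    sort -u "$1" > "$tmp/want"
    cipher_names "$2" "$3" | sort > "$tmp/got"
    sort -u "$tmp/got" > "$tmp/got_u"
    comm -23 "$tmp/want" "$tmp/got_u" > "$tmp/missing"  # candidate never classified
    comm -13 "$tmp/want" "$tmp/got_u" > "$tmp/unknown"  # result not in candidate list
    uniq -d "$tmp/got" > "$tmp/dup"                     # classified more than once
    echo "candidates=$(count_lines "$tmp/want")" \
         "missing=$(count_lines "$tmp/missing")" \
         "unknown=$(count_lines "$tmp/unknown")" \
         "duplicated=$(count_lines "$tmp/dup")"
    sed 's/^/untested: /' "$tmp/missing"
    rc=0
    if [ -s "$tmp/missing" ] || [ -s "$tmp/unknown" ] || [ -s "$tmp/dup" ]; then
        rc=1
    fi
    rm -rf "$tmp"
    exit "$rc"
)

# Constructed sample data (not real scan output): four candidates, of which
# PSK-RC4-SHA appears in neither result file.
demo() (
    d=$(mktemp -d) || exit 2
    printf '%s\n' AES256-SHA AES128-SHA RC4-MD5 PSK-RC4-SHA > "$d/candidates.txt"
    printf '%s\n' '1:RC4-MD5 is not supported on this server.' > "$d/ng.log"
    printf '%s\n' '1:AES256-SHA' '2:AES128-SHA' > "$d/supported-ciphers.txt"
    rc=0
    reconcile "$d/candidates.txt" "$d/ng.log" "$d/supported-ciphers.txt" || rc=$?
    rm -rf "$d"
    exit "$rc"
)

demo || echo "coverage check failed"
```

Against a real run, the candidate file would come from `openssl ciphers -v | awk '{print $1}'` and the second argument from the script's redirected output.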