标签:11 TLS Certificate suites RSA cipher 2021 256
http://blog.sina.com.cn/s/blog_14971d0000102xnwq.html
┌──(kali㉿kali)-[~]
└─$ sslyze --regular 192.168.0.1
CHECKING HOST(S) AVAILABILITY
-----------------------------
192.168.0.1:443 => 192.168.0.1
SCAN RESULTS FOR 192.168.0.1:443 - 192.168.0.1
----------------------------------------------
* TLS 1.1 Cipher Suites:
Attempted to connect using 80 cipher suites; the server rejected all cipher suites.
* TLS 1.0 Cipher Suites:
Attempted to connect using 80 cipher suites; the server rejected all cipher suites.
* Downgrade Attacks:
TLS_FALLBACK_SCSV: OK - Supported
* SSL 2.0 Cipher Suites:
Attempted to connect using 7 cipher suites; the server rejected all cipher suites.
* Elliptic Curve Key Exchange:
Supported curves: X25519, X448, prime256v1, secp384r1, secp521r1
Rejected curves: prime192v1, secp160k1, secp160r1, secp160r2, secp192k1, secp224k1, secp224r1, secp256k1, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1
* SSL 3.0 Cipher Suites:
Attempted to connect using 80 cipher suites; the server rejected all cipher suites.
* TLS 1.2 Cipher Suites:
Attempted to connect using 156 cipher suites.
The server accepted the following 5 cipher suites:
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 ECDH: X25519 (253 bits)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 256 ECDH: prime256v1 (256 bits)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 256 ECDH: prime256v1 (256 bits)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 128 ECDH: prime256v1 (256 bits)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 128 ECDH: prime256v1 (256 bits)
The group of cipher suites supported by the server has the following properties:
Forward Secrecy OK - Supported
Legacy RC4 Algorithm OK - Not Supported
* OpenSSL Heartbleed:
OK - Not vulnerable to Heartbleed
* TLS 1.2 Session Resumption Support:
With Session IDs: NOT SUPPORTED (0 successful resumptions out of 5 attempts).
With TLS Tickets: OK - Supported.
* Certificates Information:
Hostname sent for SNI: 192.168.0.1
Number of certificates detected: 1
Certificate #0 ( _RSAPublicKey )
SHA1 Fingerprint: a5769d8f36cf57d6616948a15d2e4a5e714d214e
Common Name: TZJS
Issuer: TZJS
Serial Number: 12998667666213029199
Not Before: 2021-10-26
Not After: 2031-10-24
Public Key Algorithm: _RSAPublicKey
Signature Algorithm: sha256
Key Size: 3072
Exponent: 65537
DNS Subject Alternative Names: []
Certificate #0 - Trust
Hostname Validation: FAILED - Certificate does NOT match server hostname
Android CA Store (9.0.0_r9): FAILED - Certificate is NOT Trusted: self signed certificate
Apple CA Store (iOS 14, iPadOS 14, macOS 11, watchOS 7, and tvOS 14):FAILED - Certificate is NOT Trusted: self signed certificate
Java CA Store (jdk-13.0.2): FAILED - Certificate is NOT Trusted: self signed certificate
Mozilla CA Store (2021-01-24): FAILED - Certificate is NOT Trusted: self signed certificate
Windows CA Store (2021-02-08): FAILED - Certificate is NOT Trusted: self signed certificate
Symantec 2018 Deprecation: ERROR - Could not build verified chain (certificate untrusted?)
Received Chain: TZJS
Verified Chain: ERROR - Could not build verified chain (certificate untrusted?)
Received Chain Contains Anchor: ERROR - Could not build verified chain (certificate untrusted?)
Received Chain Order: OK - Order is valid
Verified Chain contains SHA1: ERROR - Could not build verified chain (certificate untrusted?)
Certificate #0 - Extensions
OCSP Must-Staple: NOT SUPPORTED - Extension not found
Certificate Transparency: NOT SUPPORTED - Extension not found
Certificate #0 - OCSP Stapling
NOT SUPPORTED - Server did not send back an OCSP response
* Session Renegotiation:
Client Renegotiation DoS Attack: VULNERABLE - Server honors client-initiated renegotiations
Secure Renegotiation: OK - Supported
* TLS 1.3 Cipher Suites:
Attempted to connect using 5 cipher suites.
The server accepted the following 3 cipher suites:
TLS_CHACHA20_POLY1305_SHA256 256 ECDH: X25519 (253 bits)
TLS_AES_256_GCM_SHA384 256 ECDH: X25519 (253 bits)
TLS_AES_128_GCM_SHA256 128 ECDH: X25519 (253 bits)
* OpenSSL CCS Injection:
OK - Not vulnerable to OpenSSL CCS injection
* ROBOT Attack:
OK - Not vulnerable, RSA cipher suites not supported.
* Deflate Compression:
OK - Compression disabled
SCAN COMPLETED IN 6.22 S
------------------------
┌──(kali㉿kali)-[~]
└─$
┌──(kali㉿kali)-[~]
└─$ nmap -sV --script ssl-enum-ciphers -p 443 192.168.0.1
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-11 00:58 EST
Nmap scan report for tz.lan (192.168.0.1)
Host is up (0.011s latency).
PORT STATE SERVICE VERSION
443/tcp open ssl/http mini_httpd 1.30 26Oct2018
|_http-server-header: mini_httpd/1.30 26Oct2018
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| compressors:
| NULL
| cipher preference: client
|_ least strength: A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.12 seconds
┌──(kali㉿kali)-[~]
└─$
标签:11,TLS,Certificate,suites,RSA,cipher,2021,256 来源: https://blog.csdn.net/weixin_42191545/article/details/121262035
本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享; 2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关; 3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关; 4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除; 5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。