SSL Version을 체크하는 여러가지 방법들

by hahwul 3 min read

여러가지 명령을 통해 ssl version 체크하는 방법들 간략하게 메모해둡니다. 개인적으로 주로 testssl.sh를 자주 사용했었는데, 쓰다보니 종종 다른 도구와 크로스 체크가 필요한 일이 있네요. 여러 도구들이 ssl version 관련 옵션은 지원하고 있으니 숙지해두면 종종 사용할 일이 있을듯 합니다 :D

Testssl.sh

testssl.sh의 경우 ssl version 이외에도 지원하는 알고리즘이나 키체인 등 여러가지 체크를 위해 많이 사용되는 도구입니다. 다만 connection에 대해 일부 캐시하는 과정이 있는지 minimum-tls-version을 변경하여도 제대로 식별하진 못했습니다.

git clone https://github.com/drwetter/testssl.sh
cd testssl.sh

./testssl.sh www.hahwul.com | grep "Testing protocols" -A 10

# Testing protocols via sockets except NPN+ALPN

# SSLv2      not offered (OK)
# SSLv3      not offered (OK)
# TLS 1      not offered
# TLS 1.1    not offered
# TLS 1.2    offered (OK)
# TLS 1.3    offered (OK): final
# NPN/SPDY   not offered
# ALPN/HTTP2 h2, http/1.1 (offered)

OpenSSL

brew install openssl

openssl s_client -connect www.hahwul.com:443 -tls1
openssl s_client -connect www.hahwul.com:443 -tls1_1
openssl s_client -connect www.hahwul.com:443 -tls1_2

# 지원하지 않는 경우
# openssl s_client -connect www.hahwul.com:443 -tls1
# ...
# This TLS version forbids renegotiation.

# 지원하는 경우
# ...
# SSL-Session:
#     Protocol  : TLSv1.2
#    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
# ...

Curl

brew install curl

curl https://www.hahwul.com -vv --tlsv1.0 --tls-max 1.0
curl https://www.hahwul.com -vv --tlsv1.1 --tls-max 1.1
curl https://www.hahwul.com -vv --tlsv1.2 --tls-max 1.2

# 지원하지 않는 경우
# *   Trying 185.199.111.153:443...
# * Connected to www.hahwul.com (185.199.111.153) port 443 (#0)
# * CURL_SSLVERSION_MAX incompatible with CURL_SSLVERSION
# * Closing connection 0
# curl: (35) CURL_SSLVERSION_MAX incompatible with CURL_SSLVERSION

# 지원하는 경우
# *   Trying 185.199.108.153:443...
# * Connected to www.hahwul.com (185.199.108.153) port 443 (#0)
# * ALPN: offers h2,http/1.1
# * (304) (OUT), TLS handshake, Client hello (1):
# *  CAfile: /etc/ssl/cert.pem
# *  CApath: none
# * (304) (IN), TLS handshake, Server hello (2):
# * TLSv1.2 (IN), TLS handshake, Certificate (11):
# ...

HTTPie

brew install httpie

http https://www.hahwul.com --ssl tls1
http https://www.hahwul.com --ssl tls1.1
http https://www.hahwul.com --ssl tls1.2

# 지원하지 않는 경우
# http: error: SSLError: HTTPSConnectionPool(host='www.hahwul.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: NO_PROTOCOLS_AVAILABLE] no protocols available (_ssl.c:1002)'))) while doing a GET request to URL: https://www.hahwul.com/

# 지원하는 경우
# HTTP/1.1 200 OK
# Accept-Ranges: bytes
# Access-Control-Allow-Origin: *
# Age: 0
# Cache-Control: max-age=600

Nmap

brew install nmap

nmap --script ssl-enum-ciphers www.hahwul.com -p 443

# 지원하는 버전을 알 수 있음 (예시에선 1.2와 1.3만 지원)
# PORT    STATE SERVICE
# 443/tcp open  https
# | ssl-enum-ciphers:
# |   TLSv1.2:
# |     ciphers:
# |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
# |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
# |       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
# |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
# |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
# |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
# |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
# |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
# |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
# |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
# |     compressors:
# |       NULL
# |     cipher preference: server
# |   TLSv1.3:
# |     ciphers:
# |       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
# |       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
# |       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
# |     cipher preference: client
# |_  least strength: A

Metasploit

use auxiliary/scanner/ssl/ssl_version

Module options (auxiliary/scanner/ssl/ssl_version): show options

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   RHOSTS      www.hahwul.com   yes       The target host(s)
   RPORT       443              yes       The target port (TCP)
   SSLCipher   All              yes       SSL cipher to test (Accepted: All, TLS_AES_256_GCM_SHA384, ...
   SSLVersion  All              yes       SSL version to test (Accepted: All, SSLv3, TLSv1.0, TLSv1.2, TLSv1.3)
   THREADS     1                yes       The number of concurrent threads (max one per host)

Module options (auxiliary/scanner/ssl/ssl_version): run
[+] 185.199.111.153:443   - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-CHACHA20-POLY1305
[+] 185.199.111.153:443   - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256
[+] 185.199.111.153:443   - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-SHA384
[+] 185.199.111.153:443   - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-SHA256
[+] 185.199.111.153:443   - Connected with SSL Version: TLSv1.2, Cipher: AES128-GCM-SHA256
....