Some of you are familiar with SSLLabs.com.
Of those who have used it, some of you have probably run into at least one of these limitations:
It doesn't work for sites on your intranet. It doesn't work for sites with no DNS. It doesn't work with SNI sites (sites with more than one site on a server under different DNS names). It doesn't work for any port other than 443, and it has to be a web server, not a mail server, so there is no way to test that TLS is working on your SMTP server and which ciphers it uses. But Nmap can do that, if you can remember what command-line options to feed it.
I put these 3 lines in a file called testTLSCiphers.ps1 to make it easier for me to remember, and you might want to do that too.
$ServerName = Read-Host -Prompt 'Input your server name'
$Port = Read-Host -Prompt 'Input your server TCP port number (443 is most common)'
nmap --script ssl-enum-ciphers -p $Port $ServerName
The output looks something like this:
PS C:\Users\rod> C:\scripts\Powershell scripts\testTLSCiphers.ps1
Input your server name: internalsite.local
Input your server TCP port number (443 is most common): 443
Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2016-06-01 15:29 Eastern Daylight Time
Nmap scan report for internalsite.local (192.168.1.6)
Host is up (0.0010s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 256) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 256) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 256) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 256) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (dh 256) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (dh 256) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (dh 256) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 256) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (dh 256) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 256) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
Nmap done: 1 IP address (1 host up) scanned in 3.38 seconds
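A long listing like this is easier to audit once it is parsed. The following is an added example, not part of the original script: a hypothetical helper, ConvertFrom-SslEnumCiphers, turns the ssl-enum-ciphers text into objects and reports protocols older than TLSv1.2 and any cipher graded below A. The sample input is constructed, and the reporting policy is an assumption of this example.

```powershell
# Added example: parse ssl-enum-ciphers text output into objects.
# ConvertFrom-SslEnumCiphers is a hypothetical helper name, not an Nmap or PowerShell built-in.
function ConvertFrom-SslEnumCiphers {
    param([string[]]$Lines)   # not Mandatory, so blank lines in Nmap's output are accepted
    $protocol = $null
    foreach ($line in $Lines) {
        if ($line -match '^\|[\s_]*((?:SSLv|TLSv)[\d.]+):\s*$') {
            # Protocol header such as "|   TLSv1.2:"
            $protocol = $Matches[1]
        }
        elseif ($protocol -and $line -match '^\|\s*(\w+)\s+(?:\(([^)]*)\)\s+)?-\s+([A-F])\s*$') {
            # Cipher line such as "| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A"
            [pscustomobject]@{
                Protocol    = $protocol
                Cipher      = $Matches[1]
                KeyExchange = $Matches[2]   # empty when Nmap prints no key-exchange detail
                Grade       = $Matches[3]
            }
        }
    }
}

# Constructed sample in the format shown above (not a real scan).
$sample = @'
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (dh 256) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|     cipher preference: server
|_  least strength: C
'@ -split "`r?`n"

# Policy assumed for this example: report anything below TLSv1.2 or graded below A.
$legacy = 'SSLv2', 'SSLv3', 'TLSv1.0', 'TLSv1.1'
ConvertFrom-SslEnumCiphers -Lines $sample |
    Where-Object { $_.Protocol -in $legacy -or $_.Grade -ne 'A' } |
    Format-Table -AutoSize

# Against a live server, feed the scan straight in:
# ConvertFrom-SslEnumCiphers -Lines (nmap --script ssl-enum-ciphers -p $Port $ServerName)
```

With the constructed sample, the table lists the TLSv1.0 AES cipher (legacy protocol) and the TLSv1.2 RC4 cipher (grade C), and omits the TLSv1.2 GCM cipher.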