{"id":13492031,"url":"https://github.com/mozilla/cipherscan","last_synced_at":"2025-05-15T06:05:53.234Z","repository":{"id":9571408,"uuid":"11484496","full_name":"mozilla/cipherscan","owner":"mozilla","description":"A very simple way to find out which SSL ciphersuites are supported by a target.","archived":false,"fork":false,"pushed_at":"2024-07-08T16:27:42.000Z","size":35375,"stargazers_count":1976,"open_issues_count":35,"forks_count":263,"subscribers_count":102,"default_branch":"master","last_synced_at":"2025-05-08T05:25:57.697Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":"v2ray/v2ray-core","license":"mpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mozilla.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2013-07-17T18:50:06.000Z","updated_at":"2025-05-04T04:20:41.000Z","dependencies_parsed_at":"2024-07-25T12:36:48.343Z","dependency_job_id":null,"html_url":"https://github.com/mozilla/cipherscan","commit_stats":{"total_commits":331,"total_committers":32,"mean_commits":10.34375,"dds":0.6888217522658611,"last_synced_commit":"5866911b6207fb29491b6a625f62cea441961e5d"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mozilla%2Fcipherscan","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mozilla%2Fcipherscan/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mozilla%2Fcipherscan/releases","manifests_url":"https://repos.ecosyste.ms/api/v1
/hosts/GitHub/repositories/mozilla%2Fcipherscan/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mozilla","download_url":"https://codeload.github.com/mozilla/cipherscan/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253764372,"owners_count":21960570,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T19:01:02.503Z","updated_at":"2025-05-15T06:05:48.224Z","avatar_url":"https://github.com/mozilla.png","language":"Python","readme":"CipherScan\n==========\n\n[![Build Status](https://travis-ci.org/mozilla/cipherscan.svg?branch=master)](https://travis-ci.org/mozilla/cipherscan)\n\n![cipherscan](https://pbs.twimg.com/media/CPbjvCFW8AAnUK3.png:large)\n\nCipherscan tests the ordering of the SSL/TLS ciphers on a given target, for all major versions of SSL and TLS. It also extracts some certificate information, TLS options, OCSP stapling and more. Cipherscan is a wrapper around the `openssl s_client` command line.\n\nCipherscan is meant to run on all flavors of Unix. It ships with its own build of OpenSSL for Linux/64 and Darwin/64. 
On other platforms, it will use the OpenSSL version provided by the operating system (which may have limited cipher support), or your own version provided with the `-o` command line flag.\n\nExamples\n--------\n\nBasic test:\n```bash\n$ ./cipherscan google.com\n...................\nTarget: google.com:443\n\nprio  ciphersuite                  protocols                    pfs                 curves\n1     ECDHE-RSA-CHACHA20-POLY1305  TLSv1.2                      ECDH,P-256,256bits  prime256v1\n2     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                      ECDH,P-256,256bits  prime256v1\n3     ECDHE-RSA-AES128-SHA         TLSv1.1,TLSv1.2              ECDH,P-256,256bits  prime256v1\n4     ECDHE-RSA-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1\n5     AES128-GCM-SHA256            TLSv1.2                      None                None\n6     AES128-SHA256                TLSv1.2                      None                None\n7     AES128-SHA                   TLSv1.1,TLSv1.2              None                None\n8     RC4-SHA                      SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                None\n9     RC4-MD5                      SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                None\n10    ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                      ECDH,P-256,256bits  prime256v1\n11    ECDHE-RSA-AES256-SHA384      TLSv1.2                      ECDH,P-256,256bits  prime256v1\n12    ECDHE-RSA-AES256-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1\n13    AES256-GCM-SHA384            TLSv1.2                      None                None\n14    AES256-SHA256                TLSv1.2                      None                None\n15    AES256-SHA                   SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                None\n16    ECDHE-RSA-AES128-SHA256      TLSv1.2                      ECDH,P-256,256bits  prime256v1\n17    ECDHE-RSA-DES-CBC3-SHA       SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1\n18    
DES-CBC3-SHA                 SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                None\n\nCertificate: trusted, 2048 bit, sha1WithRSAEncryption signature\nTLS ticket lifetime hint: 100800\nOCSP stapling: not supported\nCipher ordering: server\n```\n\nTesting STARTTLS:\n```\ndarwin$ $ ./cipherscan --curves -starttls xmpp jabber.ccc.de:5222\n................................\nTarget: jabber.ccc.de:5222\n\nprio  ciphersuite                  protocols              pfs                 curves\n1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits  prime256v1\n2     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits  prime256v1\n3     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1\n4     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                DH,1024bits         None\n5     DHE-RSA-AES256-SHA256        TLSv1.2                DH,1024bits         None\n6     DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,1024bits         None\n7     DHE-RSA-CAMELLIA256-SHA      TLSv1,TLSv1.1,TLSv1.2  DH,1024bits         None\n8     AES256-GCM-SHA384            TLSv1.2                None                None\n9     AES256-SHA256                TLSv1.2                None                None\n10    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None\n11    CAMELLIA256-SHA              TLSv1,TLSv1.1,TLSv1.2  None                None\n12    ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits  prime256v1\n13    ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits  prime256v1\n14    ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1\n15    DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,1024bits         None\n16    DHE-RSA-AES128-SHA256        TLSv1.2                DH,1024bits         None\n17    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,1024bits         None\n18    DHE-RSA-SEED-SHA             
TLSv1,TLSv1.1,TLSv1.2  DH,1024bits         None\n19    DHE-RSA-CAMELLIA128-SHA      TLSv1,TLSv1.1,TLSv1.2  DH,1024bits         None\n20    AES128-GCM-SHA256            TLSv1.2                None                None\n21    AES128-SHA256                TLSv1.2                None                None\n22    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None\n23    SEED-SHA                     TLSv1,TLSv1.1,TLSv1.2  None                None\n24    CAMELLIA128-SHA              TLSv1,TLSv1.1,TLSv1.2  None                None\n\nCertificate: UNTRUSTED, 2048 bit, sha1WithRSAEncryption signature\nTLS ticket lifetime hint: None\nOCSP stapling: not supported\nCipher ordering: client\nCurves ordering: server\nCurves fallback: False\n```\n\nExporting to JSON with the `-j` command line option:\n```javascript\n$ ./cipherscan --curves -j www.ebay.com | j\n{\n    \"curves_fallback\": \"False\",\n    \"serverside\": \"True\",\n    \"target\": \"www.ebay.com:443\",\n    \"utctimestamp\": \"2015-04-03T14:54:31.0Z\",\n    \"ciphersuite\": [\n        {\n            \"cipher\": \"AES256-SHA\",\n            \"ocsp_stapling\": \"False\",\n            \"pfs\": \"None\",\n            \"protocols\": [\n                \"TLSv1\",\n                \"TLSv1.1\",\n                \"TLSv1.2\"\n            ],\n            \"pubkey\": [\n                \"2048\"\n            ],\n            \"sigalg\": [\n                \"sha1WithRSAEncryption\"\n            ],\n            \"ticket_hint\": \"None\",\n            \"trusted\": \"True\"\n        },\n        {\n            \"cipher\": \"ECDHE-RSA-DES-CBC3-SHA\",\n            \"curves\": [\n                \"prime256v1\",\n                \"secp384r1\",\n                \"secp224r1\",\n                \"secp521r1\"\n            ],\n            \"curves_ordering\": \"server\",\n            \"ocsp_stapling\": \"False\",\n            \"pfs\": \"ECDH,P-256,256bits\",\n            \"protocols\": [\n                \"TLSv1\",\n      
          \"TLSv1.1\",\n                \"TLSv1.2\"\n            ],\n            \"pubkey\": [\n                \"2048\"\n            ],\n            \"sigalg\": [\n                \"sha1WithRSAEncryption\"\n            ],\n            \"ticket_hint\": \"None\",\n            \"trusted\": \"True\"\n        }\n    ]\n}\n```\n\nAnalyzing configurations\n------------------------\nThe motivation behind cipherscan is to help operators configure good TLS on their\nendpoints. To support this further, the script `analyze.py` compares the results of\na cipherscan with the TLS guidelines from https://wiki.mozilla.org/Security/Server_Side_TLS\nand outputs a level and recommendations.\n\n```bash\n$ ./analyze.py -t jve.linuxwall.info\njve.linuxwall.info:443 has intermediate tls\n\nChanges needed to match the old level:\n* consider enabling SSLv3\n* add cipher DES-CBC3-SHA\n* use a certificate with sha1WithRSAEncryption signature\n* consider enabling OCSP Stapling\n\nChanges needed to match the intermediate level:\n* consider enabling OCSP Stapling\n\nChanges needed to match the modern level:\n* remove cipher AES128-GCM-SHA256\n* remove cipher AES256-GCM-SHA384\n* remove cipher AES128-SHA256\n* remove cipher AES128-SHA\n* remove cipher AES256-SHA256\n* remove cipher AES256-SHA\n* disable TLSv1\n* consider enabling OCSP Stapling\n```\n\nIn the output above, `analyze.py` indicates that the target `jve.linuxwall.info`\nmatches the intermediate configuration level. If the administrator of this site\nwants to reach the modern level, the items that failed under the modern tests\nshould be corrected.\n\n`analyze.py` does not make any assumption about what a good level should be. Site\noperators should know what level they want to match against, based on the\ncompatibility level they want to support. Again, refer to\nhttps://wiki.mozilla.org/Security/Server_Side_TLS for more information.\n\nNote on Nagios mode:\n`analyze.py` can be run as a Nagios check with `--nagios`. 
The exit code will\nthen represent the state of the configuration:\n* 2 (critical) for bad TLS\n* 1 (warning) if it doesn't match the desired level\n* 0 (ok) if it matches.\n\nCipherscan can take more than 10 seconds to complete. To alleviate any timeout\nissues, you may want to run it outside of Nagios, passing data through a\ntemporary file.\n\nOpenSSL\n-------\n\nCipherscan uses a custom release of OpenSSL for 64-bit Linux and 64-bit\nDarwin. OpenSSL is built from a custom branch maintained by Peter Mosmans that\nincludes a number of patches not merged upstream. It can be found here:\nhttps://github.com/PeterMosmans/openssl\n\nYou can build it yourself using the following commands:\n```\ngit clone https://github.com/PeterMosmans/openssl.git --depth 1 -b 1.0.2-chacha\ncd openssl\n./Configure zlib no-shared experimental-jpake enable-md2 enable-rc5 \\\nenable-rfc3779 enable-gost enable-static-engine linux-x86_64\nmake depend\nmake\nmake report\n```\n\nThe statically linked binary will be `apps/openssl`.\n\nContributors\n------------\n\n* Julien Vehent \u003cjulien@linuxwall.info\u003e (original author)\n* Hubert Kario \u003chkario@redhat.com\u003e (co-maintainer)\n* Pepi Zawodsky \u003cgit@maclemon.at\u003e\n* Michael Zeltner \u003cm@niij.org\u003e\n* Peter Mosmans \u003csupport@go-forward.net\u003e\n* Vincent Riquer \u003cv.riquer@b2f-concept.com\u003e\n* Christian Stadelmann\n* Simon Deziel \u003csimon.deziel@gmail.com\u003e\n* Aaron Zauner \u003cazet@azet.org\u003e\n* Mike \u003cmikedawg@gmail.com\u003e\n* Phil Cohen \u003cphlipper@users.noreply.github.com\u003e\n* Samuel Kleiner \u003csam@firstbanco.com\u003e\n* Richard Soderberg \u003chttps://twitter.com/floatingatoll\u003e\n* Adam Crosby \u003cadamcrosby@users.noreply.github.com\u003e\n","funding_links":[],"categories":["Python","\u003ca id=\"a76463feb91d09b3d024fae798b92be6\"\u003e\u003c/a\u003e侦察\u0026\u0026信息收集\u0026\u0026子域名发现与枚举\u0026\u0026OSINT","Python (1887)","\u003ca 
id=\"170048b7d8668c50681c0ab1e92c679a\"\u003e\u003c/a\u003e工具"],"sub_categories":["\u003ca id=\"05ab1b75266fddafc7195f5b395e4d99\"\u003e\u003c/a\u003e未分类-OSINT"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmozilla%2Fcipherscan","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmozilla%2Fcipherscan","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmozilla%2Fcipherscan/lists"}