home > security > www > openssl-testing-cheat-sheet

Openssl Testing Cheat Sheet

25 | 23 Aug 2015

Check the Signing Algorithms

Sha1 on it's own is now considered insecure, the following will pring out the algorithm used.

mike@mike-laptop3:~/git/ssl/src$ openssl s_client -showcerts -connect secure.mikejonesey.co.uk:443 /dev/null| tr "n" "~" | sed 's/END CERTIFICATE-----~/END CERTIFICATE-----n/g' | grep "CERTIFICATE" | while read al; do crt=$(echo "$al" | tr "~" "n" | openssl x509 -noout -text); crt_cname=$(echo "$crt" | grep "Subject: .*CN=" | grep -o "CN=[a-zA-Z0-9. ]*" | sed 's/CN=//'); crt_alg=$(echo "$crt" | head -6 | grep "Signature Algorithm" | sed 's/.* //'); echo -e "$crt_cnamen  $crt_alg"; done

secure.mikejonesey.co.uk
  sha256WithRSAEncryption
COMODO RSA Certification Authority
  sha384WithRSAEncryption
COMODO RSA Domain Validation Secure Server CA
  sha384WithRSAEncryption

Check the Certificate's date Validity

the following can be used to simpley print out the dates each of your chain of certificates has, you could also easily update to print out an integer of days valid, and days remaining allowing for easy alerting.

openssl s_client -showcerts -connect secure.mikejonesey.co.uk:443 /dev/null| tr "n" "~" | sed 's/END CERTIFICATE-----~/END CERTIFICATE-----n/g' | grep "CERTIFICATE" | while read al; do crt=$(echo "$al" | tr "~" "n" | openssl x509 -noout -text); crt_cname=$(echo "$crt" | grep "Subject: .*CN=" | grep -o "CN=[a-zA-Z0-9. ]*" | sed 's/CN=//'); mydata=$(echo "$crt" | grep "Validity" -A 2); echo -e "$crt_cnamen  $mydata"; done

secure.mikejonesey.co.uk
          Validity
            Not Before: Apr  6 00:00:00 2015 GMT
            Not After : Apr  5 23:59:59 2018 GMT
COMODO RSA Certification Authority
          Validity
            Not Before: May 30 10:48:38 2000 GMT
            Not After : May 30 10:48:38 2020 GMT
COMODO RSA Domain Validation Secure Server CA
          Validity
            Not Before: Feb 12 00:00:00 2014 GMT
            Not After : Feb 11 23:59:59 2029 GMT

Check for Poodle Vulnerability (Support for SSLv3)

Ensuring SSLv3 is switched off on your server can be achieved using the following.

mike@mike-laptop3:~/git/ssl/src$ openssl s_client -connect secure.mikejonesey.co.uk:443 -ssl3 2>&1 | grep "handshake failure"

140602235258512:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1294:SSL alert number 40
140602235258512:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:618:

Check for the EXPORT cipher

The export cipher is now considered insecure.

mike@mike-laptop3:~/git/ssl/src$ openssl s_client -connect secure.mikejonesey.co.uk:443 -cipher EXPORT &1 | grep "handshake failure"

139776399570576:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:

Check for the RC4 cipher

RC4 is also now considered insecure.

mike@mike-laptop3:~/git/ssl/src$ openssl s_client -connect secure.mikejonesey.co.uk:443 -cipher RC4 &1 | grep "handshake failure"

139776399570576:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:

Full Testing Script

Putting all little bits of info together into a script; this is useful in combination with a mail client or monitoring agent like zabbix that can notify of issues. Especially if you have a large number of sites to manage.

I've also added support for browser compatibility tests, this enables you to clearly identify which web browser / programs will be able to communicate securley with your server.

Download Link: https://secure.mikejonesey.co.uk/downloads?name=ssl-check.sh

Pgp code sig: https://secure.mikejonesey.co.uk/downloads?name=ssl-check.sh.sig

#!/bin/bash

if [ -n "$1" ]; then
    domainname=$1
else
    read -p "Enter the fqdn: " domainname
fi

printf "e[0;37m"

pfs_ciphers="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-SHA256"

function checkClient(){
    domainname="$1"
    clientname="$2"
    goodcipher_list="$3"
    badcipher_list="$4"
    client_test=$(openssl s_client -connect $domainname:443 -tls1 -cipher "$goodcipher_list:$badcipher_list" &1)
    cipherUsed=$(echo "$client_test" | grep "New, TLSv1/SSLv3, Cipher is .*" | sed 's/.*Cipher is //')
    if [ -z "$cipherUsed" ]; then
        echo -e "e[0;31m  $clientname:  NOe[0;37m"
    elif [[ $badcipher_list == *$cipherUsed* ]]; then
        echo -e "e[0;31m  $clientname:  NO - only supports weak cipherse[0;37m"
    elif [[ $goodcipher_list == *$cipherUsed* ]]; then
        if [[ $pfs_ciphers != *$cipherUsed* ]]; then
            echo -e "e[0;32m  $clientname:  YES : $cipherUsede[0;37m"
        else
            echo -e "e[0;32m  $clientname:  YES : $cipherUsed : PFSe[0;37m"
        fi
    fi
}

function checkPfsCipher(){
    domainname="$1"
    # Support for > 1024 bit keys
    #ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
    #ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
    #ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
    #ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
    #DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
    #DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
    #ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
    #ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
    #ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
    #ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
    #DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
    #DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
    # Support for <= 1024 bit keys
    #DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
    #DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
    #DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
    #DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
    pfs_test=$(openssl s_client -connect $domainname:443 -cipher "$pfs_ciphers" &1)
    if [ -n "$(echo "$pfs_test" | grep "error setting cipher list")" ]; then
        echo "Local Testing node does not support pfs ciphers" >&2
        return 1
    elif [ -n "$(echo "$pfs_test" | grep "alert handshake failure")" ]; then
        echo "Server being tested does not support pfs ciphers" >&2
        return 1
    elif [ -n "$(echo "$pfs_test" | grep "SSL handshake has read")" -a -n "$(echo "$pfs_test" | grep "New, TLSv1/SSLv3, Cipher is .*DSS.*")" ]; then
        echo "Server being tested supports pfs but only using depriciated ciphers" >&2
        echo "1024 bit"
        return 2
    elif [ -n "$(echo "$pfs_test" | grep "SSL handshake has read")" ]; then
        cipherUsed=$(echo "$pfs_test" | grep "New, TLSv1/SSLv3, Cipher is .*" | sed 's/.*Cipher is //')
        echo "$cipherUsed"
        return 0
    fi
    return 3
}

function checkDomain(){
    domainname="$1"
    connection=$(openssl s_client -showcerts -connect $domainname:443 /dev/null)
    echo "$connection"|tr "n" "~"|sed 's/END CERTIFICATE-----~/END CERTIFICATE-----n/g'|grep "CERTIFICATE"| while read al; do
        crt=$(echo "$al" | tr "~" "n" | openssl x509 -noout -text)
        crt_cname=$(echo "$crt" | grep "Subject: .*CN=" | grep -o "CN=[a-zA-Z0-9. ]*" | sed 's/CN=//')
        echo "Certificate: $crt_cname"
        crt_alg=$(echo "$crt" | head -6 | grep "Signature Algorithm" | sed 's/.* //')
        if [ "$crt_alg" == "sha1WithRSAEncryption" ]; then
            echo -e "e[0;31m  Signature Algorithm: $crt_alge[0;37m"
        else
            echo -e "e[0;32m  Signature Algorithm: $crt_alge[0;37m"
        fi
        echo "  Validity:"
        crt_date=$(echo "$crt" | grep "Validity" -A 2)
        crt_date_nb=$(echo "$crt_date" | grep "Not Before")
        crt_date_nb=$(echo ${crt_date_nb:24:24})
        if [ "$(date -d "$crt_date_nb" +"%s")" -gt "$(date +"%s")" ]; then
            echo -e "e[0;31m    Not Before: $crt_date_nbe[0;37m"
        else
            echo -e "e[0;32m    Not Before: $crt_date_nbe[0;37m"
        fi

        crt_date_nb=$(echo "$crt_date" | grep "Not After")
        crt_date_nb=$(echo ${crt_date_nb:24:24})
        if [ "$(date -d "$crt_date_nb" +"%s")" -lt "$(date +"%s")" ]; then
            echo -e "e[0;31m    Not After:  $crt_date_nbe[0;37m"
        else
            echo -e "e[0;32m    Not After:  $crt_date_nbe[0;37m"
        fi
        echo
    done

    echo "Connection Details:"

    pub_key_bit=$(echo "$connection" | grep -o "Server public key is [0-9]* bit" | sed 's/Server public key is ([0-9]*) bit/1/')
    if [ "$pub_key_bit" -lt "2048" ]; then
        echo -e "e[0;31m  Pub key bits: $pub_key_bite[0;37m"
    else
        echo -e "e[0;32m  Pub key bits: $pub_key_bite[0;37m"
    fi

    sec_reneg=$(echo "$connection" | grep "Secure Renegotiation IS supported")
    if [ -z "$sec_reneg" ]; then
        echo -e "e[0;31m  Secure Renegotiation: NO SUPPORTe[0;37m"
    else
        echo -e "e[0;32m  Secure Renegotiation: YESe[0;37m"
    fi

    pfsCipher=$(checkPfsCipher "$domainname")
    if [ "$pfsCipher" == "1024 bit" ]; then
        echo -e "e[0;31m  Supports PFS:  NO - bit limit 1024e[0;37m"
    elif [ -z "$pfsCipher" -o "$pub_key_bit" -lt "2048" ]; then
        echo -e "e[0;31m  Supports PFS:  NOe[0;37m"
    else
        echo -e "e[0;32m  Supports PFS:  YES : $pfsCipher : $pub_key_bite[0;37m"
    fi

    echo ""
    echo "Client Support:"

    ##################################################
    # Android 2.3.7
    ##################################################
    
    #WEAK#SSL_RSA_WITH_RC4_128_MD5 - RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
    #WEAK#SSL_RSA_WITH_RC4_128_SHA - RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
    #TLS_RSA_WITH_AES_128_CBC_SHA - AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
    #TLS_DHE_RSA_WITH_AES_128_CBC_SHA - DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
    #TLS_DHE_DSS_WITH_AES_128_CBC_SHA - DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
    #WEAK#SSL_RSA_WITH_3DES_EDE_CBC_SHA - DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
    #WEAK#SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA - DHE-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
    #WEAK#SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA - DHE-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
    #WEAK#SSL_RSA_WITH_DES_CBC_SHA - DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
    #WEAK#SSL_DHE_RSA_WITH_DES_CBC_SHA - DHE-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
    #WEAK#SSL_DHE_DSS_WITH_DES_CBC_SHA - DHE-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
    #WEAK#SSL_RSA_EXPORT_WITH_RC4_40_MD5 - EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
    #WEAK#SSL_RSA_EXPORT_WITH_DES40_CBC_SHA - EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
    #WEAK#SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - EXP-DHE-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
    #WEAK#SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA - EXP-DHE-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
    checkClient "$domainname" "Android 2.3.7" "AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA" "RC4-MD5:RC4-SHA:DES-CBC3-SHA:DHE-RSA-DES-CBC3-SHA:DHE-DSS-DES-CBC3-SHA:DES-CBC-SHA:DHE-RSA-DES-CBC-SHA:DHE-DSS-DES-CBC-SHA:EXP-RC4-MD5:EXP-DES-CBC-SHA:EXP-DHE-RSA-DES-CBC-SHA:EXP-DHE-DSS-DES-CBC-SHA"

    ##################################################
    # Android 4.0.4
    ##################################################

#    checkClient "$domainname" "Android 4.0.4" "" ""

    ##################################################
    # Android 4.1.1
    ##################################################

#    checkClient "$domainname" "Android 4.1.1" "" ""

    ##################################################
    # Android 4.2.2
    ##################################################

#    checkClient "$domainname" "Android 4.2.2" "" ""

    ##################################################
    # Android 4.3
    ##################################################

#    checkClient "$domainname" "Android 4.3" "" ""

    ##################################################
    # Android 4.4.2
    ##################################################

#    checkClient "$domainname" "Android 4.4.2" "" ""

    ##################################################
    # Android 5.0.0
    ##################################################

#    checkClient "$domainname" "Android 5.0.0" "" ""

    ##################################################
    # Chrome 43 / OS X
    ##################################################

#    checkClient "$domainname" "Chrome 43 / OS X" "" ""

    ##################################################
    # Firefox 31 Win 7
    ##################################################

#    checkClient "$domainname" "???" "" ""

    ##################################################
    # Firefox 39 / OS X
    ##################################################

#    checkClient "$domainname" "???" "" ""

    ##################################################
    # Firefox 40 / Linux
    ##################################################
    #0xC0,0x2B - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
    #0xC0,0x2F - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
    #0xC0,0x0A - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
    #0xC0,0x09 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
    #0xC0,0x13 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
    #0xC0,0x14 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
    #0x00,0x33 - TLS_DHE_RSA_WITH_AES_128_CBC_SHA - DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
    #0x00,0x39 - TLS_DHE_RSA_WITH_AES_256_CBC_SHA - DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
    #0x00,0x2F - TLS_RSA_WITH_AES_128_CBC_SHA - AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
    #0x00,0x35 - TLS_RSA_WITH_AES_256_CBC_SHA - AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
        #0x00,0x0A - SSL_RSA_WITH_3DES_EDE_CBC_SHA - DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1

    checkClient "$domainname" "Firefox 40 / Linux" "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA" ""

    ##################################################
    # Googlebot Feb 2015
    ##################################################

#    checkClient "$domainname" "Googlebot Feb 2015" "" ""

    ##################################################
    # IE 6 / XP  
    ##################################################

#    checkClient "$domainname" "IE 6 / XP" "" ""

    ##################################################
    # IE 7 / Vista
    ##################################################

#    checkClient "$domainname" "IE 7 / Vista" "" ""

    ##################################################
    # IE 8 / XP
    ##################################################

#    checkClient "$domainname" "IE 8 / XP " "" ""

    ##################################################
    # IE 8-10 / Win 7
    ##################################################

#    checkClient "$domainname" "IE 8-10 / Win 7" "" ""


    ##################################################
    # IE 11 / Win 7
    ##################################################

#    checkClient "$domainname" "IE 11 / Win 7" "" ""

    ##################################################
    # IE 11 / Win 8.1
    ##################################################

#    checkClient "$domainname" "IE 11 / Win 8.1" "" ""

    ##################################################
    # IE 10 / Win Phone 8.0
    ##################################################

#    checkClient "$domainname" "IE 10 / Win Phone 8.0" "" ""

    ##################################################
    # IE 11 / Win Phone 8.1
    ##################################################

#    checkClient "$domainname" "IE 11 / Win Phone 8.1" "" ""

    ##################################################
    # IE 11 / Win Phone 8.1 Update
    ##################################################

#    checkClient "$domainname" "IE 11 / Win Phone 8.1 Update" "" ""

    ##################################################
    # Edge 12 / Win 10 (Build 10130)
    ##################################################

#    checkClient "$domainname" "Edge 12 / Win 10 (Build 10130) " "" ""

    ##################################################
    # Java 6u45
    ##################################################

#    checkClient "$domainname" "Java 6u45 " "" ""

    ##################################################
    # Java 7u25
    ##################################################

#    checkClient "$domainname" "Java 7u25" "" ""

    ##################################################
    # Java 8u31
    ##################################################

#    checkClient "$domainname" "Java 8u31" "" ""

    ##################################################
    # OpenSSL 0.9.8y
    ##################################################

#    checkClient "$domainname" "OpenSSL 0.9.8y" "" ""

    ##################################################
    # OpenSSL 1.0.1l
    ##################################################

#    checkClient "$domainname" "OpenSSL 1.0.1l " "" ""

    ##################################################
    # OpenSSL 1.0.2
    ##################################################

#    checkClient "$domainname" "OpenSSL 1.0.2 " "" ""

    ##################################################
    # Safari 5.1.9 / OS X 10.6.8
    ##################################################

#    checkClient "$domainname" "Safari 5.1.9 / OS X 10.6.8" "" ""

    ##################################################
    # Safari 6 / iOS 6.0.1
    ##################################################

#    checkClient "$domainname" "Safari 6 / iOS 6.0.1" "" ""

    ##################################################
    # Safari 6.0.4 / OS X 10.8.4
    ##################################################

#    checkClient "$domainname" "Safari 6.0.4 / OS X 10.8.4" "" ""

    ##################################################
    # Safari 7 / iOS 7.1
    ##################################################

#    checkClient "$domainname" "Safari 7 / iOS 7.1 " "" ""

    ##################################################
    # Safari 7 / OS X 10.9
    ##################################################

#    checkClient "$domainname" "Safari 7 / OS X 10.9" "" ""

    ##################################################
    # Safari 8 / iOS 8.4
    ##################################################

#    checkClient "$domainname" "Safari 8 / iOS 8.4" "" ""

    ##################################################
    # Safari 8 / OS X 10.10
    ##################################################

#    checkClient "$domainname" "Safari 8 / OS X 10.10" "" ""

    ##################################################
    # Yahoo Slurp Jan 2015
    ##################################################

#    checkClient "$domainname" "Yahoo Slurp Jan 2015" "" ""

#    checkClient "$domainname" "Android 2.3.7" "" ""
#    checkClient "$domainname" "Android 2.3.7" "" ""
#    checkClient "$domainname" "Android 2.3.7" "" ""
#    checkClient "$domainname" "Android 2.3.7" "" ""
#    checkClient "$domainname" "Android 2.3.7" "" ""
    
}

checkDomain "$domainname"

Sample Output

mike@mike-laptop3:~/work/ssl-check$ ./ssl-check.sh secure.mikejonesey.co.uk
Certificate: secure.mikejonesey.co.uk
  Signature Algorithm: sha256WithRSAEncryption
  Validity:
    Not Before: Apr 6 00:00:00 2015 GMT
    Not After:  Apr 5 23:59:59 2018 GMT

Certificate: COMODO RSA Certification Authority
  Signature Algorithm: sha384WithRSAEncryption
  Validity:
    Not Before: May 30 10:48:38 2000 GMT
    Not After:  May 30 10:48:38 2020 GMT

Certificate: COMODO RSA Domain Validation Secure Server CA
  Signature Algorithm: sha384WithRSAEncryption
  Validity:
    Not Before: Feb 12 00:00:00 2014 GMT
    Not After:  Feb 11 23:59:59 2029 GMT

Connection Details:
  Pub key bits: 2048
  Secure Renegotiation: YES
  Supports PFS:  YES : ECDHE-RSA-AES256-GCM-SHA384 : 2048

Client Support:
  Android 2.3.7:  YES : DHE-RSA-AES128-SHA : PFS
  Firefox 40 / Linux:  YES : ECDHE-RSA-AES256-SHA : PFS

Git Updates

I plan to update the browser client support in free time, for updates see my git repo;

git clone https://github.com/mikejonesey/ssl-checker.git

Comments

Posted by Curious reader on 04/11/2015 08:59 For someone starting out which resources would you suggest to use for learning linux terminology bash scripting and the likes

Posted by mikejonesey on 08/11/2015 00:19 man pages these should always be your 1st go to resourceman awkand i also highly recommend Mastering UNIX Shell Scripting 2e Bash Bourne and Korn Shell Scripting for Programmers System Administrators and UNIX Gurus by Randal K. Michael

Post a Comment