在「SSL/TLS for the Pragmatic」這篇裡面提到了 CipherScan 這個工具,用起來很簡單而且輸出很清楚。
直接 git clone 下來後執行就可以了,另外因為檢測 ChaCha20+Poly1305 需要新版 OpenSSL (1.0.2 才有,目前還是開發版),所以 clone 下來的時候裡面包括了一個 Linux 版的 openssl,砍掉的話他會用系統的 openssl。
像是我的 blog 就可以掃出這樣的結果:
gslin@home [~/git/cipherscan] [17:57/W4] (master) ./cipherscan blog.gslin.org:443
........................
Target: blog.gslin.org:443
prio ciphersuite protocols pfs_keysize
1 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 DH,2048bits
2 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,P-256,256bits
3 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH,P-256,256bits
4 ECDHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
5 DHE-RSA-AES256-SHA256 TLSv1.2 DH,2048bits
6 DHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 DH,2048bits
7 DHE-RSA-CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2 DH,2048bits
8 AES256-GCM-SHA384 TLSv1.2
9 AES256-SHA256 TLSv1.2
10 AES256-SHA TLSv1,TLSv1.1,TLSv1.2
11 CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2
12 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-256,256bits
13 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,P-256,256bits
14 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
15 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 DH,2048bits
16 DHE-RSA-AES128-SHA256 TLSv1.2 DH,2048bits
17 DHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,2048bits
18 DHE-RSA-CAMELLIA128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,2048bits
19 AES128-GCM-SHA256 TLSv1.2
20 AES128-SHA256 TLSv1.2
21 AES128-SHA TLSv1,TLSv1.1,TLSv1.2
22 CAMELLIA128-SHA TLSv1,TLSv1.1,TLSv1.2
23 DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2
Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: 600
OCSP stapling: supported
Server side cipher ordering