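The article "SSL/TLS for the Pragmatic" mentions a tool called CipherScan, which is simple to use and produces very clear output.
Just git clone it and run it. Because detecting ChaCha20+Poly1305 requires a newer OpenSSL (only 1.0.2 has it, and that is still a development version), the cloned repository includes a Linux build of openssl; if you delete it, the tool uses the system openssl instead.
For example, scanning my blog gives this result: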
```
gslin@home [~/git/cipherscan] [17:57/W4] (master) ./cipherscan blog.gslin.org:443
........................
Target: blog.gslin.org:443

prio  ciphersuite                  protocols              pfs_keysize
1     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                DH,2048bits
2     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits
3     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits
4     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
5     DHE-RSA-AES256-SHA256        TLSv1.2                DH,2048bits
6     DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
7     DHE-RSA-CAMELLIA256-SHA      TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
8     AES256-GCM-SHA384            TLSv1.2
9     AES256-SHA256                TLSv1.2
10    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2
11    CAMELLIA256-SHA              TLSv1,TLSv1.1,TLSv1.2
12    ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits
13    ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits
14    ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
15    DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,2048bits
16    DHE-RSA-AES128-SHA256        TLSv1.2                DH,2048bits
17    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
18    DHE-RSA-CAMELLIA128-SHA      TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
19    AES128-GCM-SHA256            TLSv1.2
20    AES128-SHA256                TLSv1.2
21    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2
22    CAMELLIA128-SHA              TLSv1,TLSv1.1,TLSv1.2
23    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2

Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: 600
OCSP stapling: supported
Server side cipher ordering
```
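An added example, not part of the original post or of the CipherScan project: a small parser for the table format shown above that flags suites without forward secrecy, weak ciphers, and suites still offered over TLS 1.1 or older. The sample rows are copied from the scan in this post; the function names and the review policy (2048-bit DH minimum, which protocols count as legacy) are assumptions.

```python
import re

# Rows copied from the scan output in this post (subset, so this runs offline).
SAMPLE = """\
prio  ciphersuite                  protocols              pfs_keysize
1     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                DH,2048bits
4     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
8     AES256-GCM-SHA384            TLSv1.2
10    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2
23    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2
"""

# prio, ciphersuite, protocols, optional pfs_keysize (empty when no PFS).
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # assumed policy

def parse(text):
    """Return one dict per cipher row; header and footer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        prio, suite, protos, pfs = m.groups()
        rows.append({"prio": int(prio), "suite": suite, "protocols": protos.split(","), "pfs": pfs})
    return rows

def findings(rows):
    """Map suite name -> list of review notes for that suite."""
    out = {}
    for r in rows:
        notes = []
        if r["pfs"] is None:
            notes.append("no forward secrecy")
        elif r["pfs"].startswith("DH,"):
            bits = int(re.search(r"(\d+)bits", r["pfs"]).group(1))
            if bits < 2048:
                notes.append("DH group under 2048 bits")
        if re.search(r"(^|-)(DES|RC4|NULL|EXP)", r["suite"]):
            notes.append("weak cipher")
        legacy = sorted(LEGACY.intersection(r["protocols"]))
        if legacy:
            notes.append("offered over " + ",".join(legacy))
        if notes:
            out[r["suite"]] = notes
    return out

if __name__ == "__main__":
    for suite, notes in findings(parse(SAMPLE)).items():
        print(f"{suite}: {'; '.join(notes)}")
```

To check a live scan, pass the captured text of a `./cipherscan host:443` run to `parse()` instead of `SAMPLE`.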