There is often the case where we can use the ssllabs to provide a list of weak ciphers used in the site.
There are 2 options we can use:
1. nmap --script ssl-enum-ciphers -p 443 yoursite.com |grep weak
2. sslyze
sslyze is not provided by default with the OS.
The way to install
Option 1: Install Pip with Yum
Step 1: Add the EPEL Repository
Pip is part of Extra Packages for Enterprise Linux (EPEL), which is a community repository of non-standard packages for the RHEL distribution. First, we’ll install the EPEL repository, for directions see How to enable EPEL repository?
Step 2: The Installation
As a matter of best practice we’ll update our packages:
yum -y update
Then let’s install python-pip and any required packages:
yum -y install python-pip
And skip to Step #3.
Option 2: Install Pip with Curl and Python
We can also use cURL and Python to download and install Pip.
curl "https://bootstrap.pypa.io/get-pip.py" -o "get-pip.py"
python get-pip.py
Step 3: Wrap Up / Verify The Installation
View a list of helpful commands:
pip --help
Check the version of Pip that is installed:
pip -V
Which should yield something similar to:
pip 1.3.1 from /usr/lib/python2.7/site-packages (python 2.7)
Install sslyze
pip install --upgrade pip //upgrade to the latest version
pip install --upgrade setuptools //required to be able to install sslyze
pip install --upgrade sslyze
sslyze --regular gss-portal.com 443
AVAILABLE PLUGINS
-----------------
CertificateInfoPlugin
CompressionPlugin
SessionRenegotiationPlugin
HttpHeadersPlugin
SessionResumptionPlugin
HeartbleedPlugin
OpenSslCipherSuitesPlugin
FallbackScsvPlugin
RobotPlugin
OpenSslCcsInjectionPlugin
CHECKING HOST(S) AVAILABILITY
-----------------------------
gss-portal.com:443 => 217.160.251.179
443:443 => WARNING: Connection rejected; discarding corresponding tasks.
SCAN RESULTS FOR GSS-PORTAL.COM:443 - 217.160.251.179
-----------------------------------------------------
* OpenSSL CCS Injection:
OK - Not vulnerable to OpenSSL CCS injection
* Downgrade Attacks:
TLS_FALLBACK_SCSV: OK - Supported
* Session Renegotiation:
Client-initiated Renegotiation: OK - Rejected
Secure Renegotiation: OK - Supported
* TLSV1_3 Cipher Suites:
Server rejected all cipher suites.
* TLSV1_1 Cipher Suites:
Server rejected all cipher suites.
* Certificate Information:
Content
SHA1 Fingerprint: 32785bda78e6399fcd53080031e4e403de8c1e39
Common Name: gss-portal.com
Issuer: Let's Encrypt Authority X3
Serial Number: 283418967952565582184766806582798465026583
Not Before: 2020-10-08 11:55:08
Not After: 2021-01-06 11:55:08
Signature Algorithm: sha256
Public Key Algorithm: RSA
Key Size: 2048
Exponent: 65537 (0x10001)
DNS Subject Alternative Names: [u'*.gss-portal.com', u'gss-portal.com']
Trust
Hostname Validation: OK - Certificate matches gss-portal.com
Android CA Store (8.1.0_r9): OK - Certificate is trusted
iOS CA Store (11): OK - Certificate is trusted
Java CA Store (jre-10.0.2): OK - Certificate is trusted
macOS CA Store (High Sierra): OK - Certificate is trusted
Mozilla CA Store (2018-04-12): OK - Certificate is trusted
Windows CA Store (2018-06-30): OK - Certificate is trusted
Symantec 2018 Deprecation: OK - Not a Symantec-issued certificate
Received Chain: gss-portal.com --> Let's Encrypt Authority X3
Verified Chain: gss-portal.com --> Let's Encrypt Authority X3 --> DST Root CA X3
Received Chain Contains Anchor: OK - Anchor certificate not sent
Received Chain Order: OK - Order is valid
Verified Chain contains SHA1: OK - No SHA1-signed certificate in the verified certificate chain
Extensions
OCSP Must-Staple: NOT SUPPORTED - Extension not found
Certificate Transparency: WARNING - Only 2 SCTs included but Google recommends 3 or more
OCSP Stapling
NOT SUPPORTED - Server did not send back an OCSP response
* SSLV3 Cipher Suites:
Server rejected all cipher suites.
* Resumption Support:
With Session IDs: NOT SUPPORTED (0 successful, 5 failed, 0 errors, 5 total attempts).
With TLS Tickets: OK - Supported
* ROBOT Attack:
OK - Not vulnerable, RSA cipher suites not supported
* TLSV1 Cipher Suites:
Server rejected all cipher suites.
* SSLV2 Cipher Suites:
Server rejected all cipher suites.
* Deflate Compression:
OK - Compression disabled
* OpenSSL Heartbleed:
OK - Not vulnerable to Heartbleed
* TLSV1_2 Cipher Suites:
Forward Secrecy OK - Supported
RC4 OK - Not Supported
Preferred:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH-256 bits 256 bits HTTP 200 OK
Accepted:
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - 256 bits HTTP 200 OK
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH-256 bits 256 bits HTTP 200 OK
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH-256 bits 256 bits HTTP 200 OK
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH-256 bits 128 bits HTTP 200 OK
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDH-256 bits 128 bits HTTP 200 OK
SCAN COMPLETED IN 3.97 S