Listing a web server's cipher suites with nmap
A note on a method I learned for listing the cipher suites (encryption algorithms) that a web server (Apache) will accept.
Until now I had been using the openssl command to check whether a given algorithm was in use.
openssl
[root@localhost ~]# openssl s_client -connect localhost:443 -cipher RC4-SHA < /dev/null
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = JP, ST = Tokyo, L = Shibuya, O = Default Company Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 C = JP, ST = Tokyo, L = Shibuya, O = Default Company Ltd
verify return:1
---
Certificate chain
 0 s:C = JP, ST = Tokyo, L = Shibuya, O = Default Company Ltd
   i:C = JP, ST = Tokyo, L = Shibuya, O = Default Company Ltd
---
Server certificate
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
subject=C = JP, ST = Tokyo, L = Shibuya, O = Default Company Ltd
issuer=C = JP, ST = Tokyo, L = Shibuya, O = Default Company Ltd
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1361 bytes and written 317 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
---
DONE
With the nmap command, however, the whole list can be displayed at once.
nmap
Usage is simple.
nmap -p <port number> --script ssl-enum-ciphers <web server name or IP address>
That alone prints the list of cipher suites the server will accept.
It also shows which SSL and TLS versions the server supports.
[root@localhost ~]# nmap -p 443 --script ssl-enum-ciphers localhost
Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-24 22:44 JST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000040s latency).
Other addresses for localhost (not scanned): ::1

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.79 seconds
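One thing the openssl output above illustrates is why the per-version listing from nmap is the more reliable check: although `-cipher RC4-SHA` was requested, the handshake negotiated TLS 1.3 with TLS_AES_256_GCM_SHA384. In OpenSSL 1.1.x the `-cipher` list only governs TLS 1.2 and earlier suites (TLS 1.3 suites are set with `-ciphersuites`), so a successful `s_client` connection does not by itself prove the server accepts RC4-SHA. The ssl-enum-ciphers script, by contrast, reports every suite under the protocol version it was offered for, which is what a hardening review actually needs. The script below is an added example, not code from the post or from the Nmap project: it parses ssl-enum-ciphers output such as the scan above and flags suites a reviewer would want to look at (legacy protocol versions, grades below A, static-RSA key exchange without forward secrecy, CBC-mode suites, 3DES/RC4). The embedded sample is constructed: the TLSv1.2 block is trimmed from the scan in the post, and the TLSv1.0 block with a C-graded 3DES suite is hypothetical, included so the legacy-protocol and weak-grade branches have something to report.

```python
"""Parse `nmap --script ssl-enum-ciphers` output and flag suites worth a second look."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample input (not real scan output): the TLSv1.2 block is trimmed from
# the scan in the post; the TLSv1.0 block with a C-graded 3DES suite is hypothetical,
# added so the legacy-protocol and weak-grade checks have something to report.
SAMPLE_OUTPUT = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C
"""


class Cipher(NamedTuple):
    protocol: str   # e.g. "TLSv1.2"
    name: str       # suite name as nmap prints it
    kex: str        # key-exchange detail from the parentheses, e.g. "ecdh_x25519"
    grade: str      # nmap's letter grade for the suite


# A protocol section header looks like "|   TLSv1.2:"; a suite line looks like
# "|       TLS_..._SHA (rsa 2048) - A". The "|_  least strength" footer matches neither.
PROTO_RE = re.compile(r"^\|\s+((?:SSL|TLS)v[\d.]+):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_\S+)\s+\(([^)]*)\)\s+-\s+(\S+)\s*$")

# Protocol versions that should be disabled on a web server today.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def parse_ssl_enum_ciphers(text: str) -> List[Cipher]:
    """Collect one Cipher per suite line, tagged with the protocol section it sits under."""
    ciphers: List[Cipher] = []
    proto = None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            continue
        m = CIPHER_RE.match(line)
        if m and proto:
            ciphers.append(Cipher(proto, m.group(1), m.group(2), m.group(3)))
    return ciphers


def assess(ciphers: List[Cipher]) -> List[Tuple[str, str, str]]:
    """Return (protocol, suite, reason) triples for suites a hardening review should
    look at. A suite can appear under more than one reason."""
    findings = []
    for c in ciphers:
        if c.protocol in LEGACY_PROTOCOLS:
            findings.append((c.protocol, c.name, "legacy protocol version"))
        if c.grade != "A":
            findings.append((c.protocol, c.name, f"nmap grade {c.grade}"))
        if c.name.startswith("TLS_RSA_"):
            findings.append((c.protocol, c.name, "static RSA key exchange, no forward secrecy"))
        if "_CBC_" in c.name:
            findings.append((c.protocol, c.name, "CBC mode (prefer AEAD: GCM/CCM/CHACHA20)"))
        if "3DES" in c.name or "RC4" in c.name:
            findings.append((c.protocol, c.name, "legacy symmetric cipher"))
    return findings


def summarize(text: str) -> Dict[str, object]:
    """Count offered suites per protocol version and attach the findings."""
    ciphers = parse_ssl_enum_ciphers(text)
    return {
        "per_protocol": dict(Counter(c.protocol for c in ciphers)),
        "findings": assess(ciphers),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_OUTPUT)
    for proto, n in report["per_protocol"].items():
        print(f"{proto}: {n} suites offered")
    for proto, name, reason in report["findings"]:
        print(f"  [{proto}] {name}: {reason}")
```

To run it against a live scan, pipe the output of `nmap -p 443 --script ssl-enum-ciphers <host>` into `summarize()` instead of `SAMPLE_OUTPUT`. The grade check is deliberately strict (anything other than A is reported) because nmap's letter grade folds together key size, cipher strength and known weaknesses, so a B or C is always worth reading the script's own warning lines for.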