#!/usr/bin/env bash
#
# Copyright (c) 2014 Matthias Baur
# Inspired by indiv (https://superuser.com/questions/109213/is-there-a-tool-that-can-test-what-ssl-tls-cipher-suites-a-particular-website-of/224263#224263)
#
# License: http://www.gnu.org/licenses/gpl.html GPL version 2 or higher
#
########################################################################
usage(){
  # Print the option summary and a few examples; $0 is the script as invoked.
  local prog=$0
  printf '%s\n' \
    "$prog <OPTIONS>" \
    '-s : Hostname or IP (required)' \
    '-p : Port (required)' \
    '-t : Enables StartTLS usage. Parameter needs to be smtp, pop3, imap or ftp. (optional)' \
    "-d : Delay between tests. See 'man sleep' for notation. (optional)" \
    '-c : OpenSSL cipher list. (optional)' \
    'Examples:' \
    "$prog -s example.org -p 443" \
    "$prog -s example.org -p 25 -t smtp -d 30s" \
    "$prog -s example.org -p 25 -t smtp -c HIGH"
}
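#######################################
# Parse the command line into the globals the rest of the script reads.
# Globals (written): SERVER, PORT, STARTTLS, DELAY, CIPHERS
# Arguments: the script's "$@"
# Outputs:   diagnostics on stderr
# Exits with status 1 on an invalid value; an unknown option also prints usage.
#######################################
parse_args() {
  local optname
  while getopts "s:p:t:d:c:" optname; do
    case "$optname" in
      s)
        SERVER="$OPTARG"
        ;;
      p)
        # Digits only and within the TCP port range; the length guard keeps a
        # very long digit string from wrapping around inside the arithmetic.
        if [[ "$OPTARG" =~ ^[0-9]+$ ]] \
          && (( ${#OPTARG} <= 5 && 10#$OPTARG >= 1 && 10#$OPTARG <= 65535 )); then
          PORT="$OPTARG"
        else
          echo "-p needs to be a numeric value between 1 and 65535!" >&2
          exit 1
        fi
        ;;
      t)
        case "$OPTARG" in
          smtp|pop3|imap|ftp)
            # Kept as a plain string: the probe loop word-splits it into
            # two s_client arguments.
            STARTTLS="-starttls $OPTARG"
            ;;
          *)
            echo "-t only supports smtp, pop3, imap or ftp. See 'man s_client' for more information." >&2
            exit 1
            ;;
        esac
        ;;
      d)
        if [[ "$OPTARG" =~ ^[0-9]+[smhd]?$ ]]; then
          DELAY="$OPTARG"
        else
          echo "-d can only be a numeric value followed by s (seconds), m (minutes), h (hours) or d (days). See 'man sleep' for more information." >&2
          exit 1
        fi
        ;;
      c)
        # openssl expands the cipher string into a colon-separated list;
        # the probe loop expects it space-separated.
        if CIPHERS=$(openssl ciphers "$OPTARG" 2>/dev/null); then
          CIPHERS=${CIPHERS//:/ }
        else
          printf "%s\n" "-c needs to be a valid OpenSSL cipher. Please validate with 'openssl ciphers $OPTARG'." >&2
          exit 1
        fi
        ;;
      *)
        echo "Unknown parameter" >&2
        usage
        exit 1
        ;;
    esac
  done
}
parse_args "$@"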
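# -s and -p are mandatory; every other option has a default.
if [[ -z "$SERVER" || -z "$PORT" ]]; then
  printf '%s\n\n' "-s and -p are required!"
  usage
  exit 1
fi
# Without -c, test every cipher the local OpenSSL knows. eNULL is included on
# purpose so a server that accepts NULL-encryption suites gets reported.
if [[ -z "$CIPHERS" ]]; then
  printf 'Obtaining cipher list from %s.\n' "$(openssl version)"
  # An empty list would silently test nothing, so a failing openssl is fatal.
  if ! CIPHERS=$(openssl ciphers 'ALL:eNULL'); then
    echo "Could not obtain a cipher list from openssl." >&2
    exit 1
  fi
  CIPHERS=${CIPHERS//:/ }
fi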
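#######################################
# Probe the server once per cipher and print YES, NO (reason) or
# UNKNOWN RESPONSE for each.
# Globals (read): SERVER, PORT, STARTTLS, CIPHERS, DELAY
#######################################
# Arguments shared by every probe. STARTTLS is deliberately unquoted: it is
# either empty or the two words "-starttls <proto>".
# shellcheck disable=SC2086
connect_args=($STARTTLS -connect "$SERVER:$PORT")
# OpenSSL >= 1.1.1 negotiates TLS 1.3 by default and selects its suites with
# -ciphersuites, not -cipher. Without pinning the protocol, a probe for a
# TLS 1.2 cipher can be answered with a TLS 1.3 suite and be misreported.
# NOTE(review): detection relies on the option list printed by
# `s_client -help`; confirm against the OpenSSL build in use.
has_tls13=0
if openssl s_client -help 2>&1 | grep -q -- '-no_tls1_3'; then
  has_tls13=1
fi
printf 'Server: %s\n' "$SERVER"
printf 'Port : %s\n' "$PORT"
echo "-----------------------------"
# CIPHERS is a space-separated list, so word-splitting is the intent here.
# shellcheck disable=SC2086
for CIPHER in $CIPHERS; do
  if [[ "$CIPHER" == TLS_* ]]; then
    # TLS 1.3 suite names are only accepted by -ciphersuites; force TLS 1.3 so
    # a fallback to some TLS 1.2 cipher is not mistaken for support.
    cipher_args=(-tls1_3 -ciphersuites "$CIPHER")
  elif (( has_tls13 )); then
    cipher_args=(-no_tls1_3 -cipher "$CIPHER")
  else
    cipher_args=(-cipher "$CIPHER")
  fi
  printf 'Testing %s...' "$CIPHER"
  # Empty stdin makes s_client return right after the handshake attempt.
  result=$(openssl s_client "${cipher_args[@]}" "${connect_args[@]}" </dev/null 2>&1)
  # Anchor the cipher name so e.g. AES128-SHA does not match AES128-SHA256.
  # The "Cipher :" alternative is kept from the original; its purpose is not
  # documented there, so it is left as-is.
  if [[ "$result" =~ "Cipher is ${CIPHER}"([[:space:]]|$) || "$result" =~ "Cipher :" ]]; then
    echo YES
  elif [[ "$result" =~ ":error:" ]]; then
    # Parse only the first error line: earlier lines (certificate verification
    # output, for instance) may contain colons and would shift the fields.
    error=$(printf '%s\n' "$result" | grep -m 1 -- ':error:' | cut -d ':' -f 6)
    printf 'NO (%s)\n' "$error"
  else
    echo "UNKNOWN RESPONSE"
    printf '%s\n' "$result"
  fi
  if [[ -n "$DELAY" ]]; then
    sleep "$DELAY"
  fi
done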