检测弱encryption和过时的协议

我不认为一旦服务器和客户端之间的SSL握手完成，你就可以窥探stream量。 您可能需要扫描服务器以查看是否提供弱密码。 也许“sslscan”？

http://sourceforge.net/projects/sslscan/

https://www.titania-security.com/labs/sslscan

我知道有一个Ubuntu软件包可用于此。

这将显示由服务器提供的密码套件。

所以，用sslscan扫描GMail，我得到：

$ sslscan --no-failed mail.google.com:443 _ ___ ___| |___ ___ __ _ _ __ / __/ __| / __|/ __/ _` | '_ \ \__ \__ \ \__ \ (_| (_| | | | | |___/___/_|___/\___\__,_|_| |_| Version 1.8.2 http://www.titania.co.uk Copyright Ian Ventura-Whiting 2009 Testing SSL server mail.google.com on port 443 Supported Server Cipher(s): Accepted SSLv3 256 bits AES256-SHA Accepted SSLv3 128 bits AES128-SHA Accepted SSLv3 168 bits DES-CBC3-SHA Accepted SSLv3 128 bits RC4-SHA Accepted SSLv3 128 bits RC4-MD5 Accepted TLSv1 256 bits AES256-SHA Accepted TLSv1 128 bits AES128-SHA Accepted TLSv1 168 bits DES-CBC3-SHA Accepted TLSv1 128 bits RC4-SHA Accepted TLSv1 128 bits RC4-MD5 Prefered Server Cipher(s): SSLv3 128 bits RC4-SHA TLSv1 128 bits RC4-SHA SSL Certificate: Version: 2 Serial Number: 4294967295 Signature Algorithm: sha1WithRSAEncryption Issuer: /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA Not valid before: Oct 26 00:00:00 2011 GMT Not valid after: Sep 30 23:59:59 2013 GMT Subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:af:39:15:98:68:e4:92:fe:4f:4f:f1:bb:ff:0d: 2e:b0:fe:25:aa:bd:68:04:67:27:ea:6c:43:4c:a7: 6d:cb:c8:8f:7e:81:ee:87:26:25:10:12:54:33:9e: aa:3d:9b:8f:8e:92:b3:4b:01:e3:f9:4a:29:c3:0f: fd:ac:b7:d3:4c:97:29:3f:69:55:cf:70:83:04:af: 2e:04:6e:74:d6:0f:17:09:fe:9e:20:24:24:e3:c7: 68:9c:ac:11:bd:92:e4:b2:1b:09:f2:02:32:bb:55: 1b:2d:16:5f:30:12:23:e2:4c:4a:8d:c2:da:3f:e1: b8:bf:f7:3a:b1:86:be:f0:c5 Exponent: 65537 (0x10001) X509v3 Extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 CRL Distribution Points: URI:http://crl.thawte.com/ThawteSGCCA.crl X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto Authority Information Access: OCSP - URI:http://ocsp.thawte.com CA Issuers - URI:http://www.thawte.com/repository/Thawte_SGC_CA.crt Verify Certificate: unable to get local issuer certificate 

编辑 ：

嗯，看看这个页面： http ： //prefetch.net/articles/debuggingssl.html

所以，您可以使用该工具来查看握手以及密码是什么。

您可以使用nmap中的ssl-enum-ciphers脚本来获得对密码充分性的估计。

一个例子：

 $ nmap --script ssl-enum-ciphers.nse mail.google.com Starting Nmap 5.61TEST2 ( http://nmap.org ) at 2011-11-22 14:09 CET Nmap scan report for mail.google.com (173.194.34.245) Host is up (0.0050s latency). Other addresses for mail.google.com (not scanned): 173.194.34.246 173.194.34.247 rDNS record for 173.194.34.245: mad01s09-in-f21.1e100.net Not shown: 998 filtered ports PORT STATE SERVICE 80/tcp open http 443/tcp open https | ssl-enum-ciphers: | SSLv3 | Ciphers (9) | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - unknown strength | TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong | TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong | TLS_RSA_WITH_AES_128_CBC_SHA - strong | TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength | TLS_RSA_WITH_RC4_128_MD5 - unknown strength | TLS_RSA_WITH_RC4_128_SHA - strong | Compressors (1) | NULL | TLSv1.0 | Ciphers (9) | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - unknown strength | TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong | TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong | TLS_RSA_WITH_AES_128_CBC_SHA - strong | TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength | TLS_RSA_WITH_RC4_128_MD5 - unknown strength | TLS_RSA_WITH_RC4_128_SHA - strong | Compressors (1) | NULL |_ Least strength = unknown strength Nmap done: 1 IP address (1 host up) scanned in 16.38 seconds