marcobellaccini / tlsprobe Goto Github PK

tlsprobe - a TLS/SSL testing utility (by Marco Bellaccini - marco.bellaccini[at!]gmail.com)

tlsprobe is a simple program that tests a server for TLS/SSL Cipher Suites support (client mode) or, listening for incoming TLS/SSL connections, discovers Cipher Suites offered by a client (server mode).
tlsprobe is Free Software, released under the Apache License, Version 2.0.

GitHub project page: https://github.com/marcobellaccini/tlsprobe

In client mode, tlsprobe just sends ClientHello messages, and, by looking at server's reply (if any), determines whether the selected Cipher Suite(s) is supported or not.
tlsprobe builds TLS/SSL messages in a "byte-by-byte" fashion and so does not need any external library (i.e.: no OpenSSL, no GnuTLS, no libNSS).
The program supports both single Cipher Suite support check and a full-scan mode (in which it checks for support of all the cipher suites listed in the IANA TLS Cipher Suite Registry - http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4 ).
In server mode, it waits for a ClientHello to arrive and parse it, discovering offered Cipher Suites.

tlsprobe provides you with a visual feedback of the security/compatibility level of the various TLS/SSL Cipher Suites, based on Mozilla Server-Side-TLS Recommendations: https://wiki.mozilla.org/Security/Server_Side_TLS .
It highlights the discovered Cipher Suites with different colors, depending on the estimated security and compatibility level.

Working at TLS/SSL level, tlsprobe is generic and also supports probing non-https services (you just have to specify the right port for the higher-level protocol with the -p option).

tlsprobe supports SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2.

Note for Windows users: yeah, this tool can be run on Windows 10 through Windows Subsystem for Linux. 

Here follows some usage examples.

>>Client mode

List all Cipher Suites supported by www.google.com through TLS and SSL protocols (https, tcp port 443):

tlsprobe -F www.google.com

List all TLS Cipher Suites (i.e.: skip SSL3 scanning phase) supported by www.google.com (https, tcp port 443):

tlsprobe -j -F www.google.com

Tests if www.google.com (https, tcp port 443) supports cipher suite TLS_RSA_WITH_AES_128_CBC_SHA:

tlsprobe -c TLS_RSA_WITH_AES_128_CBC_SHA www.google.com

Tests if www.google.com (https, tcp port 443) supports cipher suite SSL_RSA_WITH_AES_128_CBC_SHA (with SSL 3.0 protocol):

tlsprobe -c SSL_RSA_WITH_AES_128_CBC_SHA www.google.com

List all Cipher Suites supported by Active Directory Domain Controller 10.0.0.5 with LDAP over ssl/tls (ldaps, tcp port 636):

tlsprobe -F -p 636 10.0.0.5

>>Server mode

Listen for TLS connections on TCP port 443 and print Cipher Suites offered by the client:

tlsprobe -S 0.0.0.0

Listen for TLS connections on TCP port 8443 and print Cipher Suites offered by the client:

tlsprobe -S -p 8443 0.0.0.0

For more help about possible options, try:

tlsprobe --help