Senza categoria

Ormai è bene mantenere attiva solo la versione TLS 1.2 (o superiore) sul certificato HTTPS del sito. Un modo semplice per recuperare l’elenco delle versioni TLS attive è usare nmap, ad esempio:

~$ nmap --script ssl-enum-ciphers -p 443 blog.smsoft.it

1	~$ nmap --script ssl-enum-ciphers -p 443 blog.smsoft.it

ed avremo come risposta:

Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-16 13:22 CET
Nmap scan report for blog.smsoft.it (185.81.4.127)
Host is up (0.056s latency).
rDNS record for 185.81.4.127: encke.dnshigh.com
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A
Nmap done: 1 IP address (1 host up) scanned in 2.07 seconds

Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-16 13:22 CET

Nmap scan report for blog.smsoft.it (185.81.4.127)

Host is up (0.056s latency).

rDNS record for 185.81.4.127: encke.dnshigh.com

PORT STATE SERVICE

443/tcp open https

| ssl-enum-ciphers:

| TLSv1.2:

| ciphers:

| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A

| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A

| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A

| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A

| compressors:

| NULL

| cipher preference: client

|_ least strength: A

Nmap done: 1 IP address (1 host up) scanned in 2.07 seconds

In alternativa…

Verifica versione SSL/TLS con openssl o nmap

Esportare le password dal portachiavi di OSX