Created
March 30, 2016 05:38
-
-
Save alopresto/ff9bbe693b0e7043a7c468bb2ca5adfa to your computer and use it in GitHub Desktop.
Results of cipherscan and analysis for default secure NiFi 0.6.0.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| hw12203:/Users/alopresto/Workspace/cipherscan alopresto | |
| π 1s @ 21:57:02 $ python analyze.py -t nifi.nifi.apache.org:8443 | |
| nifi.nifi.apache.org:8443 has bad ssl/tls | |
| Things that are bad: | |
| * don't use an untrusted or self-signed certificate | |
| Changes needed to match the old level: | |
| * enable SSLv3 | |
| * use a certificate with sha1WithRSAEncryption signature | |
| * use DHE of 1024bits and ECC of 160bits | |
| * consider enabling OCSP Stapling | |
| * enforce server side ordering | |
| Changes needed to match the intermediate level: | |
| * consider using DHE of at least 2048bits and ECC of at least 256bits | |
| * consider enabling OCSP Stapling | |
| * enforce server side ordering | |
| * increase priority of DHE-RSA-AES256-GCM-SHA384 over ECDHE-RSA-AES256-SHA | |
| * increase priority of ECDHE-RSA-AES128-GCM-SHA256 over AES256-SHA | |
| * increase priority of DHE-RSA-AES128-GCM-SHA256 over ECDHE-RSA-AES128-SHA | |
| * increase priority of ECDHE-RSA-DES-CBC3-SHA over AES128-SHA | |
| * fix ciphersuite ordering, use recommended intermediate ciphersuite | |
| Changes needed to match the modern level: | |
| * remove cipher ECDHE-RSA-AES256-SHA | |
| * remove cipher DHE-RSA-AES256-GCM-SHA384 | |
| * remove cipher DHE-RSA-AES256-SHA256 | |
| * remove cipher DHE-RSA-AES256-SHA | |
| * remove cipher AES256-GCM-SHA384 | |
| * remove cipher AES256-SHA256 | |
| * remove cipher AES256-SHA | |
| * remove cipher ECDHE-RSA-AES128-SHA | |
| * remove cipher DHE-RSA-AES128-GCM-SHA256 | |
| * remove cipher DHE-RSA-AES128-SHA256 | |
| * remove cipher DHE-RSA-AES128-SHA | |
| * remove cipher AES128-GCM-SHA256 | |
| * remove cipher AES128-SHA256 | |
| * remove cipher AES128-SHA | |
| * remove cipher ECDHE-RSA-DES-CBC3-SHA | |
| * remove cipher EDH-RSA-DES-CBC3-SHA | |
| * remove cipher DES-CBC3-SHA | |
| * disable TLSv1.1 | |
| * disable TLSv1 | |
| * use DHE of at least 2048bits and ECC of at least 256bits | |
| * consider enabling OCSP Stapling | |
| * enforce server side ordering | |
| hw12203:/Users/alopresto/Workspace/cipherscan alopresto | |
| π 33s @ 21:57:42 $ ./cipherscan nifi.nifi.apache.org:8443 | |
| .............................................................................................................................................................................................................................. | |
| Target: nifi.nifi.apache.org:8443 | |
| prio ciphersuite protocols pfs curves | |
| 1 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,B-571,570bits sect163k1,sect163r1,sect163r2,sect193r1,sect193r2,sect233k1,sect233r1,sect239k1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,secp192k1,prime192v1,secp224k1,secp224r1,secp256k1,prime256v1,secp384r1,secp521r1 | |
| 2 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH,B-571,570bits sect163k1,sect163r1,sect163r2,sect193r1,sect193r2,sect233k1,sect233r1,sect239k1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,secp192k1,prime192v1,secp224k1,secp224r1,secp256k1,prime256v1,secp384r1,secp521r1 | |
| 3 ECDHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,B-571,570bits sect163k1,sect163r1,sect163r2,sect193r1,sect193r2,sect233k1,sect233r1,sect239k1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,secp192k1,prime192v1,secp224k1,secp224r1,secp256k1,prime256v1,secp384r1,secp521r1 | |
| 4 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 DH,1024bits None | |
| 5 DHE-RSA-AES256-SHA256 TLSv1.2 DH,1024bits None | |
| 6 DHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits None | |
| 7 AES256-GCM-SHA384 TLSv1.2 None None | |
| 8 AES256-SHA256 TLSv1.2 None None | |
| 9 AES256-SHA TLSv1,TLSv1.1,TLSv1.2 None None | |
| 10 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,B-571,570bits sect163k1,sect163r1,sect163r2,sect193r1,sect193r2,sect233k1,sect233r1,sect239k1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,secp192k1,prime192v1,secp224k1,secp224r1,secp256k1,prime256v1,secp384r1,secp521r1 | |
| 11 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,B-571,570bits sect163k1,sect163r1,sect163r2,sect193r1,sect193r2,sect233k1,sect233r1,sect239k1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,secp192k1,prime192v1,secp224k1,secp224r1,secp256k1,prime256v1,secp384r1,secp521r1 | |
| 12 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,B-571,570bits sect163k1,sect163r1,sect163r2,sect193r1,sect193r2,sect233k1,sect233r1,sect239k1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,secp192k1,prime192v1,secp224k1,secp224r1,secp256k1,prime256v1,secp384r1,secp521r1 | |
| 13 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 DH,1024bits None | |
| 14 DHE-RSA-AES128-SHA256 TLSv1.2 DH,1024bits None | |
| 15 DHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits None | |
| 16 AES128-GCM-SHA256 TLSv1.2 None None | |
| 17 AES128-SHA256 TLSv1.2 None None | |
| 18 AES128-SHA TLSv1,TLSv1.1,TLSv1.2 None None | |
| 19 ECDHE-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,B-571,570bits sect163k1,sect163r1,sect163r2,sect193r1,sect193r2,sect233k1,sect233r1,sect239k1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,secp192k1,prime192v1,secp224k1,secp224r1,secp256k1,prime256v1,secp384r1,secp521r1 | |
| 20 EDH-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits None | |
| 21 DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 None None | |
| Certificate: untrusted, 4096 bits, sha256WithRSAEncryption signature | |
| TLS ticket lifetime hint: None | |
| OCSP stapling: not supported | |
| Cipher ordering: client | |
| Curves ordering: client - fallback: no | |
| Server supports secure renegotiation | |
| Server supported compression methods: NONE | |
| TLS Tolerance: yes | |
| hw12203:/Users/alopresto/Workspace/cipherscan alopresto | |
| π 32s @ 21:58:35 $ which openssl | |
| /usr/bin/openssl | |
| hw12203:/Users/alopresto/Workspace/cipherscan alopresto | |
| π 0s @ 22:05:53 $ openssl version | |
| OpenSSL 0.9.8zg 14 July 2015 | |
| hw12203:/Users/alopresto/Workspace/cipherscan alopresto | |
| π 0s @ 22:05:57 $ ossl version | |
| OpenSSL 1.0.2g 1 Mar 2016 | |
| hw12203:/Users/alopresto/Workspace/cipherscan alopresto | |
| π 0s @ 22:19:32 $ ossl s_client -connect nifi.nifi.apache.org:8443 -debug -state -CAfile /Users/alopresto/Workspace/certificates/nifi_secure/kerberos/rootCA.pem </dev/null | |
| CONNECTED(00000003) | |
| SSL_connect:before/connect initialization | |
| write to 0x7fad8961fa30 [0x7fad8a805e00] (308 bytes => 308 (0x134)) | |
| 0000 - 16 03 01 01 2f 01 00 01-2b 03 03 8b 17 72 66 ec ..../...+....rf. | |
| ... | |
| 0120 - 02 04 03 03 01 03 02 03-03 02 01 02 02 02 03 00 ................ | |
| 0130 - 0f 00 01 01 .... | |
| SSL_connect:SSLv2/v3 write client hello A | |
| read from 0x7fad8961fa30 [0x7fad8a80b400] (7 bytes => 7 (0x7)) | |
| 0000 - 16 03 03 0f d8 02 ...... | |
| 0007 - <SPACES/NULS> | |
| read from 0x7fad8961fa30 [0x7fad8a80b40a] (4054 bytes => 4054 (0xFD6)) | |
| 0000 - 00 4d 03 03 56 fb 62 2b-8a 87 8b f3 d6 be b5 b3 .M..V.b+........ | |
| ... | |
| 0fc0 - 6f 2e 61 70 61 63 68 65-40 67 6d 61 69 6c 2e 63 [email protected] | |
| 0fd0 - 6f 6d 0e om. | |
| 0fd6 - <SPACES/NULS> | |
| SSL_connect:SSLv3 read server hello A | |
| depth=1 C = US, ST = California, L = Santa Monica, O = Apache NiFi, OU = CA, CN = rootca.nifi.apache.org, emailAddress = [email protected] | |
| verify return:1 | |
| depth=0 C = US, ST = California, L = Santa Monica, O = Apache NiFi, OU = Security, CN = nifi.nifi.apache.org | |
| verify return:1 | |
| SSL_connect:SSLv3 read server certificate A | |
| SSL_connect:SSLv3 read server key exchange A | |
| SSL_connect:SSLv3 read server certificate request A | |
| SSL_connect:SSLv3 read server done A | |
| write to 0x7fad8961fa30 [0x7fad8980a200] (12 bytes => 12 (0xC)) | |
| 0000 - 16 03 03 00 07 0b 00 00-03 ......... | |
| 000c - <SPACES/NULS> | |
| SSL_connect:SSLv3 write client certificate A | |
| write to 0x7fad8961fa30 [0x7fad8980a200] (75 bytes => 75 (0x4B)) | |
| 0000 - 16 03 03 00 46 10 00 00-42 41 04 59 9d 41 7a 1f ....F...BA.Y.Az. | |
| ... | |
| 0040 - ad 96 e7 49 52 bd 05 a7-b8 92 10 ...IR...... | |
| SSL_connect:SSLv3 write client key exchange A | |
| write to 0x7fad8961fa30 [0x7fad8980a200] (6 bytes => 6 (0x6)) | |
| 0000 - 14 03 03 00 01 01 ...... | |
| SSL_connect:SSLv3 write change cipher spec A | |
| write to 0x7fad8961fa30 [0x7fad8980a200] (45 bytes => 45 (0x2D)) | |
| 0000 - 16 03 03 00 28 75 00 80-a4 51 4b f5 28 75 af 6d ....(u...QK.(u.m | |
| ... | |
| 0020 - ec e5 de 34 be 18 cf 4d-48 d8 d7 e8 e0 ...4...MH.... | |
| SSL_connect:SSLv3 write finished A | |
| SSL_connect:SSLv3 flush data | |
| read from 0x7fad8961fa30 [0x7fad8a80b403] (5 bytes => 5 (0x5)) | |
| 0000 - 14 03 03 00 01 ..... | |
| read from 0x7fad8961fa30 [0x7fad8a80b408] (1 bytes => 1 (0x1)) | |
| 0000 - 01 . | |
| read from 0x7fad8961fa30 [0x7fad8a80b403] (5 bytes => 5 (0x5)) | |
| 0000 - 16 03 03 00 28 ....( | |
| read from 0x7fad8961fa30 [0x7fad8a80b408] (40 bytes => 40 (0x28)) | |
| 0000 - 00 00 00 00 00 00 00 00-00 2c cc a0 20 f9 ff 5f .........,.. .._ | |
| ... | |
| 0020 - 2c 60 04 97 e0 32 1c d6- ,`...2.. | |
| SSL_connect:SSLv3 read finished A | |
| --- | |
| Certificate chain | |
| 0 s:/C=US/ST=California/L=Santa Monica/O=Apache NiFi/OU=Security/CN=nifi.nifi.apache.org | |
| i:/C=US/ST=California/L=Santa Monica/O=Apache NiFi/OU=CA/CN=rootca.nifi.apache.org/[email protected] | |
| 1 s:/C=US/ST=California/L=Santa Monica/O=Apache NiFi/OU=CA/CN=rootca.nifi.apache.org/[email protected] | |
| i:/C=US/ST=California/L=Santa Monica/O=Apache NiFi/OU=CA/CN=rootca.nifi.apache.org/[email protected] | |
| --- | |
| Server certificate | |
| -----BEGIN CERTIFICATE----- | |
| MIIFpzCCA48CCQDWgsqP/Y3K/jANBgkqhkiG9w0BAQsFADCBqDELMAkGA1UEBhMC | |
| ... | |
| GZJzFs6BSGM2mHCGgo7U6B9M6La0/uJy4pDqkgpP8UURZb3V7t7PqQoptB9DerLq | |
| Wn9AYQnKfSnfRVY= | |
| -----END CERTIFICATE----- | |
| subject=/C=US/ST=California/L=Santa Monica/O=Apache NiFi/OU=Security/CN=nifi.nifi.apache.org | |
| issuer=/C=US/ST=California/L=Santa Monica/O=Apache NiFi/OU=CA/CN=rootca.nifi.apache.org/[email protected] | |
| --- | |
| Acceptable client certificate CA names | |
| /C=US/ST=California/L=Santa Monica/O=Apache NiFi/OU=Security/CN=nifi.nifi.apache.org | |
| /C=US/ST=California/L=Santa Monica/O=Apache NiFi/OU=CA/CN=rootca.nifi.apache.org/[email protected] | |
| Client Certificate Types: RSA sign, DSA sign, ECDSA sign | |
| Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1 | |
| Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1 | |
| Peer signing digest: SHA512 | |
| Server Temp Key: ECDH, P-256, 256 bits | |
| --- | |
| SSL handshake has read 4112 bytes and written 446 bytes | |
| --- | |
| New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 | |
| Server public key is 4096 bit | |
| Secure Renegotiation IS supported | |
| Compression: NONE | |
| Expansion: NONE | |
| No ALPN negotiated | |
| SSL-Session: | |
| Protocol : TLSv1.2 | |
| Cipher : ECDHE-RSA-AES256-GCM-SHA384 | |
| Session-ID: 56FB622B... | |
| Session-ID-ctx: | |
| Master-Key: ... | |
| Key-Arg : None | |
| PSK identity: None | |
| PSK identity hint: None | |
| SRP username: None | |
| Start Time: 1459315243 | |
| Timeout : 300 (sec) | |
| Verify return code: 0 (ok) | |
| --- | |
| DONE | |
| write to 0x7fad8961fa30 [0x7fad8a80fa03] (31 bytes => 31 (0x1F)) | |
| 0000 - 15 03 03 00 1a 75 00 80-a4 51 4b f5 29 9d 1d 07 .....u...QK.)... | |
| 0010 - 02 19 86 8b aa 83 5c a4-96 b5 48 de 06 43 bf ......\...H..C. | |
| SSL3 alert write:warning:close notify | |
| hw12203:/Users/alopresto/Workspace/cipherscan alopresto | |
| π 0s @ 22:20:44 $ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment