CipherScan: Discovers the SSL ciphersuites supported by the target.
Features
- Tests the ordering of SSL/TLS ciphers.
- Extracts information on:
  - Certificates
  - TLS options
  - OCSP stapling
Supported Operating System
- Unix
- Linux
- Darwin
Usage
./cipherscan
Options
-a | --allciphers Test all known ciphers individually at the end
-b | --benchmark Activate benchmark mode.
--capath Use CAs from directory (must be in openssl cadir format)
--saveca Save intermediate certificates in CA directory
-d | --delay Pause for n seconds between connections
-D | --debug Output ALL the information.
-h | --help Shows this help text.
-j | --json Output results in JSON format.
-o | --openssl Path/to/your/openssl binary you want to use.
--savecrt Path where to save untrusted and leaf certificates
--[no-]curves Test ECC curves supported by server (req. OpenSSL 1.0.2)
--sigalg Test signature algorithms used in TLSv1.2 ephemeral ciphers (req. OpenSSL 1.0.2)
--[no-]tolerance Test TLS tolerance
--no-sni Don't use Server Name Indication
--colors Force use of colors (autodetect by default)
--no-colors Don't use terminal colors
-v | --verbose Increase verbosity
OpenSSL Options
-starttls [smtp|imap|pop3|ftp|xmpp]
Enable support and testing of the protocols that require turning TLS after initial protocol specific.
-servername name
Request SNI support for connections
-proxy proxyhost:port
Connect to the scan target via specified proxy (req. OpenSSL 1.1.0 or bundled OpenSSL)
-verify_hostname name
Request host name verification in connection (req. OpenSSL 1.0.2)
-verify_ip ip
Request host name verification for an IP address, usually not specified in certificates (req. OpenSSL 1.0.2)
Analysing Configurations
The motivation behind CipherScan is to help operators configure good TLS on their endpoints. To help with this further, the script analyze.py compares the results of a CipherScan run with the TLS guidelines and outputs a level and recommendations.
Usage
- ./analyze.py -t
Positional Arguments
infile CipherScan json results
outfile json formatted analysis
Optional Arguments
-h, --help Show this help message and exit
-d Debug output
-l LEVEL Target configuration level [old, intermediate, modern]
-t TARGET Analyze a target, invokes cipherscan
-o OPENSSL Path to openssl binary, if you don't like the default
-j Output results in json format
--ops OPERATOR Optional name of the operator's team added into the JSON output (for database insertion)
--nagios Use nagios-conformant exit codes