tmp
Wednesday, September 19, 2018
Check TLS
### web

https://www.ssllabs.com/ssltest/

### curl

```bash
$ curl -v -s --tlsv1.0 "https://www.google.com" > /dev/null
* Rebuilt URL to: https://www.google.com/
*   Trying 2404:6800:400a:808::2004...
* TCP_NODELAY set
* Connected to www.google.com (2404:6800:400a:808::2004) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.0 (OUT), TLS handshake, Client hello (1):
} [220 bytes data]
* TLSv1.0 (IN), TLS handshake, Server hello (2):
{ [96 bytes data]
* TLSv1.0 (IN), TLS handshake, Certificate (11):
{ [2104 bytes data]
:
```

* `--sslv2` SSL2.0
* `--sslv3` SSL3.0
* `--tlsv1.0` TLS1.0
* `--tlsv1.1` TLS1.1
* `--tlsv1.2` TLS1.2

### nmap

```bash
brew install nmap
```

```bash
$ nmap --script ssl-enum-ciphers -p 443 www.google.com
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-19 14:14 JST
Nmap scan report for www.google.com (172.217.161.196)
Host is up (0.0097s latency).
Other addresses for www.google.com (not scanned): 2404:6800:400a:80b::2004
rDNS record for 172.217.161.196: kix07s03-in-f4.1e100.net

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
:
```

## References

* https://qiita.com/greymd/items/68b0c40044a88171235a
* https://www.cloudibee.com/disabling-tls-1-0-on-nginx/
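The grades and warnings in the `ssl-enum-ciphers` output from the nmap section can be checked mechanically. The following is an added example, not part of the original post: it parses that output format and lists deprecated protocol versions, ciphers graded below A, and nmap's warnings. The sample input is constructed (the TLSv1.0 stanza is abridged from the scan in this post, the TLSv1.2 stanza is made up), the function names are hypothetical, and a single scanned port is assumed.

```python
import re

DEPRECATED = {"SSLv3", "TLSv1.0", "TLSv1.1"}  # RFC 7568, RFC 8996

# Constructed sample: TLSv1.0 stanza abridged from the post, TLSv1.2 made up.
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|_  least strength: C
"""

def parse_ssl_enum_ciphers(text):
    """Return {protocol: {"ciphers": [(name, grade)], "warnings": [str]}}."""
    result, proto, section = {}, None, None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").rstrip()
        if not raw.startswith("|") or line.startswith("least strength:"):
            section = None  # outside the per-protocol stanzas
        elif re.fullmatch(r"(SSL|TLS)v[\d.]+:", line):
            proto, section = line[:-1], None
            result[proto] = {"ciphers": [], "warnings": []}
        elif line in ("ciphers:", "compressors:", "warnings:"):
            section = line[:-1]
        elif proto and section == "ciphers":
            if m := re.fullmatch(r"(\S+)(?: \(.*\))? - ([A-F])", line):
                result[proto]["ciphers"].append(m.groups())
        elif proto and section == "warnings":
            result[proto]["warnings"].append(line)
    return result

def findings(parsed):
    """List deprecated protocols, ciphers graded below A, and nmap warnings."""
    out = []
    for proto, info in parsed.items():
        if proto in DEPRECATED:
            out.append(f"{proto}: deprecated protocol accepted")
        out += [f"{proto}: {c} graded {g}" for c, g in info["ciphers"] if g > "A"]
        out += [f"{proto}: {w}" for w in info["warnings"]]
    return out
```

Feed it the saved scan text, for example `print("\n".join(findings(parse_ssl_enum_ciphers(open("scan.txt").read()))))`, where `scan.txt` is a hypothetical file holding nmap's normal output.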