Informations :
Dates
- Publish : : Tuesday 14 november 2023
- Modification : Monday 27 november 2023
- 194 views
Share :
NdM : 2023/11/14 - Ébauche d'article.
Bonjour, aujourd'hui J'écris ce mémo sur quelques commandes concernant OpenSSL pour intéroger, pour vérifier les suites de chiffrement d'un protocol de communication.
Je vais utiliser OpenSSL, Nmap, Telnet et parler de Postfix le serveur MTA de mails.
Vérifier la suites des algorithmes de chiffrements autorisés sur un serveur.
Avec la commande de scann → nmap
← et leur script ssl-enum-ciphers
.
Script avec 33 lignes
001$ nmap --script ssl-enum-ciphers -p 443 www.zw3b.eu -6
002 003Starting Nmap 7.40 ( https://nmap.org ) at 2023-11-14 17:16 CET
004Nmap scan report for www.zw3b.eu (2607:5300:60:9389::1)
005Host is up (0.10s latency).
006Other addresses for www.zw3b.eu (not scanned): 158.69.126.137
007rDNS record for 2607:5300:60:9389::1: wan.ipv10.net
008PORT STATE SERVICE
009443/tcp open https
010| ssl-enum-ciphers:
011| TLSv1.2:
012| ciphers:
013| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp384r1) - A
014| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (secp384r1) - A
015| TLS_ECDHE_ECDSA_WITH_AES_128_CCM (secp384r1) - A
016| TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 (secp384r1) - A
017| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp384r1) - A
018| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp384r1) - A
019| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (secp384r1) - A
020| TLS_ECDHE_ECDSA_WITH_AES_256_CCM (secp384r1) - A
021| TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 (secp384r1) - A
022| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
023| TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 (secp384r1) - A
024| TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 (secp384r1) - A
025| TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 (secp384r1) - A
026| TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 (secp384r1) - A
027| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (secp384r1) - A
028| compressors:
029| NULL
030| cipher preference: client
031|_ least strength: A
032 033Nmap done: 1 IP address (1 host up) scanned in 9.54 seconds
Je peut utiliser la commande → openssl s_client
Je peut essayer de me conecter au site s'il dispose d'un certificat tls1_3
, tls1_2
, tls1_1
Script avec 57 lignes
001echo | openssl s_client -showcerts -connect www.zw3b.eu:443 -servername www.zw3b.eu -tls1_3
002CONNECTED(00000003)
003depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
004verify return:1
005depth=1 C = US, O = Let's Encrypt, CN = R3
006verify return:1
007depth=0 CN = zw3b.eu
008verify return:1
009---
010Certificate chain
0110 s:CN = zw3b.eu
012i:C = US, O = Let's Encrypt, CN = R3
013-----BEGIN CERTIFICATE-----
014MIIEOTCCAyGgAwIBAgISBLozcwPm7Dwnu132Z9sR/uHyMA0GCSqGSIb3DQEBCwUA
015[...]
016s41KxazyA1yD0dnXPE9u9m5i3Uu8nZrGOuHcJxM=
017-----END CERTIFICATE-----
0181 s:C = US, O = Let's Encrypt, CN = R3
019i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
020-----BEGIN CERTIFICATE-----
021MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
022[...]
023MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
024nLRbwHOoq7hHwg==
025-----END CERTIFICATE-----
0262 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
027i:O = Digital Signature Trust Co., CN = DST Root CA X3
028-----BEGIN CERTIFICATE-----
029MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
030[...]
031Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
032-----END CERTIFICATE-----
033---
034Server certificate
035subject=CN = zw3b.eu
036 037issuer=C = US, O = Let's Encrypt, CN = R3
038 039---
040No client certificate CA names sent
041Peer signing digest: SHA384
042Peer signature type: ECDSA
043Server Temp Key: X25519, 253 bits
044---
045SSL handshake has read 4188 bytes and written 315 bytes
046Verification: OK
047---
048New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
049Server public key is 384 bit
050Secure Renegotiation IS NOT supported
051Compression: NONE
052Expansion: NONE
053No ALPN negotiated
054Early data was not sent
055Verify return code: 0 (ok)
056---
057DONE
Voir le certificat d'un site avec en plus openssl x509
et les options -text -noout
(pour un certificat local utiliser l'option -in file.pem
).
Script avec 94 lignes
001$ echo | openssl s_client -showcerts -connect www.zw3b.eu:443 -servername www.zw3b.eu -tls1_3 | openssl x509 -text -noout
002depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
003verify return:1
004depth=1 C = US, O = Let's Encrypt, CN = R3
005verify return:1
006depth=0 CN = zw3b.eu
007verify return:1
008Certificate:
009Data:
010Version: 3 (0x2)
011Serial Number:
01204:ba:33:73:03:e6:ec:3c:27:bb:5d:f6:67:db:11:fe:e1:f2
013Signature Algorithm: sha256WithRSAEncryption
014Issuer: C = US, O = Let's Encrypt, CN = R3
015Validity
016Not Before: Sep 24 21:39:12 2023 GMT
017Not After : Dec 23 21:39:11 2023 GMT
018Subject: CN = zw3b.eu
019Subject Public Key Info:
020Public Key Algorithm: id-ecPublicKey
021Public-Key: (384 bit)
022pub:
02304:c3:77:94:e0:af:ca:10:c4:c4:0e:ab:e4:16:14:
0246a:79:00:3e:d2:20:a3:8a:f4:e2:13:06:3b:ce:67:
02538:93:ff:57:69:77:7f:d5:5d:dd:d5:6e:c2:f3:b4:
026bb:59:7b:5d:f3:00:92:c8:c4:2d:91:15:aa:70:14:
02722:7d:f3:cc:d5:0a:04:85:33:48:88:f7:ab:cf:3c:
028f2:73:6c:34:3f:50:e0:78:e1:88:56:83:f9:cc:fa:
0299d:89:c9:8b:58:bc:e9
030ASN1 OID: secp384r1
031NIST CURVE: P-384
032X509v3 extensions:
033X509v3 Key Usage: critical
034Digital Signature
035X509v3 Extended Key Usage:
036TLS Web Server Authentication, TLS Web Client Authentication
037X509v3 Basic Constraints: critical
038CA:FALSE
039X509v3 Subject Key Identifier:
04018:7A:A8:66:84:77:A4:B8:BD:44:19:09:B2:9C:74:06:48:5D:AB:36
041X509v3 Authority Key Identifier:
042keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
043 044Authority Information Access:
045OCSP - URI:http://r3.o.lencr.org
046CA Issuers - URI:http://r3.i.lencr.org/
047 048X509v3 Subject Alternative Name:
049DNS:*.zw3b.eu, DNS:zw3b.eu
050X509v3 Certificate Policies:
051Policy: 2.23.140.1.2.1
052 053CT Precertificate SCTs:
054Signed Certificate Timestamp:
055Version : v1 (0x0)
056Log ID : B7:3E:FB:24:DF:9C:4D:BA:75:F2:39:C5:BA:58:F4:6C:
0575D:FC:42:CF:7A:9F:35:C4:9E:1D:09:81:25:ED:B4:99
058Timestamp : Sep 24 22:39:13.014 2023 GMT
059Extensions: none
060Signature : ecdsa-with-SHA256
06130:45:02:21:00:D1:84:23:8C:C2:68:20:52:97:2E:FA:
0621A:B5:88:A4:F8:1A:46:78:38:17:24:63:90:C8:BB:13:
06330:DD:99:1B:E5:02:20:29:19:0B:8E:A0:8D:61:BE:5C:
064F4:34:97:BF:98:94:13:43:17:86:B5:3B:75:10:75:62:
065CD:1A:3D:0D:E0:3D:D3
066Signed Certificate Timestamp:
067Version : v1 (0x0)
068Log ID : 7A:32:8C:54:D8:B7:2D:B6:20:EA:38:E0:52:1E:E9:84:
06916:70:32:13:85:4D:3B:D2:2B:C1:3A:57:A3:52:EB:52
070Timestamp : Sep 24 22:39:13.078 2023 GMT
071Extensions: none
072Signature : ecdsa-with-SHA256
07330:46:02:21:00:C4:19:58:41:52:FF:84:DD:4C:C2:10:
07494:EF:01:F6:FE:A3:5F:BB:97:91:55:F7:BF:94:3F:8C:
075A0:AD:C6:A7:28:02:21:00:C5:03:34:4B:3E:2A:C8:27:
076F0:B6:E6:C2:DF:5D:13:26:D1:01:D8:CA:70:8C:8C:77:
07774:68:87:79:FC:67:DB:BD
078Signature Algorithm: sha256WithRSAEncryption
07909:fa:05:97:8f:9f:87:5e:06:0e:26:25:94:ca:c4:1e:51:13:
080e7:14:e1:6d:74:b0:24:05:b9:60:4d:75:48:b4:49:8f:92:14:
081aa:b6:2d:ac:43:fd:5e:07:1a:20:b7:7a:53:f6:23:16:68:34:
0826e:9f:79:cb:bc:52:bb:74:a0:a0:20:ff:ab:ba:f7:67:aa:8f:
0832d:fc:e3:55:92:f3:c6:dd:f3:f3:31:22:0f:ce:03:b6:82:d1:
08472:0b:50:de:1b:9f:e2:6e:56:fa:22:c6:ee:b6:d0:1a:da:fd:
085db:bd:be:92:69:3d:59:fa:2c:04:0d:09:dc:60:c0:75:d8:7d:
0862c:79:71:e3:1a:3a:77:40:de:8f:60:40:69:d6:1f:1d:2b:08:
08767:90:7a:ea:1e:9c:13:20:d4:ca:8b:0e:06:23:18:11:92:64:
08867:46:aa:45:12:08:4d:a3:43:2b:85:6f:8a:11:2c:38:67:ca:
08962:7d:6b:e9:1e:28:b2:83:0c:cd:e2:1f:71:97:df:f6:6b:b7:
090ed:77:81:48:2d:94:0f:ae:d5:62:d4:3c:f7:e0:52:a1:60:55:
0913e:f7:8c:cf:b1:35:96:af:ff:60:66:b3:8d:4a:c5:ac:f2:03:
0925c:83:d1:d9:d7:3c:4f:6e:f6:6e:62:dd:4b:bc:9d:9a:c6:3a:
093e1:dc:27:13
094DONE
Note : Voir un certificat local openssl x509 -text -noout -in file.pem
.
On peut visualiser d'autres protocoles que le HTTPS (port 443).
Après cette introduction, je vais vous parler des procotoles SMTPs IMAPs POPs...
Par exemple le service STMP (port 25) ou SMTPs (port 465) ou SMTPS with StartTLS (port 587)
Ci-dessous, j'envoie un commande sur le port 25 (SMTP) sans sécurité avec en option "starttls" pour activer la transmission sécurisée.
Script avec 67 lignes
001$ echo | openssl s_client -starttls smtp -showcerts -connect smtp.zw3b.eu:25 -servername smtp.zw3b.eu
002CONNECTED(00000003)
003depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
004verify return:1
005depth=1 C = US, O = Let's Encrypt, CN = R3
006verify return:1
007depth=0 CN = mail.zw3b.eu
008verify return:1
009---
010Certificate chain
0110 s:CN = mail.zw3b.eu
012i:C = US, O = Let's Encrypt, CN = R3
013-----BEGIN CERTIFICATE-----
014MIIGRjCCBS6gAwIBAgISBAO2RR2xXxEujKzQr5wV6Wf+MA0GCSqGSIb3DQEBCwUA
015[...]
016GpjuiyV0VMVKFUUPfTKf2BDeQkQlPWUdnZj1W7ROCES6TB4CUv/IVbr1DI6M1Erj
0172qAdtLT7EypMLxFAXAKB5uwr0mYf0mihwQs=
018-----END CERTIFICATE-----
0191 s:CN = mail.zw3b.eu
020i:C = US, O = Let's Encrypt, CN = R3
021-----BEGIN CERTIFICATE-----
022MIIGRjCCBS6gAwIBAgISBAO2RR2xXxEujKzQr5wV6Wf+MA0GCSqGSIb3DQEBCwUA
023[...]
024GpjuiyV0VMVKFUUPfTKf2BDeQkQlPWUdnZj1W7ROCES6TB4CUv/IVbr1DI6M1Erj
0252qAdtLT7EypMLxFAXAKB5uwr0mYf0mihwQs=
026-----END CERTIFICATE-----
0272 s:C = US, O = Let's Encrypt, CN = R3
028i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
029-----BEGIN CERTIFICATE-----
030MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
031[...]
032MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
033nLRbwHOoq7hHwg==
034-----END CERTIFICATE-----
0353 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
036i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
037-----BEGIN CERTIFICATE-----
038MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
039[...]
040emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
041-----END CERTIFICATE-----
042---
043Server certificate
044subject=CN = mail.zw3b.eu
045 046issuer=C = US, O = Let's Encrypt, CN = R3
047 048---
049No client certificate CA names sent
050Peer signing digest: SHA384
051Peer signature type: ECDSA
052Server Temp Key: X25519, 253 bits
053---
054SSL handshake has read 6536 bytes and written 417 bytes
055Verification: OK
056---
057New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
058Server public key is 384 bit
059Secure Renegotiation IS NOT supported
060Compression: NONE
061Expansion: NONE
062No ALPN negotiated
063Early data was not sent
064Verify return code: 0 (ok)
065---
066250 CHUNKING
067DONE
Ci-dessous, j'envoie une commande sur le port 465 (SMTPs) donc sécurisée.
Script avec 67 lignes
001echo | openssl s_client -showcerts -connect smtp.zw3b.eu:465 -servername smtp.zw3b.eu
002CONNECTED(00000003)
003depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
004verify return:1
005depth=1 C = US, O = Let's Encrypt, CN = R3
006verify return:1
007depth=0 CN = mail.zw3b.eu
008verify return:1
009---
010Certificate chain
0110 s:CN = mail.zw3b.eu
012i:C = US, O = Let's Encrypt, CN = R3
013-----BEGIN CERTIFICATE-----
014MIIGRjCCBS6gAwIBAgISBAO2RR2xXxEujKzQr5wV6Wf+MA0GCSqGSIb3DQEBCwUA
015[...]
016GpjuiyV0VMVKFUUPfTKf2BDeQkQlPWUdnZj1W7ROCES6TB4CUv/IVbr1DI6M1Erj
0172qAdtLT7EypMLxFAXAKB5uwr0mYf0mihwQs=
018-----END CERTIFICATE-----
0191 s:CN = mail.zw3b.eu
020i:C = US, O = Let's Encrypt, CN = R3
021-----BEGIN CERTIFICATE-----
022MIIGRjCCBS6gAwIBAgISBAO2RR2xXxEujKzQr5wV6Wf+MA0GCSqGSIb3DQEBCwUA
023[...]
024GpjuiyV0VMVKFUUPfTKf2BDeQkQlPWUdnZj1W7ROCES6TB4CUv/IVbr1DI6M1Erj
0252qAdtLT7EypMLxFAXAKB5uwr0mYf0mihwQs=
026-----END CERTIFICATE-----
0272 s:C = US, O = Let's Encrypt, CN = R3
028i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
029-----BEGIN CERTIFICATE-----
030MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
031[...]
032MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
033nLRbwHOoq7hHwg==
034-----END CERTIFICATE-----
0353 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
036i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
037-----BEGIN CERTIFICATE-----
038MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
039TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
040[...]
041emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
042-----END CERTIFICATE-----
043---
044Server certificate
045subject=CN = mail.zw3b.eu
046 047issuer=C = US, O = Let's Encrypt, CN = R3
048 049---
050No client certificate CA names sent
051Peer signing digest: SHA384
052Peer signature type: ECDSA
053Server Temp Key: X25519, 253 bits
054---
055SSL handshake has read 6336 bytes and written 384 bytes
056Verification: OK
057---
058New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
059Server public key is 384 bit
060Secure Renegotiation IS NOT supported
061Compression: NONE
062Expansion: NONE
063No ALPN negotiated
064Early data was not sent
065Verify return code: 0 (ok)
066---
067DONE
Ci-dessous, j'envoie une commande sur le port 587 (SMTPs) (dans un serveur MAIL comme Postfix, la demande StartTLS est automatique). Ici, c'est "openssl" le client, il faut lui envoyer l'opion nous même, tout comme nous l'avons fait en se connectant sur le port 25.
Script avec 67 lignes
001$ echo | openssl s_client -starttls smtp -showcerts -connect smtp.zw3b.eu:587 -servername smtp.zw3b.eu
002CONNECTED(00000003)
003depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
004verify return:1
005depth=1 C = US, O = Let's Encrypt, CN = R3
006verify return:1
007depth=0 CN = mail.zw3b.eu
008verify return:1
009---
010Certificate chain
0110 s:CN = mail.zw3b.eu
012i:C = US, O = Let's Encrypt, CN = R3
013-----BEGIN CERTIFICATE-----
014MIIGRjCCBS6gAwIBAgISBAO2RR2xXxEujKzQr5wV6Wf+MA0GCSqGSIb3DQEBCwUA
015[...]
016GpjuiyV0VMVKFUUPfTKf2BDeQkQlPWUdnZj1W7ROCES6TB4CUv/IVbr1DI6M1Erj
0172qAdtLT7EypMLxFAXAKB5uwr0mYf0mihwQs=
018-----END CERTIFICATE-----
0191 s:CN = mail.zw3b.eu
020i:C = US, O = Let's Encrypt, CN = R3
021-----BEGIN CERTIFICATE-----
022MIIGRjCCBS6gAwIBAgISBAO2RR2xXxEujKzQr5wV6Wf+MA0GCSqGSIb3DQEBCwUA
023[...]
024GpjuiyV0VMVKFUUPfTKf2BDeQkQlPWUdnZj1W7ROCES6TB4CUv/IVbr1DI6M1Erj
0252qAdtLT7EypMLxFAXAKB5uwr0mYf0mihwQs=
026-----END CERTIFICATE-----
0272 s:C = US, O = Let's Encrypt, CN = R3
028i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
029-----BEGIN CERTIFICATE-----
030MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
031[...]
032MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
033nLRbwHOoq7hHwg==
034-----END CERTIFICATE-----
0353 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
036i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
037-----BEGIN CERTIFICATE-----
038MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
039[...]
040emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
041-----END CERTIFICATE-----
042---
043Server certificate
044subject=CN = mail.zw3b.eu
045 046issuer=C = US, O = Let's Encrypt, CN = R3
047 048---
049No client certificate CA names sent
050Peer signing digest: SHA384
051Peer signature type: ECDSA
052Server Temp Key: X25519, 253 bits
053---
054SSL handshake has read 6537 bytes and written 417 bytes
055Verification: OK
056---
057New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
058Server public key is 384 bit
059Secure Renegotiation IS NOT supported
060Compression: NONE
061Expansion: NONE
062No ALPN negotiated
063Early data was not sent
064Verify return code: 0 (ok)
065---
066250 CHUNKING
067DONE
On peut utiliser telnet
pour se connecter au serveur SMTP :
Script avec 5 lignes
001$ telnet mail.zw3b.eu 25
002Trying 2607:5300:60:9389:17:4c1:0:1a...
003Connected to mail.zw3b.eu.
004Escape character is '^]'.
005220 mail.zw3b.eu ESMTP Postfix
Il faut envoyer un "nom de domaine" avec la commande SMTP :
Script avec 1 ligne
001EHLO zw3b.eu
Qui nous connecte au serveur et retourne ces informations en attente d'une authentification :
Script avec 9 lignes
001250-mail.zw3b.eu
002250-PIPELINING
003250-SIZE 20480000
004250-ETRN
005250-STARTTLS
006250-ENHANCEDSTATUSCODES
007250-8BITMIME
008250-DSN
009250 CHUNKING
On peut s'identifier sur le serveur comme expliquer sur cette page → test-smtp-with-telnet-or-openssl .
...
- Algorithmes de chiffrement pour les connexions TLS SMTP Gmail - Règles SSL pour les protocoles SSL et TLS
- Suites de chiffrement dans TLS/SSL (SSP Schannel)