Information:
Dates
- Published: Tuesday 14 November 2023
- Modified: Monday 27 November 2023
Note: 2023/11/14 - Draft article.
Hello. Today I am writing this memo on a few OpenSSL commands for querying a server and checking the cipher suites of a communication protocol.
I will use OpenSSL, Nmap and Telnet, and talk about Postfix, the mail MTA server.
Check the cipher suites allowed on a server.
With the scanning command → nmap ← and its ssl-enum-ciphers script.
```
$ nmap --script ssl-enum-ciphers -p 443 www.zw3b.eu -6

Starting Nmap 7.40 ( https://nmap.org ) at 2023-11-14 17:16 CET
Nmap scan report for www.zw3b.eu (2607:5300:60:9389::1)
Host is up (0.10s latency).
Other addresses for www.zw3b.eu (not scanned): 158.69.126.137
rDNS record for 2607:5300:60:9389::1: wan.ipv10.net
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp384r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (secp384r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CCM (secp384r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 (secp384r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp384r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp384r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (secp384r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CCM (secp384r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 (secp384r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 (secp384r1) - A
|       TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 (secp384r1) - A
|       TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 (secp384r1) - A
|       TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 (secp384r1) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (secp384r1) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 9.54 seconds
```
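The scan above grades every suite "A", yet the list still contains CBC-mode suites and the server follows the client's cipher order. As an added example (not part of the original memo), this POSIX shell function reads ssl-enum-ciphers output and reports those points; the sample is a shortened, constructed copy of the output above, and the function names and finding labels reflect an assumed hardening policy.

```sh
#!/bin/sh
# Added example: flag points in ssl-enum-ciphers output that an assumed
# hardening policy would review, even when nmap grades the suite "A".

# Constructed sample: shortened copy of the scan output shown above.
sample_scan() {
cat <<'EOF'
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp384r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (secp384r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 (secp384r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (secp384r1) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A
EOF
}

# stdin: nmap output. stdout: one "FINDING <protocol> <subject> <reason>" per hit.
audit_ciphers() {
  awk '
    # Protocol header such as "|   TLSv1.2:"
    $2 ~ /^(SSLv[0-9.]+|TLSv[0-9.]+):$/ {
      proto = $2; sub(/:$/, "", proto)
      if (proto ~ /^SSLv/ || proto ~ /^TLSv1\.[01]$/)
        print "FINDING", proto, "-", "legacy-protocol"
      next
    }
    # Cipher line: "|   TLS_..._SHA (curve) - GRADE"
    $2 ~ /^TLS_/ {
      if ($2 ~ /_CBC_/)   print "FINDING", proto, $2, "cbc-mode"
      if ($2 ~ /_CCM_8$/) print "FINDING", proto, $2, "8-byte-auth-tag"
      if ($NF != "A")     print "FINDING", proto, $2, "grade-" $NF
      next
    }
    /cipher preference: client/ { print "FINDING", proto, "-", "client-cipher-order" }
  '
}

sample_scan | audit_ciphers
```

To review a real scan, pipe the nmap output into `audit_ciphers` instead of the sample.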
I can use the command → openssl s_client
I can try to connect to the site with a given protocol version, using the options -tls1_3, -tls1_2 or -tls1_1.
```
$ echo | openssl s_client -showcerts -connect www.zw3b.eu:443 -servername www.zw3b.eu -tls1_3
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = zw3b.eu
verify return:1
---
Certificate chain
 0 s:CN = zw3b.eu
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=CN = zw3b.eu

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA384
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4188 bytes and written 315 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 384 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE
```
View a site's certificate by additionally piping the output into openssl x509 with the -text -noout options (for a local certificate, use the -in file.pem option).
```
$ echo | openssl s_client -showcerts -connect www.zw3b.eu:443 -servername www.zw3b.eu -tls1_3 | openssl x509 -text -noout
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = zw3b.eu
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:ba:33:73:03:e6:ec:3c:27:bb:5d:f6:67:db:11:fe:e1:f2
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Sep 24 21:39:12 2023 GMT
            Not After : Dec 23 21:39:11 2023 GMT
        Subject: CN = zw3b.eu
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    [...]
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                18:7A:A8:66:84:77:A4:B8:BD:44:19:09:B2:9C:74:06:48:5D:AB:36
            X509v3 Authority Key Identifier:
                keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6

            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/

            X509v3 Subject Alternative Name:
                DNS:*.zw3b.eu, DNS:zw3b.eu
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : B7:3E:FB:24:DF:9C:4D:BA:75:F2:39:C5:BA:58:F4:6C:
                                5D:FC:42:CF:7A:9F:35:C4:9E:1D:09:81:25:ED:B4:99
                    Timestamp : Sep 24 22:39:13.014 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                [...]
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 7A:32:8C:54:D8:B7:2D:B6:20:EA:38:E0:52:1E:E9:84:
                                16:70:32:13:85:4D:3B:D2:2B:C1:3A:57:A3:52:EB:52
                    Timestamp : Sep 24 22:39:13.078 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                [...]
    Signature Algorithm: sha256WithRSAEncryption
         [...]
DONE
```
Note: view a local certificate with openssl x509 -text -noout -in file.pem.
Protocols other than HTTPS (port 443) can be inspected the same way.
After this introduction, I will talk about the SMTPS, IMAPS, POPS... protocols.
For example the SMTP service (port 25), SMTPS (port 465) or SMTPS with STARTTLS (port 587).
Below, I send a command to port 25 (SMTP), which is unsecured, with the "starttls" option to turn on secure transmission.
```
$ echo | openssl s_client -starttls smtp -showcerts -connect smtp.zw3b.eu:25 -servername smtp.zw3b.eu
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.zw3b.eu
verify return:1
---
Certificate chain
 0 s:CN = mail.zw3b.eu
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 1 s:CN = mail.zw3b.eu
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 2 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 3 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=CN = mail.zw3b.eu

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA384
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6536 bytes and written 417 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 384 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 CHUNKING
DONE
```
Below, I send a command to port 465 (SMTPS), so the connection is secured.
```
$ echo | openssl s_client -showcerts -connect smtp.zw3b.eu:465 -servername smtp.zw3b.eu
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.zw3b.eu
verify return:1
---
Certificate chain
 0 s:CN = mail.zw3b.eu
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 1 s:CN = mail.zw3b.eu
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 2 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 3 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=CN = mail.zw3b.eu

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA384
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6336 bytes and written 384 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 384 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE
```
Below, I send a command to port 587 (SMTPS) (in a mail server such as Postfix, the STARTTLS request is automatic). Here "openssl" is the client, so we have to pass the option ourselves, just as we did when connecting to port 25.
```
$ echo | openssl s_client -starttls smtp -showcerts -connect smtp.zw3b.eu:587 -servername smtp.zw3b.eu
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.zw3b.eu
verify return:1
---
Certificate chain
 0 s:CN = mail.zw3b.eu
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 1 s:CN = mail.zw3b.eu
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 2 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 3 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=CN = mail.zw3b.eu

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA384
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6537 bytes and written 417 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 384 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 CHUNKING
DONE
```
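The three SMTP checks above, combined with the -tls1_1, -tls1_2 and -tls1_3 options mentioned earlier, can be reduced to one summary line per attempt. This added example (not from the original memo) parses the s_client summary; the function names, the host name in the comments and the sample inputs are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: summarise what s_client negotiated, per protocol version.

# stdin: s_client output. stdout: "<protocol> <cipher> <verify code>".
# Prints "no-handshake" and returns 1 when no cipher was negotiated.
tls_summary() {
  awk '
    /^New, /              { proto = $2; sub(/,$/, "", proto); cipher = $NF }
    /Verify return code:/ { code = $4 }
    END {
      if (proto == "" || cipher == "(NONE)") { print "no-handshake"; exit 1 }
      print proto, cipher, code
    }'
}

# probe HOST PORT [STARTTLS_PROTO]: one handshake attempt per version option.
# Needs network access, so it is defined but not called here, e.g.:
#   probe mail.example.org 25 smtp    (hypothetical host, STARTTLS)
#   probe mail.example.org 465        (hypothetical host, TLS from the start)
probe() {
  host=$1 port=$2
  if [ -n "${3:-}" ]; then set -- -starttls "$3"; else set --; fi
  for v in tls1_1 tls1_2 tls1_3; do
    printf '%s:%s -%s => ' "$host" "$port" "$v"
    echo | openssl s_client -connect "$host:$port" -servername "$host" \
      "$@" "-$v" 2>/dev/null | tls_summary || true
  done
}

# Constructed samples: the tail of the port 587 output above, and the summary
# s_client prints when no handshake completes.
sample_ok() {
  printf '%s\n' 'Verification: OK' '---' \
    'New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384' \
    'Verify return code: 0 (ok)' '---' '250 CHUNKING' 'DONE'
}
sample_refused() {
  printf '%s\n' 'CONNECTED(00000003)' '---' 'no peer certificate available' \
    '---' 'New, (NONE), Cipher is (NONE)' 'Verify return code: 0 (ok)'
}

sample_ok | tls_summary
sample_refused | tls_summary || true
```

A version that still completes a handshake when policy says it should be disabled shows up as a normal summary line instead of "no-handshake".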
You can use telnet to connect to the SMTP server:
```
$ telnet mail.zw3b.eu 25
Trying 2607:5300:60:9389:17:4c1:0:1a...
Connected to mail.zw3b.eu.
Escape character is '^]'.
220 mail.zw3b.eu ESMTP Postfix
```
You have to send a "domain name" with the SMTP command:
```
EHLO zw3b.eu
```
This connects us to the server, which returns the following information while waiting for authentication:
```
250-mail.zw3b.eu
250-PIPELINING
250-SIZE 20480000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
```
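A check on the EHLO reply above, as an added example that is not part of the original memo: it confirms that the reply is complete, that STARTTLS is offered, and that AUTH is not offered before TLS (an assumed policy, which in Postfix corresponds to smtpd_tls_auth_only = yes). The sample reply is copied from the output above; check_ehlo and its result labels are hypothetical names.

```sh
#!/bin/sh
# Added example: validate a cleartext EHLO reply before trusting the session.

# Constructed sample: the EHLO reply shown above (port 25, before STARTTLS).
sample_ehlo() {
cat <<'EOF'
250-mail.zw3b.eu
250-PIPELINING
250-SIZE 20480000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
EOF
}

# stdin: EHLO reply. Prints one verdict and returns:
#   0 "ok"               complete reply, STARTTLS offered, no AUTH before TLS
#   1 "no-starttls"      the session would stay in cleartext
#   1 "auth-before-tls"  credentials could be sent without encryption
#   2 "incomplete-reply" unexpected code or missing final "250 " line
check_ehlo() {
  awk '
    { sub(/\r$/, "") }                 # lines end in CRLF on the wire
    !/^250[- ]/ { bad = 1; next }      # anything but a 250 reply line
    /^250 /     { done = 1 }           # "250 " (space) marks the last line
    NR == 1     { next }               # first line carries the server name
    { kw = toupper(substr($0, 5)); sub(/[ =].*/, "", kw); cap[kw] = 1 }
    END {
      if (bad || !done)         { print "incomplete-reply"; exit 2 }
      if (!("STARTTLS" in cap)) { print "no-starttls"; exit 1 }
      if ("AUTH" in cap)        { print "auth-before-tls"; exit 1 }
      print "ok"
    }'
}

sample_ehlo | check_ehlo
```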
You can authenticate to the server as explained on this page → test-smtp-with-telnet-or-openssl.
...
- Cipher algorithms for Gmail SMTP TLS connections
- SSL policies for the SSL and TLS protocols
- Cipher suites in TLS/SSL (Schannel SSP)



