Archiwa Security - Page 2 of 2

Checking SSL certyfikat date using nmap and curl

Posted on October 14, 2021October 14, 2021 by soban

This time I will use Kali Linux it is a great distro for pentesters. After all, nothing prevents you from using another distribution, such as Debian Linux.

Sometimes we need to check the certificate issuance date. Nmap and curl are a very good tool for this.
Both of these tools allow for advanced analysis of the SSL connection. Let’s try to check the certificate date with nmap:

$ nmap -p 443 --script ssl-cert soban.pl

1	$ nmap -p 443 --script ssl-cert soban.pl

To be more precise, let’s leave the date and time alone:

$ nmap -p 443 --script ssl-cert soban.pl | grep after | awk '{ print $5 }'

1	$ nmap -p 443 --script ssl-cert soban.pl \| grep after \| awk '{ print $5 }'

Here is the result:

In my experience nmap is a very good tool – however curl is much faster, to use it, do the following:

$ curl -X GET -i 'https://google.com' | grep -i 'date:' | grep GMT

1	$ curl -X GET -i 'https://google.com' \| grep -i 'date:' \| grep GMT

This is the effect:

It is worth getting acquainted with both tools. Besides checking the date of the certificate, they offer a number of other possibilities.

keytools add new alias to keystor (jceks) and delete old

Posted on October 13, 2021February 25, 2023 by soban

Java Keytool is a command-line tool that is used for managing cryptographic keys, certificates, and keystores in Java-based applications. In Linux, Java Keytool is often used for managing SSL/TLS certificates and securing web applications that run on Java-based servers like Tomcat, GlassFish, and JBoss.

Some of the key features of Java Keytool in Linux include:

Generating key pairs: Java Keytool can be used to generate key pairs, which are used for encryption, decryption, and digital signatures.
Importing and exporting certificates: Java Keytool can import and export certificates, which are used for verifying the authenticity of digital signatures and ensuring secure communications.
Managing keystores: Java Keytool can create, modify, and delete keystores, which are containers for cryptographic keys and certificates.
Configuring SSL/TLS: Java Keytool can be used to configure SSL/TLS connections for Java-based web applications, which are essential for securing data communications.

Some of the most commonly used Java Keytool commands in Linux include:

keytool -genkeypair: This command is used to generate a new key pair.
keytool -import: This command is used to import a certificate into a keystore.
keytool -list: This command is used to list the contents of a keystore.
keytool -delete: This command is used to delete a key or certificate from a keystore.

Overall, Java Keytool is an important tool for managing cryptographic keys and certificates in Java-based applications in Linux, and it is essential for securing web applications and ensuring the privacy and integrity of sensitive information.

Before we begin make copy of old keystor like this:

$ cp /path/to/keystore.jceks cp /path/to/keystore.jceks.backup.$(date +%F)

1	$ cp /path/to/keystore.jceks cp /path/to/keystore.jceks.backup.$(date +%F)

and then we can remove alias:

$ /opt/java/bin/keytool -delete -alias name_alias  -keystore /path/to/keystore.jceks -storetype JCEKS

1	$ /opt/java/bin/keytool -delete -alias name_alias -keystore /path/to/keystore.jceks -storetype JCEKS

when you gonna add new alias by keytool:

$ /opt/java/bin/keytool -import -file /path/to/cert.pem  -alias mc -keystore /path/to/keystore.jceks

1	$ /opt/java/bin/keytool -import -file /path/to/cert.pem -alias mc -keystore /path/to/keystore.jceks

To be sure, you can check it and see more information like date or fingerprint:

$ /opt/java/bin/keytool -list -keystore /path/to/keystore.jceks -storetype JCEKS -v | less

1	$ /opt/java/bin/keytool -list -keystore /path/to/keystore.jceks -storetype JCEKS -v \| less

When sometings go wrong, you can also copy backup file.

Good luck!

Check DNS and more information about domain

Posted on October 12, 2021October 12, 2021 by soban

The best way to check information about domain and DNS configuration is “whois” and “dig”. This tools can provide a lot of informations. Lets try use it. First we must check that package is installed.
I have already installed “dig”:

# which dig
/usr/bin/dig

1 2	# which dig /usr/bin/dig

In debian, you can use “dpkg -S”

# dpkg -S /usr/bin/dig
dnsutils: /usr/bin/dig

1 2	# dpkg -S /usr/bin/dig dnsutils: /usr/bin/dig

if you don’t have it then you should install:

# apt install dnsutils

1	# apt install dnsutils

Now we can check “dig” in “soban.pl” domain:

The same case in “whois”:

# which dig
/usr/bin/dig

1 2	# which dig /usr/bin/dig

Check what package provide:

# dpkg -S /usr/bin/whois
whois: /usr/bin/whois

1 2	# dpkg -S /usr/bin/whois whois: /usr/bin/whois

And if you don’t have it, then install:

# which dig
/usr/bin/dig

1 2	# which dig /usr/bin/dig

In debian, you can use “dpkg -S”

# dpkg -S /usr/bin/dig
dnsutils: /usr/bin/dig

1 2	# dpkg -S /usr/bin/dig dnsutils: /usr/bin/dig

if you don’t have it then you should install:

# apt install dnsutils

1	# apt install dnsutils

Now we can check “dig” on “soban.pl” domain:

The same case in “whois”:

# which dig
/usr/bin/dig

1 2	# which dig /usr/bin/dig

Check what package provide:

# dpkg -S /usr/bin/whois
whois: /usr/bin/whois

1 2	# dpkg -S /usr/bin/whois whois: /usr/bin/whois

And if you don’t have it, then install:

# apt install whois

1	# apt install whois

As you can see, the domain “soban.pl” is currently using cloudflare DNS – which I highly recommend.

Pointing DNS to a different IP address

Posted on October 11, 2021October 11, 2021 by soban

Sometimes it is necessary to change the DNS name indication to a different IP address. As you can see in the example below, google.com currently points to:

To change google.com indication to, for example – 37.187.101.239, edit the file: “/etc/resolv.conf” as root:

# cat /etc/resolv.conf
google.com 37.187.101.239

1 2	# cat /etc/resolv.conf google.com 37.187.101.239

After making this change, the effect is as follows:

Windows as you see there is similar situation:

File must be edited as administrator “C:\Windows\System32\drivers\etc\hosts”:

After saving the file, the effect is as follows:

Automatic update of the Debian Linux test environment

Posted on October 8, 2021October 8, 2021 by soban

A convenient way to maintain the test environment is automatic updating.
However, remember to set the backup, e.g. the day before – I always set it like that in proxmoxe.
The script that updates the Debian system looks like this:

# cat /root/update.sh
#!/bin/bash
apt-get update
apt-get upgrade -q -y
apt-get autoremove -y -q
rm -rf /var/cache/apt/archives/*.deb

# cat /root/update.sh

#!/bin/bash

apt-get update

apt-get upgrade -q -y

apt-get autoremove -y -q

rm -rf /var/cache/apt/archives/*.deb

You can download the script from:

$ cd /root/
$ wget https://soban.pl/bash/update.sh

1 2	$ cd /root/ $ wget https://soban.pl/bash/update.sh

The script cleans unnecessary deb files after the update.
Keep in mind the permissions and capabilities of the script:

# chmod +x /root/update.sh

1	# chmod +x /root/update.sh

In crontab, I set the day after automatic backup in proxmoxe:

10 4 * * 3 /root/update.sh > /dev/null 2>&1

1	10 4 * * 3 /root/update.sh > /dev/null 2>&1

Of course, the script can be added in the production environment, but it should not be added to the crontab.

E-mail notification about new updates Proxmox

Posted on October 8, 2021October 8, 2021 by soban

This script send you e-mail notification about new updates:

# cat /root/check_update.sh
#!/bin/bash
email=soban@soban.pl
hostnam=`hostname`
apt-get update
# sometimes change number of lines (for example proxmox 4.4 - 4; proxmox 5 - 5)
if [ `apt-get --just-print upgrade | wc -l` != 5 ]
then
        apt-get --just-print upgrade |  mail -s "Update checker $hostnam" $email
fi

# cat /root/check_update.sh

#!/bin/bash

email=soban@soban.pl

hostnam=`hostname`

apt-get update

# sometimes change number of lines (for example proxmox 4.4 - 4; proxmox 5 - 5)

if [ `apt-get --just-print upgrade | wc -l` != 5 ]

then

apt-get --just-print upgrade | mail -s "Update checker $hostnam" $email

You can download the script from:

$ cd /root/
$ wget https://soban.pl/bash/check_update.sh

1 2	$ cd /root/ $ wget https://soban.pl/bash/check_update.sh

You should set the correct e-mail address in the script, for now it is soban@soban.pl
Notification it’s looks something like that:

Should the script be executed:

# chmod +x /root/check_update.sh

1	# chmod +x /root/check_update.sh

Also added to the crontab, every day to extend a new update:

00 06 * * * /root/check_update.sh > /dev/null 2>&1

1	00 06 * * * /root/check_update.sh > /dev/null 2>&1

Remember don’t to upgrade your system on Friday! Good luck!

Upgrade Debian GNU/Linux 10 (buster) to 11 (bullseye)

Posted on October 1, 2021October 12, 2021 by soban

Before we start upgrading the Debian system version, please make a snapshot or a possible backup of the system. Such a change entails significant changes that can damage the system. Of course, before you upgrade the system in production, it is best to upgrade to the testing environment first. The upgrade process affects the entire system. Services may not be available at this time. If the system is doing the hosting for your website then it may not be available!

Always bear in mind that the production environment is different from test environment, so I recommend that you do it carefully. A good practice is to keep a time interval between the upgrade of test and production environment, in my case it is a week. Remember not to make changes to production on Friday!

This is how we check the version of the system:

And now, we going to update OS, but before we do that – we will make copy of:

cp /etc/apt/sources.list /root/sources.list_buster

1	cp /etc/apt/sources.list /root/sources.list_buster

There is sorces setup for buster:

# cat /etc/apt/sources.list
deb http://ftp.debian.org/debian buster main contrib
deb http://ftp.debian.org/debian buster-updates main contrib
deb http://security.debian.org buster/updates main contrib
deb http://nginx.org/packages/debian/ buster nginx
deb-src http://nginx.org/packages/debian/ buster nginx

# cat /etc/apt/sources.list

deb http://ftp.debian.org/debian buster main contrib

deb http://ftp.debian.org/debian buster-updates main contrib

deb http://security.debian.org buster/updates main contrib

deb http://nginx.org/packages/debian/ buster nginx

deb-src http://nginx.org/packages/debian/ buster nginx

Before we upgrade the debian system version to 11, we need to do a full upgrade:

# apt update && apt upgrade -q -y && apt dist-upgrade -q -y && apt autoremove -y -q

1	# apt update && apt upgrade -q -y && apt dist-upgrade -q -y && apt autoremove -y -q

Then we use sed to replace “buster” on “bullseye”:

# sed -i 's/buster/bullseye/g' /etc/apt/sources.list

1	# sed -i 's/buster/bullseye/g' /etc/apt/sources.list

There here’s the effect:

# cat /etc/apt/sources.list

1	# cat /etc/apt/sources.list

To be sure, we will do a comparison of the backed up file:

And then we can do update:

# apt update && apt upgrade -q -y && apt dist-upgrade -q -y && apt autoremove -y -q

1	# apt update && apt upgrade -q -y && apt dist-upgrade -q -y && apt autoremove -y -q

So that it is not too easy, to start the task in the form of:

Specifically about this error:

Err:5 http://security.debian.org bullseye/updates Release
  404  Not Found [IP: 199.232.150.132 80]
Reading package lists... Done
E: The repository 'http://security.debian.org bullseye/updates Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Err:5 http://security.debian.org bullseye/updates Release

404 Not Found [IP: 199.232.150.132 80]

Reading package lists... Done

E: The repository 'http://security.debian.org bullseye/updates Release' does not have a Release file.

N: Updating from such a repository can't be done securely, and is therefore disabled by default.

N: See apt-secure(8) manpage for repository creation and user configuration details.

To fix it, use any editor on the file (vi in my case):

# vi /etc/apt/sources.list

1	# vi /etc/apt/sources.list

We remove line 4 – “deb http://security.debian.org buster/updates main contrib” as you can see, we go out and save :

Of course, any other editor like nano is also good for this case.
The contents of the /etc/apt/sources.list file now looks like this:

# cat /etc/apt/sources.list
deb http://ftp.debian.org/debian bullseye main contrib
deb http://ftp.debian.org/debian bullseye-updates main contrib
deb http://nginx.org/packages/debian/ bullseye nginx
deb-src http://nginx.org/packages/debian/ bullseye nginx

# cat /etc/apt/sources.list

deb http://ftp.debian.org/debian bullseye main contrib

deb http://ftp.debian.org/debian bullseye-updates main contrib

deb http://nginx.org/packages/debian/ bullseye nginx

deb-src http://nginx.org/packages/debian/ bullseye nginx

We can try to update the system again:

# apt update && apt upgrade -q -y && apt dist-upgrade -q -y && apt autoremove -y -q

1	# apt update && apt upgrade -q -y && apt dist-upgrade -q -y && apt autoremove -y -q

Now you need get some the system upgrade process has started. You can go for a coffee, or not 😉
There will be questions.
And more information, albout apt listchanges:

Just press ‘q’ and enter.

In this case we press enter.

Services to restart:

Enter agien.

This is question, about ssh deamon configuration:

In my case, I press enter because I don’t want to make changes to its configuration.

If all went well, we can reboot the system:

# reboot

# reboot

Now check the system:

Congratulations, we are on the new version of the system!
At this point, we can verify all services, for example whether the website is working properly. If it is OK, upgrade the production environment.

In my cases, I have problem PHP new version.
PHP have no persmision on nginx to user – when I try enter to page:

# tail -f /var/log/nginx/error-*.log 
unix:/var/run/php/php-fpm.sock failed (13: Permission denied)

1 2	# tail -f /var/log/nginx/error-*.log unix:/var/run/php/php-fpm.sock failed (13: Permission denied)

So we need to fix that in this way:

# service php7.4-fpm status
* php7.4-fpm.service - The PHP 7.4 FastCGI Process Manager
     Loaded: loaded (/lib/systemd/system/php7.4-fpm.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2021-10-01 14:59:14 CEST; 3min 28s ago
       Docs: man:php-fpm7.4(8)
    Process: 289 ExecStartPost=/usr/lib/php/php-fpm-socket-helper install /run/php/php-fpm.sock /etc/php/7.4/fpm/pool.d/www.conf 74 (code=exited, status=0/S>
   Main PID: 116 (php-fpm7.4)
     Status: "Processes active: 0, idle: 2, Requests: 0, slow: 0, Traffic: 0req/sec"
        CPU: 364ms
     CGroup: /system.slice/php7.4-fpm.service
             |-116 php-fpm: master process (/etc/php/7.4/fpm/php-fpm.conf)
             |-287 php-fpm: pool www
             `-288 php-fpm: pool www

Oct 01 14:59:11 soban-pl systemd[1]: Starting The PHP 7.4 FastCGI Process Manager...
Oct 01 14:59:14 soban-pl systemd[1]: Started The PHP 7.4 FastCGI Process Manager.

# service php7.4-fpm status

* php7.4-fpm.service - The PHP 7.4 FastCGI Process Manager

Loaded: loaded (/lib/systemd/system/php7.4-fpm.service; enabled; vendor preset: enabled)

Active: active (running) since Fri 2021-10-01 14:59:14 CEST; 3min 28s ago

Docs: man:php-fpm7.4(8)

Process: 289 ExecStartPost=/usr/lib/php/php-fpm-socket-helper install /run/php/php-fpm.sock /etc/php/7.4/fpm/pool.d/www.conf 74 (code=exited, status=0/S>

Main PID: 116 (php-fpm7.4)

Status: "Processes active: 0, idle: 2, Requests: 0, slow: 0, Traffic: 0req/sec"

CPU: 364ms

CGroup: /system.slice/php7.4-fpm.service

|-116 php-fpm: master process (/etc/php/7.4/fpm/php-fpm.conf)

|-287 php-fpm: pool www

`-288 php-fpm: pool www

Oct 01 14:59:11 soban-pl systemd[1]: Starting The PHP 7.4 FastCGI Process Manager...

Oct 01 14:59:14 soban-pl systemd[1]: Started The PHP 7.4 FastCGI Process Manager.

There is something wrong with the permissions:

# grep www-data /etc/php/7.4/fpm/pool.d/www.conf
user = www-data
group = www-data
listen.owner = www-data
listen.group = www-data

# grep www-data /etc/php/7.4/fpm/pool.d/www.conf

user = www-data

group = www-data

listen.owner = www-data

listen.group = www-data

Let’s make some backup:

# cp /etc/php/7.4/fpm/pool.d/www.conf /etc/php/7.4/fpm/pool.d/www.conf.backup.$(date +%F)

1	# cp /etc/php/7.4/fpm/pool.d/www.conf /etc/php/7.4/fpm/pool.d/www.conf.backup.$(date +%F)

I will replace www-data to nginx:

# sed -i 's/www-data/nginx/g' /etc/php/7.4/fpm/pool.d/www.conf

1	# sed -i 's/www-data/nginx/g' /etc/php/7.4/fpm/pool.d/www.conf

Now it’s looks better:

# grep nginx /etc/php/7.4/fpm/pool.d/www.conf
user = nginx
group = nginx
listen.owner = nginx
listen.group = nginx

# grep nginx /etc/php/7.4/fpm/pool.d/www.conf

user = nginx

group = nginx

listen.owner = nginx

listen.group = nginx

And restart services:

# service php7.4-fpm restart

1	# service php7.4-fpm restart

Also checking status:

Another problem is that, mariadb was removed, so I install it agien:

# apt-get install mariadb-server mariadb-client -y

1	# apt-get install mariadb-server mariadb-client -y

and that resolved all my problems.

To be 100% sure, I reloaded the entire machine.

nmap scaning ciphers and ssl

Posted on September 30, 2021September 30, 2021 by soban

In debian 11:

# cat /etc/issue
Debian GNU/Linux 11 \n \l

1 2	# cat /etc/issue Debian GNU/Linux 11 \n \l

Nmap is one of more powerfull tools to scaning network.
We start the installation on debian as root:

# apt install nmap
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Suggested packages:
  ncat zenmap
The following NEW packages will be installed:
  nmap
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,899 kB of archives.
After this operation, 4,617 kB of additional disk space will be used.
Get:1 http://ftp.debian.org/debian bullseye/main amd64 nmap amd64 7.91+dfsg1+really7.80+dfsg1-2 [1,899 kB]
Fetched 1,899 kB in 0s (5,967 kB/s)
Selecting previously unselected package nmap.
(Reading database ... 65055 files and directories currently installed.)
Preparing to unpack .../nmap_7.91+dfsg1+really7.80+dfsg1-2_amd64.deb ...
Unpacking nmap (7.91+dfsg1+really7.80+dfsg1-2) ...
Setting up nmap (7.91+dfsg1+really7.80+dfsg1-2) ...
Processing triggers for man-db (2.9.4-2) ...

# apt install nmap

Reading package lists... Done

Building dependency tree... Done

Reading state information... Done

Suggested packages:

ncat zenmap

The following NEW packages will be installed:

nmap

0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.

Need to get 1,899 kB of archives.

After this operation, 4,617 kB of additional disk space will be used.

Get:1 http://ftp.debian.org/debian bullseye/main amd64 nmap amd64 7.91+dfsg1+really7.80+dfsg1-2 [1,899 kB]

Fetched 1,899 kB in 0s (5,967 kB/s)

Selecting previously unselected package nmap.

(Reading database ... 65055 files and directories currently installed.)

Preparing to unpack .../nmap_7.91+dfsg1+really7.80+dfsg1-2_amd64.deb ...

Unpacking nmap (7.91+dfsg1+really7.80+dfsg1-2) ...

Setting up nmap (7.91+dfsg1+really7.80+dfsg1-2) ...

Processing triggers for man-db (2.9.4-2) ...

and than we can check for example google.com:

~# nmap -sV --script ssl-enum-ciphers -p 443 google.com
Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-30 09:58 CEST
Nmap scan report for google.com (142.250.179.78)
Host is up (0.0045s latency).
Other addresses for google.com (not scanned): 2a00:1450:4007:80c::200e
rDNS record for 142.250.179.78: par21s19-in-f14.1e100.net

PORT    STATE SERVICE   VERSION
443/tcp open  ssl/https gws
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.0 200 OK
|     Date: Thu, 30 Sep 2021 07:58:20 GMT
|     Expires: -1
|     Cache-Control: private, max-age=0
|     Content-Type: text/html; charset=ISO-8859-1
|     P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
|     Server: gws
|     X-XSS-Protection: 0
|     X-Frame-Options: SAMEORIGIN
|     Set-Cookie: CONSENT=PENDING+585; expires=Fri, 01-Jan-2038 00:00:00 GMT; path=/; domain=.google.com; Secure
|     Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"
; ma=2592000,quic=":443"; ma=2592000; v="46,43"
|     Accept-Ranges: none
|     Vary: Accept-Encoding
|     <!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="fr"><head><meta content="text/html; charset=UTF-8" http-equiv="Content-Typ
e"><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image"><title>Google</titl
|   HTTPOptions:
|     HTTP/1.0 405 Method Not Allowed
|     Allow: GET, HEAD
|     Date: Thu, 30 Sep 2021 07:58:21 GMT
|     Content-Type: text/html; charset=UTF-8
|     Server: gws
|     Content-Length: 1592
|     X-XSS-Protection: 0
|     X-Frame-Options: SAMEORIGIN
|     Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"
; ma=2592000,quic=":443"; ma=2592000; v="46,43"
|     <!DOCTYPE html>
|     <html lang=en>
|     <meta charset=utf-8>
|     <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
|     <title>Error 405 (Method Not Allowed)!!1</title>
|     <style>
|_    *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-h
eight:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-righ
|_http-server-header: gws
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cg
i?new-service :
SF-Port443-TCP:V=7.80%T=SSL%I=7%D=9/30%Time=61556E1D%P=x86_64-pc-linux-gnu
SF:%r(GetRequest,4C58,"HTTP/1\.0\x20200\x20OK\r\nDate:\x20Thu,\x2030\x20Se
SF:p\x202021\x2007:58:20\x20GMT\r\nExpires:\x20-1\r\nCache-Control:\x20pri
SF:vate,\x20max-age=0\r\nContent-Type:\x20text/html;\x20charset=ISO-8859-1
SF:\r\nP3P:\x20CP=\"This\x20is\x20not\x20a\x20P3P\x20policy!\x20See\x20g\.
SF:co/p3phelp\x20for\x20more\x20info\.\"\r\nServer:\x20gws\r\nX-XSS-Protec
SF:tion:\x200\r\nX-Frame-Options:\x20SAMEORIGIN\r\nSet-Cookie:\x20CONSENT=
SF:PENDING\+585;\x20expires=Fri,\x2001-Jan-2038\x2000:00:00\x20GMT;\x20pat
SF:h=/;\x20domain=\.google\.com;\x20Secure\r\nAlt-Svc:\x20h3=\":443\";\x20
SF:ma=2592000,h3-29=\":443\";\x20ma=2592000,h3-T051=\":443\";\x20ma=259200
SF:0,h3-Q050=\":443\";\x20ma=2592000,h3-Q046=\":443\";\x20ma=2592000,h3-Q0
SF:43=\":443\";\x20ma=2592000,quic=\":443\";\x20ma=2592000;\x20v=\"46,43\"
SF:\r\nAccept-Ranges:\x20none\r\nVary:\x20Accept-Encoding\r\n\r\n<!doctype
SF:\x20html><html\x20itemscope=\"\"\x20itemtype=\"http://schema\.org/WebPa
SF:ge\"\x20lang=\"fr\"><head><meta\x20content=\"text/html;\x20charset=UTF-
SF:8\"\x20http-equiv=\"Content-Type\"><meta\x20content=\"/images/branding/
SF:googleg/1x/googleg_standard_color_128dp\.png\"\x20itemprop=\"image\"><t
SF:itle>Google</titl")%r(HTTPOptions,7D7,"HTTP/1\.0\x20405\x20Method\x20No
SF:t\x20Allowed\r\nAllow:\x20GET,\x20HEAD\r\nDate:\x20Thu,\x2030\x20Sep\x2
SF:02021\x2007:58:21\x20GMT\r\nContent-Type:\x20text/html;\x20charset=UTF-
SF:8\r\nServer:\x20gws\r\nContent-Length:\x201592\r\nX-XSS-Protection:\x20
SF:0\r\nX-Frame-Options:\x20SAMEORIGIN\r\nAlt-Svc:\x20h3=\":443\";\x20ma=2
SF:592000,h3-29=\":443\";\x20ma=2592000,h3-T051=\":443\";\x20ma=2592000,h3
SF:-Q050=\":443\";\x20ma=2592000,h3-Q046=\":443\";\x20ma=2592000,h3-Q043=\
SF:":443\";\x20ma=2592000,quic=\":443\";\x20ma=2592000;\x20v=\"46,43\"\r\n
SF:\r\n<!DOCTYPE\x20html>\n<html\x20lang=en>\n\x20\x20<meta\x20charset=utf
SF:-8>\n\x20\x20<meta\x20name=viewport\x20content=\"initial-scale=1,\x20mi
SF:nimum-scale=1,\x20width=device-width\">\n\x20\x20<title>Error\x20405\x2
SF:0\(Method\x20Not\x20Allowed\)!!1</title>\n\x20\x20<style>\n\x20\x20\x20
SF:\x20\*{margin:0;padding:0}html,code{font:15px/22px\x20arial,sans-serif}
SF:html{background:#fff;color:#222;padding:15px}body{margin:7%\x20auto\x20
SF:0;max-width:390px;min-height:180px;padding:30px\x200\x2015px}\*\x20>\x2
SF:0body{background:url\(//www\.google\.com/images/errors/robot\.png\)\x20
SF:100%\x205px\x20no-repeat;padding-righ");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 67.76 seconds

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

~# nmap -sV --script ssl-enum-ciphers -p 443 google.com

Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-30 09:58 CEST

Nmap scan report for google.com (142.250.179.78)

Host is up (0.0045s latency).

Other addresses for google.com (not scanned): 2a00:1450:4007:80c::200e

rDNS record for 142.250.179.78: par21s19-in-f14.1e100.net

PORT STATE SERVICE VERSION

443/tcp open ssl/https gws

| fingerprint-strings:

| GetRequest:

| HTTP/1.0 200 OK

| Date: Thu, 30 Sep 2021 07:58:20 GMT

| Expires: -1

| Cache-Control: private, max-age=0

| Content-Type: text/html; charset=ISO-8859-1

| P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."

| Server: gws

| X-XSS-Protection: 0

| X-Frame-Options: SAMEORIGIN

| Set-Cookie: CONSENT=PENDING+585; expires=Fri, 01-Jan-2038 00:00:00 GMT; path=/; domain=.google.com; Secure

| Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"

; ma=2592000,quic=":443"; ma=2592000; v="46,43"

| Accept-Ranges: none

| Vary: Accept-Encoding

| <!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="fr"><head><meta content="text/html; charset=UTF-8" http-equiv="Content-Typ

e"><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image"><title>Google</titl

| HTTPOptions:

| HTTP/1.0 405 Method Not Allowed

| Allow: GET, HEAD

| Date: Thu, 30 Sep 2021 07:58:21 GMT

| Content-Type: text/html; charset=UTF-8

| Server: gws

| Content-Length: 1592

| X-XSS-Protection: 0

| X-Frame-Options: SAMEORIGIN

| Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"

; ma=2592000,quic=":443"; ma=2592000; v="46,43"

| <!DOCTYPE html>

| <html lang=en>

| <meta charset=utf-8>

| <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">

| <title>Error 405 (Method Not Allowed)!!1</title>

| <style>

|_ *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-h

eight:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-righ

|_http-server-header: gws

| ssl-enum-ciphers:

| TLSv1.0:

| ciphers:

| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A

| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A

| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A

| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A

| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A

| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A

| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C

| compressors:

| NULL

| cipher preference: server

| warnings:

| 64-bit block cipher 3DES vulnerable to SWEET32 attack

| TLSv1.1:

| ciphers:

| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A

| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A

| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A

| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A

| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A

| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A

| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C

| compressors:

| NULL

| cipher preference: server

| warnings:

| 64-bit block cipher 3DES vulnerable to SWEET32 attack

| TLSv1.2:

| ciphers:

| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A

| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A

| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A

| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A

| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A

| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A

| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A

| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A

| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A

| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A

| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C

| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A

| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A

| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A

| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A

| compressors:

| NULL

| cipher preference: client

| warnings:

| 64-bit block cipher 3DES vulnerable to SWEET32 attack

|_ least strength: C

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cg

i?new-service :

SF-Port443-TCP:V=7.80%T=SSL%I=7%D=9/30%Time=61556E1D%P=x86_64-pc-linux-gnu

SF:%r(GetRequest,4C58,"HTTP/1\.0\x20200\x20OK\r\nDate:\x20Thu,\x2030\x20Se

SF:p\x202021\x2007:58:20\x20GMT\r\nExpires:\x20-1\r\nCache-Control:\x20pri

SF:vate,\x20max-age=0\r\nContent-Type:\x20text/html;\x20charset=ISO-8859-1

SF:\r\nP3P:\x20CP=\"This\x20is\x20not\x20a\x20P3P\x20policy!\x20See\x20g\.

SF:co/p3phelp\x20for\x20more\x20info\.\"\r\nServer:\x20gws\r\nX-XSS-Protec

SF:tion:\x200\r\nX-Frame-Options:\x20SAMEORIGIN\r\nSet-Cookie:\x20CONSENT=

SF:PENDING\+585;\x20expires=Fri,\x2001-Jan-2038\x2000:00:00\x20GMT;\x20pat

SF:h=/;\x20domain=\.google\.com;\x20Secure\r\nAlt-Svc:\x20h3=\":443\";\x20

SF:ma=2592000,h3-29=\":443\";\x20ma=2592000,h3-T051=\":443\";\x20ma=259200

SF:0,h3-Q050=\":443\";\x20ma=2592000,h3-Q046=\":443\";\x20ma=2592000,h3-Q0

SF:43=\":443\";\x20ma=2592000,quic=\":443\";\x20ma=2592000;\x20v=\"46,43\"

SF:\r\nAccept-Ranges:\x20none\r\nVary:\x20Accept-Encoding\r\n\r\n<!doctype

SF:\x20html><html\x20itemscope=\"\"\x20itemtype=\"http://schema\.org/WebPa

SF:ge\"\x20lang=\"fr\"><head><meta\x20content=\"text/html;\x20charset=UTF-

SF:8\"\x20http-equiv=\"Content-Type\"><meta\x20content=\"/images/branding/

SF:googleg/1x/googleg_standard_color_128dp\.png\"\x20itemprop=\"image\"><t

SF:itle>Google</titl")%r(HTTPOptions,7D7,"HTTP/1\.0\x20405\x20Method\x20No

SF:t\x20Allowed\r\nAllow:\x20GET,\x20HEAD\r\nDate:\x20Thu,\x2030\x20Sep\x2

SF:02021\x2007:58:21\x20GMT\r\nContent-Type:\x20text/html;\x20charset=UTF-

SF:8\r\nServer:\x20gws\r\nContent-Length:\x201592\r\nX-XSS-Protection:\x20

SF:0\r\nX-Frame-Options:\x20SAMEORIGIN\r\nAlt-Svc:\x20h3=\":443\";\x20ma=2

SF:592000,h3-29=\":443\";\x20ma=2592000,h3-T051=\":443\";\x20ma=2592000,h3

SF:-Q050=\":443\";\x20ma=2592000,h3-Q046=\":443\";\x20ma=2592000,h3-Q043=\

SF:":443\";\x20ma=2592000,quic=\":443\";\x20ma=2592000;\x20v=\"46,43\"\r\n

SF:\r\n<!DOCTYPE\x20html>\n<html\x20lang=en>\n\x20\x20<meta\x20charset=utf

SF:-8>\n\x20\x20<meta\x20name=viewport\x20content=\"initial-scale=1,\x20mi

SF:nimum-scale=1,\x20width=device-width\">\n\x20\x20<title>Error\x20405\x2

SF:0$Method\x20Not\x20Allowed$!!1</title>\n\x20\x20<style>\n\x20\x20\x20

SF:\x20\*{margin:0;padding:0}html,code{font:15px/22px\x20arial,sans-serif}

SF:html{background:#fff;color:#222;padding:15px}body{margin:7%\x20auto\x20

SF:0;max-width:390px;min-height:180px;padding:30px\x200\x2015px}\*\x20>\x2

SF:0body{background:url$//www\.google\.com/images/errors/robot\.png$\x20

SF:100%\x205px\x20no-repeat;padding-righ");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 67.76 seconds

It’s much slower than sslscan, but result is the same (tls 1.1, 1.2 and tls 1.3).

TLS 1.0:

TLS 1.1:

TLS 1.2:

The most important thing is don’t using vulnerable ciphers, and reading output of nmap, for example in this case:
“64-bit block cipher 3DES vulnerable to SWEET32 attack” – on SWEET32 vulnerability.
When we testing external website available from internet you can use www.ssllabs.com/ssltest/ but if we have internal server nmap in this case is very good solution to use.

sslscan tool for scaning SSL

Posted on September 29, 2021February 25, 2023 by soban

SSLScan is a command-line tool used for SSL/TLS vulnerability scanning. It is used to detect SSL/TLS vulnerabilities and weaknesses on servers that use SSL/TLS. SSLScan supports all SSL and TLS protocols and cipher suites, including new ones such as TLS 1.3.

SSLScan can be used to identify various SSL/TLS vulnerabilities, such as weak ciphers and encryption algorithms, insecure renegotiation, and Heartbleed attacks. It can also identify unsupported SSL/TLS versions and protocols, as well as expired or self-signed certificates.

SSLScan works by connecting to the target server and sending a series of SSL/TLS handshake messages to determine the supported protocols and cipher suites. It then checks for vulnerabilities and weaknesses by trying various attacks against the server, such as malformed SSL/TLS packets and invalid certificates.

SSLScan can be run from the command line and supports various options and flags to customize the scan. For example, it can be used to scan a specific port, specify the SSL/TLS version, or use a specific cipher suite.

Overall, SSLScan is a useful tool for checking SSL/TLS vulnerabilities and ensuring that servers are secure. It is commonly used by security professionals and system administrators to identify and mitigate SSL/TLS vulnerabilities on their networks.

In debian 11:

# cat /etc/issue
Debian GNU/Linux 11 \n \l

1 2	# cat /etc/issue Debian GNU/Linux 11 \n \l

One of the best tool for scaning ssl is sslscan in Linux.
You can install on debian like this as root of course:

# apt install sslscan
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  sslscan
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 53.4 kB of archives.
After this operation, 182 kB of additional disk space will be used.
Get:1 http://ftp.debian.org/debian bullseye/main amd64 sslscan amd64 2.0.7-1 [53.4 kB]
Fetched 53.4 kB in 0s (509 kB/s)
Selecting previously unselected package sslscan.
(Reading database ... 65077 files and directories currently installed.)
Preparing to unpack .../sslscan_2.0.7-1_amd64.deb ...
Unpacking sslscan (2.0.7-1) ...
Setting up sslscan (2.0.7-1) ...
Processing triggers for man-db (2.9.4-2) ...

# apt install sslscan

Reading package lists... Done

Building dependency tree... Done

Reading state information... Done

The following NEW packages will be installed:

sslscan

0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.

Need to get 53.4 kB of archives.

After this operation, 182 kB of additional disk space will be used.

Get:1 http://ftp.debian.org/debian bullseye/main amd64 sslscan amd64 2.0.7-1 [53.4 kB]

Fetched 53.4 kB in 0s (509 kB/s)

Selecting previously unselected package sslscan.

(Reading database ... 65077 files and directories currently installed.)

Preparing to unpack .../sslscan_2.0.7-1_amd64.deb ...

Unpacking sslscan (2.0.7-1) ...

Setting up sslscan (2.0.7-1) ...

Processing triggers for man-db (2.9.4-2) ...

and than we can check for example google.com:

$ sslscan google.com:443
Version: 2.0.7
OpenSSL 1.1.1k  25 Mar 2021

Connected to 142.250.179.78

Testing SSL server google.com on port 443 using SNI name google.com

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   enabled
TLSv1.1   enabled
TLSv1.2   enabled
TLSv1.3   enabled

  TLS Fallback SCSV:
Server supports TLS Fallback SCSV

  TLS renegotiation:
Secure session renegotiation supported

  TLS Compression:
OpenSSL version does not support compression
Rebuild with zlib1g-dev package for zlib support

  Heartbleed:
TLSv1.3 not vulnerable to heartbleed
TLSv1.2 not vulnerable to heartbleed
TLSv1.1 not vulnerable to heartbleed
TLSv1.0 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.3  128 bits  TLS_AES_128_GCM_SHA256        Curve 25519 DHE 253
Accepted  TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384        Curve 25519 DHE 253
Accepted  TLSv1.3  256 bits  TLS_CHACHA20_POLY1305_SHA256  Curve 25519 DHE 253
Preferred TLSv1.2  256 bits  ECDHE-ECDSA-CHACHA20-POLY1305 Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256 Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384 Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  ECDHE-ECDSA-AES128-SHA        Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  ECDHE-ECDSA-AES256-SHA        Curve 25519 DHE 253
Accepted  TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384        Curve 25519 DHE 253
Accepted  TLSv1.3  256 bits  TLS_CHACHA20_POLY1305_SHA256  Curve 25519 DHE 253
Preferred TLSv1.2  256 bits  ECDHE-ECDSA-CHACHA20-POLY1305 Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256 Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384 Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  ECDHE-ECDSA-AES128-SHA        Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  ECDHE-ECDSA-AES256-SHA        Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  ECDHE-RSA-CHACHA20-POLY1305   Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256
Accepted  TLSv1.2  256 bits  AES256-GCM-SHA384
Accepted  TLSv1.2  128 bits  AES128-SHA
Accepted  TLSv1.2  256 bits  AES256-SHA
Accepted  TLSv1.2  112 bits  TLS_RSA_WITH_3DES_EDE_CBC_SHA
Preferred TLSv1.1  128 bits  ECDHE-ECDSA-AES128-SHA        Curve 25519 DHE 253
Accepted  TLSv1.1  256 bits  ECDHE-ECDSA-AES256-SHA        Curve 25519 DHE 253
Accepted  TLSv1.1  128 bits  ECDHE-RSA-AES128-SHA          Curve 25519 DHE 253
Accepted  TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA          Curve 25519 DHE 253
Accepted  TLSv1.1  128 bits  AES128-SHA
Accepted  TLSv1.1  256 bits  AES256-SHA
Accepted  TLSv1.1  112 bits  TLS_RSA_WITH_3DES_EDE_CBC_SHA
Preferred TLSv1.0  128 bits  ECDHE-ECDSA-AES128-SHA        Curve 25519 DHE 253
Accepted  TLSv1.0  256 bits  ECDHE-ECDSA-AES256-SHA        Curve 25519 DHE 253
Accepted  TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA          Curve 25519 DHE 253
Accepted  TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve 25519 DHE 253
Accepted  TLSv1.0  128 bits  AES128-SHA
Accepted  TLSv1.0  256 bits  AES256-SHA
Accepted  TLSv1.0  112 bits  TLS_RSA_WITH_3DES_EDE_CBC_SHA

  Server Key Exchange Group(s):
TLSv1.3  128 bits  secp256r1 (NIST P-256)
TLSv1.3  128 bits  x25519
TLSv1.2  128 bits  secp256r1 (NIST P-256)
TLSv1.2  128 bits  x25519

  SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
ECC Curve Name:      prime256v1
ECC Key Strength:    128

Subject:  *.google.com
Altnames: DNS:*.google.com, DNS:*.appengine.google.com, DNS:*.bdn.dev, DNS:*.cloud.google.com, DNS:*.crowdsource.google.com, DNS:*.datacompute.google.com, DN
S:*.google.ca, DNS:*.google.cl, DNS:*.google.co.in, DNS:*.google.co.jp, DNS:*.google.co.uk, DNS:*.google.com.ar, DNS:*.google.com.au, DNS:*.google.com.br, DN
S:*.google.com.co, DNS:*.google.com.mx, DNS:*.google.com.tr, DNS:*.google.com.vn, DNS:*.google.de, DNS:*.google.es, DNS:*.google.fr, DNS:*.google.hu, DNS:*.g
oogle.it, DNS:*.google.nl, DNS:*.google.pl, DNS:*.google.pt, DNS:*.googleadapis.com, DNS:*.googleapis.cn, DNS:*.googlevideo.com, DNS:*.gstatic.cn, DNS:*.gsta
tic-cn.com, DNS:*.gstaticcnapps.cn, DNS:googlecnapps.cn, DNS:*.googlecnapps.cn, DNS:googleapps-cn.com, DNS:*.googleapps-cn.com, DNS:gkecnapps.cn, DNS:*.gkecn
apps.cn, DNS:googledownloads.cn, DNS:*.googledownloads.cn, DNS:recaptcha.net.cn, DNS:*.recaptcha.net.cn, DNS:widevine.cn, DNS:*.widevine.cn, DNS:ampproject.o
rg.cn, DNS:*.ampproject.org.cn, DNS:ampproject.net.cn, DNS:*.ampproject.net.cn, DNS:google-analytics-cn.com, DNS:*.google-analytics-cn.com, DNS:googleadservi
ces-cn.com, DNS:*.googleadservices-cn.com, DNS:googlevads-cn.com, DNS:*.googlevads-cn.com, DNS:googleapis-cn.com, DNS:*.googleapis-cn.com, DNS:googleoptimize
-cn.com, DNS:*.googleoptimize-cn.com, DNS:doubleclick-cn.net, DNS:*.doubleclick-cn.net, DNS:*.fls.doubleclick-cn.net, DNS:*.g.doubleclick-cn.net, DNS:doublec
lick.cn, DNS:*.doubleclick.cn, DNS:*.fls.doubleclick.cn, DNS:*.g.doubleclick.cn, DNS:dartsearch-cn.net, DNS:*.dartsearch-cn.net, DNS:googletraveladservices-c
n.com, DNS:*.googletraveladservices-cn.com, DNS:googletagservices-cn.com, DNS:*.googletagservices-cn.com, DNS:googletagmanager-cn.com, DNS:*.googletagmanager
-cn.com, DNS:googlesyndication-cn.com, DNS:*.googlesyndication-cn.com, DNS:*.safeframe.googlesyndication-cn.com, DNS:app-measurement-cn.com, DNS:*.app-measur
ement-cn.com, DNS:gvt1-cn.com, DNS:*.gvt1-cn.com, DNS:gvt2-cn.com, DNS:*.gvt2-cn.com, DNS:2mdn-cn.net, DNS:*.2mdn-cn.net, DNS:googleflights-cn.net, DNS:*.goo
gleflights-cn.net, DNS:admob-cn.com, DNS:*.admob-cn.com, DNS:*.gstatic.com, DNS:*.metric.gstatic.com, DNS:*.gvt1.com, DNS:*.gcpcdn.gvt1.com, DNS:*.gvt2.com,
DNS:*.gcp.gvt2.com, DNS:*.url.google.com, DNS:*.youtube-nocookie.com, DNS:*.ytimg.com, DNS:android.com, DNS:*.android.com, DNS:*.flash.android.com, DNS:g.cn,
 DNS:*.g.cn, DNS:g.co, DNS:*.g.co, DNS:goo.gl, DNS:www.goo.gl, DNS:google-analytics.com, DNS:*.google-analytics.com, DNS:google.com, DNS:googlecommerce.com,
DNS:*.googlecommerce.com, DNS:ggpht.cn, DNS:*.ggpht.cn, DNS:urchin.com, DNS:*.urchin.com, DNS:youtu.be, DNS:youtube.com, DNS:*.youtube.com, DNS:youtubeeducat
ion.com, DNS:*.youtubeeducation.com, DNS:youtubekids.com, DNS:*.youtubekids.com, DNS:yt.be, DNS:*.yt.be, DNS:android.clients.google.com, DNS:developer.androi
d.google.cn, DNS:developers.android.google.cn, DNS:source.android.google.cn
Issuer:   GTS CA 1C3

Not valid before: Aug 30 01:36:08 2021 GMT
Not valid after:  Nov 22 01:36:07 2021 GMT

100

101

102

103

104

105

106

107

108

$ sslscan google.com:443

Version: 2.0.7

OpenSSL 1.1.1k 25 Mar 2021

Connected to 142.250.179.78

Testing SSL server google.com on port 443 using SNI name google.com

SSL/TLS Protocols:

SSLv2 disabled

SSLv3 disabled

TLSv1.0 enabled

TLSv1.1 enabled

TLSv1.2 enabled

TLSv1.3 enabled

TLS Fallback SCSV:

Server supports TLS Fallback SCSV

TLS renegotiation:

Secure session renegotiation supported

TLS Compression:

OpenSSL version does not support compression

Rebuild with zlib1g-dev package for zlib support

Heartbleed:

TLSv1.3 not vulnerable to heartbleed

TLSv1.2 not vulnerable to heartbleed

TLSv1.1 not vulnerable to heartbleed

TLSv1.0 not vulnerable to heartbleed

Supported Server Cipher(s):

Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519 DHE 253

Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519 DHE 253

Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253

Preferred TLSv1.2 256 bits ECDHE-ECDSA-CHACHA20-POLY1305 Curve 25519 DHE 253

Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-GCM-SHA256 Curve 25519 DHE 253

Accepted TLSv1.2 256 bits ECDHE-ECDSA-AES256-GCM-SHA384 Curve 25519 DHE 253

Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-SHA Curve 25519 DHE 253

Accepted TLSv1.2 256 bits ECDHE-ECDSA-AES256-SHA Curve 25519 DHE 253

Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519 DHE 253

Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253

Preferred TLSv1.2 256 bits ECDHE-ECDSA-CHACHA20-POLY1305 Curve 25519 DHE 253

Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-GCM-SHA256 Curve 25519 DHE 253

Accepted TLSv1.2 256 bits ECDHE-ECDSA-AES256-GCM-SHA384 Curve 25519 DHE 253

Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-SHA Curve 25519 DHE 253

Accepted TLSv1.2 256 bits ECDHE-ECDSA-AES256-SHA Curve 25519 DHE 253

Accepted TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305 Curve 25519 DHE 253

Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve 25519 DHE 253

Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve 25519 DHE 253

Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253

Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253

Accepted TLSv1.2 128 bits AES128-GCM-SHA256

Accepted TLSv1.2 256 bits AES256-GCM-SHA384

Accepted TLSv1.2 128 bits AES128-SHA

Accepted TLSv1.2 256 bits AES256-SHA

Accepted TLSv1.2 112 bits TLS_RSA_WITH_3DES_EDE_CBC_SHA

Preferred TLSv1.1 128 bits ECDHE-ECDSA-AES128-SHA Curve 25519 DHE 253

Accepted TLSv1.1 256 bits ECDHE-ECDSA-AES256-SHA Curve 25519 DHE 253

Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253

Accepted TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253

Accepted TLSv1.1 128 bits AES128-SHA

Accepted TLSv1.1 256 bits AES256-SHA

Accepted TLSv1.1 112 bits TLS_RSA_WITH_3DES_EDE_CBC_SHA

Preferred TLSv1.0 128 bits ECDHE-ECDSA-AES128-SHA Curve 25519 DHE 253

Accepted TLSv1.0 256 bits ECDHE-ECDSA-AES256-SHA Curve 25519 DHE 253

Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253

Accepted TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253

Accepted TLSv1.0 128 bits AES128-SHA

Accepted TLSv1.0 256 bits AES256-SHA

Accepted TLSv1.0 112 bits TLS_RSA_WITH_3DES_EDE_CBC_SHA

Server Key Exchange Group(s):

TLSv1.3 128 bits secp256r1 (NIST P-256)

TLSv1.3 128 bits x25519

TLSv1.2 128 bits secp256r1 (NIST P-256)

TLSv1.2 128 bits x25519

SSL Certificate:

Signature Algorithm: sha256WithRSAEncryption

ECC Curve Name: prime256v1

ECC Key Strength: 128

Subject: *.google.com

Altnames: DNS:*.google.com, DNS:*.appengine.google.com, DNS:*.bdn.dev, DNS:*.cloud.google.com, DNS:*.crowdsource.google.com, DNS:*.datacompute.google.com, DN

S:*.google.ca, DNS:*.google.cl, DNS:*.google.co.in, DNS:*.google.co.jp, DNS:*.google.co.uk, DNS:*.google.com.ar, DNS:*.google.com.au, DNS:*.google.com.br, DN

S:*.google.com.co, DNS:*.google.com.mx, DNS:*.google.com.tr, DNS:*.google.com.vn, DNS:*.google.de, DNS:*.google.es, DNS:*.google.fr, DNS:*.google.hu, DNS:*.g

oogle.it, DNS:*.google.nl, DNS:*.google.pl, DNS:*.google.pt, DNS:*.googleadapis.com, DNS:*.googleapis.cn, DNS:*.googlevideo.com, DNS:*.gstatic.cn, DNS:*.gsta

tic-cn.com, DNS:*.gstaticcnapps.cn, DNS:googlecnapps.cn, DNS:*.googlecnapps.cn, DNS:googleapps-cn.com, DNS:*.googleapps-cn.com, DNS:gkecnapps.cn, DNS:*.gkecn

apps.cn, DNS:googledownloads.cn, DNS:*.googledownloads.cn, DNS:recaptcha.net.cn, DNS:*.recaptcha.net.cn, DNS:widevine.cn, DNS:*.widevine.cn, DNS:ampproject.o

rg.cn, DNS:*.ampproject.org.cn, DNS:ampproject.net.cn, DNS:*.ampproject.net.cn, DNS:google-analytics-cn.com, DNS:*.google-analytics-cn.com, DNS:googleadservi

ces-cn.com, DNS:*.googleadservices-cn.com, DNS:googlevads-cn.com, DNS:*.googlevads-cn.com, DNS:googleapis-cn.com, DNS:*.googleapis-cn.com, DNS:googleoptimize

-cn.com, DNS:*.googleoptimize-cn.com, DNS:doubleclick-cn.net, DNS:*.doubleclick-cn.net, DNS:*.fls.doubleclick-cn.net, DNS:*.g.doubleclick-cn.net, DNS:doublec

lick.cn, DNS:*.doubleclick.cn, DNS:*.fls.doubleclick.cn, DNS:*.g.doubleclick.cn, DNS:dartsearch-cn.net, DNS:*.dartsearch-cn.net, DNS:googletraveladservices-c

n.com, DNS:*.googletraveladservices-cn.com, DNS:googletagservices-cn.com, DNS:*.googletagservices-cn.com, DNS:googletagmanager-cn.com, DNS:*.googletagmanager

-cn.com, DNS:googlesyndication-cn.com, DNS:*.googlesyndication-cn.com, DNS:*.safeframe.googlesyndication-cn.com, DNS:app-measurement-cn.com, DNS:*.app-measur

ement-cn.com, DNS:gvt1-cn.com, DNS:*.gvt1-cn.com, DNS:gvt2-cn.com, DNS:*.gvt2-cn.com, DNS:2mdn-cn.net, DNS:*.2mdn-cn.net, DNS:googleflights-cn.net, DNS:*.goo

gleflights-cn.net, DNS:admob-cn.com, DNS:*.admob-cn.com, DNS:*.gstatic.com, DNS:*.metric.gstatic.com, DNS:*.gvt1.com, DNS:*.gcpcdn.gvt1.com, DNS:*.gvt2.com,

DNS:*.gcp.gvt2.com, DNS:*.url.google.com, DNS:*.youtube-nocookie.com, DNS:*.ytimg.com, DNS:android.com, DNS:*.android.com, DNS:*.flash.android.com, DNS:g.cn,

DNS:*.g.cn, DNS:g.co, DNS:*.g.co, DNS:goo.gl, DNS:www.goo.gl, DNS:google-analytics.com, DNS:*.google-analytics.com, DNS:google.com, DNS:googlecommerce.com,

DNS:*.googlecommerce.com, DNS:ggpht.cn, DNS:*.ggpht.cn, DNS:urchin.com, DNS:*.urchin.com, DNS:youtu.be, DNS:youtube.com, DNS:*.youtube.com, DNS:youtubeeducat

ion.com, DNS:*.youtubeeducation.com, DNS:youtubekids.com, DNS:*.youtubekids.com, DNS:yt.be, DNS:*.yt.be, DNS:android.clients.google.com, DNS:developer.androi

d.google.cn, DNS:developers.android.google.cn, DNS:source.android.google.cn

Issuer: GTS CA 1C3

Not valid before: Aug 30 01:36:08 2021 GMT

Not valid after: Nov 22 01:36:07 2021 GMT

As you see, google use now tls 1.0, 1.1, 1.2 and 1.3: