Find SSL/TLS Versions Supported || Script
Hi Folks,
Well, I'm in need of some offline tool or some script that could help me complete my analysis of the SSL/TLS protocols that my end servers are supporting.
Currently I have some default serverssl profiles on most of the VS. Everything seems to be going well. But I'm going to move away from the default and start using a custom serverssl profile which would support just TLS1_2.
I don't intend to apply this before verifying that the end servers have stopped supporting tls1 & tls1_1 and support just tls1_2. At present, I'm using the commands below one by one to confirm it. Note there are 1000's of servers to be tested.
openssl s_client -host -port 443 -ssl3
openssl s_client -host -port 443 -tls1
openssl s_client -host -port 443 -tls1_1
openssl s_client -host -port 443 -tls1_2
I tried with nmap, but it's taking time. Is there any simpler script that can verify all SSL/TLS protocols of multiple provided server IPs running on different ports as an input?
Also tried to use curl and grep something, had bad luck with it...
Editing this post and truncating it to how to get the pool members instead since the script was not working as is and the original poster had a better script further below:
tmsh -c "cd /;list ltm pool recursive" | awk '/:/{ split($1, memberArr, /:/)} /address/ { print $2 ":" memberArr[2] }'
/Patrik
- jaikumar_f5
Noctilucent
Here's something that I came up with yesterday, I used csv format to separate using comma and the output file looks fast & good too.
```shell
# Initialize the output file
> Tls_Output.csv

# Creating the output file with Headings
echo "Server,SSL3,TLS1,TLS1_1,TLS1_2" >> Tls_Output.csv

# Have a serverlist file created with IP:Port details in it
for i in `cat serverlist`; do

    # SSL3 Testing
    openssl s_client -connect $i -ssl3 < /dev/null
    if [ $? -eq 0 ];then
        SSL3_state="PASS"
    else
        SSL3_state="FAIL"
    fi

    # TLS1 Testing
    openssl s_client -connect $i -tls1 < /dev/null
    if [ $? -eq 0 ];then
        TLS1_state="PASS"
    else
        TLS1_state="FAIL"
    fi

    # Tls1_1 Testing
    openssl s_client -connect $i -tls1_1 < /dev/null
    if [ $? -eq 0 ];then
        TLS1_1_state="PASS"
    else
        TLS1_1_state="FAIL"
    fi

    # Tls1_2 Testing
    openssl s_client -connect $i -tls1_2 < /dev/null
    if [ $? -eq 0 ];then
        TLS1_2_state="PASS"
    else
        TLS1_2_state="FAIL"
    fi

    # Display all the SSL results in the output file
    echo "$i,$SSL3_state,$TLS1_state,$TLS1_1_state,$TLS1_2_state" >> Tls_Output.csv
done
```
Drawback:
I could see the openssl command executing in the console. Have to pass this to a variable to run in the background. A bit of tweaking should do the work.
Output File:
Edit: The script has been updated, refer to the comments to find the latest.
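For the drawback mentioned in the post above, here is an added example (not the poster's updated script and not F5 code) that captures the openssl output instead of printing it, bounds each probe with a timeout, and reports N/A when the local openssl build rejects a protocol flag such as `-ssl3`. `OPENSSL_BIN`, `PROBE_TIMEOUT`, `probe` and `scan_list` are names chosen for this sketch, and the "unknown option" match is a heuristic on openssl's error text.

```shell
#!/bin/sh
# Added example, not the thread's script. OPENSSL_BIN and PROBE_TIMEOUT are
# names chosen here; serverlist holds one IP:port per line, as in the post.
OPENSSL_BIN=${OPENSSL_BIN:-openssl}
PROBE_TIMEOUT=${PROBE_TIMEOUT:-5}

# probe IP:PORT FLAG  -> prints one of:
#   PASS  handshake completed with that protocol version
#   FAIL  s_client exited non-zero (version refused, host unreachable, timeout)
#   N/A   the local openssl build rejects the flag, so nothing was tested
probe() {
    rc=0
    if command -v timeout >/dev/null 2>&1; then
        out=$(timeout "$PROBE_TIMEOUT" "$OPENSSL_BIN" s_client \
              -connect "$1" "$2" </dev/null 2>&1) || rc=$?
    else
        out=$("$OPENSSL_BIN" s_client -connect "$1" "$2" </dev/null 2>&1) || rc=$?
    fi
    if printf '%s\n' "$out" | grep -qi 'unknown option'; then
        echo "N/A"
    elif [ "$rc" -eq 0 ]; then
        echo "PASS"
    else
        echo "FAIL"
    fi
}

# scan_list FILE -> CSV on stdout; blank lines and '#' comments are skipped
scan_list() {
    echo "Server,SSL3,TLS1,TLS1_1,TLS1_2"
    while IFS= read -r target || [ -n "$target" ]; do
        case $target in ''|'#'*) continue ;; esac
        row=$target
        for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
            # openssl gets its stdin from /dev/null inside probe, so it
            # cannot swallow the rest of the server list
            row="$row,$(probe "$target" "$flag")"
        done
        echo "$row"
    done < "$1"
}

# Usage: sh tls_scan.sh serverlist > Tls_Output.csv
if [ "$#" -gt 0 ]; then
    scan_list "$1"
fi
```

A row with FAIL in every column usually means the server was unreachable rather than hardened, so check those hosts separately before changing the serverssl profile. A minimum protocol version or security level set in the local OpenSSL configuration can also turn a TLS 1.0/1.1 probe into FAIL on the client side, so validate the scanning host against a server known to accept those versions.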