Features¶
SSH¶
Differentiators¶
checks supported Diffie-Hellman (group exchange) key sizes
checks supported host certificates, X.509 certificates and chains
analyzes server protocol version string to identify application server vendor and version
Versions¶
Analyzers¶
Supported analyzers by cryptographic protocol versions
Analyzers |
SSH 2.0 |
---|---|
Cipher Suites ( |
✓ |
Diffie-Hellman parameters ( |
✓ |
Host Keys, Host/X.509 Certificates and Chains ( |
|
Vulnerabilities ( |
Vulnerabilities¶
SSL/TLS¶
Differentiators¶
checks 10+ application layer protocols with opportunistic TLS capability
checks 400+ cipher suites, more than discussed on ciphersuite.info, or supported by GnuTls, LibreSSL, OpenSSL, or wolfSSL
checks GOST (national standards of the Russian Federation and CIS countries) cipher suites
checks post-quantum elliptic curves (Kyber)
checks TLS 1.3 draft versions, not just finnal version
checks whether Diffie-Hellman
public parameter is a safe prime
public parameter is defined in an RFC (e.g., FFDHE, MODP) or used by an application server as a builtin parameter
key exchange supports RFC 7919 (FFDHE)
key is reused
Analyzers¶
Supported analyzers by cryptographic protocol versions
Analyzers |
SSL |
TLS |
||||
---|---|---|---|---|---|---|
2.0 |
3.0 |
1.0 |
1.1 |
1.2 |
1.3 |
|
Cipher Suites ( |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
X.509 Public Keys ( |
✓ |
✓ |
✓ |
✓ |
✓ |
✗ |
X.509 Public Keys Request ( |
n/a |
✓ |
✓ |
✓ |
✓ |
✗ |
Elliptic-Curves ( |
n/a |
n/a |
✓ |
✓ |
✓ |
✓ |
Diffie-Hellman parameters ( |
n/a |
n/a |
✓ |
✓ |
✓ |
✓ |
Signature Algorithms ( |
n/a |
n/a |
n/a |
✓ |
✓ |
✓ |
Extensions ( |
n/a |
n/a |
n/a |
n/a |
✓ |
✓ |
Vulnerabilities ( |
n/a |
n/a |
n/a |
n/a |
n/a |
n/a |
Simulations ( |
n/a |
n/a |
n/a |
n/a |
n/a |
n/a |
Versions¶
Transport Layer
Application Layer
Opportunistic TLS or STARTTLS) is an extension of an application layer protocol, whichs offer a way to upgrade a plain text connection to an encrypted ione without using a separate port.
Extensions¶
Public Keys¶
validation against notable trusted root CA certificates stores
revocation check
extensions
TLS feature (e.g. OCSP must staple)
-
timestamp information
transparency log information
Vulnerabilities¶
Simulated Clients¶
Fingerprinting¶
Hypertext Transfer Protocol (HTTP)¶
Analyzers¶
Headers¶
generic headers
NEL (Network Error Logging)
caching headers
security headers
DNS¶
Differentiators¶
extract (public key) and analyze (key type, size) DNSSEC signing keys
Analyzers¶
e-mail authentication, reporting related records
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
Sender Policy Framework (SPF)
SMTP MTA Strict Transport Security (MTA-STS)
SMTP TLS Reporting (TLSRPT)
DNSSEC records