sslfp is an SSL/TLS fingerprinting tool. While there are several such tools and even online services, this tool
- is multi-platform, as it is written in Java,
- is fast, making only the minimal possible number of requests,
- works behind proxy servers, even with basic authentication,
- supports StartTLS for SMTP, POP3 and IMAP.
sslfp works by making connections to the server, each offering a set of ciphersuites. If the connection is established, the ciphersuite the server chose is known to be supported and is excluded from subsequent requests. If the connection cannot be established because the client (sslfp) and the server have no ciphersuite in common, all remaining ciphersuites are known to be unsupported by the server.
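The elimination loop described above, as an added example that is not sslfp's own code: the server is simulated by a small class holding a constructed ciphersuite preference list, so the loop runs offline, and the loop also rejects a server that answers with a suite it was never offered (a protocol violation a real scanner should not silently accept).

```python
# Added example, not part of sslfp: ciphersuite enumeration by elimination,
# run against a simulated server instead of a real TLS endpoint.

class SimulatedServer:
    """Stands in for a TLS server. `preference` is the server's supported
    ciphersuites in its own order of preference (constructed sample data)."""

    def __init__(self, preference):
        self.preference = list(preference)

    def client_hello(self, offered):
        """Pick the first server-preferred suite the client offered.
        None models a handshake failure: no suite in common."""
        offered = set(offered)
        for suite in self.preference:
            if suite in offered:
                return suite
        return None


def fingerprint(server, candidates):
    """Return (accepted, handshakes): the candidate suites the server accepts,
    in the order the server chose them, and how many handshakes were needed."""
    remaining = list(candidates)
    accepted = []
    handshakes = 0
    while remaining:
        handshakes += 1
        chosen = server.client_hello(remaining)
        if chosen is None:
            # No common suite: everything still in `remaining` is unsupported,
            # so one failing handshake settles all of them at once.
            break
        if chosen not in remaining:
            raise RuntimeError("server chose a suite it was not offered: %s" % chosen)
        accepted.append(chosen)
        remaining.remove(chosen)   # never offer a confirmed suite again
    return accepted, handshakes


if __name__ == "__main__":
    # Constructed sample: the client offers four suites, the server knows two.
    server = SimulatedServer(["TLS_RSA_WITH_AES_128_CBC_SHA",
                              "TLS_RSA_WITH_RC4_128_SHA"])
    offered = ["TLS_RSA_WITH_RC4_128_SHA",
               "TLS_RSA_WITH_AES_256_GCM_SHA384",
               "TLS_RSA_WITH_AES_128_CBC_SHA",
               "TLS_RSA_WITH_NULL_SHA"]
    accepted, n = fingerprint(server, offered)
    print("accepted:", accepted)
    print("handshakes:", n)
```

The number of handshakes is the number of supported suites plus one failing handshake (or exactly the number of supported suites when every offered suite is accepted), rather than one handshake per candidate. Because every confirmed suite is removed before the next hello, the order in which suites are confirmed is the server's own preference order whenever the server honours its own preference rather than the client's.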
Classification of protocols and ciphersuites as secure or insecure is based on the following criteria:
- SSL version 2 is broken and thus insecure; later protocols, i.e. SSL v3, TLS 1.0 and later, are assumed to be secure.
- Ciphersuites that do not authenticate the server ("anon") are insecure.
- Ciphersuites with a key length of less than 128 bits are insecure.
- Ciphersuites using CBC mode are marked as problematic for protocols prior to TLS 1.1 due to the BEAST attack.
- Ciphersuites using RC4 are marked as problematic due to recent cryptanalytic results by Bernstein et al.
- Ciphersuites using RC2 are insecure.
- Ciphersuites employing "null" ciphers or "null" message authentication codes are insecure.
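The criteria above turned into a classifier, as an added example rather than sslfp's own code. It takes IANA-style suite names (TLS_<key exchange>_WITH_<cipher>_<mac>) and a protocol label; the protocol labels, the three verdict strings and the table of nominal key sizes for ciphers whose name carries no explicit size are assumptions of this example (3DES is counted at its nominal 168 bits, not its effective strength).

```python
# Added example, not part of sslfp: apply the README's classification
# criteria to a (protocol, ciphersuite) pair.

PROTOCOL_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1.0": 2, "TLSv1.1": 3, "TLSv1.2": 4}

# Nominal key sizes for ciphers whose IANA name has no explicit size.
# Assumption of this example: nominal, not effective, strength.
IMPLICIT_KEY_BITS = {"NULL": 0, "DES40": 40, "DES": 56, "3DES": 168,
                     "IDEA": 128, "SEED": 128, "CHACHA20": 256}


def key_bits(cipher_tokens):
    """Key length from an explicit number in the name (AES_128, RC2_CBC_40)
    or, failing that, from the table above. None means unknown."""
    for t in cipher_tokens:
        if t.isdigit():
            return int(t)
    for t in cipher_tokens:
        if t in IMPLICIT_KEY_BITS:
            return IMPLICIT_KEY_BITS[t]
    return None


def classify(protocol, suite):
    """Return (verdict, reasons), verdict being 'insecure', 'problematic' or 'secure'."""
    if protocol == "SSLv2":
        return "insecure", ["SSL version 2 is broken"]
    kx, sep, rest = suite.partition("_WITH_")
    if not sep:
        raise ValueError("unrecognised ciphersuite name: " + suite)
    tokens = rest.split("_")
    mac = tokens[-1]            # last token: MAC (or PRF hash for AEAD suites)
    cipher_tokens = tokens[:-1]
    reasons = []
    # Criteria that make a suite insecure outright.
    if "anon" in kx.split("_"):
        reasons.append("anonymous key exchange: server is not authenticated")
    if cipher_tokens[0] == "NULL" or mac == "NULL":
        reasons.append("null cipher or null MAC")
    bits = key_bits(cipher_tokens)
    if bits is not None and bits < 128:
        reasons.append("key length %d bits < 128" % bits)
    if "RC2" in cipher_tokens:
        reasons.append("RC2")
    if reasons:
        return "insecure", reasons
    # Criteria that only mark a suite as problematic.
    if "CBC" in cipher_tokens and PROTOCOL_RANK[protocol] < PROTOCOL_RANK["TLSv1.1"]:
        reasons.append("CBC mode before TLS 1.1 (BEAST)")
    if "RC4" in cipher_tokens:
        reasons.append("RC4 (cryptanalytic results by Bernstein et al.)")
    if reasons:
        return "problematic", reasons
    return "secure", reasons


if __name__ == "__main__":
    # Constructed sample of a server's offer, one line per verdict.
    for proto, suite in [("TLSv1.2", "TLS_RSA_WITH_AES_128_GCM_SHA256"),
                         ("TLSv1.0", "TLS_RSA_WITH_AES_128_CBC_SHA"),
                         ("TLSv1.2", "TLS_RSA_WITH_RC4_128_SHA"),
                         ("TLSv1.2", "TLS_DH_anon_WITH_AES_256_CBC_SHA"),
                         ("TLSv1.0", "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5")]:
        print(proto, suite, *classify(proto, suite))
```

The same CBC suite gets two different verdicts depending on the protocol it was negotiated under, which is why the classifier takes the protocol as input rather than looking at the suite name alone.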
To build sslfp, type "ant".
To analyse a single SSL-enabled server, run
java -jar sslfp.jar server[:port]
or, for verbose output, run
java -jar sslfp.jar -v server[:port]
If you want the output formatted as XML, use the -x option:
java -jar sslfp.jar -x server[:port]
The following options are available:

| Option | Description |
|---|---|
| -c | Only check whether SSL is supported at all; output as CSV. |
| -x | Output as XML. |
| -v | Print verbose output. Repeat for even more verbose output. |
| -d n | Wait n milliseconds between requests. |
| -m | Compute the hash of the modulus (instead of all key data), compatible with Debian's openssl-vulnkey database (use the right half of the hash). |
| -a | Enable all supported ciphersuites for fingerprinting instead of only the ciphersuites enabled by default (except Kerberos ciphersuites, which are controlled by the -k option). |
| -k | Do NOT disable Kerberos ciphersuites. |
| -f file | Read host[:port] names from file instead of the command line. Use - for stdin. |
| -V, -h, -? | Print version or help and exit. |
| -p proto | Handle protocol proto, where proto is one of plain, smtp, imap, pop3 (plain SSL, STARTTLS for SMTP and IMAP, STLS for POP3). |
| -P p-spec | Use the proxy given in p-spec as HTTP proxy, where p-spec is in the format proxy[:port[:uid[:pw]]] or [uid[:pw]]@proxy[:port]. |
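A parser for the two -P p-spec formats, added here as an example and not taken from sslfp, so how sslfp itself splits the string may differ. Assumptions of this example: a missing port is returned as None (leaving the default to the caller), the password is the remainder after the third colon in the colon form and after the first colon of the credentials in the @ form, and the last "@" separates credentials from the host, so a password may itself contain ":" or "@". Host names are constructed.

```python
# Added example, not part of sslfp: parse proxy[:port[:uid[:pw]]] or
# [uid[:pw]]@proxy[:port] into its components.

def parse_proxy_spec(spec):
    """Return {"host", "port", "uid", "pw"}; port is None when not given."""
    uid = pw = None
    if "@" in spec:
        # [uid[:pw]]@proxy[:port]; the last "@" is the separator, so a
        # password may contain "@".
        creds, _, hostpart = spec.rpartition("@")
        if creds:
            uid, _, pw = creds.partition(":")   # pw keeps any further ":"
            pw = pw or None
        host, _, port_s = hostpart.partition(":")
    else:
        # proxy[:port[:uid[:pw]]]; maxsplit=3 keeps ":" inside the password.
        parts = spec.split(":", 3)
        host = parts[0]
        port_s = parts[1] if len(parts) > 1 else ""
        uid = parts[2] if len(parts) > 2 else None
        pw = parts[3] if len(parts) > 3 else None
    if not host:
        raise ValueError("proxy host missing in %r" % spec)
    port = None
    if port_s:
        port = int(port_s)                     # ValueError on non-numeric port
        if not 1 <= port <= 65535:
            raise ValueError("port out of range in %r" % spec)
    if pw is not None and uid is None:
        raise ValueError("password given without user id in %r" % spec)
    return {"host": host, "port": port, "uid": uid, "pw": pw}


if __name__ == "__main__":
    # Constructed specs covering both formats.
    for spec in ["proxy.example:3128:alice:s3cret",
                 "alice:s3cret@proxy.example:3128",
                 "proxy.example", "@proxy.example:8080"]:
        print(spec, "->", parse_proxy_spec(spec))
```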
sslfp is developed by Ulrich Kuehn (ukuehn AT acm.org) and is released under the GPL v2 or later.