How do I scan and verify a website's TLS version?
I have been looking for a solution that can automatically scan all of our company's endpoint website domains. SSL Labs has a manual online solution:
https://www.ssllabs.com/ssltest/index.html
How can this be done programmatically?
Best answer
I had the same problem. I created a free, open-source project on GitHub, https://github.com/JocysCom/SslScanner, which contains:
- A portable, stand-alone SSL, TLS and STARTTLS scanning tool.
- /Tool/Common/Test_SSL_Support.cs - C# code that checks SSL/TLS versions
- /Tool/Common/Test_SSL_Support.bat - a simple batch script that runs the C# like a script from the Windows command line. Note: I use PowerShell and Batch on Windows to run C# like a scripting language so that I can automate a lot of things.
Test_SSL_Support.cs has a "TestTCP" method that returns "true" if the connection supports the specified protocol version:
// Namespaces this method needs (declared at the top of Test_SSL_Support.cs):
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

// `ValidateServerCertificate` and `result` are defined elsewhere in
// Test_SSL_Support.cs: the callback decides whether the server certificate is
// accepted, and `result` collects the negotiated parameters for the report.
static bool TestTCP(string host, int port, SslProtocols protocol, out bool connected)
{
    var success = false;
    // Dispose the client even when the connect attempt times out.
    using (var client = new TcpClient())
    {
        var asyncResult = client.BeginConnect(host, port, null, null);
        // 5 seconds timeout.
        connected = asyncResult.AsyncWaitHandle.WaitOne(TimeSpan.FromSeconds(5));
        // Connected.
        if (connected)
        {
            var stream = client.GetStream();
            // Don't dispose underlying stream.
            using (var sslStream = new SslStream(stream, true, ValidateServerCertificate))
            {
                sslStream.ReadTimeout = 15000;
                sslStream.WriteTimeout = 15000;
                // Throws AuthenticationException / IOException when the server
                // refuses this protocol version; the caller catches that and
                // records the message, which is what the output below shows.
                sslStream.AuthenticateAsClient(host, null, protocol, false);
                result.UpdateFromSslStream(sslStream);
                success = true;
            }
            client.EndConnect(asyncResult);
        }
    }
    return success;
}
Test_SSL_Support.cs also supports the StartTLS protocol. Look for the method:
static bool TestStarTLS(string host, int port, SslProtocols protocol, out bool connected)
You can add multiple hosts and ports to Test_SSL_Support.bat to scan:
:: Test SSL/TLS.
CALL:PS www.google.com 443
:: Test StartTLS.
CALL:PS mail.jocys.com 110
The command-line output looks like this:
172.217.169.4 www.google.com:443
Ssl2 = False | The client and server cannot communicate, because they do not possess a common algorithm
Ssl3 = False | The client and server cannot communicate, because they do not possess a common algorithm
Tls = True | Exchange = ECC-256 | Cipher = AES128 | Hash = SHA1
Tls11 = True | Exchange = ECC-256 | Cipher = AES128 | Hash = SHA1
Tls12 = True | Exchange = ECC-256 | Cipher = AES128 | Hash = SHA256
Tls13 = True | Exchange = ECC-256 | Cipher = AES256 | Hash = SHA384
62.30.149.144 mail.jocys.com:110
Ssl2 = False | The client and server cannot communicate, because they do not possess a common algorithm
Ssl3 = False | The client and server cannot communicate, because they do not possess a common algorithm
Tls = False | Authentication failed because the remote party has closed the transport stream.
Tls11 = False | Authentication failed because the remote party has closed the transport stream.
Tls12 = True | Exchange = ECC-384 | Cipher = AES256 | Hash = SHA384
Tls13 = False | Authentication failed because the remote party has closed the transport stream.
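The answer's TestTCP method probes one version at a time and leaves the version loop, the exception handling and the reporting to the rest of the tool. The program below is an added, self-contained example (not code from the answer or the SslScanner project) that does the whole job in one file: it connects to each host:port, performs a separate handshake for each SSL/TLS version, prints the negotiated key exchange, cipher and hash in the same shape as the output above, and marks versions that a production endpoint should no longer accept. The class and method names, the five-second deadline and the default target are my own choices; the default host is just the placeholder from the answer's batch script. The certificate callback accepts any certificate, because the question being asked is which versions the server speaks; the certificate policy errors are kept and printed so that a bad certificate is still visible in the report.

```csharp
using System;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Threading.Tasks;

// Added example, not code from the original answer or the SslScanner project.
// Probes each host:port for every SSL/TLS version separately, prints the
// negotiated key exchange / cipher / hash, and marks versions that should be
// disabled on a production endpoint (SSL 2/3, TLS 1.0, TLS 1.1).
static class TlsVersionScan
{
    // Oldest first. Ssl3/Tls/Tls11 are marked obsolete on newer .NET runtimes
    // (compiler warnings only); a runtime that refuses to offer them surfaces
    // that as a failed probe, which still reads as "not supported".
    static readonly SslProtocols[] Versions =
    {
        SslProtocols.Ssl3, SslProtocols.Tls, SslProtocols.Tls11,
        SslProtocols.Tls12, SslProtocols.Tls13,
    };

    static bool IsDeprecated(SslProtocols v) =>
        v == SslProtocols.Ssl2 || v == SslProtocols.Ssl3 ||
        v == SslProtocols.Tls || v == SslProtocols.Tls11;

    sealed class ProbeResult
    {
        public SslProtocols Version;
        public bool Supported;
        public SslPolicyErrors CertErrors;
        public string Detail = "";
    }

    // Wraps an async step with a hard deadline; SslStream.ReadTimeout only
    // applies to synchronous calls, so async probes need their own deadline.
    static async Task WithTimeout(Task task, TimeSpan timeout, string step)
    {
        if (await Task.WhenAny(task, Task.Delay(timeout)) != task)
            throw new TimeoutException(step + " timed out");
        await task; // rethrows the step's own exception, if any
    }

    static async Task<ProbeResult> ProbeAsync(string host, int port,
        SslProtocols version, TimeSpan timeout)
    {
        var result = new ProbeResult { Version = version };
        using var client = new TcpClient();
        try
        {
            await WithTimeout(client.ConnectAsync(host, port), timeout, "connect");
            // Version probing deliberately accepts any certificate: the question
            // is which versions the server speaks. The policy errors are kept in
            // the result so certificate problems are still reported.
            using var ssl = new SslStream(client.GetStream(), false,
                (sender, cert, chain, errors) => { result.CertErrors = errors; return true; });
            await WithTimeout(
                ssl.AuthenticateAsClientAsync(host, null, version, false),
                timeout, "handshake");
            result.Supported = true;
            result.Detail =
                $"Exchange = {ssl.KeyExchangeAlgorithm}-{ssl.KeyExchangeStrength}" +
                $" | Cipher = {ssl.CipherAlgorithm}-{ssl.CipherStrength}" +
                $" | Hash = {ssl.HashAlgorithm}";
        }
        catch (Exception ex) when (ex is AuthenticationException || ex is IOException
            || ex is SocketException || ex is TimeoutException
            || ex is NotSupportedException || ex is PlatformNotSupportedException)
        {
            // A handshake refused by the server (or a version the local runtime
            // will not offer) lands here; the message is the finding.
            result.Detail = ex.Message;
        }
        return result;
    }

    static async Task Main(string[] args)
    {
        // Endpoints as host[:port] arguments; the default is a placeholder
        // taken from the answer's batch script.
        var targets = args.Length > 0 ? args : new[] { "www.google.com:443" };
        foreach (var target in targets)
        {
            var parts = target.Split(':');
            var host = parts[0];
            var port = parts.Length > 1 ? int.Parse(parts[1]) : 443;
            Console.WriteLine($"{host}:{port}");
            foreach (var version in Versions)
            {
                var r = await ProbeAsync(host, port, version, TimeSpan.FromSeconds(5));
                var flag = r.Supported && IsDeprecated(version) ? "  <-- disable" : "";
                var certNote = r.Supported && r.CertErrors != SslPolicyErrors.None
                    ? $" | CertErrors = {r.CertErrors}" : "";
                Console.WriteLine($"  {version,-6} = {r.Supported,-5} | {r.Detail}{certNote}{flag}");
            }
        }
    }
}
```

Run it as `dotnet run -- host1:443 host2:443 mail.example:995` (the last form probes an implicit-TLS port; STARTTLS ports such as 110 need the protocol-specific upgrade command first, which the answer's TestStarTLS method handles and this example does not). Each version is probed on a fresh connection on purpose: a server that has just refused TLS 1.0 may keep the socket half-closed, and reusing it would make the next version look unsupported as well.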
Regarding "c# - How to scan and verify a website's TLS version?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/58774212/