Learning Kali Linux
Encryption Testing | 57

  Preferred TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
  Accepted  TLSv1.1  256 bits  DHE-RSA-AES256-SHA            DHE 2048 bits
  Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
  Accepted  TLSv1.0  256 bits  DHE-RSA-AES256-SHA            DHE 2048 bits

  SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength:    2048

Subject:  rosebud
Issuer:   rosebud

Not valid before: Nov 24 14:58:32 2017 GMT
Not valid after:  Nov 22 14:58:32 2027 GMT

sslscan will also tell you whether the server is vulnerable to Heartbleed, the 2014 bug in
OpenSSL's TLS heartbeat extension (CVE-2014-0160) that let a client read chunks of the
server's memory, which could include session data and the server's private key. Most
important, though, sslscan gives us the list of cipher suites the server supports. The
listing has several columns whose meaning may not be obvious at first. The first column
is easily readable: it indicates whether the protocol and cipher suite are accepted and
whether they are the server's preferred choice. You will note that each version of TLS
has its own preferred cipher suite. The second column is the protocol and version. SSL is
not enabled on this server at all, because support for SSLv2 and SSLv3 has been removed
from the underlying libraries. The next column is the key strength of the bulk (symmetric)
cipher, in bits.
Key sizes can't be compared except within the same algorithm.
Rivest-Shamir-Adleman (RSA) is an asymmetric encryption algorithm
whose keys are typically 2,048, 3,072, or 4,096 bits (1,024-bit keys
are obsolete). AES is a symmetric encryption algorithm with key sizes
of 128, 192, and 256 bits. That doesn't mean that RSA is orders of
magnitude stronger than AES, because the two use their keys in
entirely different ways: the best attack on AES is essentially trying
every key, whereas RSA is broken by factoring the modulus, which is
far easier than brute force. NIST (SP 800-57) therefore rates a
2,048-bit RSA key at roughly 112 bits of security and a 3,072-bit key
at 128, on par with AES-128. Even comparing algorithms of the same
type (asymmetric versus symmetric) is misleading, since, for example,
a 256-bit elliptic-curve key gives about the same security as a
3,072-bit RSA key.
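The following script is an added example, not code from Learning Kali Linux or from sslscan itself. It parses the sslscan listing shown above (embedded here as a constructed string so it runs offline), splits each OpenSSL-style suite name into its key-exchange, authentication, bulk-cipher and MAC parts (the structure the next paragraph explains), converts the key sizes in the listing to comparable security strengths using the NIST SP 800-57 table, and flags the findings a tester would write up. The weakness rules and the strength table are this example's own choices; the parsing is generalized to handle suites (RSA key transport, anonymous DH, TLS 1.3 names) that do not appear in the listing.

```python
"""Parse sslscan output, decompose cipher suites, and flag weak settings."""
import re

# Constructed sample: the sslscan listing shown on this page.
SAMPLE = """\
  Preferred TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
  Accepted  TLSv1.1  256 bits  DHE-RSA-AES256-SHA            DHE 2048 bits
  Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
  Accepted  TLSv1.0  256 bits  DHE-RSA-AES256-SHA            DHE 2048 bits

  SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength:    2048

Subject:  rosebud
Issuer:   rosebud
"""

CIPHER_LINE = re.compile(
    r"^\s*(?P<status>Preferred|Accepted)\s+(?P<proto>SSLv\d|TLSv1(?:\.\d)?)\s+"
    r"(?P<bits>\d+)\s+bits\s+(?P<suite>\S+)\s*(?P<tail>.*?)\s*$")
FIELD_LINE = re.compile(r"^\s*(?P<key>[A-Za-z ]+?):\s+(?P<value>.+?)\s*$")

KEX_PREFIXES = {"ECDHE", "DHE", "ECDH", "DH", "ADH", "AECDH"}
AUTH_PREFIXES = {"RSA", "ECDSA", "DSS", "PSK"}
MAC_SUFFIXES = {"MD5", "SHA", "SHA256", "SHA384"}


def parse_suite(name):
    """Split an OpenSSL-style name such as DHE-RSA-AES256-SHA256 into its parts.
    "SHA" alone means HMAC-SHA1; with GCM/CCM the hash is only the PRF."""
    if name.startswith("TLS_"):  # TLS 1.3 names: always (EC)DHE plus an AEAD cipher
        return {"kex": "ECDHE/DHE", "auth": "certificate", "cipher": name[4:], "mac": "AEAD"}
    parts = name.split("-")
    kex = parts.pop(0) if parts[0] in KEX_PREFIXES else None
    auth = parts.pop(0) if parts and parts[0] in AUTH_PREFIXES else None
    mac = parts.pop() if len(parts) > 1 and parts[-1] in MAC_SUFFIXES else None
    if kex is None:              # bare AES256-SHA: RSA key transport, no forward secrecy
        kex, auth = "RSA", auth or "RSA"
    elif kex in ("ADH", "AECDH"):
        auth = "anon"            # anonymous DH: nobody is authenticated
    return {"kex": kex, "auth": auth, "cipher": "-".join(parts), "mac": mac}


def security_strength(kind, bits):
    """Approximate security strength per NIST SP 800-57 Part 1, so that keys of
    different algorithms can be compared: AES-256 is 256, RSA-2048 only 112."""
    if kind == "AES":
        return bits
    if kind in ("RSA", "DH"):    # factoring / finite-field discrete log
        table = [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)]
    else:                        # "EC": elliptic-curve discrete log
        table = [(160, 80), (224, 112), (256, 128), (384, 192), (512, 256)]
    return max((s for size, s in table if bits >= size), default=0)


def parse_sslscan(text):
    """Return (list of cipher-suite rows, dict of certificate fields)."""
    suites, cert = [], {}
    for line in text.splitlines():
        m = CIPHER_LINE.match(line)
        if m:
            row = m.groupdict()
            row["bits"] = int(row["bits"])
            dh = re.search(r"DHE (\d+)", row["tail"])     # "DHE 2048 bits" / "Curve P-256 DHE 256"
            row["kex_bits"] = int(dh.group(1)) if dh else None
            row["kex_kind"] = "EC" if "Curve" in row["tail"] else "DH"
            row.update(parse_suite(row["suite"]))
            suites.append(row)
            continue
        m = FIELD_LINE.match(line)
        if m:
            cert[m.group("key").strip()] = m.group("value")
    return suites, cert


def connection_strength(row, cert_rsa_bits):
    """Weakest link of a negotiated suite: bulk cipher, key exchange, certificate key."""
    links = [security_strength("AES", row["bits"]), security_strength("RSA", cert_rsa_bits)]
    if row["kex_bits"]:
        links.append(security_strength(row["kex_kind"], row["kex_bits"]))
    return min(links)


def audit(suites, cert):
    """Findings a tester would write up from the listing (rules are this example's)."""
    findings = set()
    for s in suites:
        if s["proto"] in ("SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"):
            findings.add(f"{s['proto']} enabled (deprecated by RFC 8996)")
        if s["auth"] == "anon":
            findings.add(f"{s['suite']}: anonymous suite, no server authentication")
        if s["kex"] == "RSA":
            findings.add(f"{s['suite']}: RSA key transport, no forward secrecy")
        if s["kex_kind"] == "DH" and s["kex_bits"] and s["kex_bits"] < 2048:
            findings.add(f"{s['suite']}: DHE group only {s['kex_bits']} bits")
        if any(w in s["cipher"] for w in ("RC4", "DES", "NULL", "EXP")):
            findings.add(f"{s['suite']}: RC4/DES/3DES/NULL/export-grade bulk cipher")
        if s["mac"] in ("MD5", "SHA"):
            findings.add(f"{s['suite']}: legacy CBC suite with HMAC-{'SHA1' if s['mac'] == 'SHA' else 'MD5'}")
    if cert.get("Subject") and cert.get("Subject") == cert.get("Issuer"):
        findings.add("self-signed certificate (Subject == Issuer): clients will not trust it")
    if int(cert.get("RSA Key Strength", 0)) < 2048:
        findings.add("certificate RSA key shorter than 2048 bits")
    return sorted(findings)


if __name__ == "__main__":
    rows, certificate = parse_sslscan(SAMPLE)
    rsa_bits = int(certificate["RSA Key Strength"])
    for r in rows:
        print(f"{r['status']:9} {r['proto']:8} {r['suite']:22} kex={r['kex']} auth={r['auth']} "
              f"cipher={r['cipher']} mac={r['mac']} strength={connection_strength(r, rsa_bits)} bits")
    for finding in audit(rows, certificate):
        print("FINDING:", finding)
```

Run against the page's listing, every row reports an effective strength of 112 bits, not the 256 shown in the key-strength column: the AES-256 bulk cipher is the strongest link, and the 2,048-bit RSA certificate key is the weakest. The audit flags TLS 1.0 and 1.1, the HMAC-SHA1 CBC suites, and the self-signed certificate, while the 2,048-bit DHE group and P-256 curve pass.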
The next column is the cipher suite. It's called a cipher suite because it combines
several algorithms that have different purposes. Let's take this listing as an example:
DHE-RSA-AES256-SHA256 (the output above shows its SHA-1 sibling, DHE-RSA-AES256-SHA).
The first part, DHE, indicates that we are using Ephemeral Diffie-Hellman for key
exchange: a fresh Diffie-Hellman key is generated for each connection, so recorded
traffic cannot be decrypted later even if the server's long-term key is stolen (forward
secrecy). The second part is RSA, which stands for Rivest-Shamir-Adleman, the three men
who developed the algorithm. RSA is an asymmetric-key algorithm. Here it is used to
authenticate the parties: the server's public key is stored in a certificate that also
includes identification information about the server, and the server proves that it
holds the matching private key by signing its Diffie-Hellman parameters. If the client
also has a certificate, there can be mutual authentication. Otherwise, the client
authenticates the server by checking that the certificate chains to a certificate
authority it trusts and that the hostname the client intended to go to matches the
hostname listed in the certificate. Note that the certificate in the listing above has
the same Subject and Issuer (rosebud), so it is self-signed and a client will not trust
it unless that certificate has been explicitly installed or pinned. Asymmetric