How to report the ciphers used for TrueSight Presentation Server and Infrastructure Server
There are several external utilities that can list the ciphers used by TSPS and TSIM. This article illustrates the use of nmap and openssl.

a) Using the nmap utility

    nmap -sV --script ssl-enum-ciphers.nse -p <<port number>> <<hostname>>

For example:

    nmap -sV --script ssl-enum-ciphers.nse -p 8443 myhostname.bmc.com

The output of this command looks like the following:

    Starting Nmap 6.40 ( http://nmap.org ) at 2019-08-27 21:13 CDT
    Nmap scan report for myhostname.bmc.com (12.345.67.890)
    Host is up (0.23s latency).
    PORT     STATE SERVICE VERSION
    8443/tcp open  ssl/https-alt?
    | ssl-enum-ciphers:
    |   SSLv3: No supported ciphers found
    |   TLSv1.2:
    |     ciphers:
    |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
    |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
    |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
    |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
    |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
    |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
    |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
    |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong

These are the supported ciphers for TSIM 11.x.

b) Using the openssl utility

Below is a sample shell script to check the matching ciphers, that is, the ciphers from the local openssl cipher list that the server accepts:

    #!/bin/bash
    # Usage: ./checkcipher.sh <hostname>:<port>
    serverport="$1"
    echo "testing against $serverport"
    # Try every cipher the local openssl knows, once per protocol version.
    # Protocol options the local openssl build lacks simply produce no output.
    for v in ssl2 ssl3 tls1 tls1_1 tls1_2; do
      for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
        # A successful handshake means the server accepts this protocol/cipher pair
        openssl s_client -connect "$serverport" \
          -cipher "$c" "-$v" < /dev/null > /dev/null 2>&1 && echo -e "$v:\t$c"
      done
    done

Sample run:

    [root@myhost bmc]# ./checkcipher.sh myhostname.bmc.com:8443
    testing against myhostname.bmc.com:8443
    tls1_2: ECDHE-RSA-AES256-GCM-SHA384
    tls1_2: ECDHE-RSA-AES256-SHA384
    tls1_2: ECDHE-RSA-AES256-SHA
    tls1_2: DHE-RSA-AES256-GCM-SHA384
    tls1_2: DHE-RSA-AES256-SHA256
    tls1_2: DHE-RSA-AES256-SHA
    tls1_2: ECDHE-RSA-AES128-GCM-SHA256
    tls1_2: ECDHE-RSA-AES128-SHA256
    tls1_2: ECDHE-RSA-AES128-SHA
    tls1_2: DHE-RSA-AES128-GCM-SHA256
    tls1_2: DHE-RSA-AES128-SHA256
    tls1_2: DHE-RSA-AES128-SHA

Note: The TSPS server also has a cipher list in the server.xml file located under /TrueSightPServer/truesightpserver/modules/tomcat/conf:

    cat server.xml |grep cipher
    <Connector SSLEnabled="true" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,TLS_ECDHE_RSA_WITH_AES_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,TLS_ECDHE_RSA_WITH_AES_256_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,TLS_DHE_DSS_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_256_SHA256,TLS_DHE_DSS_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_256_SHA" clientAuth="false" compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json" compression="on" compressionMinSize="1024" keystoreFile="/opt/bmc/TrueSightPServer/truesightpserver/conf/secure/loginvault.ks" keystorePass="changeit" maxThreads="150" port="8043" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslProtocol="TLSv1.2" useServerCipherSuitesOrder="true"/>
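
Added example, not part of the original article: nmap 6.40 labels every suite in the scan above "strong", so this helper parses saved ssl-enum-ciphers output and separates AEAD (GCM) suites from CBC-mode ones for review. The function names and the AEAD/CBC/OTHER grouping are choices made for this example; the sample input is an excerpt of the scan output shown above.

```shell
#!/bin/sh
# Added example: classify ciphers found in saved
# `nmap --script ssl-enum-ciphers` output. Function names are hypothetical.

# Sample input: excerpt of the scan output shown in this article.
sample_scan() {
cat <<'EOF'
8443/tcp open  ssl/https-alt?
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
EOF
}

# Read nmap output on stdin; print "<protocol>\t<cipher>\t<mode>" per cipher.
# mode: AEAD for GCM/CCM/CHACHA20 suites, CBC for CBC suites, OTHER otherwise.
classify_ciphers() {
  awk '
    # Protocol header such as "|   TLSv1.2:". A line like
    # "SSLv3: No supported ciphers found" does not match and is skipped.
    /^\| +(SSLv[0-9]+|TLSv[0-9.]+): *$/ { proto = $2; sub(/:$/, "", proto); next }
    # Cipher line such as "|       TLS_..._SHA - strong"
    /^\| +(TLS|SSL)_[A-Z0-9_]+ / {
      mode = "OTHER"
      if ($2 ~ /_(GCM|CCM|CHACHA20)/) mode = "AEAD"
      else if ($2 ~ /_CBC_/) mode = "CBC"
      printf "%s\t%s\t%s\n", proto, $2, mode
    }'
}

# Print "<protocol>\t<cipher>" for every suite that is not AEAD.
non_aead_ciphers() {
  classify_ciphers | awk -F '\t' '$3 != "AEAD" { print $1 "\t" $2 }'
}

# Demo on the embedded sample; with a real scan: non_aead_ciphers < scan.txt
sample_scan | non_aead_ciphers
```
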