drwetter / testssl.sh

Testing TLS/SSL encryption anywhere on any port
https://testssl.sh
GNU General Public License v2.0

testssl.sh too slow #610

Open flamecopper opened 7 years ago

flamecopper commented 7 years ago

Hi there,

I have tried to run testssl.sh, however the results are too slow. I have tried to wait for 30 seconds before it continues to the current page.

Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2)

###########################################################
    testssl.sh       2.9dev from https://testssl.sh/dev/ ()

  This program is free software. Distribution and
         modification under GPLv2 permitted.
  USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

   Please file bugs @ https://testssl.sh/bugs/

###########################################################

Using "OpenSSL 1.0.2k 26 Jan 2017" [~121 ciphers] on ECOPSGN102:/usr/bin/openssl (built: "reproducible build, date unspecified", platform: "Cygwin-x86_64")

$ uname -a
CYGWIN_NT-10.0 ECOPSGN102 2.6.1(0.305/5/3) 2016-12-16 11:55 x86_64 Cygwin

bknowles commented 7 years ago

@flamecopper

I think this is likely to be a local problem on your end. Maybe testssl.sh doesn't support running on Windows under CygWin?

I'm not seeing any slowness on my machine, and I just pulled down a completely fresh copy of the repo. Note that it takes about three seconds on my machine to go from startup to logging the date/time stamp showing the system we're testing against:

$ date -u && time ./testssl.sh https://testssl.sh/dev/ && date -u
Thu Feb  2 09:24:03 UTC 2017

###########################################################
    testssl.sh       2.9dev from https://testssl.sh/dev/
    (c0cf622 2017-01-30 18:29:57 -- )

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2i-dev)" [~183 ciphers]
 on frobgaiju:./bin/openssl.Darwin.x86_64
 (built: "Sep  7 19:34:54 2016", platform: "darwin64-x86_64-cc")

 Start 2017-02-02 03:24:06    -->> 81.169.199.25:443 (testssl.sh) <<--

bknowles commented 7 years ago

@flamecopper

And here's the bottom few lines of the command started above, running to completion in less than five minutes total wall clock time:

Running browser simulations via sockets (experimental) 

 Android 2.3.7                 No connection
 Android 4.0.4                 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256), FS
 Android 4.1.1                 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256), FS
 Android 4.2.2                 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256), FS
 Android 4.3                   TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256), FS
 Android 4.4.2                 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256), FS
 Android 5.0.0                 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256), FS
 Baidu Jan 2015                TLSv1.0 DHE-RSA-CAMELLIA256-SHA, 2048 bit DH, FS
 BingPreview Jan 2015          TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256), FS
 Chrome 47 / OSX               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256), FS
 Firefox 31.3.0ESR / Win7      TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256), FS
 Firefox 42 OS X               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256), FS
 GoogleBot Feb 2015            TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256), FS
 IE 6 XP                       No connection
 IE 7 Vista                    TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256), FS
 IE 8 XP                       No connection
 IE 8-10 Win 7                 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256), FS
 IE 11 Win 7                   TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 2048 bit DH, FS
 IE 11 Win 8.1                 TLSv1.2 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256), FS
 IE 10 Win Phone 8.0           TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256), FS
 IE 11 Win Phone 8.1           TLSv1.2 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256), FS
 IE 11 Win Phone 8.1 Update    TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 2048 bit DH, FS
 IE 11 Win 10                  TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256), FS
 Edge 13 Win 10                TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256), FS
 Edge 13 Win Phone 10          TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256), FS
 Java 6u45                     No connection
 Java 7u25                     TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256), FS
 Java 8u31                     TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256), FS
 OpenSSL 0.9.8y                TLSv1.0 DHE-RSA-AES256-SHA, 2048 bit DH, FS
 OpenSSL 1.0.1l                TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256), FS
 OpenSSL 1.0.2e                TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256), FS
 Safari 5.1.9 OS X 10.6.8      TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256), FS
 Safari 6 iOS 6.0.1            TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256), FS
 Safari 6.0.4 OS X 10.8.4      TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256), FS
 Safari 7 iOS 7.1              TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256), FS
 Safari 7 OS X 10.9            TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256), FS
 Safari 8 iOS 8.4              TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256), FS
 Safari 8 OS X 10.10           TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256), FS
 Safari 9 iOS 9                TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256), FS
 Safari 9 OS X 10.11           TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256), FS
 Apple ATS 9 iOS 9             TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256), FS

 Done 2017-02-02 03:28:12    -->> 81.169.199.25:443 (testssl.sh) <<--

real    4m9.174s
user    0m15.768s
sys     0m16.906s
Thu Feb  2 09:28:12 UTC 2017

drwetter commented 7 years ago

1) you can always use --json-pretty, that gives you the run time as the last value
2) cygwin / msys is slower, yes. Probably because of emulation but I am not the expert here
3)

> I have tried to run testssl.sh, however the results are too slow. I have tried to wait for 30 seconds before it continues to the current page.

do you mean the startup or what exactly?

flamecopper commented 7 years ago

It has taken a total of 45 minutes to finish scanning one host externally.

Start 2017-02-07 09:46:03 -->> 65.61.137.117:443 (65.61.137.117) <<--

 rDNS (65.61.137.117):   --
 Service detected:       HTTP

Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2)

 SSLv2       not offered (OK)
 SSLv3       offered (NOT ok)
 TLS 1       offered
 TLS 1.1     offered
 TLS 1.2     offered (OK)
 SPDY/NPN    not offered
 HTTP2/ALPN  not offered

Testing ~standard cipher lists

 Null Ciphers                 not offered (OK)
 Anonymous NULL Ciphers       not offered (OK)
 Anonymous DH Ciphers         not offered (OK)
 40 Bit encryption            not offered (OK)
 56 Bit encryption            not offered (OK)
 Export Ciphers (general)     not offered (OK)
 Low (<=64 Bit)               not offered (OK)
 DES Ciphers                  not offered (OK)
 "Medium" grade encryption    offered (NOT ok)
 Triple DES Ciphers           offered
 High grade encryption        offered (OK)

Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4

 PFS is offered (OK)          ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA
 Elliptic curves offered:     prime256v1 secp384r1

Testing server preferences

 Has server cipher order?     yes (OK)
 Negotiated protocol          TLSv1.2
 Negotiated cipher            AES128-SHA256
 Cipher order
     SSLv3:     RC4-SHA DES-CBC3-SHA RC4-MD5
     TLSv1:     AES128-SHA AES256-SHA RC4-SHA DES-CBC3-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA RC4-MD5
     TLSv1.1:   AES128-SHA AES256-SHA RC4-SHA DES-CBC3-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA RC4-MD5
     TLSv1.2:   AES128-SHA256 AES128-SHA AES256-SHA256 AES256-SHA RC4-SHA DES-CBC3-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA RC4-MD5

Testing server defaults (Server Hello)

 TLS extensions (standard)    "renegotiation info/#65281" "extended master secret/#23"
 Session Tickets RFC 5077     (none)
 SSL Session ID support       yes
 TLS clock skew               -256 sec from localtime
 Signature Algorithm          sha1WithRSA (FIXME: can't tell whether this is good or not)
 Server key size              RSA 2048 bits
 Fingerprint / Serial         SHA1 20B95A8317A9FE1627D5B7F6AC1CEE27EC73F040 / 489AF02B179CD4A44293727923080BE5
                              SHA256 4428215D816E528520C11CFD12A4CF84C14E0DDF56D47C6E56564E13ED6E451B
 Common Name (CN)             demo.testfire.net
 subjectAltName (SAN)         --
 Issuer                       self-signed (NOT ok)
 Trust (hostname)             certificate does not match supplied URI
 Chain of trust               "/cygdrive/c/Users/alvin.oo/Desktop/etc/*.pem" cannot be found / not readable
 EV cert (experimental)       no
 Certificate Expiration       1048 >= 60 days (2014-07-01 17:54 --> 2019-12-22 17:54 +0800)

of certificates provided 1

 Certificate Revocation List  -- (NOT ok)
 OCSP URI
 OCSP stapling                --
 DNS CAA RR (experimental)    --

Testing HTTP header response @ "/"

 HTTP Status Code             200 OK
 HTTP clock skew              -244 (± 1.5) sec from localtime
 Strict Transport Security    --
 Public Key Pinning           --
 Server banner                Microsoft-IIS/8.0
 Application banner           X-AspNet-Version: 2.0.50727
                              X-Powered-By: ASP.NET
 Cookie(s)                    1 issued: NOT secure, 1/1 HttpOnly
 Security headers             --
 Reverse Proxy banner         --

Testing vulnerabilities

 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224)                       not vulnerable (OK), timed out
 Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
 Secure Client-Initiated Renegotiation     likely not vulnerable (OK), timed out
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    no HTTP compression (OK) - only supplied "/" tested
 POODLE, SSL (CVE-2014-3566)               VULNERABLE (NOT ok), uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)
 TLS_FALLBACK_SCSV (RFC 7507),             Downgrade attack prevention NOT supported
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                           https://censys.io/ipv4?q=4428215D816E528520C11CFD12A4CF84C14E0DDF56D47C6E56564E13ED6E451B could help you to find out
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected
 BEAST (CVE-2011-3389)                     SSL3: DES-CBC3-SHA
                                           TLS1: AES128-SHA AES256-SHA DES-CBC3-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA
                                           VULNERABLE -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2
 RC4 (CVE-2013-2566, CVE-2015-2808)        VULNERABLE (NOT ok): RC4-SHA RC4-MD5

Testing 359 via OpenSSL and sockets against the server, ordered by encryption strength

Hexcode  Cipher Suite Name (OpenSSL)  KeyExch.  Encryption  Bits  Cipher Suite Name (RFC)

xc014    ECDHE-RSA-AES256-SHA         ECDH 256  AES         256   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
x3d      AES256-SHA256                RSA       AES         256   TLS_RSA_WITH_AES_256_CBC_SHA256
x35      AES256-SHA                   RSA       AES         256   TLS_RSA_WITH_AES_256_CBC_SHA
xc027    ECDHE-RSA-AES128-SHA256      ECDH 256  AES         128   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
xc013    ECDHE-RSA-AES128-SHA         ECDH 256  AES         128   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
x3c      AES128-SHA256                RSA       AES         128   TLS_RSA_WITH_AES_128_CBC_SHA256
x2f      AES128-SHA                   RSA       AES         128   TLS_RSA_WITH_AES_128_CBC_SHA
x05      RC4-SHA                      RSA       RC4         128   TLS_RSA_WITH_RC4_128_SHA
x04      RC4-MD5                      RSA       RC4         128   TLS_RSA_WITH_RC4_128_MD5
x0a      DES-CBC3-SHA                 RSA       3DES        168   TLS_RSA_WITH_3DES_EDE_CBC_SHA

Running browser simulations via sockets (experimental)

 Android 2.3.7                 TLSv1.0 AES128-SHA
 Android 4.0.4                 TLSv1.0 AES128-SHA
 Android 4.1.1                 TLSv1.0 AES128-SHA
 Android 4.2.2                 TLSv1.0 AES128-SHA
 Android 4.3                   TLSv1.0 AES128-SHA
 Android 4.4.2                 TLSv1.2 AES128-SHA256
 Android 5.0.0                 TLSv1.2 AES128-SHA
 Baidu Jan 2015                TLSv1.0 AES128-SHA
 BingPreview Jan 2015          TLSv1.2 AES128-SHA256
 Chrome 47 / OSX               TLSv1.2 AES128-SHA
 Firefox 31.3.0ESR / Win7      TLSv1.2 AES128-SHA
 Firefox 42 OS X               TLSv1.2 AES128-SHA
 GoogleBot Feb 2015            TLSv1.2 AES128-SHA
 IE 6 XP                       SSLv3 RC4-SHA
 IE 7 Vista                    TLSv1.0 AES128-SHA
 IE 8 XP                       TLSv1.0 RC4-SHA
 IE 8-10 Win 7                 TLSv1.0 AES128-SHA
 IE 11 Win 7                   TLSv1.2 AES128-SHA256
 IE 11 Win 8.1                 TLSv1.2 AES128-SHA256
 IE 10 Win Phone 8.0           TLSv1.0 AES128-SHA
 IE 11 Win Phone 8.1           TLSv1.2 AES128-SHA256
 IE 11 Win Phone 8.1 Update    TLSv1.2 AES128-SHA256
 IE 11 Win 10                  TLSv1.2 AES128-SHA256
 Edge 13 Win 10                TLSv1.2 AES128-SHA256
 Edge 13 Win Phone 10          TLSv1.2 AES128-SHA256
 Java 6u45                     TLSv1.0 AES128-SHA
 Java 7u25                     TLSv1.0 AES128-SHA
 Java 8u31                     TLSv1.2 AES128-SHA256
 OpenSSL 0.9.8y                TLSv1.0 AES128-SHA
 OpenSSL 1.0.1l                TLSv1.2 AES128-SHA256
 OpenSSL 1.0.2e                TLSv1.2 AES128-SHA256
 Safari 5.1.9 OS X 10.6.8      TLSv1.0 AES128-SHA
 Safari 6 iOS 6.0.1            TLSv1.2 AES128-SHA256
 Safari 6.0.4 OS X 10.8.4      TLSv1.0 AES128-SHA
 Safari 7 iOS 7.1              TLSv1.2 AES128-SHA256
 Safari 7 OS X 10.9            TLSv1.2 AES128-SHA256
 Safari 8 iOS 8.4              TLSv1.2 AES128-SHA256
 Safari 8 OS X 10.10           TLSv1.2 AES128-SHA256
 Safari 9 iOS 9                TLSv1.2 AES128-SHA256
 Safari 9 OS X 10.11           TLSv1.2 AES128-SHA256
 Apple ATS 9 iOS 9             TLSv1.2 ECDHE-RSA-AES128-SHA256, 256 bit ECDH (P-256), FS

Done 2017-02-07 10:27:30 -->> 65.61.137.117:443 (65.61.137.117) <<--

drwetter commented 7 years ago

We would not need the whole output. What is the OS and testssl version,  same as first post?

teward commented 7 years ago

@drwetter Erm, --json-pretty is not a recognized option in latest git I believe. I can also give you confirmation a cygwin build takes a lot longer to run, emulation or other issues being the main cause. (Or at least, not in master branch, unless 2.9dev is the correct branch?)

drwetter commented 7 years ago

I should rename master maybe at a certain point to 2.8.

2.9dev is where the action takes place ;-) and where --json-pretty was developed.

drwetter commented 7 years ago

Regarding speed, that's kind of strange. I have the impression that msys2 / cygwin is way slower (>30 min) if the OS runs emulated itself (tried under virtualbox). On a customer laptop with native W7 a default run finishes < 5 min. What's your config @flamecopper ?

bash on native Windows 10 seems to belong into the first category though (which I can confirm, see your PR). Googling let me assume that the implementation of subshells currently is to blame here. Well it's beta -- hope MS will tackle this soon.

theiamdude commented 7 years ago

@drwetter, I am having the same issue with the 2.9dev version on Windows 10. I am using babun to execute the command. A workaround for me was to use a docker container, which performs much better. I would suggest the same @flamecopper. I am using the mvance/testssl image, which is based on the 2.8rc3 version of testssl.sh

drwetter commented 7 years ago

Yeah, docker seems to be the best probably.

My experience so far: bash on Windows 10: 45min+, Windows 7 + MSYS: 2.8: 15min, 2.9dev: 24min.

According to what Google returns it's the subshells, along with fork/exec. So to all contributors: think twice before submitting a command with 12+ commands concatted with 11+ pipes. ;-) Preference is always bash internal functions, see e.g. https://www.cyberciti.biz/tips/bash-shell-parameter-substitution-2.html .
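
The subshell and fork/exec cost described in the comment above, as an added example that is not part of the original thread and is not code from testssl.sh: the same host/port extraction from a "Start" line, once as a pipeline of external programs and once with shell parameter expansion only. The function names, `RESULT` and `RUN_BENCH` are hypothetical; the sample line is the one posted earlier in this thread.

```sh
#!/bin/sh
# Added example, not testssl.sh code. Works in bash and in POSIX sh.
# SAMPLE is the "Start" line posted earlier in this thread.
SAMPLE='Start 2017-02-07 09:46:03 -->> 65.61.137.117:443 (65.61.137.117) <<--'

# Pipeline style: every call starts three external programs (grep, awk, sed)
# plus the subshells that make up the pipeline. Each of those is a fork/exec,
# which is the expensive operation under Cygwin/MSYS and bash on Windows.
target_with_pipes() {
    echo "$1" | grep -- '-->>' | awk '{print $5}' | sed 's/:/ /'
}

# Builtin style: parameter expansion only, no fork at all.
# The result is returned in the global RESULT so that the caller does not
# need a $(...) command substitution (which would fork a subshell again).
target_with_builtins() {
    RESULT=
    case $1 in
        *"-->> "*) ;;          # line carries the banner marker
        *) return 1 ;;         # not a Start/Done line: report failure
    esac
    tb_rest=${1#*"-->> "}      # drop everything up to and including "-->> "
    tb_hostport=${tb_rest%% *} # keep the first word: "host:port"
    RESULT="${tb_hostport%:*} ${tb_hostport##*:}"
}

# Wall-clock comparison over N iterations; the numbers depend on the platform.
bench() {
    n=${1:-200}
    i=0; t0=$(date +%s)
    while [ "$i" -lt "$n" ]; do
        target_with_pipes "$SAMPLE" >/dev/null
        i=$((i + 1))
    done
    i=0; t1=$(date +%s)
    while [ "$i" -lt "$n" ]; do
        target_with_builtins "$SAMPLE"
        i=$((i + 1))
    done
    t2=$(date +%s)
    echo "pipes: $((t1 - t0))s  builtins: $((t2 - t1))s  ($n iterations each)"
}

# Run the comparison only when asked to, e.g.: RUN_BENCH=1 sh example.sh
if [ "${RUN_BENCH:-0}" = 1 ]; then
    bench 200
fi
```
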

Themercee commented 7 years ago

I was running the branch master on Ubuntu bash under Windows 10, and it took 20 minutes against a single domain. I switched to a real Ubuntu and it took me 2-3 minutes.