Has anyone created any fixlets that leverage https://testssl.sh?
What I am looking for is something that will iterate through the open ports on a Linux box (probably need Windows as well) and then spit out whether the port only accepts TLS 1.2 and which cipher.
For example:
```
lous-mbp:~ fossl$ testssl.sh -E 192.168.86.171:52311
No mapping file found
###########################################################
testssl.sh 2.8 from https://testssl.sh/
(1.582 2017/05/10 19:04:47)
This program is free software. Distribution and
modification under GPLv2 permitted.
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ https://testssl.sh/bugs/
###########################################################
Using "OpenSSL 1.0.2l 25 May 2017" [~125 ciphers]
on lous-mbp:/usr/local/opt/openssl/bin/openssl
(built: "reproducible build, date unspecified", platform: "darwin64-x86_64-cc")
Start 2017-07-31 20:43:56 -->> 192.168.86.171:52311 (192.168.86.171) <<--
rDNS (192.168.86.171): bigfix01.lan.
Service detected: HTTP
Testing all locally available ciphers per protocol against the server, ordered by encryption strength
Hexcode  Cipher Suite Name (OpenSSL)  KeyExch.  Encryption  Bits
SSLv2    Local problem: /usr/local/opt/openssl/bin/openssl doesn't support "s_client -ssl2"
SSLv3
TLS 1
x35      AES256-SHA                   RSA       AES         256
x2f      AES128-SHA                   RSA       AES         128
TLS 1.1
x35      AES256-SHA                   RSA       AES         256
x2f      AES128-SHA                   RSA       AES         128
TLS 1.2
x9d      AES256-GCM-SHA384            RSA       AESGCM      256
x3d      AES256-SHA256                RSA       AES         256
x35      AES256-SHA                   RSA       AES         256
x9c      AES128-GCM-SHA256            RSA       AESGCM      128
x3c      AES128-SHA256                RSA       AES         128
x2f      AES128-SHA                   RSA       AES         128
Done 2017-07-31 20:44:01 -->> 192.168.86.171:52311 (192.168.86.171) <<--
```
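One way to turn `-E` output like the above into a per-port answer, as an added example (not part of the original post and not testssl.sh's own code): a shell function that groups the cipher rows under their protocol heading and reports whether TLS 1.2 is the only protocol that offered a cipher. The function name `summarise_testssl`, the verdict strings and both sample inputs are assumptions made for this illustration, and the parser assumes the uncoloured 2.8 layout shown in the post.

```shell
#!/usr/bin/env bash
# Reads `testssl.sh -E host:port` text on stdin (2.8 layout, as in the post).
# Prints one "<protocol>: <ciphers>" line per protocol that offered a cipher,
# then a VERDICT line answering "does this port accept TLS 1.2 only?".
summarise_testssl() {
  awk '
    # Protocol heading: SSLv2, SSLv3, TLS 1, TLS 1.1, TLS 1.2, ...
    /^[ \t]*(SSLv[23]|TLS 1)/ {
      proto = ($1 == "TLS") ? ("TLS " $2) : $1
      next
    }
    # Cipher row under the current heading: hexcode, then OpenSSL cipher name.
    proto != "" && /^[ \t]*x[0-9a-fA-F]+[ \t]/ {
      if (!(proto in ciphers)) { order[++n] = proto; ciphers[proto] = $2 }
      else ciphers[proto] = ciphers[proto] " " $2
      next
    }
    END {
      for (i = 1; i <= n; i++) printf "%s: %s\n", order[i], ciphers[order[i]]
      if (n == 0) v = "NO-CIPHERS-SEEN"
      else if (n == 1 && order[1] == "TLS 1.2") v = "TLS1.2-ONLY"
      else v = "OTHER-PROTOCOLS-ACCEPTED"
      print "VERDICT: " v
    }'
}

# Constructed samples: POST_SAMPLE is trimmed from the output in the post;
# TLS12_ONLY is a made-up port that offers TLS 1.2 ciphers only.
POST_SAMPLE='SSLv2 Local problem: openssl does not support "s_client -ssl2"
SSLv3
TLS 1
x35 AES256-SHA RSA AES 256
x2f AES128-SHA RSA AES 128
TLS 1.1
x35 AES256-SHA RSA AES 256
TLS 1.2
x9d AES256-GCM-SHA384 RSA AESGCM 256
x9c AES128-GCM-SHA256 RSA AESGCM 128'
TLS12_ONLY='SSLv3
TLS 1
TLS 1.1
TLS 1.2
x9d AES256-GCM-SHA384 RSA AESGCM 256'

printf '%s\n' "$POST_SAMPLE" | summarise_testssl
printf '%s\n' "$TLS12_ONLY" | summarise_testssl
```

Against a live port the input would come from `testssl.sh --color 0 -E host:port | summarise_testssl`, with colour disabled so escape sequences do not break the line matching. A protocol the local OpenSSL cannot test (SSLv2 in the run above) shows up as no ciphers, not as proof the server refuses it.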