如何得知网站SSL协议中使用了哪些加密套件

有时网站会被报告有SSL相关的漏洞，这个时候需要知道对应网站的SSL协议中使用了什么套件，从而进行相应评估。方法是用nmap的ssl-enum-ciphers：

nmap -sV --script ssl-enum-ciphers -p 【端口】 【ip或者域名】

例子

nmap -sV --script ssl-enum-ciphers -p 443 www.baidu.com
Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-14 17:22 CST
Nmap scan report for www.baidu.com (xxx.xxx.xxx.xxx)
Host is up (0.012s latency).
Other addresses for www.baidu.com (not scanned): xxx.xxx.xxx.xxx 240e:ff:xxxxx

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Apache httpd
| ssl-enum-ciphers: 
|   SSLv3: 
|     ciphers: 
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|     compressors: 
|       NULL
|     cipher preference: indeterminate
|     cipher preference error: Too few ciphers supported
|     warnings: 
|       Broken cipher RC4 is deprecated by RFC 7465
|       Forward Secrecy not supported by any cipher
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       Broken cipher RC4 is deprecated by RFC 7465
|   TLSv1.1: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       Broken cipher RC4 is deprecated by RFC 7465
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       Broken cipher RC4 is deprecated by RFC 7465
|_  least strength: C
|_http-server-header: BWS/1.1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.84 seconds

本页永久链接：https://www.orztip.com/?p=805&article_title=nmap-ssl-enum-ciphers