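/**
 * Resolve a hostname to an IPv4 address, returning false instead of the
 * unchanged input when resolution fails.
 *
 * gethostbyname() signals failure by handing back the name it was given, so
 * the only way to tell "resolved" from "failed" is to compare the two strings.
 * Consequences worth knowing: an IPv4 literal such as "127.0.0.1" is also
 * returned unchanged and therefore yields false here, and gethostbyname()
 * only does A-record lookups, so IPv6-only names yield false as well.
 *
 * @param string $host hostname to resolve
 * @return string|false dotted-quad IPv4 address, or false on failure
 */
function fixed_gethostbyname($host) {
    $name = (string) $host;
    $ip = gethostbyname($name);
    // Strict comparison on purpose: both sides are strings, so loose "!="
    // could only ever add numeric-string surprises, never help.
    if ($ip !== $name) {
        return $ip;
    }
    return false;
}

/**
 * Return $var when it is set (non-null), otherwise $default.
 *
 * $var is taken by reference so a missing array element or property can be
 * passed without an "undefined index" notice. Side effect to be aware of:
 * passing a missing array element by reference creates that element (with
 * value null) in the caller's array.
 *
 * @param mixed $var     value to test, by reference
 * @param mixed $default returned when $var is unset or null
 * @return mixed
 */
function get(&$var, $default=null) {
    if (isset($var)) {
        return $var;
    }
    return $default;
}

/**
 * Fetch the HTTP response headers of https://$host:$port with every
 * certificate check disabled (this is a scanner: headers are wanted even from
 * hosts whose certificate is self-signed, expired or for another name).
 *
 * get_headers() only gained a per-call context parameter in PHP 7.1, so the
 * SSL options go through the process-wide default stream context. The
 * previous version left those insecure settings in the default context for
 * the rest of the request, which silently disabled certificate verification
 * for every later https:// stream in the process; this version restores the
 * previous values (or PHP's own secure defaults for keys that were not set)
 * once the request has been made. Connect-level warnings are masked for the
 * duration, the same way the other probe functions in this file do it.
 *
 * NOTE(review): $host and $port come straight from the caller. If they
 * originate from a web request, the caller must reject internal / loopback
 * targets -- nothing here prevents the scanner being pointed at them.
 *
 * @param string     $host
 * @param int|string $port
 * @return array|null headers keyed by lower-cased header name (the
 *                    associative format of get_headers()), or null when
 *                    nothing came back
 */
function server_http_headers($host, $port) {
    $probe_ssl = array(
        "verify_peer"          => false,
        "capture_session_meta" => true,
        "verify_peer_name"     => false,
        "allow_self_signed"    => true,
        "sni_enabled"          => true,
    );
    // PHP's defaults for the keys above (peer verification is on since 5.6);
    // used to put back any key that had no explicit value before we touched it.
    $secure_ssl = array(
        "verify_peer"          => true,
        "capture_session_meta" => false,
        "verify_peer_name"     => true,
        "allow_self_signed"    => false,
        "sni_enabled"          => true,
    );
    $previous = stream_context_get_options(stream_context_get_default());
    $previous_ssl = isset($previous['ssl']) ? $previous['ssl'] : array();

    $old_error_reporting = error_reporting();
    error_reporting($old_error_reporting & ~E_WARNING);

    stream_context_set_default(array(
        "ssl"  => $probe_ssl,
        'http' => array('method' => 'GET'),
    ));
    $headers = get_headers("https://$host:$port", 1);

    // Restore the default context: previous value if there was one, else
    // the secure default. (http.method is left alone: GET is the default.)
    $restore_ssl = array();
    foreach ($probe_ssl as $key => $unused) {
        $restore_ssl[$key] = array_key_exists($key, $previous_ssl)
            ? $previous_ssl[$key]
            : $secure_ssl[$key];
    }
    stream_context_set_default(array("ssl" => $restore_ssl));

    error_reporting($old_error_reporting);

    if (empty($headers)) {
        return null;
    }
    return array_change_key_case($headers, CASE_LOWER);
}

/**
 * Open one TLS connection to $host:$port over the given PHP transport with the
 * supplied "ssl" context options, then close it again.
 *
 * Only the handshake outcome matters to the callers, so the socket is released
 * immediately instead of lingering until the variable is overwritten or the
 * script ends. Shared by ssl_conn_ciphersuites() and ssl_conn_protocols().
 *
 * @param string     $transport   e.g. "ssl", "sslv3", "tlsv1.2"
 * @param string     $host
 * @param int|string $port
 * @param array      $ssl_options values for the "ssl" context wrapper
 * @return bool true when the connection (and thus the handshake) succeeded
 */
function ssl_probe_connection($transport, $host, $port, array $ssl_options) {
    $context = stream_context_create(array("ssl" => $ssl_options));
    $errno = 0;
    $errstr = '';
    $socket = stream_socket_client(
        "$transport://$host:$port",
        $errno,
        $errstr,
        2,                      // connect timeout in seconds, as before
        STREAM_CLIENT_CONNECT,
        $context
    );
    if ($socket === false) {
        return false;
    }
    fclose($socket);
    return true;
}

/**
 * Test which of the given OpenSSL cipher-suite names $host:$port will accept.
 *
 * For every entry a fresh connection is opened with the "ciphers" context
 * option restricted to exactly that suite, so a successful handshake means
 * the server negotiated it. A false result does not say why: the server may
 * have refused the suite, the local OpenSSL may not know it, or the TCP
 * connection may simply have failed. Connect-level warnings are masked for
 * the duration because a refused suite is the expected case, not an error.
 *
 * @param string     $host
 * @param int|string $port
 * @param array      $ciphersuites list of OpenSSL cipher-suite names
 * @return array $ciphersuite => bool, in the order given
 */
function ssl_conn_ciphersuites($host, $port, $ciphersuites) {
    $old_error_reporting = error_reporting();
    // Mask E_WARNING rather than XOR it: the previous "^ E_WARNING" would
    // *enable* warnings whenever the current level had them turned off.
    error_reporting($old_error_reporting & ~E_WARNING);

    $results = array();
    foreach ($ciphersuites as $suite) {
        $results[$suite] = ssl_probe_connection("ssl", $host, $port, array(
            "verify_peer"       => false,
            "verify_peer_name"  => false,
            "allow_self_signed" => true,
            'ciphers'           => $suite,
            "sni_enabled"       => true,
        ));
    }

    error_reporting($old_error_reporting);
    return $results;
}

/**
 * Test which SSL/TLS protocol versions $host:$port will negotiate.
 *
 * Each version is probed with PHP's version-specific transport (sslv3://,
 * tlsv1.0://, ...), which pins the handshake to that single version; the
 * matching crypto_method constant is passed as well. The constants are
 * STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT etc.; the previous spelling
 * "TLSv_1_0" named constants that do not exist. TLS 1.3 is not probed: the
 * tlsv1.3:// transport only exists on newer PHP/OpenSSL builds and would
 * read as "not supported" everywhere else.
 *
 * @param string     $host
 * @param int|string $port
 * @return array 'sslv3', 'tlsv1.0', 'tlsv1.1', 'tlsv1.2' => bool, in that order
 */
function ssl_conn_protocols($host, $port) {
    $old_error_reporting = error_reporting();
    // Mask, don't XOR (see ssl_conn_ciphersuites()).
    error_reporting($old_error_reporting & ~E_WARNING);

    // transport name => crypto_method constant
    $versions = array(
        'sslv3'   => STREAM_CRYPTO_METHOD_SSLv3_CLIENT,
        'tlsv1.0' => STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT,
        'tlsv1.1' => STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT,
        'tlsv1.2' => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,
    );

    $results = array();
    foreach ($versions as $version => $crypto_method) {
        $results[$version] = ssl_probe_connection($version, $host, $port, array(
            "verify_peer"          => false,
            "capture_session_meta" => true,
            "verify_peer_name"     => false,
            "allow_self_signed"    => true,
            'crypto_method'        => $crypto_method,
            "sni_enabled"          => true,
        ));
    }

    error_reporting($old_error_reporting);
    return $results;
}

// NOTE(review): ssl_conn_metadata() continues past this point interleaved with
// inline HTML on the following lines, so it is reproduced unchanged here. Its
// chain-verification step there writes the chain to /tmp/verify_cert.$random_blurp.pem
// with FILE_APPEND and runs `openssl verify` through exec() with escapeshellcmd()
// over the whole command string plus an unescaped "| grep -v OK"; that should use a
// tempnam()-style unique file and escapeshellarg() per argument, and unlink on every path.
function ssl_conn_metadata($host, $port, $chain=null) { global $random_blurp; global $current_folder; $stream = stream_context_create (array("ssl" => array("verify_peer" => false, "capture_session_meta" => true, "verify_peer_name" => false, "allow_self_signed" => true, "sni_enabled" => true))); $read_stream = stream_socket_client("ssl://$host:$port", $errno, $errstr, 2, STREAM_CLIENT_CONNECT, $stream); if ( $read_stream === false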
) { return false; } else { $context = stream_context_get_params($read_stream); $context_meta = stream_context_get_options($read_stream)['ssl']['session_meta']; $cert_data = openssl_x509_parse($context["options"]["ssl"]["peer_certificate"])[0]; if ($context_meta) { ?>

Connection Data

"; } } echo "
Connection Data
Chain sent by Server (in server order) "; echo htmlspecialchars(openssl_x509_parse($chain[$i])['subject']['CN']); echo "
Issued by......: "; echo htmlspecialchars(openssl_x509_parse($chain[$i])['issuer']['CN']); echo "
"; $export_pem = ""; openssl_x509_export($chain[$i], $export_pem); array_push($certificate_chain, $export_pem); if (openssl_x509_parse($chain[$i])['issuer']['CN'] == openssl_x509_parse($chain[$i + 1])['subject']['CN']){ continue; } else { if ($i != $chain_length - 1) { echo " - Error: Issuer does not match the next certificate CN. Chain order is probaby wrong.

"; } } } } echo "
"; } else { echo "Error: Certificate chain to large.
"; } file_put_contents('/tmp/verify_cert.' . $random_blurp . '.pem', implode("\n", array_reverse($certificate_chain)).PHP_EOL , FILE_APPEND); $verify_output = 0; $verify_exit_code = 0; $verify_exec = exec(escapeshellcmd('openssl verify -verbose -purpose any -CAfile ' . getcwd() . '/cacert.pem /tmp/verify_cert.' . $random_blurp . '.pem') . "| grep -v OK", $verify_output, $verify_exit_code); if ($verify_exit_code != 1) { echo " - Error: Validating certificate chain failed:
"; echo "
";
              echo str_replace('/tmp/verify_cert.' . $random_blurp . '.pem: ', '', implode("\n", $verify_output));
              echo "
"; } else { echo " - Sucessfully validated certificate chain.
"; } unlink('/tmp/verify_cert.' . $random_blurp . '.pem'); ?>
IP / Hostname / Port
Protocol $value) { if ( $value == true ) { if ( $key == "tlsv1.2") { echo '

- TLSv1.2 (Supported)

'; } else if ( $key == "tlsv1.1") { echo '

- TLSv1.1 (Supported)

'; } else if ( $key == "tlsv1.0") { echo '

- TLSv1.0 (Supported)

'; } else if ( $key == "sslv3") { echo '

- SSLv3 (Supported)

'; } else { echo '

- '.$key.' (Supported)

'; } } else { if ( $key == "tlsv1.2") { echo '

- TLSv1.2 (Not supported)

'; } else if ( $key == "tlsv1.1") { echo '

- TLSv1.1 (Not supported)

'; } else if ( $key == "tlsv1.0") { echo '

- TLSv1.0 (Not supported)

'; } else if ( $key == "sslv3") { echo '

- SSLv3 (Not supported)

'; } else { echo '

- '.$key.'(Not supported)

'; } } } ?>
Ciphersuites supported by server $value) { if($value == true){ if (in_array($key, $bad_ciphersuites)) { $bad_ciphersuite = 1; echo ""; echo " "; } else { echo " "; } echo htmlspecialchars($key); echo "
"; } else { echo ""; } } if ($bad_ciphersuite) { ?>


Ciphersuites containing NULL, EXP(ort), DES or RC4 are marked RED because they are weak or broken: NULL suites provide no encryption at all, and export-grade, DES and RC4 suites are considered insecure; they should be disabled on the server.

Ciphersuite
Strict Transport Security - "; if ( is_array($headers["strict-transport-security"])) { echo htmlspecialchars(substr($headers["strict-transport-security"][0], 0, 50)); echo "
HSTS header was found multiple times. Only showing the first one."; } else { echo htmlspecialchars(substr($headers["strict-transport-security"], 0, 50)); } echo "
"; } else { echo ' - Not Set'; } ?>
HTTP Public Key Pinning Extension (HPKP) - "; if ( is_array($headers["public-key-pins"])) { echo htmlspecialchars(substr($headers["public-key-pins"][0], 0, 255)); echo "
HPKP header was found multiple times. Only showing the first one."; echo "
"; } else { echo htmlspecialchars(substr($headers["public-key-pins"], 0, 255)); } } else { echo 'Not Set'; } ?> Report Only: "; if ( is_array($headers["public-key-pins-report-only"])) { echo htmlspecialchars(substr($headers["public-key-pins-report-only"][0], 0, 255)); echo "
HPKP Report Only header was found multiple times. Only showing the first one."; } else { echo htmlspecialchars(substr($headers["public-key-pins-report-only"], 0, 255)); } } ?>
OCSP Stapling "; foreach ($stapling as $key => $value) { if ($key != "working") { echo "
" . $key . "" . $value . "
"; } else { echo "No response received."; } ?> This Server's OpenSSL Version This Server's Date (RFC 2822)