tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git

index.rst (2901B)


.. _mozilla_projects_nss_tools_nss_tools_sslstrength:

NSS Tools sslstrength
=====================

`sslstrength <#sslstrength>`__
------------------------------

.. container::

`Summary <#summary>`__
~~~~~~~~~~~~~~~~~~~~~~

.. container::

  A simple command-line client which connects to an SSL server and reports back the encryption
  cipher and strength used.

`Synopsis <#synopsis>`__
~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

  1) sslstrength ciphers

  2) sslstrength hostname[:port] [ciphers=xyz] [debug] [verbose] [policy=export|domestic]

`Description <#description>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

  The first form simply lists the possible ciphers. The letter in the first column of the
  output is used to identify the cipher preferences in the ciphers= command.

  The second form attempts to connect to the named SSL host. The hostname argument must be present.
  The port number is optional and, if not given, defaults to the https port (443).

  .. rubric:: Restricting Ciphers
     :name: restricting_ciphers

  By default, sslstrength assumes that all the preferences are on, so it will use any preferences
  in your policy. The enabled ciphersuites will always be printed out before the connection is
  made. If you want to test a particular cipher, there are two ways to affect which ciphers are
  available. Firstly, you can set **policy** to be either domestic or export. This restricts the
  available ciphers to the same set used by Communicator. In addition to this, the **ciphers**
  command can be used to further restrict the ciphers available. The argument to the ciphers
  command is a string of characters, where each single character represents a cipher. You can
  obtain this list of character->cipher mappings by running 'sslstrength ciphers'. For example,

  **ciphers=bfi** will turn on these cipher preferences and turn off all others.

  **policy=export** or **policy=domestic** will set your policies appropriately.

  **policy** will default to domestic if not specified.

  .. rubric:: Step-up
     :name: step-up

  Step-up is a mode where the connection starts out with 40-bit encryption but, due to a
  'change-cipher-spec' handshake, changes to 128-bit encryption. This is only done in 'export
  mode', with servers that have a special certificate. You can tell that you stepped up because the
  output will say 'using export policy' and you'll find the secret key size was 128 bits.

`Prerequisites <#prerequisites>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

  You should have a cert7.db in the directory in which you run sslstrength.

`Other <#other>`__
~~~~~~~~~~~~~~~~~~

.. container::

  For reference, here is a table of well-known SSL port numbers:

  ===== ===
  HTTPS 443
  IMAPS 993
  NNTPS 563
  ===== ===
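
The check described in the Summary (connect, then report the negotiated cipher and secret key size) can be reproduced with Python's standard ``ssl`` module to audit a server for weak key sizes. This is an added example, not part of the NSS documentation or the sslstrength tool; the function names, the constructed sample cipher tuples and the thresholds in ``classify()`` are assumptions made here.

```python
import socket
import ssl
import sys

DEFAULT_PORT = 443  # the https default named in the Description


def parse_target(arg):
    """Split 'hostname[:port]'; the hostname is required, the port optional."""
    host, sep, port = arg.partition(":")
    if not host:
        raise ValueError("hostname must be present")
    if not sep:
        return host, DEFAULT_PORT
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad port: {port!r}")
    return host, int(port)


def classify(secret_bits):
    """Grade a negotiated secret key size (thresholds are this example's assumption)."""
    if secret_bits <= 0:
        return "none"
    if secret_bits <= 56:
        return "export-grade"  # covers the 40-bit case mentioned under Step-up
    if secret_bits < 128:
        return "weak"
    return "strong"


def report(target, cipher):
    """Format the (name, protocol, secret_bits) tuple that SSLSocket.cipher() returns."""
    host, port = parse_target(target)
    name, protocol, bits = cipher
    return f"{host}:{port} {protocol} {name} {bits}-bit [{classify(bits)}]"


def probe(target, timeout=5.0):
    """Connect, complete the handshake, and return the negotiated cipher tuple."""
    host, port = parse_target(target)
    ctx = ssl.create_default_context()  # verifies the certificate and hostname
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher()


if __name__ == "__main__":
    # Constructed sample tuples so the report runs offline; pass hosts as arguments to probe live.
    for sample in [("EXP-RC4-MD5", "SSLv3", 40), ("AES128-GCM-SHA256", "TLSv1.2", 128)]:
        print(report("mail.example.com:993", sample))
    for target in sys.argv[1:]:
        print(report(target, probe(target)))
```

A current Python/OpenSSL build will not offer export-grade suites, so a live probe shows what a modern client negotiates rather than the weakest suite the server would accept.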