joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

AdFind SSL/TLS Certificate / Session Info

by @ 6:15 pm on 4/8/2017. Filed under general, tech

I think I have settled on the data I want to make available for the -sslinfo switch. If someone thinks there would be some additional info that would be useful please let me know.

Below is what I have for output so far for the -sslinfo switch. I am thinking the switch will initially be in BETA mode even with the release version of V01.50.00 until I sort out exactly how I want it formatted and how it might be used. I also have to sort out how to add the CSV/TSV functionality for it since when it runs in this mode it doesn’t actually get anywhere near the normal output stage of the code. I know for a mass scan of a forest that would likely be the preferred output model.

My original thinking was that the bit strength, cert version, dates, and issuer would be the most valuable bits of info. I visualize being able to tear through an entire forest looking at this info for every DC with a simple for /f loop like

for /f %i in ('adfind -gcb -sc dclist') do adfind -hh %i -sslinfo

Like so:

[Sat 04/08/2017 18:10:11.39]
E:\DEV\cpp\vs\AdFind>for /f %i in ('release\adfind -gcb -sc dclist') do release\adfind -hh %i -sslinfo -utc

[Sat 04/08/2017 18:10:22.83]
E:\DEV\cpp\vs\AdFind>release\adfind -hh K16TST-DC1.k16tst.test.loc -sslinfo -utc

AdFind V01.50.00.00cpp VS BETA Joe Richards (support@joeware.net) April 2016

Certificate Info
================
  Encoding Type = X509_ASN_ENCODING (0x01)
  Version       = CERT_V3 (0x02)
  NotBefore     = 2017/04/08-16:11:31 UTC
  NotAfter      = 2018/04/08-16:11:31 UTC
  Sig Algorithm = 1.2.840.113549.1.1.13
  Issuer        = CN=CA1,DC=k16tst,DC=test,DC=loc
  Subject       = CN=K16TST-DC1.k16tst.test.loc

SSL Connection Information
==========================
  Protocol           = Transport Layer Security 1.2 client-side (SP_PROT_TLS1_2_CLIENT)
  Cipher Algorithm   = AES 256-bit encryption algorithm (CALG_AES_256)
  Cipher Strength    = 256 bits
  Hash Algorithm     = 384 bit SHA hashing algorithm (CALG_SHA_384)
  Hash Strength      = 0 bits
  Key Exch Algorithm = Ephemeral elliptic curve Diffie-Hellman key exchange (CALG_ECDH_EPHEM)
  Key Exch Strength  = 255 bits

The command completed successfully

[Sat 04/08/2017 18:10:22.90]
E:\DEV\cpp\vs\AdFind>release\adfind -hh K16TST-DC2.k16tst.test.loc -sslinfo -utc

AdFind V01.50.00.00cpp VS BETA Joe Richards (support@joeware.net) April 2016

Certificate Info
================
  Encoding Type = X509_ASN_ENCODING (0x01)
  Version       = CERT_V3 (0x02)
  NotBefore     = 2017/04/08-16:15:53 UTC
  NotAfter      = 2018/04/08-16:15:53 UTC
  Sig Algorithm = 1.2.840.113549.1.1.13
  Issuer        = CN=CA1,DC=k16tst,DC=test,DC=loc
  Subject       = CN=K16TST-DC2.k16tst.test.loc

SSL Connection Information
==========================
  Protocol           = Transport Layer Security 1.2 client-side (SP_PROT_TLS1_2_CLIENT)
  Cipher Algorithm   = AES 256-bit encryption algorithm (CALG_AES_256)
  Cipher Strength    = 256 bits
  Hash Algorithm     = 384 bit SHA hashing algorithm (CALG_SHA_384)
  Hash Strength      = 0 bits
  Key Exch Algorithm = Ephemeral elliptic curve Diffie-Hellman key exchange (CALG_ECDH_EPHEM)
  Key Exch Strength  = 255 bits

The command completed successfully

[Sat 04/08/2017 18:10:22.98]
E:\DEV\cpp\vs\AdFind>release\adfind -hh K16TSTCHLD-DC1.k16tstchld.k16tst.test.loc -sslinfo -utc

AdFind V01.50.00.00cpp VS BETA Joe Richards (support@joeware.net) April 2016

Certificate Info
================
  Encoding Type = X509_ASN_ENCODING (0x01)
  Version       = CERT_V3 (0x02)
  NotBefore     = 2017/04/08-21:19:19 UTC
  NotAfter      = 2018/04/08-21:19:19 UTC
  Sig Algorithm = 1.2.840.113549.1.1.13
  Issuer        = CN=CA1,DC=k16tst,DC=test,DC=loc
  Subject       = CN=K16TSTCHLD-DC1.k16tstchld.k16tst.test.loc

SSL Connection Information
==========================
  Protocol           = Transport Layer Security 1.2 client-side (SP_PROT_TLS1_2_CLIENT)
  Cipher Algorithm   = AES 256-bit encryption algorithm (CALG_AES_256)
  Cipher Strength    = 256 bits
  Hash Algorithm     = 384 bit SHA hashing algorithm (CALG_SHA_384)
  Hash Strength      = 0 bits
  Key Exch Algorithm = Ephemeral elliptic curve Diffie-Hellman key exchange (CALG_ECDH_EPHEM)
  Key Exch Strength  = 255 bits

The command completed successfully

[Sat 04/08/2017 18:10:23.11]
E:\DEV\cpp\vs\AdFind>release\adfind -hh K16TSTCHLD-DC2.k16tstchld.k16tst.test.loc -sslinfo -utc

AdFind V01.50.00.00cpp VS BETA Joe Richards (support@joeware.net) April 2016

Certificate Info
================
  Encoding Type = X509_ASN_ENCODING (0x01)
  Version       = CERT_V3 (0x02)
  NotBefore     = 2017/04/08-21:27:51 UTC
  NotAfter      = 2018/04/08-21:27:51 UTC
  Sig Algorithm = 1.2.840.113549.1.1.13
  Issuer        = CN=CA1,DC=k16tst,DC=test,DC=loc
  Subject       = CN=K16TSTCHLD-DC2.k16tstchld.k16tst.test.loc

SSL Connection Information
==========================
  Protocol           = Transport Layer Security 1.2 client-side (SP_PROT_TLS1_2_CLIENT)
  Cipher Algorithm   = AES 256-bit encryption algorithm (CALG_AES_256)
  Cipher Strength    = 256 bits
  Hash Algorithm     = 384 bit SHA hashing algorithm (CALG_SHA_384)
  Hash Strength      = 0 bits
  Key Exch Algorithm = Ephemeral elliptic curve Diffie-Hellman key exchange (CALG_ECDH_EPHEM)
  Key Exch Strength  = 255 bits

The command completed successfully

[Sat 04/08/2017 18:10:23.24]
E:\DEV\cpp\vs\AdFind>release\adfind -hh K16TST-RODC1.k16tst.test.loc -sslinfo -utc

AdFind V01.50.00.00cpp VS BETA Joe Richards (support@joeware.net) April 2016

Certificate Info
================
  Encoding Type = X509_ASN_ENCODING (0x01)
  Version       = CERT_V3 (0x02)
  NotBefore     = 2017/04/08-16:27:19 UTC
  NotAfter      = 2018/04/08-16:27:19 UTC
  Sig Algorithm = 1.2.840.113549.1.1.13
  Issuer        = CN=CA1,DC=k16tst,DC=test,DC=loc
  Subject       = CN=K16TST-RODC1.k16tst.test.loc

SSL Connection Information
==========================
  Protocol           = Transport Layer Security 1.2 client-side (SP_PROT_TLS1_2_CLIENT)
  Cipher Algorithm   = AES 256-bit encryption algorithm (CALG_AES_256)
  Cipher Strength    = 256 bits
  Hash Algorithm     = 384 bit SHA hashing algorithm (CALG_SHA_384)
  Hash Strength      = 0 bits
  Key Exch Algorithm = Ephemeral elliptic curve Diffie-Hellman key exchange (CALG_ECDH_EPHEM)
  Key Exch Strength  = 255 bits

The command completed successfully

And if you have a machine that doesn’t have a valid cert installed it will give the standard connection failure you already get.

[Sat 04/08/2017 18:10:23.35]
E:\DEV\cpp\vs\AdFind>release\adfind -hh k16tst2-dc1.k16tst2.test.loc -sslinfo -utc

AdFind V01.50.00.00cpp VS BETA Joe Richards (support@joeware.net) April 2016

LDAP_BIND: [k16tst2-dc1.k16tst2.test.loc] Error 0x51 (81) - Server Down
Terminating program.
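Until the CSV/TSV mode exists, the mass-scan loop above can be approximated by capturing the loop's output and post-processing it. The following is an added example, not AdFind's own code: it parses the "Key = Value" lines in the -sslinfo layout shown above, emits one TSV row per DC, and flags DCs that failed to bind, certificates that are expired or expiring soon, protocols below TLS 1.2 and ciphers under 128 bits. The hostnames, sample text and thresholds are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the post's -sslinfo layout: one DC answers, one fails at LDAP bind.
SAMPLE = """\
E:\\AdFind>adfind -hh dc1.example.test -sslinfo -utc
  NotAfter      = 2018/04/08-16:11:31 UTC
  Issuer        = CN=CA1,DC=example,DC=test
  Subject       = CN=dc1.example.test
  Protocol           = Transport Layer Security 1.2 client-side (SP_PROT_TLS1_2_CLIENT)
  Cipher Strength    = 256 bits
The command completed successfully
E:\\AdFind>adfind -hh dc2.example.test -sslinfo -utc
LDAP_BIND: [dc2.example.test] Error 0x51 (81) - Server Down
"""
HOST_RE = re.compile(r"adfind -hh (\S+) -sslinfo")
KV_RE = re.compile(r"^ +([A-Za-z ]+?) *= *(.+?) *$", re.M)
ERR_RE = re.compile(r"^LDAP_BIND: \[\S+\] (Error .+)$", re.M)
FIELDS = ["NotAfter", "Issuer", "Subject", "Protocol", "Cipher Strength"]

def parse_sslinfo(text):
    """Return {host: {field: value}}; a bind failure is stored under 'Error'."""
    out = {}
    parts = HOST_RE.split(text)  # [prefix, host1, body1, host2, body2, ...]
    for host, body in zip(parts[1::2], parts[2::2]):
        rec = dict(KV_RE.findall(body))
        if err := ERR_RE.search(body):
            rec["Error"] = err.group(1)
        out[host] = rec
    return out

def assess(rec, now, warn_days=30):
    """Findings for one DC: unreachable, cert expiring/expired, old protocol, weak cipher."""
    if "Error" in rec:
        return [rec["Error"]]
    findings = []
    days = (datetime.strptime(rec["NotAfter"], "%Y/%m/%d-%H:%M:%S UTC") - now).days
    if days < warn_days:
        findings.append("cert expired" if days < 0 else "cert expires in %d days" % days)
    if not re.search(r"TLS1_[23]", rec.get("Protocol", "")):
        findings.append("protocol below TLS 1.2")
    if int(rec.get("Cipher Strength", "0").split()[0]) < 128:
        findings.append("cipher under 128 bits")
    return findings

def to_tsv(text, now):
    """One TSV row per DC: the mass-scan output shape the post wants for -sslinfo."""
    rows = ["\t".join(["Host"] + FIELDS + ["Findings"])]
    for host, rec in parse_sslinfo(text).items():
        rows.append("\t".join([host] + [rec.get(f, "") for f in FIELDS] + [";".join(assess(rec, now))]))
    return "\n".join(rows)
```

Feed it the redirected output of the for /f loop (`... > sslinfo.txt`) and the `now` value of the scan; unreachable DCs still get a row, with the bind error in the Findings column.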

     joe
