- THE SCAN ENDPOINT
- Endpoint: /api/v1/cfssl/scan
- Method: GET
- Required parameters:
- * host: the hostname (optionally including port) to scan
- Optional parameters:
- * ip: IP Address to override DNS lookup of host
- * timeout: The amount of time allotted for the scan to complete (default: 1 minute)
- The following parameters are used by the scanner to select which
- scans to run.
- * family: regular expression specifying scan famil(ies) to run
- * scanner: regular expression specifying scanner(s) to run
- Result:
- The returned result is a JSON object with keys for each scan family. Each
- of these objects contains keys for each scanner run in that family pointing
- to objects possibly containing the following keys:
- * grade: a string describing the exit status of the scan. Can be:
- * "Good": host performing the expected state-of-the-art
- * "Warning": host with non-ideal configuration,
- possibly maintaining support for legacy clients
- * "Bad": host with serious misconfiguration or vulnerability
- * "Skipped": indicates that the scan was not performed for some reason
- * error: any error encountered during the scan process
- * output: arbitrary JSON data retrieved during the scan
- Example:
- $ curl ${CFSSL_HOST}/api/v1/cfssl/scan?host=cloudflare.com |python -m json.tool
- % Total % Received % Xferd Average Speed Time Time Time Current
- Dload Upload Total Spent Left Speed
- 100 2358 0 2358 0 0 833 0 --:--:-- 0:00:02 --:--:-- 833
- {
- "errors": [],
- "messages": [],
- "result": {
- "Broad": {
- "IntermediateCAs": {
- "grade": "Skipped"
- }
- },
- "Connectivity": {
- "CloudFlareStatus": {
- "grade": "Good",
- "output": {
- "198.41.214.163": true,
- "198.41.215.163": true,
- "2400:cb00:2048:1::c629:d49d": true,
- "2400:cb00:2048:1::c629:d59d": true
- }
- },
- "DNSLookup": {
- "grade": "Good",
- "output": [
- "2400:cb00:2048:1::c629:d49d",
- "2400:cb00:2048:1::c629:d59d",
- "198.41.214.163",
- "198.41.215.163"
- ]
- },
- "TCPDial": {
- "grade": "Good"
- },
- "TLSDial": {
- "grade": "Good"
- }
- },
- "PKI": {
- "ChainExpiration": {
- "grade": "Good",
- "output": "2015-12-31T23:59:59Z"
- },
- "ChainValidation": {
- "grade": "Warning",
- "output": [
- " is signed by RSAWithSHA1",
- "COMODO Extended Validation Secure Server CA is signed by RSAWithSHA1"
- ]
- },
- "MultipleCerts": {
- "grade": "Good"
- }
- },
- "TLSHandshake": {
- "CipherSuite": {
- "grade": "Good",
- "output": [
- {
- "ECDHE-RSA-AES128-GCM-SHA256": [
- {
- "TLS 1.2": [
- "secp256r1"
- ]
- }
- ]
- },
- {
- "ECDHE-RSA-AES128-SHA256": [
- {
- "TLS 1.2": [
- "secp256r1"
- ]
- }
- ]
- },
- {
- "ECDHE-RSA-AES128-SHA": [
- {
- "TLS 1.2": [
- "secp256r1"
- ]
- },
- {
- "TLS 1.1": [
- "secp256r1"
- ]
- },
- {
- "TLS 1.0": [
- "secp256r1"
- ]
- }
- ]
- },
- {
- "AES128-GCM-SHA256": [
- "TLS 1.2"
- ]
- },
- {
- "AES128-SHA256": [
- "TLS 1.2"
- ]
- },
- {
- "AES128-SHA": [
- "TLS 1.2",
- "TLS 1.1",
- "TLS 1.0"
- ]
- },
- {
- "ECDHE-RSA-AES256-GCM-SHA384": [
- {
- "TLS 1.2": [
- "secp256r1"
- ]
- }
- ]
- },
- {
- "ECDHE-RSA-AES256-SHA384": [
- {
- "TLS 1.2": [
- "secp256r1"
- ]
- }
- ]
- },
- {
- "ECDHE-RSA-AES256-SHA": [
- {
- "TLS 1.2": [
- "secp256r1"
- ]
- },
- {
- "TLS 1.1": [
- "secp256r1"
- ]
- },
- {
- "TLS 1.0": [
- "secp256r1"
- ]
- }
- ]
- },
- {
- "AES256-GCM-SHA384": [
- "TLS 1.2"
- ]
- },
- {
- "AES256-SHA256": [
- "TLS 1.2"
- ]
- },
- {
- "AES256-SHA": [
- "TLS 1.2",
- "TLS 1.1",
- "TLS 1.0"
- ]
- },
- {
- "ECDHE-RSA-DES-CBC3-SHA": [
- {
- "TLS 1.2": [
- "secp256r1"
- ]
- },
- {
- "TLS 1.1": [
- "secp256r1"
- ]
- },
- {
- "TLS 1.0": [
- "secp256r1"
- ]
- }
- ]
- },
- {
- "DES-CBC3-SHA": [
- "TLS 1.2",
- "TLS 1.1",
- "TLS 1.0"
- ]
- }
- ]
- },
- "SigAlgs": {
- "grade": "Good",
- "output": [
- {
- "hash": "SHA1",
- "signature": "RSA"
- },
- {
- "hash": "SHA1",
- "signature": "DSA"
- },
- {
- "hash": "SHA1",
- "signature": "ECDSA"
- },
- {
- "hash": "SHA224",
- "signature": "RSA"
- },
- {
- "hash": "SHA224",
- "signature": "DSA"
- },
- {
- "hash": "SHA224",
- "signature": "ECDSA"
- },
- {
- "hash": "SHA256",
- "signature": "RSA"
- },
- {
- "hash": "SHA256",
- "signature": "DSA"
- },
- {
- "hash": "SHA256",
- "signature": "ECDSA"
- },
- {
- "hash": "SHA384",
- "signature": "RSA"
- },
- {
- "hash": "SHA384",
- "signature": "DSA"
- },
- {
- "hash": "SHA384",
- "signature": "ECDSA"
- },
- {
- "hash": "SHA512",
- "signature": "RSA"
- },
- {
- "hash": "SHA512",
- "signature": "DSA"
- },
- {
- "hash": "SHA512",
- "signature": "ECDSA"
- }
- ]
- }
- },
- "TLSSession": {
- "SessionResume": {
- "grade": "Good",
- "output": {
- "198.41.214.163": true,
- "198.41.215.163": true,
- "2400:cb00:2048:1::c629:d49d": true,
- "2400:cb00:2048:1::c629:d59d": true
- }
- }
- }
- },
- "success": true
- }
- $ curl "${CFSSL_HOST}/api/v1/cfssl/scan?host=cloudflare.com&ip=2400:cb00:2048:1::c629:d49d" |python -m json.tool
- % Total % Received % Xferd Average Speed Time Time Time Current
- Dload Upload Total Spent Left Speed
- 100 3602 0 3602 0 0 337 0 --:--:-- 0:00:10 --:--:-- 1044
- {
- "errors": [],
- "messages": [],
- "result": {
- "Connectivity": {
- "CloudFlareStatus": {
- "grade": "Good",
- "output": {
- "198.41.214.163": true,
- "198.41.215.163": true,
- "2400:cb00:2048:1::c629:d49d": true,
- "2400:cb00:2048:1::c629:d59d": true
- }
- },
- "DNSLookup": {
- "grade": "Good",
- "output": [
- "2400:cb00:2048:1::c629:d59d",
- "2400:cb00:2048:1::c629:d49d",
- "198.41.215.163",
- "198.41.214.163"
- ]
- },
- "TCPDial": {
- "grade": "Good"
- },
- "TLSDial": {
- "grade": "Good"
- }
- },
- "PKI": {
- "ChainExpiration": {
- "grade": "Good",
- "output": "2015-12-31T23:59:59Z"
- },
- "ChainValidation": {
- "grade": "Warning",
- "output": [
- " is signed by RSAWithSHA1",
- "Certificate for COMODO Extended Validation Secure Server CA is valid for too long",
- "COMODO Extended Validation Secure Server CA is signed by RSAWithSHA1"
- ]
- },
- "MultipleCerts": {
- "grade": "Good"
- }
- },
- "TLSHandshake": {
- "CertsByCiphers": {
- "grade": "Good",
- "output": {
- "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": "SHA1WithRSA",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "SHA1WithRSA",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "SHA1WithRSA",
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "SHA1WithRSA",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": "SHA1WithRSA",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "SHA1WithRSA",
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "SHA1WithRSA",
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "SHA1WithRSA",
- "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "SHA1WithRSA",
- "TLS_RSA_WITH_AES_128_CBC_SHA": "SHA1WithRSA",
- "TLS_RSA_WITH_AES_128_CBC_SHA256": "SHA1WithRSA",
- "TLS_RSA_WITH_AES_128_GCM_SHA256": "SHA1WithRSA",
- "TLS_RSA_WITH_AES_256_CBC_SHA": "SHA1WithRSA",
- "TLS_RSA_WITH_AES_256_CBC_SHA256": "SHA1WithRSA",
- "TLS_RSA_WITH_AES_256_GCM_SHA384": "SHA1WithRSA"
- }
- },
- "CertsBySigAlgs": {
- "grade": "Good",
- "output": {
- "{DSA,SHA1}": "SHA1WithRSA",
- "{DSA,SHA224}": "SHA1WithRSA",
- "{DSA,SHA256}": "SHA1WithRSA",
- "{DSA,SHA384}": "SHA1WithRSA",
- "{DSA,SHA512}": "SHA1WithRSA",
- "{ECDSA,SHA1}": "SHA1WithRSA",
- "{ECDSA,SHA224}": "SHA1WithRSA",
- "{ECDSA,SHA256}": "SHA1WithRSA",
- "{ECDSA,SHA384}": "SHA1WithRSA",
- "{ECDSA,SHA512}": "SHA1WithRSA",
- "{RSA,SHA1}": "SHA1WithRSA",
- "{RSA,SHA224}": "SHA1WithRSA",
- "{RSA,SHA256}": "SHA1WithRSA",
- "{RSA,SHA384}": "SHA1WithRSA",
- "{RSA,SHA512}": "SHA1WithRSA"
- }
- },
- "CipherSuite": {
- "grade": "Good",
- "output": [
- {
- "ECDHE-RSA-AES128-GCM-SHA256": [
- {
- "TLS 1.2": [
- "secp256r1"
- ]
- }
- ]
- },
- {
- "ECDHE-RSA-AES128-SHA256": [
- {
- "TLS 1.2": [
- "secp256r1"
- ]
- }
- ]
- },
- {
- "ECDHE-RSA-AES128-SHA": [
- {
- "TLS 1.2": [
- "secp256r1"
- ]
- },
- {
- "TLS 1.1": [
- "secp256r1"
- ]
- },
- {
- "TLS 1.0": [
- "secp256r1"
- ]
- }
- ]
- },
- {
- "AES128-GCM-SHA256": [
- "TLS 1.2"
- ]
- },
- {
- "AES128-SHA256": [
- "TLS 1.2"
- ]
- },
- {
- "AES128-SHA": [
- "TLS 1.2",
- "TLS 1.1",
- "TLS 1.0"
- ]
- },
- {
- "ECDHE-RSA-AES256-GCM-SHA384": [
- {
- "TLS 1.2": [
- "secp256r1"
- ]
- }
- ]
- },
- {
- "ECDHE-RSA-AES256-SHA384": [
- {
- "TLS 1.2": [
- "secp256r1"
- ]
- }
- ]
- },
- {
- "ECDHE-RSA-AES256-SHA": [
- {
- "TLS 1.2": [
- "secp256r1"
- ]
- },
- {
- "TLS 1.1": [
- "secp256r1"
- ]
- },
- {
- "TLS 1.0": [
- "secp256r1"
- ]
- }
- ]
- },
- {
- "AES256-GCM-SHA384": [
- "TLS 1.2"
- ]
- },
- {
- "AES256-SHA256": [
- "TLS 1.2"
- ]
- },
- {
- "AES256-SHA": [
- "TLS 1.2",
- "TLS 1.1",
- "TLS 1.0"
- ]
- },
- {
- "ECDHE-RSA-DES-CBC3-SHA": [
- {
- "TLS 1.2": [
- "secp256r1"
- ]
- },
- {
- "TLS 1.1": [
- "secp256r1"
- ]
- },
- {
- "TLS 1.0": [
- "secp256r1"
- ]
- }
- ]
- },
- {
- "DES-CBC3-SHA": [
- "TLS 1.2",
- "TLS 1.1",
- "TLS 1.0"
- ]
- }
- ]
- },
- "SigAlgs": {
- "grade": "Good",
- "output": [
- {
- "hash": "SHA1",
- "signature": "RSA"
- },
- {
- "hash": "SHA1",
- "signature": "DSA"
- },
- {
- "hash": "SHA1",
- "signature": "ECDSA"
- },
- {
- "hash": "SHA224",
- "signature": "RSA"
- },
- {
- "hash": "SHA224",
- "signature": "DSA"
- },
- {
- "hash": "SHA224",
- "signature": "ECDSA"
- },
- {
- "hash": "SHA256",
- "signature": "RSA"
- },
- {
- "hash": "SHA256",
- "signature": "DSA"
- },
- {
- "hash": "SHA256",
- "signature": "ECDSA"
- },
- {
- "hash": "SHA384",
- "signature": "RSA"
- },
- {
- "hash": "SHA384",
- "signature": "DSA"
- },
- {
- "hash": "SHA384",
- "signature": "ECDSA"
- },
- {
- "hash": "SHA512",
- "signature": "RSA"
- },
- {
- "hash": "SHA512",
- "signature": "DSA"
- },
- {
- "hash": "SHA512",
- "signature": "ECDSA"
- }
- ]
- }
- },
- "TLSSession": {
- "SessionResume": {
- "grade": "Good",
- "output": {
- "2400:cb00:2048:1::c629:d49d": true
- }
- }
- }
- },
- "success": true
- }