alopresto/cipherscan.txt

## cipherscan.txt
hw12203:/Users/alopresto/Workspace/cipherscan alopresto
🔓 1s @ 21:57:02 $ python analyze.py -t nifi.nifi.apache.org:8443
nifi.nifi.apache.org:8443 has bad ssl/tls

Things that are bad:
* don't use an untrusted or self-signed certificate

Changes needed to match the old level:
* enable SSLv3
* use a certificate with sha1WithRSAEncryption signature
* use DHE of 1024bits and ECC of 160bits
* consider enabling OCSP Stapling
* enforce server side ordering

Changes needed to match the intermediate level:
* consider using DHE of at least 2048bits and ECC of at least 256bits
* consider enabling OCSP Stapling
* enforce server side ordering
* increase priority of DHE-RSA-AES256-GCM-SHA384 over ECDHE-RSA-AES256-SHA
* increase priority of ECDHE-RSA-AES128-GCM-SHA256 over AES256-SHA
* increase priority of DHE-RSA-AES128-GCM-SHA256 over ECDHE-RSA-AES128-SHA
* increase priority of ECDHE-RSA-DES-CBC3-SHA over AES128-SHA
* fix ciphersuite ordering, use recommended intermediate ciphersuite

Changes needed to match the modern level:
* remove cipher ECDHE-RSA-AES256-SHA
* remove cipher DHE-RSA-AES256-GCM-SHA384
* remove cipher DHE-RSA-AES256-SHA256
* remove cipher DHE-RSA-AES256-SHA
* remove cipher AES256-GCM-SHA384
* remove cipher AES256-SHA256
* remove cipher AES256-SHA
* remove cipher ECDHE-RSA-AES128-SHA
* remove cipher DHE-RSA-AES128-GCM-SHA256
* remove cipher DHE-RSA-AES128-SHA256
* remove cipher DHE-RSA-AES128-SHA
* remove cipher AES128-GCM-SHA256
* remove cipher AES128-SHA256
* remove cipher AES128-SHA
* remove cipher ECDHE-RSA-DES-CBC3-SHA
* remove cipher EDH-RSA-DES-CBC3-SHA
* remove cipher DES-CBC3-SHA
* disable TLSv1.1
* disable TLSv1
* use DHE of at least 2048bits and ECC of at least 256bits
* consider enabling OCSP Stapling
* enforce server side ordering
hw12203:/Users/alopresto/Workspace/cipherscan alopresto
🔓 33s @ 21:57:42 $ ./cipherscan nifi.nifi.apache.org:8443
..............................................................................................................................................................................................................................
Target: nifi.nifi.apache.org:8443

prio  ciphersuite                  protocols              pfs                 curves
1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,B-571,570bits  sect163k1,sect163r1,sect163r2,sect193r1,sect193r2,sect233k1,sect233r1,sect239k1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,secp192k1,prime192v1,secp224k1,secp224r1,secp256k1,prime256v1,secp384r1,secp521r1
2     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,B-571,570bits  sect163k1,sect163r1,sect163r2,sect193r1,sect193r2,sect233k1,sect233r1,sect239k1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,secp192k1,prime192v1,secp224k1,secp224r1,secp256k1,prime256v1,secp384r1,secp521r1
3     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,B-571,570bits  sect163k1,sect163r1,sect163r2,sect193r1,sect193r2,sect233k1,sect233r1,sect239k1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,secp192k1,prime192v1,secp224k1,secp224r1,secp256k1,prime256v1,secp384r1,secp521r1
4     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                DH,1024bits         None
5     DHE-RSA-AES256-SHA256        TLSv1.2                DH,1024bits         None
6     DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,1024bits         None
7     AES256-GCM-SHA384            TLSv1.2                None                None
8     AES256-SHA256                TLSv1.2                None                None
9     AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
10    ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,B-571,570bits  sect163k1,sect163r1,sect163r2,sect193r1,sect193r2,sect233k1,sect233r1,sect239k1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,secp192k1,prime192v1,secp224k1,secp224r1,secp256k1,prime256v1,secp384r1,secp521r1
11    ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,B-571,570bits  sect163k1,sect163r1,sect163r2,sect193r1,sect193r2,sect233k1,sect233r1,sect239k1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,secp192k1,prime192v1,secp224k1,secp224r1,secp256k1,prime256v1,secp384r1,secp521r1
12    ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,B-571,570bits  sect163k1,sect163r1,sect163r2,sect193r1,sect193r2,sect233k1,sect233r1,sect239k1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,secp192k1,prime192v1,secp224k1,secp224r1,secp256k1,prime256v1,secp384r1,secp521r1
13    DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,1024bits         None
14    DHE-RSA-AES128-SHA256        TLSv1.2                DH,1024bits         None
15    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,1024bits         None
16    AES128-GCM-SHA256            TLSv1.2                None                None
17    AES128-SHA256                TLSv1.2                None                None
18    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
19    ECDHE-RSA-DES-CBC3-SHA       TLSv1,TLSv1.1,TLSv1.2  ECDH,B-571,570bits  sect163k1,sect163r1,sect163r2,sect193r1,sect193r2,sect233k1,sect233r1,sect239k1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,secp192k1,prime192v1,secp224k1,secp224r1,secp256k1,prime256v1,secp384r1,secp521r1
20    EDH-RSA-DES-CBC3-SHA         TLSv1,TLSv1.1,TLSv1.2  DH,1024bits         None
21    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2  None                None

Certificate: untrusted, 4096 bits, sha256WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Cipher ordering: client
Curves ordering: client - fallback: no
Server supports secure renegotiation
Server supported compression methods: NONE
TLS Tolerance: yes
hw12203:/Users/alopresto/Workspace/cipherscan alopresto
🔓 32s @ 21:58:35 $ which openssl
/usr/bin/openssl
hw12203:/Users/alopresto/Workspace/cipherscan alopresto
🔓 0s @ 22:05:53 $ openssl version
OpenSSL 0.9.8zg 14 July 2015
hw12203:/Users/alopresto/Workspace/cipherscan alopresto
🔓 0s @ 22:05:57 $ ossl version
OpenSSL 1.0.2g  1 Mar 2016
hw12203:/Users/alopresto/Workspace/cipherscan alopresto
🔓 0s @ 22:19:32 $ ossl s_client -connect nifi.nifi.apache.org:8443 -debug -state -CAfile /Users/alopresto/Workspace/certificates/nifi_secure/kerberos/rootCA.pem </dev/null
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x7fad8961fa30 [0x7fad8a805e00] (308 bytes => 308 (0x134))
0000 - 16 03 01 01 2f 01 00 01-2b 03 03 8b 17 72 66 ec   ..../...+....rf.
...
0120 - 02 04 03 03 01 03 02 03-03 02 01 02 02 02 03 00   ................
0130 - 0f 00 01 01                                       ....
SSL_connect:SSLv2/v3 write client hello A
read from 0x7fad8961fa30 [0x7fad8a80b400] (7 bytes => 7 (0x7))
0000 - 16 03 03 0f d8 02                                 ......
0007 - <SPACES/NULS>
read from 0x7fad8961fa30 [0x7fad8a80b40a] (4054 bytes => 4054 (0xFD6))
0000 - 00 4d 03 03 56 fb 62 2b-8a 87 8b f3 d6 be b5 b3   .M..V.b+........
...
0fc0 - 6f 2e 61 70 61 63 68 65-40 67 6d 61 69 6c 2e 63   o.apache@gmail.c
0fd0 - 6f 6d 0e                                          om.
0fd6 - <SPACES/NULS>
SSL_connect:SSLv3 read server hello A
depth=1 C = US, ST = California, L = Santa Monica, O = Apache NiFi, OU = CA, CN = rootca.nifi.apache.org, emailAddress = alopresto.apache@gmail.com
verify return:1
depth=0 C = US, ST = California, L = Santa Monica, O = Apache NiFi, OU = Security, CN = nifi.nifi.apache.org
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
write to 0x7fad8961fa30 [0x7fad8980a200] (12 bytes => 12 (0xC))
0000 - 16 03 03 00 07 0b 00 00-03                        .........
000c - <SPACES/NULS>
SSL_connect:SSLv3 write client certificate A
write to 0x7fad8961fa30 [0x7fad8980a200] (75 bytes => 75 (0x4B))
0000 - 16 03 03 00 46 10 00 00-42 41 04 59 9d 41 7a 1f   ....F...BA.Y.Az.
...
0040 - ad 96 e7 49 52 bd 05 a7-b8 92 10                  ...IR......
SSL_connect:SSLv3 write client key exchange A
write to 0x7fad8961fa30 [0x7fad8980a200] (6 bytes => 6 (0x6))
0000 - 14 03 03 00 01 01                                 ......
SSL_connect:SSLv3 write change cipher spec A
write to 0x7fad8961fa30 [0x7fad8980a200] (45 bytes => 45 (0x2D))
0000 - 16 03 03 00 28 75 00 80-a4 51 4b f5 28 75 af 6d   ....(u...QK.(u.m
...
0020 - ec e5 de 34 be 18 cf 4d-48 d8 d7 e8 e0            ...4...MH....
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
read from 0x7fad8961fa30 [0x7fad8a80b403] (5 bytes => 5 (0x5))
0000 - 14 03 03 00 01                                    .....
read from 0x7fad8961fa30 [0x7fad8a80b408] (1 bytes => 1 (0x1))
0000 - 01                                                .
read from 0x7fad8961fa30 [0x7fad8a80b403] (5 bytes => 5 (0x5))
0000 - 16 03 03 00 28                                    ....(
read from 0x7fad8961fa30 [0x7fad8a80b408] (40 bytes => 40 (0x28))
0000 - 00 00 00 00 00 00 00 00-00 2c cc a0 20 f9 ff 5f   .........,.. .._
...
0020 - 2c 60 04 97 e0 32 1c d6-                          ,`...2..
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=US/ST=California/L=Santa Monica/O=Apache NiFi/OU=Security/CN=nifi.nifi.apache.org
   i:/C=US/ST=California/L=Santa Monica/O=Apache NiFi/OU=CA/CN=rootca.nifi.apache.org/emailAddress=alopresto.apache@gmail.com
 1 s:/C=US/ST=California/L=Santa Monica/O=Apache NiFi/OU=CA/CN=rootca.nifi.apache.org/emailAddress=alopresto.apache@gmail.com
   i:/C=US/ST=California/L=Santa Monica/O=Apache NiFi/OU=CA/CN=rootca.nifi.apache.org/emailAddress=alopresto.apache@gmail.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFpzCCA48CCQDWgsqP/Y3K/jANBgkqhkiG9w0BAQsFADCBqDELMAkGA1UEBhMC
...
GZJzFs6BSGM2mHCGgo7U6B9M6La0/uJy4pDqkgpP8UURZb3V7t7PqQoptB9DerLq
Wn9AYQnKfSnfRVY=
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Santa Monica/O=Apache NiFi/OU=Security/CN=nifi.nifi.apache.org
issuer=/C=US/ST=California/L=Santa Monica/O=Apache NiFi/OU=CA/CN=rootca.nifi.apache.org/emailAddress=alopresto.apache@gmail.com
---
Acceptable client certificate CA names
/C=US/ST=California/L=Santa Monica/O=Apache NiFi/OU=Security/CN=nifi.nifi.apache.org
/C=US/ST=California/L=Santa Monica/O=Apache NiFi/OU=CA/CN=rootca.nifi.apache.org/emailAddress=alopresto.apache@gmail.com
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4112 bytes and written 446 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 56FB622B...
    Session-ID-ctx:
    Master-Key: ...
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1459315243
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE
write to 0x7fad8961fa30 [0x7fad8a80fa03] (31 bytes => 31 (0x1F))
0000 - 15 03 03 00 1a 75 00 80-a4 51 4b f5 29 9d 1d 07   .....u...QK.)...
0010 - 02 19 86 8b aa 83 5c a4-96 b5 48 de 06 43 bf      ......\...H..C.
SSL3 alert write:warning:close notify
hw12203:/Users/alopresto/Workspace/cipherscan alopresto
🔓 0s @ 22:20:44 $
	hw12203:/Users/alopresto/Workspace/cipherscan alopresto
	🔓 1s @ 21:57:02 $ python analyze.py -t nifi.nifi.apache.org:8443
	nifi.nifi.apache.org:8443 has bad ssl/tls

	Things that are bad:
	* don't use an untrusted or self-signed certificate

	Changes needed to match the old level:
	* enable SSLv3
	* use a certificate with sha1WithRSAEncryption signature
	* use DHE of 1024bits and ECC of 160bits
	* consider enabling OCSP Stapling
	* enforce server side ordering

	Changes needed to match the intermediate level:
	* consider using DHE of at least 2048bits and ECC of at least 256bits
	* consider enabling OCSP Stapling
	* enforce server side ordering
	* increase priority of DHE-RSA-AES256-GCM-SHA384 over ECDHE-RSA-AES256-SHA
	* increase priority of ECDHE-RSA-AES128-GCM-SHA256 over AES256-SHA
	* increase priority of DHE-RSA-AES128-GCM-SHA256 over ECDHE-RSA-AES128-SHA
	* increase priority of ECDHE-RSA-DES-CBC3-SHA over AES128-SHA
	* fix ciphersuite ordering, use recommended intermediate ciphersuite

	Changes needed to match the modern level:
	* remove cipher ECDHE-RSA-AES256-SHA
	* remove cipher DHE-RSA-AES256-GCM-SHA384
	* remove cipher DHE-RSA-AES256-SHA256
	* remove cipher DHE-RSA-AES256-SHA
	* remove cipher AES256-GCM-SHA384
	* remove cipher AES256-SHA256
	* remove cipher AES256-SHA
	* remove cipher ECDHE-RSA-AES128-SHA
	* remove cipher DHE-RSA-AES128-GCM-SHA256
	* remove cipher DHE-RSA-AES128-SHA256
	* remove cipher DHE-RSA-AES128-SHA
	* remove cipher AES128-GCM-SHA256
	* remove cipher AES128-SHA256
	* remove cipher AES128-SHA
	* remove cipher ECDHE-RSA-DES-CBC3-SHA
	* remove cipher EDH-RSA-DES-CBC3-SHA
	* remove cipher DES-CBC3-SHA
	* disable TLSv1.1
	* disable TLSv1
	* use DHE of at least 2048bits and ECC of at least 256bits
	* consider enabling OCSP Stapling
	* enforce server side ordering
	hw12203:/Users/alopresto/Workspace/cipherscan alopresto
	🔓 33s @ 21:57:42 $ ./cipherscan nifi.nifi.apache.org:8443
	..............................................................................................................................................................................................................................
	Target: nifi.nifi.apache.org:8443

	prio ciphersuite protocols pfs curves
	1 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,B-571,570bits sect163k1,sect163r1,sect163r2,sect193r1,sect193r2,sect233k1,sect233r1,sect239k1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,secp192k1,prime192v1,secp224k1,secp224r1,secp256k1,prime256v1,secp384r1,secp521r1
	2 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH,B-571,570bits sect163k1,sect163r1,sect163r2,sect193r1,sect193r2,sect233k1,sect233r1,sect239k1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,secp192k1,prime192v1,secp224k1,secp224r1,secp256k1,prime256v1,secp384r1,secp521r1
	3 ECDHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,B-571,570bits sect163k1,sect163r1,sect163r2,sect193r1,sect193r2,sect233k1,sect233r1,sect239k1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,secp192k1,prime192v1,secp224k1,secp224r1,secp256k1,prime256v1,secp384r1,secp521r1
	4 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 DH,1024bits None
	5 DHE-RSA-AES256-SHA256 TLSv1.2 DH,1024bits None
	6 DHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits None
	7 AES256-GCM-SHA384 TLSv1.2 None None
	8 AES256-SHA256 TLSv1.2 None None
	9 AES256-SHA TLSv1,TLSv1.1,TLSv1.2 None None
	10 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,B-571,570bits sect163k1,sect163r1,sect163r2,sect193r1,sect193r2,sect233k1,sect233r1,sect239k1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,secp192k1,prime192v1,secp224k1,secp224r1,secp256k1,prime256v1,secp384r1,secp521r1
	11 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,B-571,570bits sect163k1,sect163r1,sect163r2,sect193r1,sect193r2,sect233k1,sect233r1,sect239k1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,secp192k1,prime192v1,secp224k1,secp224r1,secp256k1,prime256v1,secp384r1,secp521r1
	12 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,B-571,570bits sect163k1,sect163r1,sect163r2,sect193r1,sect193r2,sect233k1,sect233r1,sect239k1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,secp192k1,prime192v1,secp224k1,secp224r1,secp256k1,prime256v1,secp384r1,secp521r1
	13 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 DH,1024bits None
	14 DHE-RSA-AES128-SHA256 TLSv1.2 DH,1024bits None
	15 DHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits None
	16 AES128-GCM-SHA256 TLSv1.2 None None
	17 AES128-SHA256 TLSv1.2 None None
	18 AES128-SHA TLSv1,TLSv1.1,TLSv1.2 None None
	19 ECDHE-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,B-571,570bits sect163k1,sect163r1,sect163r2,sect193r1,sect193r2,sect233k1,sect233r1,sect239k1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,secp192k1,prime192v1,secp224k1,secp224r1,secp256k1,prime256v1,secp384r1,secp521r1
	20 EDH-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits None
	21 DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 None None

	Certificate: untrusted, 4096 bits, sha256WithRSAEncryption signature
	TLS ticket lifetime hint: None
	OCSP stapling: not supported
	Cipher ordering: client
	Curves ordering: client - fallback: no
	Server supports secure renegotiation
	Server supported compression methods: NONE
	TLS Tolerance: yes
	hw12203:/Users/alopresto/Workspace/cipherscan alopresto
	🔓 32s @ 21:58:35 $ which openssl
	/usr/bin/openssl
	hw12203:/Users/alopresto/Workspace/cipherscan alopresto
	🔓 0s @ 22:05:53 $ openssl version
	OpenSSL 0.9.8zg 14 July 2015
	hw12203:/Users/alopresto/Workspace/cipherscan alopresto
	🔓 0s @ 22:05:57 $ ossl version
	OpenSSL 1.0.2g 1 Mar 2016
	hw12203:/Users/alopresto/Workspace/cipherscan alopresto
	🔓 0s @ 22:19:32 $ ossl s_client -connect nifi.nifi.apache.org:8443 -debug -state -CAfile /Users/alopresto/Workspace/certificates/nifi_secure/kerberos/rootCA.pem </dev/null
	CONNECTED(00000003)
	SSL_connect:before/connect initialization
	write to 0x7fad8961fa30 [0x7fad8a805e00] (308 bytes => 308 (0x134))
	0000 - 16 03 01 01 2f 01 00 01-2b 03 03 8b 17 72 66 ec ..../...+....rf.
	...
	0120 - 02 04 03 03 01 03 02 03-03 02 01 02 02 02 03 00 ................
	0130 - 0f 00 01 01 ....
	SSL_connect:SSLv2/v3 write client hello A
	read from 0x7fad8961fa30 [0x7fad8a80b400] (7 bytes => 7 (0x7))
	0000 - 16 03 03 0f d8 02 ......
	0007 - <SPACES/NULS>
	read from 0x7fad8961fa30 [0x7fad8a80b40a] (4054 bytes => 4054 (0xFD6))
	0000 - 00 4d 03 03 56 fb 62 2b-8a 87 8b f3 d6 be b5 b3 .M..V.b+........
	...
	0fc0 - 6f 2e 61 70 61 63 68 65-40 67 6d 61 69 6c 2e 63 o.apache@gmail.c
	0fd0 - 6f 6d 0e om.
	0fd6 - <SPACES/NULS>
	SSL_connect:SSLv3 read server hello A
	depth=1 C = US, ST = California, L = Santa Monica, O = Apache NiFi, OU = CA, CN = rootca.nifi.apache.org, emailAddress = alopresto.apache@gmail.com
	verify return:1
	depth=0 C = US, ST = California, L = Santa Monica, O = Apache NiFi, OU = Security, CN = nifi.nifi.apache.org
	verify return:1
	SSL_connect:SSLv3 read server certificate A
	SSL_connect:SSLv3 read server key exchange A
	SSL_connect:SSLv3 read server certificate request A
	SSL_connect:SSLv3 read server done A
	write to 0x7fad8961fa30 [0x7fad8980a200] (12 bytes => 12 (0xC))
	0000 - 16 03 03 00 07 0b 00 00-03 .........
	000c - <SPACES/NULS>
	SSL_connect:SSLv3 write client certificate A
	write to 0x7fad8961fa30 [0x7fad8980a200] (75 bytes => 75 (0x4B))
	0000 - 16 03 03 00 46 10 00 00-42 41 04 59 9d 41 7a 1f ....F...BA.Y.Az.
	...
	0040 - ad 96 e7 49 52 bd 05 a7-b8 92 10 ...IR......
	SSL_connect:SSLv3 write client key exchange A
	write to 0x7fad8961fa30 [0x7fad8980a200] (6 bytes => 6 (0x6))
	0000 - 14 03 03 00 01 01 ......
	SSL_connect:SSLv3 write change cipher spec A
	write to 0x7fad8961fa30 [0x7fad8980a200] (45 bytes => 45 (0x2D))
	0000 - 16 03 03 00 28 75 00 80-a4 51 4b f5 28 75 af 6d ....(u...QK.(u.m
	...
	0020 - ec e5 de 34 be 18 cf 4d-48 d8 d7 e8 e0 ...4...MH....
	SSL_connect:SSLv3 write finished A
	SSL_connect:SSLv3 flush data
	read from 0x7fad8961fa30 [0x7fad8a80b403] (5 bytes => 5 (0x5))
	0000 - 14 03 03 00 01 .....
	read from 0x7fad8961fa30 [0x7fad8a80b408] (1 bytes => 1 (0x1))
	0000 - 01 .
	read from 0x7fad8961fa30 [0x7fad8a80b403] (5 bytes => 5 (0x5))
	0000 - 16 03 03 00 28 ....(
	read from 0x7fad8961fa30 [0x7fad8a80b408] (40 bytes => 40 (0x28))
	0000 - 00 00 00 00 00 00 00 00-00 2c cc a0 20 f9 ff 5f .........,.. .._
	...
	0020 - 2c 60 04 97 e0 32 1c d6- ,`...2..
	SSL_connect:SSLv3 read finished A
	---
	Certificate chain
	0 s:/C=US/ST=California/L=Santa Monica/O=Apache NiFi/OU=Security/CN=nifi.nifi.apache.org
	i:/C=US/ST=California/L=Santa Monica/O=Apache NiFi/OU=CA/CN=rootca.nifi.apache.org/emailAddress=alopresto.apache@gmail.com
	1 s:/C=US/ST=California/L=Santa Monica/O=Apache NiFi/OU=CA/CN=rootca.nifi.apache.org/emailAddress=alopresto.apache@gmail.com
	i:/C=US/ST=California/L=Santa Monica/O=Apache NiFi/OU=CA/CN=rootca.nifi.apache.org/emailAddress=alopresto.apache@gmail.com
	---
	Server certificate
	-----BEGIN CERTIFICATE-----
	MIIFpzCCA48CCQDWgsqP/Y3K/jANBgkqhkiG9w0BAQsFADCBqDELMAkGA1UEBhMC
	...
	GZJzFs6BSGM2mHCGgo7U6B9M6La0/uJy4pDqkgpP8UURZb3V7t7PqQoptB9DerLq
	Wn9AYQnKfSnfRVY=
	-----END CERTIFICATE-----
	subject=/C=US/ST=California/L=Santa Monica/O=Apache NiFi/OU=Security/CN=nifi.nifi.apache.org
	issuer=/C=US/ST=California/L=Santa Monica/O=Apache NiFi/OU=CA/CN=rootca.nifi.apache.org/emailAddress=alopresto.apache@gmail.com
	---
	Acceptable client certificate CA names
	/C=US/ST=California/L=Santa Monica/O=Apache NiFi/OU=Security/CN=nifi.nifi.apache.org
	/C=US/ST=California/L=Santa Monica/O=Apache NiFi/OU=CA/CN=rootca.nifi.apache.org/emailAddress=alopresto.apache@gmail.com
	Client Certificate Types: RSA sign, DSA sign, ECDSA sign
	Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
	Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
	Peer signing digest: SHA512
	Server Temp Key: ECDH, P-256, 256 bits
	---
	SSL handshake has read 4112 bytes and written 446 bytes
	---
	New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
	Server public key is 4096 bit
	Secure Renegotiation IS supported
	Compression: NONE
	Expansion: NONE
	No ALPN negotiated
	SSL-Session:
	Protocol : TLSv1.2
	Cipher : ECDHE-RSA-AES256-GCM-SHA384
	Session-ID: 56FB622B...
	Session-ID-ctx:
	Master-Key: ...
	Key-Arg : None
	PSK identity: None
	PSK identity hint: None
	SRP username: None
	Start Time: 1459315243
	Timeout : 300 (sec)
	Verify return code: 0 (ok)
	---
	DONE
	write to 0x7fad8961fa30 [0x7fad8a80fa03] (31 bytes => 31 (0x1F))
	0000 - 15 03 03 00 1a 75 00 80-a4 51 4b f5 29 9d 1d 07 .....u...QK.)...
	0010 - 02 19 86 8b aa 83 5c a4-96 b5 48 de 06 43 bf ......\...H..C.
	SSL3 alert write:warning:close notify
	hw12203:/Users/alopresto/Workspace/cipherscan alopresto
	🔓 0s @ 22:20:44 $