THE SCAN ENDPOINT

Endpoint: /api/v1/cfssl/scan
Method: GET

Required parameters:

    * host: the hostname (optionally including port) to scan

Optional parameters:

    * ip: IP address to scan instead of the address(es) returned by the DNS lookup of host
    * timeout: the amount of time allotted for the scan to complete (default: 1 minute)

    The following parameters are used by the scanner to select which scans to run.

    * family: regular expression specifying the scan family or families to run
    * scanner: regular expression specifying the scanner(s) to run

Note: the CFSSL server itself resolves and connects to the supplied host (or to ip, when given), so any caller of this endpoint can make that server open outbound connections. Limit access to the endpoint accordingly.

Result:

    The returned result is a JSON object with a key for each scan family. Each of these objects contains a key for each scanner run in that family, pointing to an object that may contain the following keys:

    * grade: a string describing the exit status of the scan. Can be:
        * "Good": host is configured to the expected state of the art
        * "Warning": host with non-ideal configuration, possibly maintaining support for legacy clients
        * "Bad": host with serious misconfiguration or vulnerability
        * "Skipped": indicates that the scan was not performed for some reason
    * error: any error encountered during the scan process
    * output: arbitrary JSON data retrieved during the scan

Example:

    $ curl ${CFSSL_HOST}/api/v1/cfssl/scan?host=cloudflare.com |python -m json.tool
    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    100 2358 0 2358 0 0 833 0 --:--:-- 0:00:02 --:--:-- 833
{ "errors": [], "messages": [], "result": { "Broad": { "IntermediateCAs": { "grade": "Skipped" } }, "Connectivity": { "CloudFlareStatus": { "grade": "Good", "output": { "198.41.214.163": true, "198.41.215.163": true, "2400:cb00:2048:1::c629:d49d": true, "2400:cb00:2048:1::c629:d59d": true } }, "DNSLookup": { "grade": "Good", "output": [ "2400:cb00:2048:1::c629:d49d", "2400:cb00:2048:1::c629:d59d", "198.41.214.163", "198.41.215.163" ] }, "TCPDial": { "grade": "Good" }, "TLSDial": { "grade": "Good" } }, "PKI": { "ChainExpiration": { "grade": "Good", "output": "2015-12-31T23:59:59Z" }, 
"ChainValidation": { "grade": "Warning", "output": [ " is signed by RSAWithSHA1", "COMODO Extended Validation Secure Server CA is signed by RSAWithSHA1" ] }, "MultipleCerts": { "grade": "Good" } }, "TLSHandshake": { "CipherSuite": { "grade": "Good", "output": [ { "ECDHE-RSA-AES128-GCM-SHA256": [ { "TLS 1.2": [ "secp256r1" ] } ] }, { "ECDHE-RSA-AES128-SHA256": [ { "TLS 1.2": [ "secp256r1" ] } ] }, { "ECDHE-RSA-AES128-SHA": [ { "TLS 1.2": [ "secp256r1" ] }, { "TLS 1.1": [ "secp256r1" ] }, { "TLS 1.0": [ "secp256r1" ] } ] }, { "AES128-GCM-SHA256": [ "TLS 1.2" ] }, { "AES128-SHA256": [ "TLS 1.2" ] }, { "AES128-SHA": [ "TLS 1.2", "TLS 1.1", "TLS 1.0" ] }, { "ECDHE-RSA-AES256-GCM-SHA384": [ { "TLS 1.2": [ "secp256r1" ] } ] }, { "ECDHE-RSA-AES256-SHA384": [ { "TLS 1.2": [ "secp256r1" ] } ] }, { "ECDHE-RSA-AES256-SHA": [ { "TLS 1.2": [ "secp256r1" ] }, { "TLS 1.1": [ "secp256r1" ] }, { "TLS 1.0": [ "secp256r1" ] } ] }, { "AES256-GCM-SHA384": [ "TLS 1.2" ] }, { "AES256-SHA256": [ "TLS 1.2" ] }, { "AES256-SHA": [ "TLS 1.2", "TLS 1.1", "TLS 1.0" ] }, { "ECDHE-RSA-DES-CBC3-SHA": [ { "TLS 1.2": [ "secp256r1" ] }, { "TLS 1.1": [ "secp256r1" ] }, { "TLS 1.0": [ "secp256r1" ] } ] }, { "DES-CBC3-SHA": [ "TLS 1.2", "TLS 1.1", "TLS 1.0" ] } ] }, "SigAlgs": { "grade": "Good", "output": [ { "hash": "SHA1", "signature": "RSA" }, { "hash": "SHA1", "signature": "DSA" }, { "hash": "SHA1", "signature": "ECDSA" }, { "hash": "SHA224", "signature": "RSA" }, { "hash": "SHA224", "signature": "DSA" }, { "hash": "SHA224", "signature": "ECDSA" }, { "hash": "SHA256", "signature": "RSA" }, { "hash": "SHA256", "signature": "DSA" }, { "hash": "SHA256", "signature": "ECDSA" }, { "hash": "SHA384", "signature": "RSA" }, { "hash": "SHA384", "signature": "DSA" }, { "hash": "SHA384", "signature": "ECDSA" }, { "hash": "SHA512", "signature": "RSA" }, { "hash": "SHA512", "signature": "DSA" }, { "hash": "SHA512", "signature": "ECDSA" } ] } }, "TLSSession": { "SessionResume": { "grade": "Good", "output": { 
"198.41.214.163": true, "198.41.215.163": true, "2400:cb00:2048:1::c629:d49d": true, "2400:cb00:2048:1::c629:d59d": true } } } }, "success": true } $ curl "${CFSSL_HOST}/api/v1/cfssl/scan?host=cloudflare.com&ip=2400:cb00:2048:1::c629:d49d" |python -m json.tool % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 3602 0 3602 0 0 337 0 --:--:-- 0:00:10 --:--:-- 1044 { "errors": [], "messages": [], "result": { "Connectivity": { "CloudFlareStatus": { "grade": "Good", "output": { "198.41.214.163": true, "198.41.215.163": true, "2400:cb00:2048:1::c629:d49d": true, "2400:cb00:2048:1::c629:d59d": true } }, "DNSLookup": { "grade": "Good", "output": [ "2400:cb00:2048:1::c629:d59d", "2400:cb00:2048:1::c629:d49d", "198.41.215.163", "198.41.214.163" ] }, "TCPDial": { "grade": "Good" }, "TLSDial": { "grade": "Good" } }, "PKI": { "ChainExpiration": { "grade": "Good", "output": "2015-12-31T23:59:59Z" }, "ChainValidation": { "grade": "Warning", "output": [ " is signed by RSAWithSHA1", "Certificate for COMODO Extended Validation Secure Server CA is valid for too long", "COMODO Extended Validation Secure Server CA is signed by RSAWithSHA1" ] }, "MultipleCerts": { "grade": "Good" } }, "TLSHandshake": { "CertsByCiphers": { "grade": "Good", "output": { "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": "SHA1WithRSA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "SHA1WithRSA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "SHA1WithRSA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "SHA1WithRSA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": "SHA1WithRSA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "SHA1WithRSA", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "SHA1WithRSA", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "SHA1WithRSA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "SHA1WithRSA", "TLS_RSA_WITH_AES_128_CBC_SHA": "SHA1WithRSA", "TLS_RSA_WITH_AES_128_CBC_SHA256": "SHA1WithRSA", "TLS_RSA_WITH_AES_128_GCM_SHA256": "SHA1WithRSA", "TLS_RSA_WITH_AES_256_CBC_SHA": "SHA1WithRSA", 
"TLS_RSA_WITH_AES_256_CBC_SHA256": "SHA1WithRSA", "TLS_RSA_WITH_AES_256_GCM_SHA384": "SHA1WithRSA" } }, "CertsBySigAlgs": { "grade": "Good", "output": { "{DSA,SHA1}": "SHA1WithRSA", "{DSA,SHA224}": "SHA1WithRSA", "{DSA,SHA256}": "SHA1WithRSA", "{DSA,SHA384}": "SHA1WithRSA", "{DSA,SHA512}": "SHA1WithRSA", "{ECDSA,SHA1}": "SHA1WithRSA", "{ECDSA,SHA224}": "SHA1WithRSA", "{ECDSA,SHA256}": "SHA1WithRSA", "{ECDSA,SHA384}": "SHA1WithRSA", "{ECDSA,SHA512}": "SHA1WithRSA", "{RSA,SHA1}": "SHA1WithRSA", "{RSA,SHA224}": "SHA1WithRSA", "{RSA,SHA256}": "SHA1WithRSA", "{RSA,SHA384}": "SHA1WithRSA", "{RSA,SHA512}": "SHA1WithRSA" } }, "CipherSuite": { "grade": "Good", "output": [ { "ECDHE-RSA-AES128-GCM-SHA256": [ { "TLS 1.2": [ "secp256r1" ] } ] }, { "ECDHE-RSA-AES128-SHA256": [ { "TLS 1.2": [ "secp256r1" ] } ] }, { "ECDHE-RSA-AES128-SHA": [ { "TLS 1.2": [ "secp256r1" ] }, { "TLS 1.1": [ "secp256r1" ] }, { "TLS 1.0": [ "secp256r1" ] } ] }, { "AES128-GCM-SHA256": [ "TLS 1.2" ] }, { "AES128-SHA256": [ "TLS 1.2" ] }, { "AES128-SHA": [ "TLS 1.2", "TLS 1.1", "TLS 1.0" ] }, { "ECDHE-RSA-AES256-GCM-SHA384": [ { "TLS 1.2": [ "secp256r1" ] } ] }, { "ECDHE-RSA-AES256-SHA384": [ { "TLS 1.2": [ "secp256r1" ] } ] }, { "ECDHE-RSA-AES256-SHA": [ { "TLS 1.2": [ "secp256r1" ] }, { "TLS 1.1": [ "secp256r1" ] }, { "TLS 1.0": [ "secp256r1" ] } ] }, { "AES256-GCM-SHA384": [ "TLS 1.2" ] }, { "AES256-SHA256": [ "TLS 1.2" ] }, { "AES256-SHA": [ "TLS 1.2", "TLS 1.1", "TLS 1.0" ] }, { "ECDHE-RSA-DES-CBC3-SHA": [ { "TLS 1.2": [ "secp256r1" ] }, { "TLS 1.1": [ "secp256r1" ] }, { "TLS 1.0": [ "secp256r1" ] } ] }, { "DES-CBC3-SHA": [ "TLS 1.2", "TLS 1.1", "TLS 1.0" ] } ] }, "SigAlgs": { "grade": "Good", "output": [ { "hash": "SHA1", "signature": "RSA" }, { "hash": "SHA1", "signature": "DSA" }, { "hash": "SHA1", "signature": "ECDSA" }, { "hash": "SHA224", "signature": "RSA" }, { "hash": "SHA224", "signature": "DSA" }, { "hash": "SHA224", "signature": "ECDSA" }, { "hash": "SHA256", "signature": "RSA" }, { 
"hash": "SHA256", "signature": "DSA" }, { "hash": "SHA256", "signature": "ECDSA" }, { "hash": "SHA384", "signature": "RSA" }, { "hash": "SHA384", "signature": "DSA" }, { "hash": "SHA384", "signature": "ECDSA" }, { "hash": "SHA512", "signature": "RSA" }, { "hash": "SHA512", "signature": "DSA" }, { "hash": "SHA512", "signature": "ECDSA" } ] } }, "TLSSession": { "SessionResume": { "grade": "Good", "output": { "2400:cb00:2048:1::c629:d49d": true } } } }, "success": true }