
Utility library for determining which SSL/TLS versions and ciphers a server supports
This module requires NodeJS v6.9 or higher
npm install sslinfo --save
Note: This library requires an OpenSSL installation - the newer the better.
var sslinfo = require('sslinfo');

// Probe the server once per protocol/cipher and report what it accepts
sslinfo.getServerResults({ host: "www.google.com", port: 443 })
    .done(function (results) {
        console.log(results);
    },
    function (error) {
        console.log("Error", {error: error});
    });
Note: To get results from servers that require SNI (all Cloudflare servers, for example), specify which servername should be transmitted to the remote server:
sslinfo.getServerResults({ host: "www.cloudflare.com", port: 443, servername: "www.cloudflare.com" })
The getServerResults() function returns a promise that should be resolved by implementing done().
Sample output:
{
  "host": "www.google.com",
  "port": 443,
  "cert": {
    ... certificate information ...
  },
  "protocols": [
    {
      "protocol": "SSLv2_method",
      "name": "SSLv2",
      "enabled": false,
      "error": "The installed openssl library does not support \"SSLv2_method\""
    },
    {
      "protocol": "SSLv3_method",
      "name": "SSLv3",
      "enabled": true
    },
    {
      "protocol": "TLSv1_method",
      "name": "TLSv1",
      "enabled": true
    },
    {
      "protocol": "TLSv1_1_method",
      "name": "TLSv1.1",
      "enabled": true
    },
    {
      "protocol": "TLSv1_2_method",
      "name": "TLSv1.2",
      "enabled": true
    }
  ],
  "ciphers": {
    "SSLv3_method": {
      ...
    },
    "TLSv1_method": {
      "name": "TLSv1",
      "enabled": [
        ... enabled cipher list ...
      ],
      "disabled": [
        ... disabled cipher list ...
      ],
      "unsupported": [
        ... ciphers unsupported by the OpenSSL version ...
      ]
    },
    "TLSv1_1_method": {
      ...
    },
    "TLSv1_2_method": {
      ...
    }
  }
}
Beginning with NodeJS 4.0.0, SSLv2 and SSLv3 are disabled by default. The sample output will be slightly different in this case.
{
  "host": "www.google.com",
  "port": 443,
  "cert": {
    ... certificate information ...
  },
  "certPEM": '... PEM encoded certificate ...',
  "protocols": [
    {
      "protocol": "SSLv2_method",
      "name": "SSLv2",
      "enabled": false,
      "error": "This version of NodeJS does not support \"SSLv2_method\""
    }
  ]
}
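As an added example (not part of the sslinfo README or code base), the function below triages a result object shaped like the getServerResults() sample output above: it lists deprecated protocols reported as enabled and keeps protocols that could not be tested locally (enabled: false together with an error) separate from ones the server refused. The sample object, the host name, the auditResults name and the assumption that cipher lists hold OpenSSL-style cipher name strings are constructed for illustration.

```javascript
// Added example, not sslinfo code: audit a getServerResults()-shaped object.
// Runs offline on constructed data; no network access or sslinfo install needed.
const DEPRECATED = new Set(["SSLv2", "SSLv3", "TLSv1", "TLSv1.1"]); // RFC 6176, 7568, 8996
// Assumption: cipher entries are OpenSSL-style name strings such as "RC4-SHA".
const WEAK_CIPHER = /(NULL|EXP|RC4|DES|MD5|ADH|AECDH)/i;

function auditResults(results) {
  const report = { deprecatedEnabled: [], untested: [], weakCiphers: [] };
  for (const p of results.protocols || []) {
    if (p.enabled) {
      if (DEPRECATED.has(p.name)) report.deprecatedEnabled.push(p.name);
    } else if (p.error) {
      // enabled:false plus an error means the local OpenSSL/Node build could
      // not attempt the handshake, so the server's support is unknown.
      report.untested.push(p.name);
    }
  }
  for (const [method, entry] of Object.entries(results.ciphers || {})) {
    for (const cipher of entry.enabled || []) {
      if (WEAK_CIPHER.test(cipher)) {
        report.weakCiphers.push({ protocol: entry.name || method, cipher });
      }
    }
  }
  return report;
}

// Constructed sample in the shape of the README's sample output.
const sample = {
  host: "legacy.example.test", port: 443,
  protocols: [
    { protocol: "SSLv2_method", name: "SSLv2", enabled: false,
      error: 'The installed openssl library does not support "SSLv2_method"' },
    { protocol: "SSLv3_method", name: "SSLv3", enabled: true },
    { protocol: "TLSv1_method", name: "TLSv1", enabled: true },
    { protocol: "TLSv1_1_method", name: "TLSv1.1", enabled: false },
    { protocol: "TLSv1_2_method", name: "TLSv1.2", enabled: true }
  ],
  ciphers: {
    TLSv1_method: { name: "TLSv1", enabled: ["RC4-SHA", "AES128-SHA"], disabled: [], unsupported: [] },
    TLSv1_2_method: { name: "TLSv1.2", enabled: ["ECDHE-RSA-AES128-GCM-SHA256"], disabled: [], unsupported: [] }
  }
};

console.log(JSON.stringify(auditResults(sample), null, 2));
```

A protocol listed under untested needs to be re-checked from a host whose OpenSSL build still supports it before the server can be called clean.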
var sslinfo = require('sslinfo');

// Fetch only the server certificate, without protocol/cipher probing
sslinfo.getCertificateInfo({ host: "www.google.com", port: 443 })
    .done(function (results) {
        console.log(results);
    },
    function (error) {
        console.log("Error", {error: error});
    });
The getCertificateInfo() function returns a promise that should be resolved by implementing done().
Sample output:
{
  "host": "www.google.com",
  "port": 443,
  "cert": {
    version: 2,
    subject: {
      countryName: 'US',
      stateOrProvinceName: 'California',
      localityName: 'Mountain View',
      organizationName: 'Google Inc',
      commonName: 'www.google.com'
    },
    issuer: {
      countryName: 'US',
      organizationName: 'Google Inc',
      commonName: 'Google Internet Authority G2'
    },
    ... more cert info ...
  },
  "certPEM": '... PEM encoded certificate ...'
}
var sslinfo = require('sslinfo');

// Report what the locally installed OpenSSL can test (no server is contacted)
sslinfo.getOpenSSLCapabilities()
    .done(function (results) {
        console.log(results);
    },
    function (error) {
        console.log("Error", {error: error});
    });
The getOpenSSLCapabilities() function returns a promise that should be resolved by implementing done().
Sample output (from Mac OS X 10.10.3):
{
  "version": "OpenSSL 0.9.8zd 8 Jan 2015",
  "protocols": {
    "supported": [
      "SSLv3",
      "TLSv1",
      "TLSv1.1",
      "TLSv1.2"
    ],
    "unsupported": [
      "SSLv2"
    ]
  },
  "ciphers": {
    "supported": [
      ... ciphers supported by this OpenSSL version ...
    ],
    "unsupported": [
      ... ciphers supported by this tool, but not the installed OpenSSL version ...
    ]
  }
}
Note: The unsupported cipher list is not necessarily correct. I'm going to investigate how to make this information more useful.
0.2.0 (2018-04-08)
Merged pull requests:
Implemented enhancements:
FAQs
Library for inspecting SSL/TLS protocols and ciphers
The npm package sslinfo receives a total of 16 weekly downloads. As such, sslinfo popularity was classified as not popular.
We found that sslinfo demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.