The sys admin's daily grind: SSLScan

Keychain for Life

Article from Issue 163/2014

If, like our author Charly, you manage SSL-secured servers, read on to discover a tool that you will definitely appreciate. It checks whether the complete security setup is up to date.

SSL-secured services are the rule today, rather than the exception. But, how can I quickly and easily check a large number of servers to see whether the encryption methods in use are still up to date? With the SSLScan tool [1].

In the simplest case, I can just call SSLScan with the URL of the website that I want to test: sslscan example.com. Listing 1 shows that SSLScan simply tried a long list of ciphers and returned a status of Accepted, Rejected, or Failed for each one.

Listing 1

sslscan example.com

Supported Server Cipher(s):
<...>
Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA384
Accepted  SSLv3  256 bits  ECDHE-RSA-AES256-SHA
Rejected  SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA
<...>

However, I am primarily interested in what ciphers the server accepts, not what it rejects. The following command:

sslscan --no-failed www.example.com

helps me significantly thin out the output, reducing it to a third of the original length. Things become even clearer if I add more restrictions. For example, if I want to know whether the server still supports SSLv2, I can check the target like this:

sslscan --no-failed --ssl2 www.example.com

The --ssl3 and --tls1 parameters work in the same way. SSLScan also lets you test mail servers, not just web servers; you need the --starttls parameter to do this. Figure 1 shows the output from

sslscan --no-failed --starttls --tlsv1 kuehnast.com:25

Figure 1: Charly uses SSLScan to check his mail server.

The last column of the figure shows which ciphers the server prefers.

Redirection

I can use --xml=<file name> to redirect the output to an XML file. This method is useful for a script with which I periodically check and/or document the encryption capabilities of the server. A combination with --targets=<file name> is useful here. I can use this to write a list of host names to the file – along with the port numbers, if there happen to be any ports other than 443. SSLScan then automatically checks the machines one after another.
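As an added example (not part of SSLScan or of this column's original code), the following script post-processes such an XML file and reports every host that still accepts SSLv2/SSLv3 or a cipher below 128 bits. The element and attribute names it reads are an assumption about the --xml format and should be checked against the file your own sslscan version writes; the sample XML is constructed.

```python
# Summarize sslscan --xml output: which hosts still accept SSLv2/SSLv3 or weak ciphers.
# Added example, not part of SSLScan. Element/attribute names (<ssltest host= port=>,
# <cipher status= sslversion= bits= cipher=/>) follow sslscan's --xml output as I know
# it; treat them as an assumption and check against your version's file.
import xml.etree.ElementTree as ET

OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3"}  # should no longer be offered at all
MIN_BITS = 128                           # weaker accepted ciphers are reported

# Constructed sample standing in for a file written by
#   sslscan --xml=scan.xml --targets=hosts.txt
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<document title="SSLScan Results">
 <ssltest host="www.example.com" port="443">
  <cipher status="accepted" sslversion="SSLv3" bits="256" cipher="ECDHE-RSA-AES256-SHA" />
  <cipher status="rejected" sslversion="SSLv3" bits="256" cipher="ECDHE-ECDSA-AES256-SHA" />
  <cipher status="accepted" sslversion="TLSv1" bits="128" cipher="AES128-SHA" />
  <cipher status="accepted" sslversion="TLSv1" bits="56" cipher="DES-CBC-SHA" />
 </ssltest>
 <ssltest host="mail.example.com" port="25">
  <cipher status="accepted" sslversion="TLSv1" bits="256" cipher="AES256-SHA" />
  <cipher status="failed" sslversion="SSLv2" bits="128" cipher="RC4-MD5" />
 </ssltest>
</document>
"""


def accepted_ciphers(xml_text):
    """{(host, port): [(sslversion, bits, cipher), ...]}, accepted entries only.
    Rejected and failed entries are dropped, like --no-failed does on the console."""
    result = {}
    for test in ET.fromstring(xml_text).iter("ssltest"):
        result[(test.get("host"), int(test.get("port")))] = [
            (c.get("sslversion"), int(c.get("bits")), c.get("cipher"))
            for c in test.iter("cipher") if c.get("status") == "accepted"]
    return result


def findings(xml_text):
    """Sorted (host, port, reason) for every accepted cipher on an obsolete
    protocol or below MIN_BITS; an empty list means every host passes."""
    out = []
    for (host, port), ciphers in accepted_ciphers(xml_text).items():
        for version, bits, name in ciphers:
            if version in OBSOLETE_PROTOCOLS:
                out.append((host, port, f"{version} still accepted ({name})"))
            if bits < MIN_BITS:
                out.append((host, port, f"{bits}-bit cipher accepted ({name})"))
    return sorted(out)
```

Running findings() over the sample flags www.example.com twice (SSLv3 still accepted, and the 56-bit DES cipher) and reports nothing for the mail server, whose only weak entry was a failed handshake rather than an accepted cipher.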

Another addition to my toolbox! The SSLScan security checker is fast, lean, and easy to automate.

The Author

Charly Kühnast is a Unix operating system administrator at the Data Center in Moers, Germany. His tasks include firewall and DMZ security and availability. He divides his leisure time into hot, wet, and eastern sectors, where he enjoys cooking, freshwater aquariums, and learning Japanese, respectively.
