The sys admin's daily grind: SSLScan
Keychain for Life
If, like our author Charly, you manage SSL-secured servers, read on to discover a tool that you will definitely appreciate. It checks whether the complete security setup is up to date.
SSL-secured services are the rule today, rather than the exception. But, how can I quickly and easily check a large number of servers to see whether the encryption methods in use are still up to date? With the SSLScan tool .
In the simplest case, I can just call SSLScan with the URL of the website that I want to test:
sslscan example.com. Listing 1 shows that SSLScan simply tried a long list of ciphers and returned a status of Accepted, Rejected, or Failed for each one.
01 Supported Server Cipher(s): 02 <...> 03 Failed SSLv3 256 bits ECDHE-ECDSA-AES256-SHA384 04 Accepted SSLv3 256 bits ECDHE-RSA-AES256-SHA 05 Rejected SSLv3 256 bits ECDHE-ECDSA-AES256-SHA 06 <...>
However, I am primarily interested in what ciphers the server accepts, not what it rejects. The following command:
sslscan --no-failed www.example.com
helps me significantly thin out the output, reducing it to a third of the original length. Things become even clearer if I add more restrictions. For example, if I want to know whether the server still supports SSLv2, I can check the target like this:
sslscan --no-failed --ssl2 www.example.com
--tls1 parameters work in the same way; however, SSLScan also lets you test mail servers, not just web servers. You need the
--starttls parameter to do this. Figure 1 shows the output from
sslscan --no-failed --starttls --tlsv1kuehnast.com:25
The last column of the figure shows which ciphers the server prefers.
I can use
--xml=<file name> to redirect the output to an XML file. This method is useful for a script with which I periodically check and/or document the encryption capabilities of the server. A combination with
--targets=<file name> is useful here. I can use this to write a list of host names to the file – along with the port numbers, if there happen to be any ports other than 443. SSLScan then automatically checks the machines one after another.
Another addition to my toolbox! The SSLScan security checker is fast, lean, and easy to automate.
Buy this article as PDF
But you can still be a non-voting “individual supporter” if you pay the money
Several current systems could fall victim to the attack
Latest Linux engine comes with better graphics and support for Intel's new power-saving chips.
Hackers send a message of beauty and liberation to server logs
Citrix gets excited about new Pi-Powered XenDesktop client system
Linux on Azure cert heralds a new era for Redmond.
Proposals for presentations at the CeBIT Open Source Forum will be accepted through 24 January 2016.
Adobe looks for a new start; renames its embattled Flash tool.
The Pi's popular Raspbian OS pursues secrecy without entropy.
VMware bids for a stake in the container industry with a bold effort to integrate containers with its classic virtualization system.