The sys admin's daily grind: SSLScan
Keychain for Life
If, like our author Charly, you manage SSL-secured servers, read on to discover a tool that you will definitely appreciate. It checks whether the complete security setup is up to date.
SSL-secured services are the rule today, rather than the exception. But, how can I quickly and easily check a large number of servers to see whether the encryption methods in use are still up to date? With the SSLScan tool .
In the simplest case, I can just call SSLScan with the URL of the website that I want to test:
sslscan example.com. Listing 1 shows that SSLScan simply tried a long list of ciphers and returned a status of Accepted, Rejected, or Failed for each one.
01 Supported Server Cipher(s): 02 <...> 03 Failed SSLv3 256 bits ECDHE-ECDSA-AES256-SHA384 04 Accepted SSLv3 256 bits ECDHE-RSA-AES256-SHA 05 Rejected SSLv3 256 bits ECDHE-ECDSA-AES256-SHA 06 <...>
However, I am primarily interested in what ciphers the server accepts, not what it rejects. The following command:
sslscan --no-failed www.example.com
helps me significantly thin out the output, reducing it to a third of the original length. Things become even clearer if I add more restrictions. For example, if I want to know whether the server still supports SSLv2, I can check the target like this:
sslscan --no-failed --ssl2 www.example.com
--tls1 parameters work in the same way; however, SSLScan also lets you test mail servers, not just web servers. You need the
--starttls parameter to do this. Figure 1 shows the output from
sslscan --no-failed --starttls --tlsv1kuehnast.com:25
The last column of the figure shows which ciphers the server prefers.
I can use
--xml=<file name> to redirect the output to an XML file. This method is useful for a script with which I periodically check and/or document the encryption capabilities of the server. A combination with
--targets=<file name> is useful here. I can use this to write a list of host names to the file – along with the port numbers, if there happen to be any ports other than 443. SSLScan then automatically checks the machines one after another.
Another addition to my toolbox! The SSLScan security checker is fast, lean, and easy to automate.
Buy this article as PDF
Xen project announces a privilege escalation problem for Qemu host systems
Attackers can compromise an Android phone just by sending a text message
PC vendor will pre-install Ubuntu on portables in India.
More embarrassment for Adobe's embattled multimedia tool
Mozilla’s script blocker add-on could be putting malware sites on the whitelist.
The Internet community officially banishes the notoriously unsafe Secure Sockets Layer protocol.
Popular desktop environment continues the Gnome 2 legacy – with new support for the Gnome 3 toolkit.
The Obama White House has issued a memorandum telling all US government agencies they must use HTTPS for all websites and web communication.
New program will dial up security for the Firefox browser.
Red Hat's community distro embraces the cloud.