The sys admin's daily grind: SSLScan
Keychain for Life
If, like our author Charly, you manage SSL-secured servers, read on to discover a tool that you will definitely appreciate. It checks whether the complete security setup is up to date.
SSL-secured services are the rule today, rather than the exception. But, how can I quickly and easily check a large number of servers to see whether the encryption methods in use are still up to date? With the SSLScan tool .
In the simplest case, I can just call SSLScan with the URL of the website that I want to test:
sslscan example.com. Listing 1 shows that SSLScan simply tried a long list of ciphers and returned a status of Accepted, Rejected, or Failed for each one.
01 Supported Server Cipher(s): 02 <...> 03 Failed SSLv3 256 bits ECDHE-ECDSA-AES256-SHA384 04 Accepted SSLv3 256 bits ECDHE-RSA-AES256-SHA 05 Rejected SSLv3 256 bits ECDHE-ECDSA-AES256-SHA 06 <...>
However, I am primarily interested in what ciphers the server accepts, not what it rejects. The following command:
sslscan --no-failed www.example.com
helps me significantly thin out the output, reducing it to a third of the original length. Things become even clearer if I add more restrictions. For example, if I want to know whether the server still supports SSLv2, I can check the target like this:
sslscan --no-failed --ssl2 www.example.com
--tls1 parameters work in the same way; however, SSLScan also lets you test mail servers, not just web servers. You need the
--starttls parameter to do this. Figure 1 shows the output from
sslscan --no-failed --starttls --tlsv1kuehnast.com:25
The last column of the figure shows which ciphers the server prefers.
I can use
--xml=<file name> to redirect the output to an XML file. This method is useful for a script with which I periodically check and/or document the encryption capabilities of the server. A combination with
--targets=<file name> is useful here. I can use this to write a list of host names to the file – along with the port numbers, if there happen to be any ports other than 443. SSLScan then automatically checks the machines one after another.
Another addition to my toolbox! The SSLScan security checker is fast, lean, and easy to automate.
Buy this article as PDF
3ROS attack tool lowers the technical bar so anyone can be an intruder.
Mozilla's latest browser offers powerful new privacy feature
If attackers are on your system, saving your passwords in a password vault is no protection.
Faulty hash algorithm persists, despite efforts by experts to raise awareness.
Powerful man-in-the-middle attack is now targeting online shopping.
Another high-profile coder says the kernel team needs a kinder, gentler culture.
Bug database has a bug of its own that could allow an intruder to create an unauthorized account.
Report focuses federal resources on achieving universal Internet access.
Leading browser makers say “no” to porous encryption algorithm