The sys admin's daily grind: SSLScan

Keychain for Life

Article from Issue 163/2014

If, like our author Charly, you manage SSL-secured servers, read on to discover a tool that you will definitely appreciate. It checks whether the complete security setup is up to date.

SSL-secured services are the rule today, rather than the exception. But, how can I quickly and easily check a large number of servers to see whether the encryption methods in use are still up to date? With the SSLScan tool [1].

In the simplest case, I can just call SSLScan with the URL of the website that I want to test: sslscan example.com. Listing 1 shows that SSLScan simply tried a long list of ciphers and returned a status of Accepted, Rejected, or Failed for each one.

Listing 1

sslscan example.com

However, I am primarily interested in what ciphers the server accepts, not what it rejects. The following command:

sslscan --no-failed www.example.com

helps me significantly thin out the output, reducing it to a third of the original length. Things become even clearer if I add more restrictions. For example, if I want to know whether the server still supports SSLv2, I can check the target like this:

sslscan --no-failed --ssl2 www.example.com

The --ssl3 and --tls1 parameters work in the same way. SSLScan also lets you test mail servers, not just web servers; you need the --starttls parameter to do this. Figure 1 shows the output from:

sslscan --no-failed --starttls --tlsv1 kuehnast.com:25

Figure 1: Charly uses SSLScan to check his mail server.

The last column of the figure shows which ciphers the server prefers.

Redirection

I can use --xml=<file name> to redirect the output to an XML file. This method is useful for a script with which I periodically check and/or document the encryption capabilities of the server. A combination with --targets=<file name> is useful here. I can use this to write a list of host names to the file – along with the port numbers, if there happen to be any ports other than 443. SSLScan then automatically checks the machines one after another.
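As an added example (not from the column or the SSLScan project), the following Python script reads the XML that --xml=<file name> writes and reports, per host, which ciphers were accepted and which of those still rely on SSLv2/SSLv3 or short keys, which is the kind of periodic check the paragraph above describes. The element and attribute names in the constructed sample are assumed from SSLScan's XML format; check them against the output of your own version.

```python
"""Summarise an sslscan --xml report: accepted ciphers per host, plus weak findings."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an sslscan --xml report
# (element/attribute names assumed; verify against your sslscan version).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<document title="SSLScan Results" version="1.8.2">
 <ssltest host="www.example.com" port="443">
  <cipher status="accepted" sslversion="SSLv2" bits="40" cipher="EXP-RC4-MD5" />
  <cipher status="rejected" sslversion="SSLv3" bits="256" cipher="AES256-SHA" />
  <cipher status="accepted" sslversion="TLSv1" bits="128" cipher="AES128-SHA" />
  <cipher status="accepted" sslversion="TLSv1" bits="256" cipher="AES256-SHA" />
  <defaultcipher sslversion="TLSv1" bits="256" cipher="AES256-SHA" />
 </ssltest>
 <ssltest host="mail.example.com" port="25">
  <cipher status="accepted" sslversion="TLSv1" bits="256" cipher="DHE-RSA-AES256-SHA" />
  <cipher status="failed" sslversion="SSLv2" bits="56" cipher="DES-CBC-MD5" />
 </ssltest>
</document>
"""

MIN_BITS = 128                      # anything shorter is reported as weak
LEGACY_VERSIONS = {"SSLv2", "SSLv3"}  # protocols that should no longer be offered

def accepted_ciphers(xml_text):
    """Map 'host:port' -> list of (sslversion, bits, cipher) the server accepted."""
    root = ET.fromstring(xml_text)
    result = {}
    for test in root.iter("ssltest"):
        key = f"{test.get('host')}:{test.get('port')}"
        result[key] = [
            (c.get("sslversion"), int(c.get("bits")), c.get("cipher"))
            for c in test.findall("cipher") if c.get("status") == "accepted"
        ]
    return result

def weak_findings(xml_text, min_bits=MIN_BITS):
    """Flag accepted ciphers that use a legacy protocol or fewer than min_bits bits."""
    findings = []
    for target, ciphers in accepted_ciphers(xml_text).items():
        for version, bits, name in ciphers:
            if version in LEGACY_VERSIONS:
                findings.append((target, f"legacy protocol {version}", name))
            if bits < min_bits:
                findings.append((target, f"only {bits}-bit key", name))
    return findings

for target, ciphers in accepted_ciphers(SAMPLE_XML).items():
    print(target, "accepts", len(ciphers), "cipher(s)")
for target, reason, name in weak_findings(SAMPLE_XML):
    print(f"WEAK {target}: {name} ({reason})")
```

Replace SAMPLE_XML with the contents of the file named in --xml=<file name> to run it against a real scan of the hosts listed in --targets=<file name>.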

Another addition to my toolbox! The SSLScan security checker is fast, lean, and easy to automate.

The Author

Charly Kühnast is a Unix operating system administrator at the Data Center in Moers, Germany. His tasks include firewall and DMZ security and availability. He divides his leisure time into hot, wet, and eastern sectors, where he enjoys cooking, freshwater aquariums, and learning Japanese, respectively.
