I came to know about the following good tools to check the ciphers running on your SSL service and SSL vulnerabilities.
Often we have this situation where we have various SSL-enabled services running on the product, but we do not have a way of verifying the SSL cipher quality.

Use SSLScan and ssl_tests to test for weak ciphers running on your SSL service. I tested it for Apache httpd (443), tomcat (8443).

ssl_tests also tests for common SSL vulnerabilities like SSL/TLS cipher renegotiation. sslscan primarily brute-forces the low, medium and high grade ciphers against the service and lists each one as 'Accepted' or 'Rejected' depending on the SSL service's response.

ssl_tests is a shell script that relies on the sslscan tool for making the checks.
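As an added example (not part of this post or of either tool), here is a small Python post-processor for the 'Accepted'/'Rejected' cipher lines described above: it parses sslscan-style output and reports the accepted ciphers a defender would want removed (obsolete SSLv2/SSLv3, keys under 128 bits, NULL/EXPORT/RC4/anonymous/MD5 suites). The line layout is approximated from sslscan 1.x output and the sample scan below is constructed; example.internal is a placeholder host.

```python
import re

# Constructed sample in the style of sslscan 1.x output (not a real scan).
SAMPLE_SCAN = """\
Testing SSL server example.internal on port 443

  Supported Server Cipher(s):
    Rejected  SSLv2  168 bits  DES-CBC3-MD5
    Accepted  SSLv3  128 bits  RC4-SHA
    Accepted  TLSv1  40 bits   EXP-RC4-MD5
    Rejected  TLSv1  0 bits    NULL-SHA
    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
"""

# One cipher line: status, protocol, key size in bits, OpenSSL cipher name.
LINE_RE = re.compile(
    r"^\s*(Accepted|Rejected)\s+(SSLv2|SSLv3|TLSv1(?:\.\d)?)\s+(\d+)\s+bits\s+(\S+)"
)

# Substrings of OpenSSL cipher names that mark a suite as weak.
WEAK_MARKERS = ("NULL", "EXP", "RC4", "DES-CBC-", "ADH", "AECDH", "MD5")


def weakness_reasons(protocol, bits, cipher):
    """Return a list of reasons this protocol/cipher pair is weak (empty if acceptable)."""
    reasons = []
    if protocol in ("SSLv2", "SSLv3"):
        reasons.append(f"obsolete protocol {protocol}")
    if bits < 128:
        reasons.append(f"{bits}-bit key")
    reasons.extend(f"weak cipher component {m}" for m in WEAK_MARKERS if m in cipher)
    return reasons


def parse_sslscan(text):
    """Parse cipher result lines into dicts; non-matching lines are ignored."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            status, proto, bits, cipher = m.groups()
            results.append({"status": status, "protocol": proto, "bits": int(bits), "cipher": cipher})
    return results


def accepted_weak_ciphers(text):
    """Only 'Accepted' suites matter: rejected ones are already disabled on the server."""
    findings = []
    for r in parse_sslscan(text):
        reasons = weakness_reasons(r["protocol"], r["bits"], r["cipher"])
        if r["status"] == "Accepted" and reasons:
            findings.append((r["protocol"], r["cipher"], reasons))
    return findings
```

Pipe a real scan in with `sslscan host:443 | python this_script.py` after adding a `sys.stdin.read()` call; the constructed sample yields two findings, RC4-SHA over SSLv3 and the 40-bit export suite.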
Compiling sslscan is generally straightforward, but in case you face errors like the one I faced:
gcc -g -Wall -lssl -o sslscan sslscan.c
sslscan.c: In function ‘getCertificate’:
sslscan.c:992: warning: implicit declaration of function ‘EC_KEY_print’
sslscan.c:992: error: ‘union ’ has no member named ‘ec’
sslscan.c:995: error: ‘union ’ has no member named ‘ec’
make: *** [all] Error 1
You can tweak the source code to comment out the lines related to EC keys in sslscan.c (most probably you won't be using EC keys; the scan itself still works, only the printing of EC public-key details is lost):

//EC_KEY_print(stdoutBIO, publicKey->pkey.ec, 6);
//EC_KEY_print(fileBIO, publicKey->pkey.ec, 4);
Reference:
https://www.owasp.org/index.php/Testing_for_SSL-TLS_(OWASP-CM-001)