Friday, August 15, 2014

SSL/TLS cipher testing Notes and Tools

I am trying to gather some freely available tools, techniques and links that can help running SSL/TLS related tests. The more I learn, the more stuff I will add. SSL/TLS is not that simple, you cannot rely on the output of just 1 tool. You also need to understand how that tool/script works internally.

Tools and scripts (will keep adding)

Testing might be affected with what openssl version you have installed, because older versions may not have support for newer cipher suites or higher protocols. So while testing you need to take this into consideration.

1. Nmap ssl-enum-ciphers script

nmap --script ssl-enum-ciphers -p 443 hostname

2. sslscan. (based on openssl)

Uses openssl internally. If you compile it on redhat, you may run into compilation issues because EC crypto is not there in openssl in redhat (depending on your version). If you are not interested in testing EC, then you can comment out the lines as mentioned in my previous post:

3. ssl_tests (based on sslscan/openssl)
ssl_tests is a shell script that uses sslscan and openssl internally to connect.

4. Using OpenSSL directly
openssl s_client -connect host:port

5. sslyze
root@kali:~# sslyze --tlsv1

6. TestSSLServer : A simple java program that does the same kind of testing. The program uses plain sockets and raw packet level inspection and does not depend on any provider like JSSE or Openssl as such. So it is very good for learning at raw packet level as to how do you know whether compression is supported or not. The program also checks CRIME and BEAST status by checking the compression support in the connection and inspecting the protocol version. You can see how it does that in the comments.

However, I would recommend you develop your own understand about CRIME/BEAST working and its latest status depending on your own application implementation rather than relying on the output of the testing program. Things and assumptions keep changing with time.

Original reference:

Here is a screenshot of running the tool using eclipse:

7. SSLDigger by Foundstone -
It is a windows based tool. However, it does not have support for a lot of latest ciphers probably because it has not been updated.

8. If you want to play around writing your own tool, here is a small test I did in Java. This tool is an example of how you can use a crypto library for SSL testing. The drawback is that you can only test the cipher that your client library supports. In contrast to TestSSLServer (6) which does a packet level inspection and does not rely on a local crypto library.

9. Testing the SSL for mysql and postgresql?
Databases do not really follow the procedures of a typical SSL/TLS handshake. You need to have a db client for that or you can use wireshark. Wanna see an example, check my earlier notes on mysql's ssl:

10. SSLAudit -

I found SSLAudit pretty good.

11. SSL Breacher

12. TLSSLed (Based on sslscan/openssl)

To be continued..

Helpful references for testing

TLS learning

[*]  Listing of Openssl ciphers (meaning of examples like ALL:!ADH:@STRENGTH)

[*]  A little advanced but good learning material about TLS

[*]  Explains a lot of common SSL problems in a very simple way.

[*]  Understanding the meaning of a cipher string like DHE-RSA-AES256-SHA

[*]  High/Low/Med grade ciphers

SSL/TLS best practices


Products using SSL

[*] Postgres using SSL (How to test SSL being used)


1 comment: