Overview
For some time now I've been reading articles on different encryption mechanisms, SSL/TLS and so on. I am going to cut to the chase, since there are many articles available online to help you understand the basics.
I was browsing the net when I came across this informative guide. Wikipedia rocks, doesn't it?
A guy named Jake Rocheleau also shows, step by step, how to install SSL on your own server: Here
Security
SSL is used to provide secure connections between client and server, to help protect vital data against sniffing. Though SSL provides security, there have been cases where the encryption has been broken or cracked. SSL security is constantly changing over time.
Here is how SSL Works:
Tools
There are quite a few open source tools available for auditing SSL:
- SSL Analyzer (Windows)
- sslaudit.pl
- SSL Test (online scanner)
- SSLScan
These are a few of the ones I have used to date, and I am pretty happy with the results.
SSL Analyzer
SSL Analyzer is a Windows-based tool. The SSL Vulnerabilities Analyzer is designed for website owners and security testers. The tool takes a domain and/or IP address, tests the encryption methods and algorithms they support, and analyzes the results in graphic form, reporting problematic encryption methods. The better part is that these people even have a Hardening Guide.
SSLAudit.pl
One of the best things about this script is that it has a rating system: it rates your SSL analysis. They even provide a rating guide: Here
Currently SSLAudit performs the following checks:
- SSL Protocol support detection
- SSL Cipher support detection
- Public cert PEM extraction
- Certificate timeframe validation (and warns if it is 30 days or less until the certificate expires)
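As an added illustration of the checks listed above (certificate timeframe validation with the same 30-day warning, public cert PEM extraction, and protocol support detection), here is a Python script written for this page; it is not SSLAudit's own Perl code. The function names are my own, and the two network functions assume you can reach the host you point them at.

```python
import socket
import ssl
import time

WARN_DAYS = 30  # same threshold SSLAudit uses for its expiry warning

def days_until_expiry(not_after, now=None):
    # not_after: the 'notAfter' string from ssl.getpeercert(), e.g. 'Jan  5 09:34:43 2030 GMT'
    # now: Unix time, defaults to the present (a plain number so it is easy to test)
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400

def classify_timeframe(not_before, not_after, now=None):
    # Mirrors SSLAudit's certificate timeframe validation and 30-day warning.
    now = time.time() if now is None else now
    if now < ssl.cert_time_to_seconds(not_before):
        return "not yet valid"
    days = days_until_expiry(not_after, now)
    if days < 0:
        return "expired"
    if days <= WARN_DAYS:
        return "expiring soon"
    return "ok"

def fetch_cert(host, port=443):
    # Public cert PEM extraction after a validated handshake (needs network).
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return ssl.DER_cert_to_PEM_cert(der), tls.getpeercert()

def probe_protocols(host, port=443):
    # Protocol support detection: one handshake per version, pinned via
    # minimum_version == maximum_version. Verification is off on purpose:
    # only the handshake outcome matters here, not the certificate.
    support = {}
    for name in ("TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        try:
            ctx.minimum_version = ctx.maximum_version = getattr(ssl.TLSVersion, name)
            with socket.create_connection((host, port), timeout=10) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    support[name] = True
        except (OSError, ValueError):  # handshake refused or version not built in
            support[name] = False
    return support
```

Against your own server, call fetch_cert(host), then classify_timeframe(cert["notBefore"], cert["notAfter"]) on the returned dict, and probe_protocols(host) to see which versions the server still accepts; the timeframe check itself needs no network.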
SSL Test Online Scanner
SSLScan
SSLScan queries SSL services, such as HTTPS, in order to determine the ciphers that are supported. SSLScan is designed to be easy, lean and fast. The output includes the preferred ciphers of the SSL service and the certificate, and is available in text and XML formats.
Tutorials for it are available; here is one written by Michael Boman:
Basic usage
--targets=targets.txt option).
--no-failed option to hide those results (highly recommended). If you are testing an HTTP server you can also supply the --http option, which will send an HTTP request over the newly created connection to see what status code your request gets (useful if the server supports less secure protocols/ciphers but redirects to a page which tells the user to update their browser).
--starttls option instead.
Advanced usage
Specifying protocol versions to test
--ssl2, --ssl3 or --tls1 option respectively.
Using client certificates
--pk=cert.p12 option to specify where to load the client certificate from. If the certificate is protected by a password (which it should be) you can specify that using the --pkpass=p12password option. Please note that the password will be visible to anyone on the same system, since it is present in the command parameters.
Verifying server certificates
--certs=certs.pem option you can specify which root CAs you trust and want to verify the target server against. This option is still under development and only exists in the Google Code repository.
SSL implementation bugs
--bugs option.
Output formats
--xml=file.xml option writes the findings to a file in XML format. If you use the filename “stdout” the program will output the results to the terminal screen instead of a file. This can be very useful, especially with the --quiet option, if you call SSLScan from some other program and then want to parse the XML file, which will be provided on stdout instead of in a temporary file.
--pout is an undocumented and soon-to-be-retired feature that outputs the collected results in a more grep-friendly format, inspired by Nmap's greppable format.
Other options
--version tells you which version of SSLScan you are running.
--quiet just runs the test without outputting anything on the screen. Can be a useful flag when combined with --xml=stdout.
--help provides you with a help message which basically tells you what options SSLScan supports.