**2014-10-29**

**Automated testing of SSL security**

As part of my job I write down security requirements for new projects. One of them reads: 'connections between systems that transport non-public data need to be encrypted using up-to-date encryption'. At the same time, the organisation is improving its testing procedures, so that new or upgraded applications reach production fully tested according to predefined test scenarios. So now 'security' is part of the test scenarios as well, and I was asked to help build tests for our security requirements. For secure websites this is easy: I use the Qualys SSL Labs SSL Server Test. But there are many more SSL-secured connections in use, and I want those verified too, without having to expose them to the outside world, preferably from both Unix and Windows endpoints, and either automated or as a scenario that the responsible system administrators can run themselves. A simple web search gave no answers, but asking around pointed me to SSLScan for Windows, a Windows port of SSLScan Fast SSL Scanner. It is even free, and it gives exactly the reports I want:

```text
D:\sslscan win>SSLScan.exe wwwsec.cs.uu.nl:443
                   _
         ___ ___| |___  ___ __ _ _ __
        / __/ __| / __|/ __/ _` | '_ \
        \__ \__ \ \__ \ (_| (_| | | | |
        |___/___/_|___/\___\__,_|_| |_|

                  Version 1.8.2-win
             http://www.titania.co.uk
        Copyright Ian Ventura-Whiting 2009
     Compiled against OpenSSL 0.9.8m 25 Feb 2010

Testing SSL server wwwsec.cs.uu.nl on port 443

  Supported Server Cipher(s):
    Rejected  SSLv2  168 bits  DES-CBC3-MD5
    Rejected  SSLv2  56 bits   DES-CBC-MD5
    Rejected  SSLv2  128 bits  IDEA-CBC-MD5
    Rejected  SSLv2  40 bits   EXP-RC2-CBC-MD5
    Rejected  SSLv2  128 bits  RC2-CBC-MD5
    Rejected  SSLv2  40 bits   EXP-RC4-MD5
    Rejected  SSLv2  128 bits  RC4-MD5
    Rejected  SSLv3  256 bits  ADH-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-DSS-AES256-SHA
    Rejected  SSLv3  256 bits  AES256-SHA
    Rejected  SSLv3  128 bits  ADH-AES128-SHA
    Rejected  SSLv3  128 bits  DHE-RSA-AES128-SHA
    Rejected  SSLv3  128 bits  DHE-DSS-AES128-SHA
    Rejected  SSLv3  128 bits  AES128-SHA
    Rejected  SSLv3  168 bits  ADH-DES-CBC3-SHA
    Rejected  SSLv3  56 bits   ADH-DES-CBC-SHA
    Rejected  SSLv3  40 bits   EXP-ADH-DES-CBC-SHA
    Rejected  SSLv3  128 bits  ADH-RC4-MD5
    Rejected  SSLv3  40 bits   EXP-ADH-RC4-MD5
    Rejected  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  SSLv3  56 bits   EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3  40 bits   EXP-EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  SSLv3  56 bits   EDH-DSS-DES-CBC-SHA
    Rejected  SSLv3  40 bits   EXP-EDH-DSS-DES-CBC-SHA
    Rejected  SSLv3  168 bits  DES-CBC3-SHA
    Rejected  SSLv3  56 bits   DES-CBC-SHA
    Rejected  SSLv3  40 bits   EXP-DES-CBC-SHA
    Rejected  SSLv3  128 bits  IDEA-CBC-SHA
    Rejected  SSLv3  40 bits   EXP-RC2-CBC-MD5
    Rejected  SSLv3  128 bits  RC4-SHA
    Rejected  SSLv3  128 bits  RC4-MD5
    Rejected  SSLv3  40 bits   EXP-RC4-MD5
    Rejected  SSLv3  0 bits    NULL-SHA
    Rejected  SSLv3  0 bits    NULL-MD5
    Rejected  TLSv1  256 bits  ADH-AES256-SHA
    Rejected  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Rejected  TLSv1  256 bits  DHE-DSS-AES256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Rejected  TLSv1  128 bits  ADH-AES128-SHA
    Rejected  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Rejected  TLSv1  128 bits  DHE-DSS-AES128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Rejected  TLSv1  168 bits  ADH-DES-CBC3-SHA
    Rejected  TLSv1  56 bits   ADH-DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-ADH-DES-CBC-SHA
    Rejected  TLSv1  128 bits  ADH-RC4-MD5
    Rejected  TLSv1  40 bits   EXP-ADH-RC4-MD5
    Rejected  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  TLSv1  56 bits   EDH-RSA-DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-EDH-RSA-DES-CBC-SHA
    Rejected  TLSv1  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  TLSv1  56 bits   EDH-DSS-DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-EDH-DSS-DES-CBC-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Rejected  TLSv1  56 bits   DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-DES-CBC-SHA
    Rejected  TLSv1  128 bits  IDEA-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-RC2-CBC-MD5
    Accepted  TLSv1  128 bits  RC4-SHA
    Rejected  TLSv1  128 bits  RC4-MD5
    Rejected  TLSv1  40 bits   EXP-RC4-MD5
    Rejected  TLSv1  0 bits    NULL-SHA
    Rejected  TLSv1  0 bits    NULL-MD5

  Prefered Server Cipher(s):
    TLSv1  128 bits  RC4-SHA

  SSL Certificate:
    Version: 2
    Serial Number: -4294967295
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: /C=NL/O=TERENA/CN=TERENA SSL CA
    Not valid before: Mar 15 00:00:00 2012 GMT
    Not valid after: Mar 15 23:59:59 2015 GMT
    Subject: /C=NL/O=Universiteit Utrecht/CN=wwwsec.cs.uu.nl
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
      Modulus (2048 bit):
          00:da:af:31:f2:39:f5:66:d0:d5:96:5e:1d:1e:7a:
          86:ba:3f:79:79:98:da:30:79:32:39:99:47:88:ea:
          6c:2e:a0:2a:9b:29:0a:48:9e:0f:9e:9d:e1:9a:32:
          8d:a6:ab:7b:bb:73:62:0a:43:31:cd:78:02:14:09:
          23:b7:d1:28:4a:2e:b8:c0:c9:ea:7a:9b:5c:4b:ae:
          73:af:7b:82:4d:dd:e9:ec:8f:6e:13:c9:db:d4:d0:
          92:9f:d3:88:69:c2:d3:61:32:76:d6:12:d0:45:d7:
          c2:89:fb:cb:24:b0:5e:6b:11:89:5c:3b:3e:8b:02:
          9b:3a:62:ca:ac:47:d1:97:1d:02:bd:50:2b:50:e5:
          be:55:f5:54:5c:68:99:28:c6:ca:05:70:79:84:1a:
          24:6d:02:de:16:74:8b:05:ce:f0:9c:71:27:c0:99:
          22:66:2e:00:31:ca:b7:1c:9d:78:8e:6e:e0:8f:94:
          4d:42:a7:89:8f:8d:d4:3a:1d:91:e6:c8:59:a1:59:
          3b:b3:e7:54:21:3c:38:0b:d3:27:37:33:48:8f:f4:
          e0:ba:e7:33:17:9b:a2:b1:b4:f0:7a:35:b3:27:4c:
          81:ad:76:91:78:52:1a:18:bf:18:c9:93:84:aa:79:
          49:ec:43:fe:56:5b:cc:82:ad:44:c7:4b:79:8f:d1:
          6d:9d
      Exponent: 65537 (0x10001)
    X509v3 Extensions:
      X509v3 Authority Key Identifier:
        keyid:0C:BD:93:68:0C:F3:DE:AB:A3:49:6B:2B:37:57:47:EA:90:E3:B9:ED
      X509v3 Subject Key Identifier:
        99:E4:5C:2F:C5:E8:4F:D1:A5:91:AA:0B:28:18:F2:EF:2A:96:4B:49
      X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
      X509v3 Basic Constraints: critical
        CA:FALSE
      X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
      X509v3 Certificate Policies:
        Policy: 1.3.6.1.4.1.6449.1.2.2.29
      X509v3 CRL Distribution Points:
        URI:http://crl.tcs.terena.org/TERENASSLCA.crl
      Authority Information Access:
        CA Issuers - URI:http://crt.tcs.terena.org/TERENASSLCA.crt
        OCSP - URI:http://ocsp.tcs.terena.org
      X509v3 Subject Alternative Name:
        DNS:wwwsec.cs.uu.nl, DNS:wwws.cs.uu.nl
  Verify Certificate:
    self signed certificate in certificate chain
```

At this moment it complains about a self-signed certificate because I haven't given it a list of root certificates. I can't find out at the moment how to fix that: it doesn't seem to check the list of root certificates, or not in the place I put them.
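To turn a report like the one above into an automated pass/fail test, here is an added example in Python; it is not code from the post or from the SSLScan project. It parses the text SSLScan 1.8 prints, collects the accepted and preferred cipher suites plus a few certificate fields, and evaluates them against a policy. The policy constants (no SSLv2/SSLv3, suites of at least 128 bits, no NULL/export/anonymous-DH/RC4/single-DES/MD5 suites, no MD5 or SHA-1 certificate signatures) are my assumed reading of 'up-to-date encryption'; the line formats are taken from the scan above; the embedded sample report is constructed from that scan with one SSLv3 acceptance added so the protocol rule fires; and the guess that a verified chain is reported with the word 'passed' is mine as well.

```python
# Check SSLScan 1.8 text output against an 'up-to-date encryption' policy.
import re
import sys
from datetime import datetime, timezone

# Policy: one assumed reading of 'up-to-date encryption'; adjust to the local requirement.
BANNED_PROTOCOLS = {"SSLv2", "SSLv3"}
MIN_BITS = 128                   # DES-CBC3 reports 168 bits, so 3DES passes this rule
WEAK_CIPHER = re.compile(r"(^|-)(NULL|EXP|ADH|RC4|DES-CBC|MD5)(-|$)")  # null/export/anon-DH/RC4/DES/MD5
WEAK_SIGNATURES = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}

# Report lines as printed by sslscan 1.8.
CIPHER_LINE = re.compile(r"^(Accepted|Rejected|Failed)\s+(SSLv2|SSLv3|TLSv1(?:\.\d)?)\s+(\d+) bits\s+(\S+)$")
PREFERRED_LINE = re.compile(r"^(SSLv2|SSLv3|TLSv1(?:\.\d)?)\s+(\d+) bits\s+(\S+)$")
CERT_FIELDS = ("Signature Algorithm", "Not valid after", "Verify Certificate")

def parse_sslscan(text):
    """Return accepted ciphers, preferred ciphers and selected certificate fields."""
    accepted, preferred, cert, section, pending = [], [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Supported Server Cipher(s):"):
            section = "supported"
        elif line.startswith(("Prefered Server Cipher(s):", "Preferred Server Cipher(s):")):
            section = "preferred"                    # sslscan 1.8 spells it 'Prefered'
        elif line.startswith("SSL Certificate:"):
            section = "cert"
        elif section == "supported" and (m := CIPHER_LINE.match(line)):
            if m.group(1) == "Accepted":
                accepted.append((m.group(2), int(m.group(3)), m.group(4)))
        elif section == "preferred" and (m := PREFERRED_LINE.match(line)):
            preferred.append((m.group(1), int(m.group(2)), m.group(3)))
        elif section == "cert":
            if pending:                              # value was printed on its own line
                cert[pending], pending = line, None
                continue
            for field in CERT_FIELDS:
                if line.startswith(field + ":"):
                    cert[field] = line.split(":", 1)[1].strip()
                    pending = None if cert[field] else field
    return {"accepted": accepted, "preferred": preferred, "cert": cert}

def suite_weakness(proto, bits, name):
    """Return why a cipher suite violates the policy, or None if it is acceptable."""
    if proto in BANNED_PROTOCOLS:
        return f"obsolete protocol {proto}"
    if bits < MIN_BITS:
        return f"only {bits} bits"
    if WEAK_CIPHER.search(name):
        return "weak cipher"

def evaluate(report, today=None):
    """Return policy findings (empty list == pass); 'today' is an ISO date, default: now (UTC)."""
    now = datetime.fromisoformat(today) if today else datetime.now(timezone.utc).replace(tzinfo=None)
    findings = []
    for kind in ("accepted", "preferred"):
        for proto, bits, name in report[kind]:
            if why := suite_weakness(proto, bits, name):
                findings.append(f"{kind} {proto} {name}: {why}")
    cert = report["cert"]
    if cert.get("Signature Algorithm") in WEAK_SIGNATURES:
        findings.append(f"weak certificate signature: {cert['Signature Algorithm']}")
    if cert.get("Not valid after"):
        # OpenSSL date as printed by sslscan, e.g. 'Mar 15 23:59:59 2015 GMT'
        expiry = datetime.strptime(cert["Not valid after"], "%b %d %H:%M:%S %Y %Z")
        if expiry < now:
            findings.append(f"certificate expired: {cert['Not valid after']}")
    verify = cert.get("Verify Certificate", "")
    # Assumption: a verified chain is reported with the word 'passed'; anything else is the
    # OpenSSL error string, e.g. when the scanner was given no root CA list (as in the post).
    if verify and "passed" not in verify.lower():
        findings.append(f"certificate chain not verified: {verify}")
    return findings

# Constructed sample, abridged from the scan in the post, with one SSLv3
# acceptance added so that the protocol rule has something to fire on.
SAMPLE = """\
  Supported Server Cipher(s):
    Rejected  SSLv3  256 bits  AES256-SHA
    Accepted  SSLv3  128 bits  AES128-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
  Prefered Server Cipher(s):
    TLSv1  128 bits  RC4-SHA
  SSL Certificate:
    Signature Algorithm: sha1WithRSAEncryption
    Not valid after: Mar 15 23:59:59 2015 GMT
  Verify Certificate:
    self signed certificate in certificate chain
"""

if __name__ == "__main__":
    # Usage: sslscan host:443 > report.txt && python check_sslscan.py report.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for finding in evaluate(parse_sslscan(text)) or ["PASS: no policy findings"]:
        print(finding)
```

Saving the scanner output to a file and feeding it to this script gives a list of findings that a system administrator can act on, or an empty list that a test scenario can record as a pass; with no argument it checks the embedded sample. Until the scanner is given a root certificate list, the chain check keeps firing exactly as in the post above; the cipher, key-length and certificate-date checks do not depend on it.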