As part of my job I write down security requirements for new projects. Those
include 'connections between systems that transport non-public data need to
be encrypted using up-to-date encryption'. At the same time, my employer is
improving its testing procedures so that new or upgraded applications come to
production fully tested according to predefined testing scenarios. So now
'security' is also part of the test scenarios, and I was asked to help build
tests for our security requirements.
For secure websites it is easy: I use the
Qualys SSL Labs SSL Server Test.
But there are a lot more SSL-secured connections in use, and I would like those
verified too, without having to expose them to the outside world. Preferably
from both Unix and Windows endpoints, and automated and/or as a scenario that
can be run by the responsible system administrators.
A simple web search gave no answers, but some asking around gave me
SSLScan for Windows, which
is a Windows port of
SSLScan Fast SSL Scanner.
It's even free, and it gives exactly the reports I want:
D:\sslscan win>SSLScan.exe wwwsec.cs.uu.nl:443
_
___ ___| |___ ___ __ _ _ __
/ __/ __| / __|/ __/ _` | '_ \
\__ \__ \ \__ \ (_| (_| | | | |
|___/___/_|___/\___\__,_|_| |_|
Version 1.8.2-win
http://www.titania.co.uk
Copyright Ian Ventura-Whiting 2009
Compiled against OpenSSL 0.9.8m 25 Feb 2010
Testing SSL server wwwsec.cs.uu.nl on port 443
Supported Server Cipher(s):
Rejected SSLv2 168 bits DES-CBC3-MD5
Rejected SSLv2 56 bits DES-CBC-MD5
Rejected SSLv2 128 bits IDEA-CBC-MD5
Rejected SSLv2 40 bits EXP-RC2-CBC-MD5
Rejected SSLv2 128 bits RC2-CBC-MD5
Rejected SSLv2 40 bits EXP-RC4-MD5
Rejected SSLv2 128 bits RC4-MD5
Rejected SSLv3 256 bits ADH-AES256-SHA
Rejected SSLv3 256 bits DHE-RSA-AES256-SHA
Rejected SSLv3 256 bits DHE-DSS-AES256-SHA
Rejected SSLv3 256 bits AES256-SHA
Rejected SSLv3 128 bits ADH-AES128-SHA
Rejected SSLv3 128 bits DHE-RSA-AES128-SHA
Rejected SSLv3 128 bits DHE-DSS-AES128-SHA
Rejected SSLv3 128 bits AES128-SHA
Rejected SSLv3 168 bits ADH-DES-CBC3-SHA
Rejected SSLv3 56 bits ADH-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-ADH-DES-CBC-SHA
Rejected SSLv3 128 bits ADH-RC4-MD5
Rejected SSLv3 40 bits EXP-ADH-RC4-MD5
Rejected SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Rejected SSLv3 56 bits EDH-RSA-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
Rejected SSLv3 168 bits EDH-DSS-DES-CBC3-SHA
Rejected SSLv3 56 bits EDH-DSS-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-EDH-DSS-DES-CBC-SHA
Rejected SSLv3 168 bits DES-CBC3-SHA
Rejected SSLv3 56 bits DES-CBC-SHA
Rejected SSLv3 40 bits EXP-DES-CBC-SHA
Rejected SSLv3 128 bits IDEA-CBC-SHA
Rejected SSLv3 40 bits EXP-RC2-CBC-MD5
Rejected SSLv3 128 bits RC4-SHA
Rejected SSLv3 128 bits RC4-MD5
Rejected SSLv3 40 bits EXP-RC4-MD5
Rejected SSLv3 0 bits NULL-SHA
Rejected SSLv3 0 bits NULL-MD5
Rejected TLSv1 256 bits ADH-AES256-SHA
Rejected TLSv1 256 bits DHE-RSA-AES256-SHA
Rejected TLSv1 256 bits DHE-DSS-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Rejected TLSv1 128 bits ADH-AES128-SHA
Rejected TLSv1 128 bits DHE-RSA-AES128-SHA
Rejected TLSv1 128 bits DHE-DSS-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Rejected TLSv1 168 bits ADH-DES-CBC3-SHA
Rejected TLSv1 56 bits ADH-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-ADH-DES-CBC-SHA
Rejected TLSv1 128 bits ADH-RC4-MD5
Rejected TLSv1 40 bits EXP-ADH-RC4-MD5
Rejected TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Rejected TLSv1 56 bits EDH-RSA-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Rejected TLSv1 168 bits EDH-DSS-DES-CBC3-SHA
Rejected TLSv1 56 bits EDH-DSS-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-EDH-DSS-DES-CBC-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Rejected TLSv1 56 bits DES-CBC-SHA
Rejected TLSv1 40 bits EXP-DES-CBC-SHA
Rejected TLSv1 128 bits IDEA-CBC-SHA
Rejected TLSv1 40 bits EXP-RC2-CBC-MD5
Accepted TLSv1 128 bits RC4-SHA
Rejected TLSv1 128 bits RC4-MD5
Rejected TLSv1 40 bits EXP-RC4-MD5
Rejected TLSv1 0 bits NULL-SHA
Rejected TLSv1 0 bits NULL-MD5
Prefered Server Cipher(s):
TLSv1 128 bits RC4-SHA
SSL Certificate:
Version: 2
Serial Number: -4294967295
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=NL/O=TERENA/CN=TERENA SSL CA
Not valid before: Mar 15 00:00:00 2012 GMT
Not valid after: Mar 15 23:59:59 2015 GMT
Subject: /C=NL/O=Universiteit Utrecht/CN=wwwsec.cs.uu.nl
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:da:af:31:f2:39:f5:66:d0:d5:96:5e:1d:1e:7a:
86:ba:3f:79:79:98:da:30:79:32:39:99:47:88:ea:
6c:2e:a0:2a:9b:29:0a:48:9e:0f:9e:9d:e1:9a:32:
8d:a6:ab:7b:bb:73:62:0a:43:31:cd:78:02:14:09:
23:b7:d1:28:4a:2e:b8:c0:c9:ea:7a:9b:5c:4b:ae:
73:af:7b:82:4d:dd:e9:ec:8f:6e:13:c9:db:d4:d0:
92:9f:d3:88:69:c2:d3:61:32:76:d6:12:d0:45:d7:
c2:89:fb:cb:24:b0:5e:6b:11:89:5c:3b:3e:8b:02:
9b:3a:62:ca:ac:47:d1:97:1d:02:bd:50:2b:50:e5:
be:55:f5:54:5c:68:99:28:c6:ca:05:70:79:84:1a:
24:6d:02:de:16:74:8b:05:ce:f0:9c:71:27:c0:99:
22:66:2e:00:31:ca:b7:1c:9d:78:8e:6e:e0:8f:94:
4d:42:a7:89:8f:8d:d4:3a:1d:91:e6:c8:59:a1:59:
3b:b3:e7:54:21:3c:38:0b:d3:27:37:33:48:8f:f4:
e0:ba:e7:33:17:9b:a2:b1:b4:f0:7a:35:b3:27:4c:
81:ad:76:91:78:52:1a:18:bf:18:c9:93:84:aa:79:
49:ec:43:fe:56:5b:cc:82:ad:44:c7:4b:79:8f:d1:
6d:9d
Exponent: 65537 (0x10001)
X509v3 Extensions:
X509v3 Authority Key Identifier:
keyid:0C:BD:93:68:0C:F3:DE:AB:A3:49:6B:2B:37:57:47:EA:90:E3:B9:ED
X509v3 Subject Key Identifier:
99:E4:5C:2F:C5:E8:4F:D1:A5:91:AA:0B:28:18:F2:EF:2A:96:4B:49
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.6449.1.2.2.29
X509v3 CRL Distribution Points:
URI:http://crl.tcs.terena.org/TERENASSLCA.crl
Authority Information Access:
CA Issuers - URI:http://crt.tcs.terena.org/TERENASSLCA.crt
OCSP - URI:http://ocsp.tcs.terena.org
X509v3 Subject Alternative Name:
DNS:wwwsec.cs.uu.nl, DNS:wwws.cs.uu.nl
Verify Certificate:
self signed certificate in certificate chain
At this moment it complains about a self-signed certificate because I haven't
given it a list of root certificates. I can't find out at the moment how to
fix that; it doesn't seem to check the list of root certificates, or not in
the place I put them.
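Turning a report like the one above into an automated pass/fail test is the part the system administrators would actually run. The script below is an added example, not code from the original post or from the SSLScan project: it parses the 'Accepted/Rejected <protocol> <n> bits <cipher>' lines and the 'Prefered Server Cipher(s)' line that SSLScan prints, and fails when the server accepts anything the policy forbids. The policy values (allowed protocol versions, minimum key length, forbidden cipher families) are assumptions chosen for illustration and should be replaced by whatever the 'up-to-date encryption' requirement actually says; the sample report is constructed in the same layout as the scanner output and covers only the cipher section, not the certificate chain check.

```python
"""Policy check over SSLScan-style cipher reports (added example).

Usage on either platform, reading the saved scanner output:
    sslscan host:443 > report.txt
    python check_sslscan.py report.txt
Exit status is non-zero when a policy violation is found.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample in the layout the scanner prints (not real scan data).
SAMPLE_REPORT = """\
Testing SSL server example.internal on port 443
  Supported Server Cipher(s):
    Rejected  SSLv2  168 bits  DES-CBC3-MD5
    Accepted  SSLv3  128 bits  RC4-MD5
    Rejected  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
    Rejected  TLSv1    0 bits  NULL-SHA
  Prefered Server Cipher(s):
    TLSv1  128 bits  RC4-SHA
"""

# Assumed policy: adjust to the organisation's own requirement.
POLICY = {
    "allowed_protocols": {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"},
    "min_bits": 128,
    # Substrings of OpenSSL cipher names that mark anonymous, export,
    # null, RC4, MD5-based and (3)DES suites.
    "forbidden_substrings": ("NULL", "EXP", "ADH", "RC4", "MD5", "DES"),
}

LINE_RE = re.compile(r"^\s*(Accepted|Rejected)\s+(\S+)\s+(\d+)\s+bits\s+(\S+)\s*$")
PREFERRED_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+bits\s+(\S+)\s*$")


@dataclass(frozen=True)
class Suite:
    protocol: str
    bits: int
    name: str


def parse_report(text):
    """Return (accepted suites, preferred suite or None) from scanner output."""
    accepted, preferred = [], None
    in_preferred = False
    for line in text.splitlines():
        # The scanner spells the header 'Prefered'; accept both spellings.
        if "Prefered Server Cipher" in line or "Preferred Server Cipher" in line:
            in_preferred = True
            continue
        m = LINE_RE.match(line)
        if m:
            in_preferred = False
            if m.group(1) == "Accepted":
                accepted.append(Suite(m.group(2), int(m.group(3)), m.group(4)))
            continue
        if in_preferred:
            p = PREFERRED_RE.match(line)
            if p:
                preferred = Suite(p.group(1), int(p.group(2)), p.group(3))
    return accepted, preferred


def evaluate(accepted, preferred, policy=POLICY):
    """Return a list of human-readable findings; empty means the policy passed."""
    findings = []
    for s in accepted:
        if s.protocol not in policy["allowed_protocols"]:
            findings.append(f"legacy protocol accepted: {s.protocol} {s.name}")
        if s.bits < policy["min_bits"]:
            findings.append(f"weak key length ({s.bits} bits): {s.protocol} {s.name}")
        for pat in policy["forbidden_substrings"]:
            if pat in s.name:
                findings.append(f"forbidden cipher family '{pat}': {s.protocol} {s.name}")
                break
    # The preferred suite matters most: it is what a default client will get.
    if preferred is not None and any(pat in preferred.name for pat in policy["forbidden_substrings"]):
        findings.append(f"preferred suite is forbidden: {preferred.protocol} {preferred.name}")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    found = evaluate(*parse_report(text))
    for f in found:
        print("FAIL:", f)
    print("PASS" if not found else f"{len(found)} violation(s)")
    sys.exit(1 if found else 0)
```

Run against the sample, the script flags the SSLv3 suite, both RC4 suites, the 3DES suite and the RC4 preferred suite; a server that only offers, say, TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 passes cleanly. Because the check works on the saved report rather than on the live connection, the same script runs unchanged on Unix and Windows, and the report can be archived as test evidence.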