Automated testing of SSL security / 2014-10-29

Koos van den Hout

2014-10-29 Automated testing of SSL security 8 years ago

As part of my job I write down security requirements in new projects. Those include 'connections between systems that transport non-public data need to be encrypted using up-to-date encryption'. At the same time, work is improving their testing procedures so new or upgraded applications come to production fully tested according to predefined testing scenarios. So now 'security' is also part of the test scenarios and I was asked to help build tests for our security requirements.

For secure websites it is easy, I use the Qualys SSL Labs SSL Server Test. But there are a lot more ssl secured connections in use, and I would like those verified too without having to expose them to the outside world. Preferably both from Unix and Windows endpoints. And automated and/or as a scenario that can be done by the responsible system administrators.

A simple websearch gave no answers but some asking around gave me SSLScan for Windows which is a windows port of SSLScan Fast SSL Scanner. It's even free, and it gives out just the reports I want:

D:\sslscan win>SSLScan.exe wwwsec.cs.uu.nl:443
                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                  Version 1.8.2-win
             http://www.titania.co.uk
        Copyright Ian Ventura-Whiting 2009
    Compiled against OpenSSL 0.9.8m 25 Feb 2010

Testing SSL server wwwsec.cs.uu.nl on port 443

  Supported Server Cipher(s):
    Rejected  SSLv2  168 bits  DES-CBC3-MD5
    Rejected  SSLv2   56 bits  DES-CBC-MD5
    Rejected  SSLv2  128 bits  IDEA-CBC-MD5
    Rejected  SSLv2   40 bits  EXP-RC2-CBC-MD5
    Rejected  SSLv2  128 bits  RC2-CBC-MD5
    Rejected  SSLv2   40 bits  EXP-RC4-MD5
    Rejected  SSLv2  128 bits  RC4-MD5
    Rejected  SSLv3  256 bits  ADH-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-DSS-AES256-SHA
    Rejected  SSLv3  256 bits  AES256-SHA
    Rejected  SSLv3  128 bits  ADH-AES128-SHA
    Rejected  SSLv3  128 bits  DHE-RSA-AES128-SHA
    Rejected  SSLv3  128 bits  DHE-DSS-AES128-SHA
    Rejected  SSLv3  128 bits  AES128-SHA
    Rejected  SSLv3  168 bits  ADH-DES-CBC3-SHA
    Rejected  SSLv3   56 bits  ADH-DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-ADH-DES-CBC-SHA
    Rejected  SSLv3  128 bits  ADH-RC4-MD5
    Rejected  SSLv3   40 bits  EXP-ADH-RC4-MD5
    Rejected  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  SSLv3   56 bits  EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  SSLv3   56 bits  EDH-DSS-DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-EDH-DSS-DES-CBC-SHA
    Rejected  SSLv3  168 bits  DES-CBC3-SHA
    Rejected  SSLv3   56 bits  DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-DES-CBC-SHA
    Rejected  SSLv3  128 bits  IDEA-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-RC2-CBC-MD5
    Rejected  SSLv3  128 bits  RC4-SHA
    Rejected  SSLv3  128 bits  RC4-MD5
    Rejected  SSLv3   40 bits  EXP-RC4-MD5
    Rejected  SSLv3    0 bits  NULL-SHA
    Rejected  SSLv3    0 bits  NULL-MD5
    Rejected  TLSv1  256 bits  ADH-AES256-SHA
    Rejected  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Rejected  TLSv1  256 bits  DHE-DSS-AES256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Rejected  TLSv1  128 bits  ADH-AES128-SHA
    Rejected  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Rejected  TLSv1  128 bits  DHE-DSS-AES128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Rejected  TLSv1  168 bits  ADH-DES-CBC3-SHA
    Rejected  TLSv1   56 bits  ADH-DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-ADH-DES-CBC-SHA
    Rejected  TLSv1  128 bits  ADH-RC4-MD5
    Rejected  TLSv1   40 bits  EXP-ADH-RC4-MD5
    Rejected  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  TLSv1   56 bits  EDH-RSA-DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-EDH-RSA-DES-CBC-SHA
    Rejected  TLSv1  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  TLSv1   56 bits  EDH-DSS-DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-EDH-DSS-DES-CBC-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Rejected  TLSv1   56 bits  DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-DES-CBC-SHA
    Rejected  TLSv1  128 bits  IDEA-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-RC2-CBC-MD5
    Accepted  TLSv1  128 bits  RC4-SHA
    Rejected  TLSv1  128 bits  RC4-MD5
    Rejected  TLSv1   40 bits  EXP-RC4-MD5
    Rejected  TLSv1    0 bits  NULL-SHA
    Rejected  TLSv1    0 bits  NULL-MD5

  Prefered Server Cipher(s):
    TLSv1  128 bits  RC4-SHA

  SSL Certificate:
    Version: 2
    Serial Number: -4294967295
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: /C=NL/O=TERENA/CN=TERENA SSL CA
    Not valid before: Mar 15 00:00:00 2012 GMT
    Not valid after: Mar 15 23:59:59 2015 GMT
    Subject: /C=NL/O=Universiteit Utrecht/CN=wwwsec.cs.uu.nl
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
      Modulus (2048 bit):
          00:da:af:31:f2:39:f5:66:d0:d5:96:5e:1d:1e:7a:
          86:ba:3f:79:79:98:da:30:79:32:39:99:47:88:ea:
          6c:2e:a0:2a:9b:29:0a:48:9e:0f:9e:9d:e1:9a:32:
          8d:a6:ab:7b:bb:73:62:0a:43:31:cd:78:02:14:09:
          23:b7:d1:28:4a:2e:b8:c0:c9:ea:7a:9b:5c:4b:ae:
          73:af:7b:82:4d:dd:e9:ec:8f:6e:13:c9:db:d4:d0:
          92:9f:d3:88:69:c2:d3:61:32:76:d6:12:d0:45:d7:
          c2:89:fb:cb:24:b0:5e:6b:11:89:5c:3b:3e:8b:02:
          9b:3a:62:ca:ac:47:d1:97:1d:02:bd:50:2b:50:e5:
          be:55:f5:54:5c:68:99:28:c6:ca:05:70:79:84:1a:
          24:6d:02:de:16:74:8b:05:ce:f0:9c:71:27:c0:99:
          22:66:2e:00:31:ca:b7:1c:9d:78:8e:6e:e0:8f:94:
          4d:42:a7:89:8f:8d:d4:3a:1d:91:e6:c8:59:a1:59:
          3b:b3:e7:54:21:3c:38:0b:d3:27:37:33:48:8f:f4:
          e0:ba:e7:33:17:9b:a2:b1:b4:f0:7a:35:b3:27:4c:
          81:ad:76:91:78:52:1a:18:bf:18:c9:93:84:aa:79:
          49:ec:43:fe:56:5b:cc:82:ad:44:c7:4b:79:8f:d1:
          6d:9d
      Exponent: 65537 (0x10001)
    X509v3 Extensions:
      X509v3 Authority Key Identifier:
        keyid:0C:BD:93:68:0C:F3:DE:AB:A3:49:6B:2B:37:57:47:EA:90:E3:B9:ED

      X509v3 Subject Key Identifier:
        99:E4:5C:2F:C5:E8:4F:D1:A5:91:AA:0B:28:18:F2:EF:2A:96:4B:49
      X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
      X509v3 Basic Constraints: critical
        CA:FALSE
      X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
      X509v3 Certificate Policies:
        Policy: 1.3.6.1.4.1.6449.1.2.2.29

      X509v3 CRL Distribution Points:
        URI:http://crl.tcs.terena.org/TERENASSLCA.crl

      Authority Information Access:
        CA Issuers - URI:http://crt.tcs.terena.org/TERENASSLCA.crt
        OCSP - URI:http://ocsp.tcs.terena.org

      X509v3 Subject Alternative Name:
        DNS:wwwsec.cs.uu.nl, DNS:wwws.cs.uu.nl
  Verify Certificate:
    self signed certificate in certificate chain

At this moment it complains about a self-signed certificate because I haven't given it a list of root certificates. I can't find out at the moment how to fix that, it doesn't seem to check the list of root certificates or not in a place I put them.

Tags: english, security

IPv6 check

Running test...

Automated testing of SSL security / 2014-10-29

Koos van den Hout

IPv6 check

Archive