Automated testing of SSL security / 2014-10-29

2014-10-29 Automated testing of SSL security
As part of my job I write down security requirements in new projects. Those include 'connections between systems that transport non-public data need to be encrypted using up-to-date encryption'. At the same time, work is improving their testing procedures so new or upgraded applications come to production fully tested according to predefined testing scenarios. So now 'security' is also part of the test scenarios and I was asked to help build tests for our security requirements.

For secure websites it is easy, I use the Qualys SSL Labs SSL Server Test. But there are a lot more ssl secured connections in use, and I would like those verified too without having to expose them to the outside world. Preferably both from Unix and Windows endpoints. And automated and/or as a scenario that can be done by the responsible system administrators.

A simple websearch gave no answers but some asking around gave me SSLScan for Windows which is a windows port of SSLScan Fast SSL Scanner. It's even free, and it gives out just the reports I want:
D:\sslscan win>SSLScan.exe
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                  Version 1.8.2-win
        Copyright Ian Ventura-Whiting 2009
    Compiled against OpenSSL 0.9.8m 25 Feb 2010

Testing SSL server on port 443

  Supported Server Cipher(s):
    Rejected  SSLv2  168 bits  DES-CBC3-MD5
    Rejected  SSLv2   56 bits  DES-CBC-MD5
    Rejected  SSLv2  128 bits  IDEA-CBC-MD5
    Rejected  SSLv2   40 bits  EXP-RC2-CBC-MD5
    Rejected  SSLv2  128 bits  RC2-CBC-MD5
    Rejected  SSLv2   40 bits  EXP-RC4-MD5
    Rejected  SSLv2  128 bits  RC4-MD5
    Rejected  SSLv3  256 bits  ADH-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-DSS-AES256-SHA
    Rejected  SSLv3  256 bits  AES256-SHA
    Rejected  SSLv3  128 bits  ADH-AES128-SHA
    Rejected  SSLv3  128 bits  DHE-RSA-AES128-SHA
    Rejected  SSLv3  128 bits  DHE-DSS-AES128-SHA
    Rejected  SSLv3  128 bits  AES128-SHA
    Rejected  SSLv3  168 bits  ADH-DES-CBC3-SHA
    Rejected  SSLv3   56 bits  ADH-DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-ADH-DES-CBC-SHA
    Rejected  SSLv3  128 bits  ADH-RC4-MD5
    Rejected  SSLv3   40 bits  EXP-ADH-RC4-MD5
    Rejected  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  SSLv3   56 bits  EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  SSLv3   56 bits  EDH-DSS-DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-EDH-DSS-DES-CBC-SHA
    Rejected  SSLv3  168 bits  DES-CBC3-SHA
    Rejected  SSLv3   56 bits  DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-DES-CBC-SHA
    Rejected  SSLv3  128 bits  IDEA-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-RC2-CBC-MD5
    Rejected  SSLv3  128 bits  RC4-SHA
    Rejected  SSLv3  128 bits  RC4-MD5
    Rejected  SSLv3   40 bits  EXP-RC4-MD5
    Rejected  SSLv3    0 bits  NULL-SHA
    Rejected  SSLv3    0 bits  NULL-MD5
    Rejected  TLSv1  256 bits  ADH-AES256-SHA
    Rejected  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Rejected  TLSv1  256 bits  DHE-DSS-AES256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Rejected  TLSv1  128 bits  ADH-AES128-SHA
    Rejected  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Rejected  TLSv1  128 bits  DHE-DSS-AES128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Rejected  TLSv1  168 bits  ADH-DES-CBC3-SHA
    Rejected  TLSv1   56 bits  ADH-DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-ADH-DES-CBC-SHA
    Rejected  TLSv1  128 bits  ADH-RC4-MD5
    Rejected  TLSv1   40 bits  EXP-ADH-RC4-MD5
    Rejected  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  TLSv1   56 bits  EDH-RSA-DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-EDH-RSA-DES-CBC-SHA
    Rejected  TLSv1  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  TLSv1   56 bits  EDH-DSS-DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-EDH-DSS-DES-CBC-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Rejected  TLSv1   56 bits  DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-DES-CBC-SHA
    Rejected  TLSv1  128 bits  IDEA-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-RC2-CBC-MD5
    Accepted  TLSv1  128 bits  RC4-SHA
    Rejected  TLSv1  128 bits  RC4-MD5
    Rejected  TLSv1   40 bits  EXP-RC4-MD5
    Rejected  TLSv1    0 bits  NULL-SHA
    Rejected  TLSv1    0 bits  NULL-MD5

  Prefered Server Cipher(s):
    TLSv1  128 bits  RC4-SHA

  SSL Certificate:
    Version: 2
    Serial Number: -4294967295
    Signature Algorithm: sha1WithRSAEncryption
    Not valid before: Mar 15 00:00:00 2012 GMT
    Not valid after: Mar 15 23:59:59 2015 GMT
    Subject: /C=NL/O=Universiteit Utrecht/
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
      Modulus (2048 bit):
      Exponent: 65537 (0x10001)
    X509v3 Extensions:
      X509v3 Authority Key Identifier:

      X509v3 Subject Key Identifier:
      X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
      X509v3 Basic Constraints: critical
      X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
      X509v3 Certificate Policies:

      X509v3 CRL Distribution Points:

      Authority Information Access:
        CA Issuers - URI:
        OCSP - URI:

      X509v3 Subject Alternative Name:,
  Verify Certificate:
    self signed certificate in certificate chain
At this moment it complains about a self-signed certificate because I haven't given it a list of root certificates. I can't find out at the moment how to fix that, it doesn't seem to check the list of root certificates or not in a place I put them.

Tags: ,

IPv6 check

Running test...
, reachable as PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers

Meningen zijn die van mezelf, wat ik schrijf is beschermd door auteursrecht. Sommige publicaties bevatten een expliciete vermelding dat ze ongevraagd gedeeld mogen worden.
My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews
This page generated by $Id: newsitem.cgi,v 1.58 2022/12/12 15:34:31 koos Exp $ in 0.010412 seconds.