Many of you have been there: you run a secure web site, or maybe a reverse proxy (say one doing HTTPS bridging, or terminating the HTTPS connections in front of a web server), a WAF, an SSL VPN server, etc.
Configuring SSL correctly can be a challenge.
Say you order a pen test, and one of the things to be “checked” is the “SSL settings”.
The pen testers may come back with a list of “SSL things” that need to be “fixed” on your web server (reverse proxy, WAF, etc.), say SSL 2.0 or weak ciphers.
Actually, you can scan your server yourself with one of the SSL server scanners out there; to mention some of them (free ones, as far as possible):
Online scanning:
- SSL Labs
https://www.ssllabs.com/
- serversniff.net
http://www.serversniff.net/content.php?do=ssl
http://serversniff.net/sslcert.php
http://webwiki.de/
- the tls report
http://tlsreport.layer8.net/reports/generate
- SSLScan
http://www.sslscan.com/scan.html
Tools:
- SSLScan
http://www.titania.co.uk/index.php?option=com_content&view=article&id=56&Itemid=68
http://sourceforge.net/projects/sslscan/
- sslciphercheck
http://www.woany.co.uk/sslciphercheck/
- SSLCipherCheck
http://www.pvv.ntnu.no/~josteitv/papers/ssl_vuln_code.tar.gz
- SSLDIGGER
http://www.foundstone.com/us/resources/proddesc/ssldigger.htm
- THCSSLCheck
http://freeworld.thc.org/root/tools/THCSSLCheck.zip
- GnuTLS, gnutls-cli-debug
http://www.gnu.org/software/gnutls/manual/html_node/Invoking-gnutls_002dcli_002ddebug.html
Advanced probing (you may use them to test HTTP on a secure web site too, as a sort of “SSL telnet client”):
- OpenSSL, openssl s_client
http://openssl.org/docs/apps/s_client.html
- GnuTLS, gnutls-cli
http://www.gnu.org/software/gnutls/manual/html_node/Invoking-gnutls_002dcli.html
The problems with SSL server scanning can be multiple:
- accuracy of the scanner (some scanners report that you have weak ciphers enabled, but they only probe for a few common weak cipher suites; they will not probe for NULL ciphers, anonymous key exchange, etc.).
- protocol and cipher suite support (a scanner built on OpenSSL inherits OpenSSL’s limitations (at the time of writing), and even one built on a combination of OpenSSL and GnuTLS (see http://www.gnu.org/software/gnutls/comparison.html) won’t be able to fully probe (certain) web servers running on Windows Server 2008 R2 (at the time of writing)).
- ease of use (it’s not only about how easily you can scan a web site; a scanner may have various installation requirements, say a certain OS, and with an online scanner you may run into privacy issues you want to avoid, or into availability issues if the server hosting the scanner goes down).
- ease of interpreting the scanner’s results (it would be useful to have the results presented in a “readable” way, with a nice layout, maybe something you can print and present “up there”, maybe a rating of the server; if problems are detected, an explanation of the results would be useful, as would a manual accompanying the scanner that explains SSL a little).
- damage, or should I say being “production ready” (this is somewhat relative: the scanner has to send multiple probes to the server, one handshake per protocol version and cipher suite it tests, and there is no way around that).
If you want a list of SSL/TLS cipher suites, please go to:
http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
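To make the “accuracy” point above concrete, here is a small cipher-suite audit helper, added as an example for this post; it is not code from the post or from any of the scanners listed. classify() flags the classes a scanner must not miss (NULL encryption, anonymous key exchange) plus EXPORT/RC4/single-DES/MD5 suites, and accepts both IANA names (as in the registry linked above) and OpenSSL names; audit() runs it over a list of suite names; probe() does one handshake per suite the local libssl offers against a host and port of your choosing; speak_http() is the “SSL telnet client” use, one pinned suite and one HEAD request. The sample report is constructed, the host/port arguments are yours, and @SECLEVEL=0 assumes OpenSSL 1.1.0 or later.

```python
"""Cipher-suite audit helper, added as an example for this post (not code from
the post or from any scanner listed there).  Assumptions: SAMPLE_REPORT is
constructed; host/port for probe()/speak_http() are yours; "@SECLEVEL=0"
needs OpenSSL >= 1.1.0.  Only suites the local libssl still builds can be
probed, which is the "OpenSSL limitation" noted above (no SSL 2.0 here)."""
import socket
import ssl


def _norm(name):
    # IANA "TLS_DH_anon_WITH_RC4_128_MD5" and OpenSSL "ADH-RC4-MD5" both become
    # upper-case with '_' separators, so one set of substring tests serves both.
    return name.strip().upper().replace("-", "_")


def classify(name):
    """Return the weak classes a suite belongs to; [] means nothing flagged."""
    n = _norm(name)
    flags = []
    if "NULL" in n:                                      # TLS_RSA_WITH_NULL_SHA, NULL-SHA
        flags.append("null-encryption")
    if "ANON" in n or n.startswith(("ADH_", "AECDH_")):  # TLS_DH_anon_..., ADH-, AECDH-
        flags.append("anonymous-kx")
    if "EXPORT" in n or n.startswith("EXP_"):            # TLS_RSA_EXPORT_..., EXP-RC4-MD5
        flags.append("export-grade")
    if "RC4" in n:
        flags.append("rc4")
    if "DES_CBC_" in n and "3DES" not in n:              # single DES; 3DES is DES_CBC3/3DES_EDE
        flags.append("single-des")
    if n.endswith("_MD5"):
        flags.append("md5-mac")
    return flags


def audit(suites):
    """Map each flagged suite name to its weak classes; clean suites are left out."""
    return {s: classify(s) for s in suites if classify(s)}


def _client_ctx(cipher_string, tls12_max=False):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE              # probing suites, not the chain
    if tls12_max:                                # set_ciphers() governs TLS <= 1.2 only
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:                                         # let legacy suites past the security level
        ctx.set_ciphers(cipher_string + ":@SECLEVEL=0")
    except ssl.SSLError:                         # libssl without @SECLEVEL support
        ctx.set_ciphers(cipher_string)
    return ctx


def probe(host, port=443, timeout=5.0):
    """One TLS handshake per suite, including the eNULL/aNULL ones the default
    cipher list hides.  Returns {openssl_name: accepted_bool}."""
    results = {}
    for entry in _client_ctx("ALL:COMPLEMENTOFALL", True).get_ciphers():
        name = entry["name"]
        if entry["protocol"] == "TLSv1.3":        # not selectable via set_ciphers()
            continue
        try:
            ctx = _client_ctx(name, True)         # offer exactly one suite
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.cipher()[0] == name
        except (ssl.SSLError, OSError):           # handshake_failure, reset, timeout
            results[name] = False
    return results


def speak_http(host, port=443, cipher="DEFAULT", timeout=5.0):
    """Open TLS pinned to `cipher`; return (negotiated suite, HTTP status line)."""
    ctx = _client_ctx(cipher, cipher != "DEFAULT")
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            status = tls.recv(4096).split(b"\r\n", 1)[0].decode(errors="replace")
            return tls.cipher()[0], status


SAMPLE_REPORT = [   # constructed: what a scanner might list as "supported"
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_NULL_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "ADH-AES256-SHA",
    "NULL-MD5",
    "DES-CBC-SHA",
]

if __name__ == "__main__":
    import sys
    for suite, flags in audit(SAMPLE_REPORT).items():
        print(f"{suite:42} {', '.join(flags)}")
    if len(sys.argv) > 1:                         # python tlsaudit.py host [port]
        host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443
        accepted = [s for s, ok in probe(host, port).items() if ok]
        print(f"\n{host}:{port} accepted {len(accepted)} suites; flagged:")
        for suite, flags in audit(accepted).items():
            print(f"  {suite:42} {', '.join(flags)}")
```

Run it with no arguments to audit the constructed sample; pass a host (and optionally a port) to probe a server of your own. Note the two limits that mirror the list above: the probe only reaches suites and protocol versions your local libssl still builds (no SSL 2.0, and TLS 1.3 suites cannot be pinned through set_ciphers()), and it is one full handshake per suite, so it is not a “gentle” tool against a production box.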
As can be seen from the above, I’ve listed a few free tools that can be useful for scanning SSL on your web server, reverse proxy, etc.
We will dissect them a little in the future (so don’t jump on me saying I’m drawing conclusions without presenting facts; if you can’t wait till then, just analyze the server(s) at tls.woodgrovebank.com with any of the scanners above and you will see what I’m talking about), and take a look at how we can use openssl s_client or gnutls-cli as “SSL telnet clients”. But for the moment I want to say more about SSL Labs.
SSL Labs is not just an SSL scanner, it’s more of an “SSL project” incorporating various sub-projects (actually all of them are still in the works): an SSL server scanner, a Public SSL Server Database, an SSL Server Rating Guide that talks about SSL/TLS and explains what to scan for, how a server is rated, etc., and an SSL Threat Model.
https://www.ssllabs.com/projects/index.html
The SSL server scanner has the widest SSL/TLS protocol support of the scanners listed above (SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2) and the widest cipher suite support (including TLS_NULL_WITH_NULL_NULL (OK, this is not quite a cipher suite) and ECC cipher suites like TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384); it analyzes the server’s certificate (public key, validation method, revocation capabilities (CRL, OCSP), signature algorithm, issuer, etc.), it rates the server, you can read the SSL Server Rating Guide as the scanner’s manual, and it may provide explanations of certain results:
http://blog.ivanristic.com/2009/09/ssl-labs-improved-ec-and-tls-12-detection.html
As can be seen, Ivan Ristic discusses the SSL Labs project on his blog, so there is a blog accompanying the project.
The SSL server scanner is the most up-to-date SSL server scanner of those listed above, being able to assess a web server running on Windows Server 2008 R2 using ECC and TLS 1.2.
So if you want to “SSL scan” your secure web site, I would say you should start first with SSL Labs.
For the moment there may be some privacy caveats: because of the Public SSL Server Database, and Google being “too sharp” and quick to index it, someone good with Google search can extract certain things from it. Also, don’t expect the scanner to fully complete the SSL/TLS negotiation for every cipher suite it lists as supported by the server.
There are some things you may want the scanner to present that it currently does not, like the cipher suites per protocol, the preferred cipher suite per protocol, etc., or a custom server port. It is quite likely that these or other features will be added in the future, or that a commercial side will be added to the project.