Wikipedia defines SSL or the Secure Sockets Layer as the following – “Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet. TLS and SSL encrypt the segments of network connections above the Transport Layer, using asymmetric cryptography for privacy and a keyed message authentication code for message reliability. TLS is an IETF standards track protocol, last updated in RFC 5246 and is based on the earlier SSL specifications developed by Netscape Corporation.”
In simpler words, it means that SSL creates a secure connection between two endpoints, over which any amount of data can be securely sent. It is mostly used with web applications that need trust to be established between the client and the server – mostly applications that handle financial data. So you see it is of utmost importance to see that your or your customers SSL implementation is safe to use and does not leak any information. This is a list of tools we compiled that will help you do just that. We will try to restrict them only to open source and free tools:
- SSLScan: Possibly the oldest SSL scanning tool. SSLScan queries SSL services, such as HTTPS, in order to determine the ciphers that are supported. SSLScan is designed to be easy, lean and fast. The output includes prefered ciphers of the SSL service, the certificate and is in Text and XML formats.
Download SSLScan v1.8.4 (sslscan-1.8.4.tgz) here. - TLSSLed: It is based on SSLcan. TLSSLed is a Linux shell script whose purpose is to evaluate the security of a target SSL/TLS (HTTPS) web server implementation. It is based on sslscan, a thorough SSL/TLS scanner that is based on the openssl library, and on the “openssl s_client” command line tool. The current tests include checking if the target supports the SSLv2 protocol, the NULL cipher, weak ciphers based on their key length (40 or 56 bits), the availability of strong ciphers (like AES), if the digital certificate is MD5 signed, and the current SSL/TLS renegotiation capabilities.
Download TLSSLed v1.1 (TLSSLed_v1.1.sh) here. - Comodo SSL Analyzer: The SSL Analyzer highlights insecure elements that need immediate remediation in red. Green represents an adequate level of security and an amber color means there is a potential issue that should be evaluated by the web server administrator. The Comodo SSL Analyzer provides consumers and web site owners with essential knowledge regarding the security level of any e-Business. We have covered this tool here.
Visit COMODO SSL Analyzer v0.9.13 (BETA) here. - CryptoNark: CryptoNark scans your site and reports back all ciphers that an ssl client can successfully negotiate. CryptoNark does not check the validity of the certificate used to encrypt a web site–this is because it’s primary purpose from an SSL perspective is to check to see what ciphers are enabled. We have covered this tool here.
Download CryptoNark v0.4.5 (cnark-v0.4.5.tar.gz) here. - SSLTest: SSLTest is a command line tool used to test SSL based servers to determine the SSL ciphers and protocols they support. These types of tests are commonly performed during penetration tests and compliance reviews (DSD ISM, PCI-DSS) that include a SSL server in scope. It is a Perl program, that works on Linux, Windows and Mac OS X, and is originally based on Cryptonark by Chris Mahns. It uses OpenSSL to make SSL connections, and test for supported ciphers and protocols. We covered this tool here.
Download SSLTest v0.4 (ssltest.pl) here. - SSLCertScanner: SSLCertScanner is the FREE SSL certificate scanner tool which can remotely scan, retrieve and validate the SSL certificate from any host either on the intranet or internet. It is completely portable tool which also comes with Installer to support local installation & uninstallation. It works on wide range of platforms starting from Windows XP to latest operating system Windows 7. We covered this tool here.
Download SSLCertScanner v2.5 (sslcertscanner.zip) here. - Qualys SSL Server Test: Qualys SSL Server Test is an online service that enables you to inspect the configuration of any public SSL web server. This free online service performs a deep analysis of the configuration of any SSL web server on the public Internet. We wrote (very brief) about this tool here.
Visit Qualys SSL Server Test v1.0.59 here. - SSL Audit: SSL Audit scans web servers for SSL support, unlike other tools it is not limited to ciphers supported by SSL engines such as OpenSSL or NSS but can detect all known cipher suites. It features an innovative Fingerprinting engine that was never seen before. We wrote about this tool here. Download SSL Audit Alpha here.
- SSLyzeUPDATE: SSLyze is a stand-alone python application that looks for classic SSL misconfigurations, while providing the advanced user with the opportunity to customize the application via a simple plugin interface. It is a cross-platform tool to analyze the configuration of SSL servers. Supports cipher suites scanning, insecure renegotiation verification, session resumption testing, client certificates, and more. We wrote about this tool here. Download SSLyze v0.3 here.
- SSLSmartUPDATE: SSLSmart is a highly flexible and interactive tool aimed at improving efficiency and reducing false positives during SSL testing. A number of tools allow users to test for supported SSL ciphers suites, but most only provide testers with a fixed set of cipher suites. Further testing is performed by initiating an SSL socket connection with one cipher suite at a time, an inefficient approach that leads to false positives and often does not provide a clear picture of the true vulnerability of the server. SSLSmart is designed to combat these shortcomings. We wrote about this tool here. Download SSLSmart v1.0 here.
- CiphersurferUPDATE: ciphersurfer is a tool written for the early stages of a penetration test activities. While gathering information about an host, it’s important to evaluate how strong is the cryptography applied to the HTTP traffic. This is the ciphersurfer goal. The tool tries for every SSL protocols it supports to connect to the host with all ciphers saving the ones the server supports. This information used with certificate key length and the list of supported protocols by the server it’s used to evaluate how strong is the target HTTPS configuration. This gives the penetration test an information about how secure is the communication between clients and the target machine. Download ciphersurfer here.
So, there it is! This is a list of SSL scanners that we are aware of. Incase you know anymore, please let us know! We will be more than glad to add it this list! Where do you go after using these tools? Harden your SSL stack!
Searches leading to this post:
nmap can support scan tls/ssl renegotiation vulnerability, sslsmart renegotiation
{ 0 comments… add one now }