Testing Your SSL Configuration with sslyze

Here’s a handy tool to double-check the SSL configuration of your web server. You’ve got the host stood up and an SSL certificate deployed, but you’re not quite sure which SSL options the server is actually offering. Enter sslyze, a cross-platform utility written in Python. Simply download the code from http://code.google.com/p/sslyze/, extract the archive, and run it from the command line.

I set up a generic web server running a self-signed certificate to test it out. Oddly enough, the cert is listed as not trusted. I found that running it without root permissions resulted in a lot of permissions errors and it didn’t execute. Once I added sudo to the mix, it worked very well and very fast.

sudo python sslyze.py --regular 192.168.1.99:443
Password:

REGISTERING AVAILABLE PLUGINS
-----------------------------
PluginCertInfo - OK
PluginOpenSSLCipherSuites - OK
PluginSessionRenegotiation - OK
PluginSessionResumption - OK

CHECKING HOST(S) AVAILABILITY
-----------------------------
192.168.1.99:443                    => 192.168.1.99:443

SCAN RESULTS FOR 192.168.1.99:443 - 192.168.1.99:443
----------------------------------------------------
* Session Renegotiation :
      Client-initiated Renegotiations:    Rejected
      Secure Renegotiation:               Supported

* Session Resumption :
      Using SSLv3 Session IDs:       Supported
      Using TLSv1 Session Tickets:   Supported
      Using TLSv1 Session IDs:       Supported

* SSLV2 Cipher Suites :
      Cipher Suite:                             SSL Handshake:           HTTP GET:
      DES-CBC3-MD5  168bits                        Preferred               200 OK
      RC4-MD5  128bits                             Accepted                200 OK
      RC2-CBC-MD5  128bits                         Accepted                200 OK
      EXP-RC4-MD5  40bits                          Accepted                200 OK
      EXP-RC2-CBC-MD5  40bits                      Accepted                200 OK
      DES-CBC-MD5  56bits                          Accepted                200 OK

* SSLV3 Cipher Suites :
      Cipher Suite:                             SSL Handshake:           HTTP GET:
      DHE-RSA-AES256-SHA  256bits                  Preferred               200 OK
      RC4-SHA  128bits                             Accepted                200 OK
      RC4-MD5  128bits                             Accepted                200 OK
      EXP-RC4-MD5  40bits                          Accepted                200 OK
      EXP-RC2-CBC-MD5  40bits                      Accepted                200 OK
      EXP-EDH-RSA-DES-CBC-SHA  40bits              Accepted                200 OK
      EXP-DES-CBC-SHA  40bits                      Accepted                200 OK
      EDH-RSA-DES-CBC3-SHA  168bits                Accepted                200 OK
      EDH-RSA-DES-CBC-SHA  56bits                  Accepted                200 OK
      DHE-RSA-AES128-SHA  128bits                  Accepted                200 OK
      DES-CBC3-SHA  168bits                        Accepted                200 OK
      DES-CBC-SHA  56bits                          Accepted                200 OK
      AES256-SHA  256bits                          Accepted                200 OK
      AES128-SHA  128bits                          Accepted                200 OK
      SEED-SHA                               Rejected - SSL Alert           N/A
      NULL-SHA                               Rejected - SSL Alert           N/A
      NULL-MD5                               Rejected - SSL Alert           N/A
      EXP-EDH-DSS-DES-CBC-SHA                Rejected - SSL Alert           N/A
      EXP-ADH-RC4-MD5                        Rejected - SSL Alert           N/A
      EXP-ADH-DES-CBC-SHA                    Rejected - SSL Alert           N/A
      EDH-DSS-DES-CBC3-SHA                   Rejected - SSL Alert           N/A
      EDH-DSS-DES-CBC-SHA                    Rejected - SSL Alert           N/A
      DHE-RSA-SEED-SHA                       Rejected - SSL Alert           N/A
      DHE-DSS-SEED-SHA                       Rejected - SSL Alert           N/A
      DHE-DSS-AES256-SHA                     Rejected - SSL Alert           N/A
      DHE-DSS-AES128-SHA                     Rejected - SSL Alert           N/A
      ADH-SEED-SHA                           Rejected - SSL Alert           N/A
      ADH-RC4-MD5                            Rejected - SSL Alert           N/A
      ADH-DES-CBC3-SHA                       Rejected - SSL Alert           N/A
      ADH-DES-CBC-SHA                        Rejected - SSL Alert           N/A
      ADH-AES256-SHA                         Rejected - SSL Alert           N/A
      ADH-AES128-SHA                         Rejected - SSL Alert           N/A

* TLSV1 Cipher Suites :
      Cipher Suite:                             SSL Handshake:           HTTP GET:
      DHE-RSA-AES256-SHA  256bits                  Preferred               200 OK
      RC4-SHA  128bits                             Accepted                200 OK
      RC4-MD5  128bits                             Accepted                200 OK
      EXP-RC4-MD5  40bits                          Accepted                200 OK
      EXP-RC2-CBC-MD5  40bits                      Accepted                200 OK
      EXP-EDH-RSA-DES-CBC-SHA  40bits              Accepted                200 OK
      EXP-DES-CBC-SHA  40bits                      Accepted                200 OK
      EDH-RSA-DES-CBC3-SHA  168bits                Accepted                200 OK
      EDH-RSA-DES-CBC-SHA  56bits                  Accepted                200 OK
      DHE-RSA-AES128-SHA  128bits                  Accepted                200 OK
      DES-CBC3-SHA  168bits                        Accepted                200 OK
      DES-CBC-SHA  56bits                          Accepted                200 OK
      AES256-SHA  256bits                          Accepted                200 OK
      AES128-SHA  128bits                          Accepted                200 OK
      SEED-SHA                               Rejected - SSL Alert           N/A
      NULL-SHA                               Rejected - SSL Alert           N/A
      NULL-MD5                               Rejected - SSL Alert           N/A
      EXP-EDH-DSS-DES-CBC-SHA                Rejected - SSL Alert           N/A
      EXP-ADH-RC4-MD5                        Rejected - SSL Alert           N/A
      EXP-ADH-DES-CBC-SHA                    Rejected - SSL Alert           N/A
      EDH-DSS-DES-CBC3-SHA                   Rejected - SSL Alert           N/A
      EDH-DSS-DES-CBC-SHA                    Rejected - SSL Alert           N/A
      DHE-RSA-SEED-SHA                       Rejected - SSL Alert           N/A
      DHE-DSS-SEED-SHA                       Rejected - SSL Alert           N/A
      DHE-DSS-AES256-SHA                     Rejected - SSL Alert           N/A
      DHE-DSS-AES128-SHA                     Rejected - SSL Alert           N/A
      ADH-SEED-SHA                           Rejected - SSL Alert           N/A
      ADH-RC4-MD5                            Rejected - SSL Alert           N/A
      ADH-DES-CBC3-SHA                       Rejected - SSL Alert           N/A
      ADH-DES-CBC-SHA                        Rejected - SSL Alert           N/A
      ADH-AES256-SHA                         Rejected - SSL Alert           N/A
      ADH-AES128-SHA                         Rejected - SSL Alert           N/A

* Certificate :
    Validation w/ Mozilla's CA Store:  Certificate is NOT Trusted

    Subject CN:                        testweb
    Issuer:                            /C=US/ST=Utah/L=Layton/O=Foo/OU=Bar/CN=ssl.testdomain.com
    Serial Number:                     BED13023A4F44702
    Not before:                        Nov 30 04:17:55 2011 GMT
    Not after:                         Nov 29 04:17:55 2012 GMT
    Keysize:                           1024 bits
    Signature Algorithm:               sha1WithRSAEncryption
    Version:                           1 (0x0)
    SHA1 Fingerprint:                  AD1F472A0C43A77FBBA861476C0E740A5FA3516A
    Number of Extensions:              0

SCAN COMPLETED IN 0.71 S
------------------------
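
To turn a report like the one above into a pass/fail configuration check, here is an added example (not part of the original post and not sslyze code) that parses the text layout shown and flags what a hardening review would question: SSLv2 being enabled, export or short-key suites, RC4/MD5 suites, and a small or SHA-1-signed certificate. The `audit` function and the thresholds (symmetric keys under 112 bits, RSA keys under 2048 bits) are assumptions of this example.

```python
import re

# Constructed excerpt in the same layout as the sslyze --regular output above.
SAMPLE = """\
* SSLV2 Cipher Suites :
      Cipher Suite:             SSL Handshake:          HTTP GET:
      DES-CBC3-MD5  168bits     Preferred               200 OK
      EXP-RC4-MD5  40bits       Accepted                200 OK

* TLSV1 Cipher Suites :
      DHE-RSA-AES256-SHA  256bits   Preferred           200 OK
      RC4-SHA  128bits          Accepted                200 OK
      DES-CBC-SHA  56bits       Accepted                200 OK
      NULL-SHA                  Rejected - SSL Alert    N/A

* Certificate :
    Keysize:                    1024 bits
    Signature Algorithm:        sha1WithRSAEncryption
"""

SECTION = re.compile(r"^\* (SSLV2|SSLV3|TLSV1) Cipher Suites :")
SUITE = re.compile(r"^\s+(\S+)\s+(\d+)bits\s+(Preferred|Accepted)\b")
KEYSIZE = re.compile(r"^\s*Keysize:\s+(\d+) bits")

def audit(report):
    """Return sorted (scope, item, reason) findings from sslyze text output."""
    findings, proto = set(), None
    for line in report.splitlines():
        if line.startswith("* "):          # new report section
            m = SECTION.match(line)
            proto = m.group(1) if m else None
            continue
        m = SUITE.match(line)              # only suites the server accepted
        if m and proto:
            name, bits = m.group(1), int(m.group(2))
            if proto == "SSLV2":
                findings.add((proto, "protocol", "SSLv2 is enabled"))
            if name.startswith("EXP-") or bits < 112:
                findings.add((proto, name, "weak key length: %d bits" % bits))
            if "RC4" in name or name.endswith("-MD5"):
                findings.add((proto, name, "RC4 or MD5-based suite"))
        m = KEYSIZE.match(line)
        if m and int(m.group(1)) < 2048:
            findings.add(("cert", "Keysize", "RSA key %s bits" % m.group(1)))
        if "Signature Algorithm" in line and "sha1" in line.lower():
            findings.add(("cert", "Signature Algorithm", "SHA-1 signature"))
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join("%-6s %-20s %s" % f for f in audit(SAMPLE)))
```

Piping the real scan output into `audit` gives a list that can gate a deployment or be diffed between scans after the server's cipher configuration is tightened.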


Follow me on Twitter: @Jason_Wood

Paul Asadoorian

Paul Asadoorian is currently the Principal Security Evangelist for Eclypsium, focused on firmware and supply chain security awareness. Paul’s passion for firmware security extends back many years to the WRT54G hacking days and reverse engineering firmware on IoT devices for fun. Paul and his long-time podcast co-host Larry Pesce co-authored the book “WRT54G Ultimate Hacking” in 2007, which fueled the firmware hacking fire even more. Paul has worked in technology and information security for over 20 years, holding various security and engineering roles in a lottery company, university, ISP, independent penetration tester, and security product companies such as Tenable. In 2005 Paul founded Security Weekly, a weekly podcast dedicated to hacking and information security. In 2020 Security Weekly was acquired by the Cyberrisk Alliance. Paul is still the host of one of the longest-running security podcasts, Paul’s Security Weekly, and he enjoys coding in Python and telling everyone he uses Linux.
