Here's a handy tool to double-check the SSL configuration of your web server. You've got the host stood up and an SSL certificate deployed, but you're not quite sure which protocol versions and cipher suites the server is actually offering. Enter sslyze, a cross-platform utility written in Python. Simply download the code from http://code.google.com/p/sslyze/, extract the archive and run it from the command line.
I set up a generic web server running a self-signed certificate to test it out. Oddly enough, the cert is listed as not trusted. I found that running it without root permissions resulted in a lot of permission errors and it didn't execute. Once I added sudo to the mix, it worked very well and very fast.
sudo python sslyze.py --regular 192.168.1.99:443
Password:

REGISTERING AVAILABLE PLUGINS
-----------------------------
  PluginCertInfo - OK
  PluginOpenSSLCipherSuites - OK
  PluginSessionRenegotiation - OK
  PluginSessionResumption - OK

CHECKING HOST(S) AVAILABILITY
-----------------------------
  192.168.1.99:443                      => 192.168.1.99:443

SCAN RESULTS FOR 192.168.1.99:443 - 192.168.1.99:443
----------------------------------------------------

* Session Renegotiation :
    Client-initiated Renegotiations:   Rejected
    Secure Renegotiation:              Supported

* Session Resumption :
    Using SSLv3 Session IDs:           Supported
    Using TLSv1 Session Tickets:       Supported
    Using TLSv1 Session IDs:           Supported

* SSLV2 Cipher Suites :
    Cipher Suite:                     SSL Handshake:         HTTP GET:
    DES-CBC3-MD5  168bits             Preferred              200 OK
    RC4-MD5  128bits                  Accepted               200 OK
    RC2-CBC-MD5  128bits              Accepted               200 OK
    EXP-RC4-MD5  40bits               Accepted               200 OK
    EXP-RC2-CBC-MD5  40bits           Accepted               200 OK
    DES-CBC-MD5  56bits               Accepted               200 OK

* SSLV3 Cipher Suites :
    Cipher Suite:                     SSL Handshake:         HTTP GET:
    DHE-RSA-AES256-SHA  256bits       Preferred              200 OK
    RC4-SHA  128bits                  Accepted               200 OK
    RC4-MD5  128bits                  Accepted               200 OK
    EXP-RC4-MD5  40bits               Accepted               200 OK
    EXP-RC2-CBC-MD5  40bits           Accepted               200 OK
    EXP-EDH-RSA-DES-CBC-SHA  40bits   Accepted               200 OK
    EXP-DES-CBC-SHA  40bits           Accepted               200 OK
    EDH-RSA-DES-CBC3-SHA  168bits     Accepted               200 OK
    EDH-RSA-DES-CBC-SHA  56bits       Accepted               200 OK
    DHE-RSA-AES128-SHA  128bits       Accepted               200 OK
    DES-CBC3-SHA  168bits             Accepted               200 OK
    DES-CBC-SHA  56bits               Accepted               200 OK
    AES256-SHA  256bits               Accepted               200 OK
    AES128-SHA  128bits               Accepted               200 OK
    SEED-SHA                          Rejected - SSL Alert   N/A
    NULL-SHA                          Rejected - SSL Alert   N/A
    NULL-MD5                          Rejected - SSL Alert   N/A
    EXP-EDH-DSS-DES-CBC-SHA           Rejected - SSL Alert   N/A
    EXP-ADH-RC4-MD5                   Rejected - SSL Alert   N/A
    EXP-ADH-DES-CBC-SHA               Rejected - SSL Alert   N/A
    EDH-DSS-DES-CBC3-SHA              Rejected - SSL Alert   N/A
    EDH-DSS-DES-CBC-SHA               Rejected - SSL Alert   N/A
    DHE-RSA-SEED-SHA                  Rejected - SSL Alert   N/A
    DHE-DSS-SEED-SHA                  Rejected - SSL Alert   N/A
    DHE-DSS-AES256-SHA                Rejected - SSL Alert   N/A
    DHE-DSS-AES128-SHA                Rejected - SSL Alert   N/A
    ADH-SEED-SHA                      Rejected - SSL Alert   N/A
    ADH-RC4-MD5                       Rejected - SSL Alert   N/A
    ADH-DES-CBC3-SHA                  Rejected - SSL Alert   N/A
    ADH-DES-CBC-SHA                   Rejected - SSL Alert   N/A
    ADH-AES256-SHA                    Rejected - SSL Alert   N/A
    ADH-AES128-SHA                    Rejected - SSL Alert   N/A

* TLSV1 Cipher Suites :
    Cipher Suite:                     SSL Handshake:         HTTP GET:
    DHE-RSA-AES256-SHA  256bits       Preferred              200 OK
    RC4-SHA  128bits                  Accepted               200 OK
    RC4-MD5  128bits                  Accepted               200 OK
    EXP-RC4-MD5  40bits               Accepted               200 OK
    EXP-RC2-CBC-MD5  40bits           Accepted               200 OK
    EXP-EDH-RSA-DES-CBC-SHA  40bits   Accepted               200 OK
    EXP-DES-CBC-SHA  40bits           Accepted               200 OK
    EDH-RSA-DES-CBC3-SHA  168bits     Accepted               200 OK
    EDH-RSA-DES-CBC-SHA  56bits       Accepted               200 OK
    DHE-RSA-AES128-SHA  128bits       Accepted               200 OK
    DES-CBC3-SHA  168bits             Accepted               200 OK
    DES-CBC-SHA  56bits               Accepted               200 OK
    AES256-SHA  256bits               Accepted               200 OK
    AES128-SHA  128bits               Accepted               200 OK
    SEED-SHA                          Rejected - SSL Alert   N/A
    NULL-SHA                          Rejected - SSL Alert   N/A
    NULL-MD5                          Rejected - SSL Alert   N/A
    EXP-EDH-DSS-DES-CBC-SHA           Rejected - SSL Alert   N/A
    EXP-ADH-RC4-MD5                   Rejected - SSL Alert   N/A
    EXP-ADH-DES-CBC-SHA               Rejected - SSL Alert   N/A
    EDH-DSS-DES-CBC3-SHA              Rejected - SSL Alert   N/A
    EDH-DSS-DES-CBC-SHA               Rejected - SSL Alert   N/A
    DHE-RSA-SEED-SHA                  Rejected - SSL Alert   N/A
    DHE-DSS-SEED-SHA                  Rejected - SSL Alert   N/A
    DHE-DSS-AES256-SHA                Rejected - SSL Alert   N/A
    DHE-DSS-AES128-SHA                Rejected - SSL Alert   N/A
    ADH-SEED-SHA                      Rejected - SSL Alert   N/A
    ADH-RC4-MD5                       Rejected - SSL Alert   N/A
    ADH-DES-CBC3-SHA                  Rejected - SSL Alert   N/A
    ADH-DES-CBC-SHA                   Rejected - SSL Alert   N/A
    ADH-AES256-SHA                    Rejected - SSL Alert   N/A
    ADH-AES128-SHA                    Rejected - SSL Alert   N/A

* Certificate :
    Validation w/ Mozilla's CA Store:  Certificate is NOT Trusted

    Subject CN:                        testweb
    Issuer:                            /C=US/ST=Utah/L=Layton/O=Foo/OU=Bar/CN=ssl.testdomain.com
    Serial Number:                     BED13023A4F44702
    Not before:                        Nov 30 04:17:55 2011 GMT
    Not after:                         Nov 29 04:17:55 2012 GMT
    Keysize:                           1024 bits
    Signature Algorithm:               sha1WithRSAEncryption
    Version:                           1 (0x0)
    SHA1 Fingerprint:                  AD1F472A0C43A77FBBA861476C0E740A5FA3516A
    Number of Extensions:              0

SCAN COMPLETED IN 0.71 S
------------------------
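Reading a hundred lines of cipher suites by eye gets old quickly, so here is an added example (mine, not code from the original post or from the sslyze project) that parses the --regular report format shown above and flags the findings worth acting on: SSLv2 enabled, export and sub-128-bit suites, RC4, MD5, NULL or anonymous-DH suites on SSLv3/TLS, a server without secure renegotiation, an RSA key under 2048 bits, an MD5 or SHA-1 certificate signature, and a v1 certificate. SAMPLE_REPORT is a constructed excerpt of the scan output above, and the thresholds and severities are my assumptions, not anything sslyze itself defines.

```python
"""Triage the report sslyze --regular prints for weak TLS settings.  Added example,
not code from the original post or the sslyze project; thresholds are the editor's."""
import re
from collections import defaultdict

# Constructed excerpt of the sslyze 0.x --regular output shown on the page.
SAMPLE_REPORT = """\
* Session Renegotiation :
    Secure Renegotiation:              Supported
* SSLV2 Cipher Suites :
    Cipher Suite:               SSL Handshake:        HTTP GET:
    DES-CBC3-MD5  168bits       Preferred             200 OK
    EXP-RC4-MD5  40bits         Accepted              200 OK
* SSLV3 Cipher Suites :
    Cipher Suite:               SSL Handshake:        HTTP GET:
    DHE-RSA-AES256-SHA  256bits Preferred             200 OK
    RC4-MD5  128bits            Accepted              200 OK
    DES-CBC-SHA  56bits         Accepted              200 OK
    NULL-MD5                    Rejected - SSL Alert  N/A
* TLSV1 Cipher Suites :
    Cipher Suite:               SSL Handshake:        HTTP GET:
    DHE-RSA-AES256-SHA  256bits Preferred             200 OK
    AES128-SHA  128bits         Accepted              200 OK
* Certificate :
    Validation w/ Mozilla's CA Store:  Certificate is NOT Trusted
    Keysize:              1024 bits
    Signature Algorithm:  sha1WithRSAEncryption
    Version:              1 (0x0)
"""

SECTION_RE = re.compile(r"^\*\s+(.+?)\s*:\s*$")   # "* SSLV3 Cipher Suites :"
CIPHER_RE = re.compile(r"^\s*([A-Z0-9-]+)\s+(\d+)bits\s+(Preferred|Accepted)\b")
FIELD_RE = re.compile(r"^\s*([^:]+?):\s+(.+?)\s*$")  # "Keysize:   1024 bits"


def parse_report(text):
    """Return (ciphers, cert, other): accepted (suite, bits) per protocol, cert fields, other sections."""
    ciphers, cert, other = defaultdict(list), {}, defaultdict(dict)
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None:
            continue
        if section.endswith("Cipher Suites"):
            m = CIPHER_RE.match(line)   # "Rejected" rows carry no bit count and are skipped
            if m:
                ciphers[section.split()[0]].append((m.group(1), int(m.group(2))))
        else:
            m = FIELD_RE.match(line)    # "Label:   value" rows of the non-cipher sections
            if m:
                (cert if section == "Certificate" else other[section])[m.group(1)] = m.group(2)
    return ciphers, cert, other


def weak_cipher_reason(suite, bits):
    """Why an accepted suite is unacceptable, or None if it passes (editor's thresholds)."""
    if suite.startswith("EXP-"):
        return "export-grade"
    if bits < 128:
        return "%d-bit key" % bits
    if "NULL" in suite:
        return "no encryption"
    if suite.startswith(("ADH-", "AECDH-")):
        return "anonymous DH, no server authentication"
    if "RC4" in suite:
        return "RC4"
    if suite.endswith("-MD5"):
        return "MD5 MAC"
    return None


def triage(text):
    """Return (severity, message) findings for an sslyze --regular report."""
    ciphers, cert, other = parse_report(text)
    findings = []
    if ciphers.get("SSLV2"):   # any SSLv2 handshake at all is the finding; its suites are all broken
        findings.append(("high", "SSLv2 enabled (%d suites accepted)" % len(ciphers["SSLV2"])))
    for proto in ("SSLV3", "TLSV1"):
        for suite, bits in ciphers.get(proto, []):
            reason = weak_cipher_reason(suite, bits)
            if reason:
                findings.append(("high", "%s accepts %s (%s)" % (proto, suite, reason)))
    if other.get("Session Renegotiation", {}).get("Secure Renegotiation") not in (None, "Supported"):
        findings.append(("high", "secure renegotiation (RFC 5746) not supported"))
    m = re.match(r"(\d+)", cert.get("Keysize", ""))
    if m and int(m.group(1)) < 2048:
        findings.append(("medium", "RSA key is %s bits, below 2048" % m.group(1)))
    sig = cert.get("Signature Algorithm", "")
    if "md5" in sig.lower() or "sha1" in sig.lower():
        findings.append(("medium", "certificate signed with %s" % sig))
    if cert.get("Version", "").startswith("1"):
        findings.append(("low", "X.509 v1 certificate (no extensions, so no SAN)"))
    if "NOT Trusted" in cert.get("Validation w/ Mozilla's CA Store", ""):
        findings.append(("info", "certificate does not chain to a Mozilla-trusted CA"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_REPORT):
        print("[%-6s] %s" % (severity, message))
```

Against a live host, capture the scan and hand the text to triage(), e.g. sudo python sslyze.py --regular host:443 > report.txt and then triage(open("report.txt").read()). On the test server above it would flag the whole SSLv2 section, the EXP- and 56-bit suites, RC4 and MD5, the 1024-bit key, the SHA-1 signature and the v1 certificate. The NOT Trusted line on a self-signed certificate is reported at info level only, since nothing in Mozilla's store vouches for it and that is what you'd expect for a test box.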
Follow me on Twitter: @Jason_Wood