The sys admin's daily grind: SSLScan

Keychain for Life

Article from Issue 163/2014
Author(s): Charly Kühnast

If, like our author Charly, you manage SSL-secured servers, read on to discover a tool that you will definitely appreciate. It checks whether a server's protocol and cipher configuration is still up to date.

SSL-secured services are the rule today, rather than the exception. But how can I quickly and easily check a large number of servers to see whether the encryption methods they offer are still up to date? With the SSLScan tool [1].

In the simplest case, I can just call SSLScan with the host name of the website that I want to test: sslscan example.com. Listing 1 shows that SSLScan simply tried a long list of ciphers for each protocol version and returned a status of Accepted, Rejected, or Failed for each one. Accepted means the server completed a handshake with that cipher, Rejected means the server turned it down, and Failed means no handshake could be completed with that combination at all; the SHA384 suite in Listing 1, for instance, is a TLS 1.2 cipher that cannot be negotiated over SSLv3.

Listing 1

sslscan example.com

Supported Server Cipher(s):
<...>
Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA384
Accepted  SSLv3  256 bits  ECDHE-RSA-AES256-SHA
Rejected  SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA
<...>

However, I am primarily interested in what ciphers the server accepts, not what it rejects. The following command:

sslscan --no-failed www.example.com

helps me significantly thin out the output, reducing it to a third of the original length. Things become even clearer if I add more restrictions. For example, if I want to know whether the server still supports SSLv2, I can limit the test to that protocol:

sslscan --no-failed --ssl2 www.example.com

The --ssl3 and --tls1 parameters work in the same way. SSLScan also lets you test mail servers, not just web servers; for a service that upgrades a plaintext connection with STARTTLS, you need the --starttls parameter, and you have to give the port explicitly, because SSLScan otherwise assumes 443. Figure 1 shows the output from

sslscan --no-failed --starttls --tls1 kuehnast.com:25

Figure 1: Charly uses SSLScan to check his mail server.

The last column of the figure shows which ciphers the server prefers.

Redirection

I can use --xml=<file name> to write the results to an XML file as well. This is useful for a script that periodically checks and/or documents the encryption capabilities of my servers. --targets=<file name> is a useful companion here: the file holds a list of host names, one per line, each followed by a port number in host:port form if the service does not listen on 443. SSLScan then checks the machines one after another.
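The following script is an added example of the periodic check described above; it is not part of SSLScan or of Charly's own setup. It post-processes a --xml result file: for every scanned host it keeps only the accepted ciphers, reports any obsolete protocol (SSLv2, SSLv3) that is still enabled, and flags accepted suites that are weak on their own (export grade, RC4, MD5, NULL, anonymous key exchange, or a key shorter than 112 bits). It assumes the XML layout written by sslscan 1.8.x, that is, an <ssltest host= port=> element per target containing <cipher status= sslversion= bits= cipher= /> elements; check the attribute names against a file from your own version before relying on it. The XML document embedded in the script is constructed for the example, not a real scan result.

```python
"""Flag obsolete protocols and weak ciphers in an sslscan --xml result file.

Added example, not SSLScan's own code. Assumes the sslscan 1.8.x XML layout
(<ssltest host= port=> holding <cipher status= sslversion= bits= cipher= />).
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample standing in for a file produced by sslscan --xml=<file>.
SAMPLE_XML = """<document title="SSLScan Results" version="1.8.2">
 <ssltest host="www.example.com" port="443">
  <cipher status="accepted" sslversion="SSLv3" bits="256" cipher="ECDHE-RSA-AES256-SHA" />
  <cipher status="accepted" sslversion="SSLv3" bits="128" cipher="RC4-SHA" />
  <cipher status="rejected" sslversion="SSLv3" bits="256" cipher="ECDHE-ECDSA-AES256-SHA" />
  <cipher status="accepted" sslversion="TLSv1" bits="256" cipher="ECDHE-RSA-AES256-SHA" />
  <cipher status="accepted" sslversion="TLSv1" bits="128" cipher="RC4-SHA" />
  <cipher status="accepted" sslversion="TLSv1" bits="56" cipher="DES-CBC-SHA" />
  <cipher status="accepted" sslversion="TLSv1" bits="40" cipher="EXP-RC4-MD5" />
 </ssltest>
 <ssltest host="mail.example.com" port="25">
  <cipher status="accepted" sslversion="TLSv1" bits="256" cipher="DHE-RSA-AES256-SHA" />
  <cipher status="accepted" sslversion="TLSv1" bits="128" cipher="AES128-SHA" />
 </ssltest>
</document>
"""

OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3"}
# Tokens of an OpenSSL cipher name that make the suite weak regardless of its
# nominal key size: no encryption, export grade, RC4, MD5 MAC, anonymous KEX.
WEAK_TOKENS = {
    "NULL": "no encryption", "EXP": "export grade", "EXP1024": "export grade",
    "RC4": "RC4", "MD5": "MD5 MAC", "ADH": "anonymous DH", "AECDH": "anonymous ECDH",
}
MIN_BITS = 112  # single DES (56) and export suites fall below this; 3DES does not


def classify_cipher(name, bits):
    """Return the reasons an accepted cipher suite is undesirable ([] if none)."""
    reasons = [WEAK_TOKENS[tok] for tok in sorted(set(name.split("-")) & set(WEAK_TOKENS))]
    if bits < MIN_BITS:
        reasons.append("short key (%d bits)" % bits)
    return reasons


def accepted_ciphers(xml_text):
    """Map 'host:port' -> [(sslversion, bits, cipher)] for ciphers the server accepted."""
    result = {}
    for test in ET.fromstring(xml_text).iter("ssltest"):
        target = "%s:%s" % (test.get("host"), test.get("port"))
        result[target] = [
            (c.get("sslversion"), int(c.get("bits")), c.get("cipher"))
            for c in test.iter("cipher")
            if c.get("status") == "accepted"  # rejected/failed is the noise --no-failed hides
        ]
    return result


def findings(xml_text):
    """Map 'host:port' -> list of readable problems; an empty list means clean."""
    report = {}
    for target, ciphers in accepted_ciphers(xml_text).items():
        problems = []
        for proto in sorted({v for v, _, _ in ciphers} & OBSOLETE_PROTOCOLS):
            problems.append("%s still enabled" % proto)
        for version, bits, name in ciphers:
            reasons = classify_cipher(name, bits)
            if reasons:
                problems.append("%s/%s: %s" % (version, name, ", ".join(reasons)))
        report[target] = problems
    return report


def main(argv):
    # With a file argument, read a real sslscan --xml result; otherwise use the sample.
    xml_text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_XML
    report = findings(xml_text)
    for target in sorted(report):
        problems = report[target]
        print("%s: %s" % (target, "OK" if not problems else "%d problem(s)" % len(problems)))
        for problem in problems:
            print("  - %s" % problem)
    return 1 if any(report.values()) else 0  # non-zero exit lets cron or a monitor alert


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python check_sslscan.py scan.xml from the same cron job that runs sslscan --targets=hosts.txt --xml=scan.xml; a non-zero exit status means at least one host needs attention, and the printed list names the protocol or cipher responsible. The cipher test is deliberately token based (the name is split on "-") so that DES-CBC3-SHA, the 168-bit 3DES suite, is not mistaken for single DES.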

Another addition to my toolbox! The SSLScan security checker is fast, lean, and easy to automate.

The Author

Charly Kühnast is a Unix operating system administrator at the Data Center in Moers, Germany. His tasks include firewall and DMZ security and availability. He divides his leisure time into hot, wet, and eastern sectors, where he enjoys cooking, freshwater aquariums, and learning Japanese, respectively.
