The sys admin's daily grind: SSLScan
Keychain for Life
If, like our author Charly, you manage SSL-secured servers, read on to discover a tool that you will definitely appreciate. It checks whether the complete security setup is up to date.
SSL-secured services are the rule today, rather than the exception. But, how can I quickly and easily check a large number of servers to see whether the encryption methods in use are still up to date? With the SSLScan tool .
In the simplest case, I can just call SSLScan with the URL of the website that I want to test:
sslscan example.com. Listing 1 shows that SSLScan simply tried a long list of ciphers and returned a status of Accepted, Rejected, or Failed for each one.
01 Supported Server Cipher(s): 02 <...> 03 Failed SSLv3 256 bits ECDHE-ECDSA-AES256-SHA384 04 Accepted SSLv3 256 bits ECDHE-RSA-AES256-SHA 05 Rejected SSLv3 256 bits ECDHE-ECDSA-AES256-SHA 06 <...>
However, I am primarily interested in what ciphers the server accepts, not what it rejects. The following command:
sslscan --no-failed www.example.com
helps me significantly thin out the output, reducing it to a third of the original length. Things become even clearer if I add more restrictions. For example, if I want to know whether the server still supports SSLv2, I can check the target like this:
sslscan --no-failed --ssl2 www.example.com
--tls1 parameters work in the same way; however, SSLScan also lets you test mail servers, not just web servers. You need the
--starttls parameter to do this. Figure 1 shows the output from
sslscan --no-failed --starttls --tlsv1kuehnast.com:25
The last column of the figure shows which ciphers the server prefers.
I can use
--xml=<file name> to redirect the output to an XML file. This method is useful for a script with which I periodically check and/or document the encryption capabilities of the server. A combination with
--targets=<file name> is useful here. I can use this to write a list of host names to the file – along with the port numbers, if there happen to be any ports other than 443. SSLScan then automatically checks the machines one after another.
Another addition to my toolbox! The SSLScan security checker is fast, lean, and easy to automate.
Buy this article as PDF
New release targets Linux professionals.
The Fedora project adds Wayland and Gnome 3.22
CeBIT 2017: Open Source Forum Call for Papers
Long-time Linux antagonist joins the revolution.
Major bug affects Debian/Ubuntu distributions.
Canonical releases the minimal edition for embedded devices, Internet of Things, and cloud deployments.
The new release features improvements across the board, from performance to security.
Two out of three of the new members are women.
More than 5,000 people attended the event.
Linux Magazine will include the best of both magazines.