The sys admin's daily grind: SSLScan
Keychain for Life
If, like our author Charly, you manage SSL-secured servers, read on to discover a tool that you will definitely appreciate. It checks whether the complete security setup is up to date.
SSL-secured services are the rule today, rather than the exception. But, how can I quickly and easily check a large number of servers to see whether the encryption methods in use are still up to date? With the SSLScan tool [1].
In the simplest case, I can just call SSLScan with the URL of the website that I want to test: sslscan example.com. Listing 1 shows that SSLScan simply tried a long list of ciphers and returned a status of Accepted, Rejected, or Failed for each one.
Listing 1
sslscan example.com
However, I am primarily interested in what ciphers the server accepts, not what it rejects. The following command:
sslscan --no-failed www.example.com
helps me significantly thin out the output, reducing it to a third of the original length. Things become even clearer if I add more restrictions. For example, if I want to know whether the server still supports SSLv2, I can check the target like this:
sslscan --no-failed --ssl2 www.example.com
The --ssl3 and --tls1 parameters work in the same way; however, SSLScan also lets you test mail servers, not just web servers. You need the --starttls parameter to do this. Figure 1 shows the output from
Figure 1: Charly uses SSLScan to check his mail server.
sslscan --no-failed --starttls --tlsv1kuehnast.com:25
The last column of the figure shows which ciphers the server prefers.
Redirection
I can use --xml=<file name> to redirect the output to an XML file. This method is useful for a script with which I periodically check and/or document the encryption capabilities of the server. A combination with --targets=<file name> is useful here. I can use this to write a list of host names to the file – along with the port numbers, if there happen to be any ports other than 443. SSLScan then automatically checks the machines one after another.
Another addition to my toolbox! The SSLScan security checker is fast, lean, and easy to automate.
Infos
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
US / Canada
UK / Australia
Direct Download
Read full article as PDF:
Price $2.95
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Find SysAdmin Jobs
News
-
Kubuntu Focus Announces XE Gen 2 Linux Laptop
Another Kubuntu-based laptop has arrived to be your next ultra-portable powerhouse with a Linux heart.
-
MNT Seeks Financial Backing for New Seven-Inch Linux Laptop
MNT Pocket Reform is a tiny laptop that is modular, upgradable, recyclable, reusable, and ships with Debian Linux.
-
Ubuntu Flatpak Remix Adds Flatpak Support Preinstalled
If you're looking for a version of Ubuntu that includes Flatpak support out of the box, there's one clear option.
-
Gnome 44 Release Candidate Now Available
The Gnome 44 release candidate has officially arrived and adds a few changes into the mix.
-
Flathub Vying to Become the Standard Linux App Store
If the Flathub team has any say in the matter, their product will become the default tool for installing Linux apps in 2023.
-
Debian 12 to Ship with KDE Plasma 5.27
The Debian development team has shifted to the latest version of KDE for their testing branch.
-
Planet Computers Launches ARM-based Linux Desktop PCs
The firm that originally released a line of mobile keyboards has taken a different direction and has developed a new line of out-of-the-box mini Linux desktop computers.
-
Ubuntu No Longer Shipping with Flatpak
In a move that probably won’t come as a shock to many, Ubuntu and all of its official spins will no longer ship with Flatpak installed.
-
openSUSE Leap 15.5 Beta Now Available
The final version of the Leap 15 series of openSUSE is available for beta testing and offers only new software versions.
-
Linux Kernel 6.2 Released with New Hardware Support
Find out what's new in the most recent release from Linus Torvalds and the Linux kernel team.