Index of /software/ssl

Icon  Name                    Last modified      Size  Description
[DIR] Parent Directory                             -   
[TXT] CHANGELOG               02-Nov-2011 18:41  1.7K  
[TXT] LICENSE                 21-Jun-2010 14:19   18K  
[   ] openssl32+64.bins.tbz2  27-Oct-2010 15:25  1.8M  
[TXT] openssl32+64.bins.tb..> 27-Oct-2010 15:26  190   
[IMG] snapshot.jpg            30-Jun-2010 10:04   98K  
[IMG] snapshot_small.jpg      30-Jun-2010 10:06   14K  
[   ] testssl.sh              02-Nov-2011 18:32  9.3K
testssl.sh: How to test SSL configurations on the server
testssl.sh is a Unix command line tool which checks for the support of weak SSL ciphers and the old SSL version 2 as well as some flaws.
   It's designed to provide clear output for a good/bad decision as not everybody has cryptography skills like Bruce Schneier ;-) (hint: me neither). testssl.sh is working on every Linux distribution which has openssl installed. Since it is pretty much portable it should work on any other Unix system and on cygwin, supposed it can find openssl.

New:
  • 1.18: Rearragement of arguments: URI comes now always last. NOPARANOID flag tells whether medium grade ciphers are ok.
  • 1.17: tests now for renegotiation vulnerabity, see (CVE-2009-3555)
  • 1.16: Invoking options changed with this release. Port and hostname / URL will be accepted only as one argument. major code cleanups. Also checks now whether SSL is listening on the server side at all. -a/--all tests cipher by cipher now.
  • [..]
  • More see CHANGELOG.

So called cipher classes are supported as well as single ciphers available on the client side (to be tested on the server side). For the latter the option -a/--allis needed as a second argument. The drawback for most distributions: One cannot check 56Bit ciphers as they are disabled during compile time. Thus the signed tarball provides openssl32+64.bins.tbz2 as a courtesy.

Contributions are welcome, contact see here or here. I post all updates on Twitter.
 

For general info on SSL/TLS see Wikipedia. As far as the depricated usage of SSLv2 is concerned two quotes why you should not enable this on your server:

Depending on the time and resources of an attacker, any communication protected by SSLv2 may be vulnerable to Man-in-The-Middle (MiTM) attacks that could allow data tampering or disclosure. SSLv2 flaws in summary: - SSL encrypted web requests traffic analysis can disclose which pages were downloaded, length of data downloaded, what web servers were accessed and more. This requires sniffing or physical access and is considered a passive attack. (Source and further reading: OSVDB)

SSL 2.0 is vulnerable to a "man-in-the-middle" attack. An active attacker can invisibly edit the list of ciphersuite preferences in the hello messages to invisibly force both client and server to use 40-bit encryption. SSL 3.0 defends against this attack by having the last handshake message include a hash of all the previous handshake messages. (Source: SSL discussion list)