Tool Tuesday – TLS/SSL Scanning Tools
There are countless tools and variants for testing TLS/SSL connections. With these three simple tools you can easily check your own configuration.
In a nutshell: TLS (Transport Layer Security) and its previous version SSL (Secure Socket Layer) are protocols that are used for encrypted data transmission. Various parameters are negotiated between the client and server during connection setup. Which parameters are available for negotiation is defined in the server configuration.
In order to check this configuration – whether for a penetration test or for the in-house compliance check – various tools are available to facilitate the work.
We picked three tools: O-Saft, sslscan and testssl and compared them with each other.
O-Saft first captivates with its original name. It is a Perl based scanner with a lot of options. The special feature is that O-Saft not only evaluates and outputs the offered ciphers of the server but the scanner can also open a TCP socket and send SSL/TLS handshakes. The big advantage of this method is that the presence of SSLv2 can be tested without additional or outdated libraries.
The output is in text form on the console. This can optionally be redirected to a file.
More information can be found at: https://github.com/OWASP/O-Saft
sslcan must be installed or compiled. Self compiling has the advantage that you can use old openssl libraries to test SSLv2 or SSLv3 for example. The output appears very clear and divided into different colors on the console (great for screenshots). Alternatively, the output can be in the form of an XML file.
More information can be found at: https://github.com/rbsec/sslscan
testssl is a bash script. Therefore no installation or compilation is necessary. The scanner uses the current openssl version on the system. So only protocols and ciphers supported by the current openssl can be tested. The output is very extensive. It does not only give information about the used ciphers and certificates but also about possible vulnerabilities and attacks. In addition, the output can be written in various formats, such as a JSON file or CSV file, for further processing.
More information under: https://github.com/drwetter/testssl.sh
Do you have any questions about TLS/SSL security? Please feel free to contact us!
#1 – New Can I Trust Test Case – Browser returns secret out of pre-cached response in a CORS-Request
Update: Our WordPress Author Security Plugin is now available in the WordPress Plugin Store.
How can you actively prevent usernames from being enumerated on WordPress author pages?
In our Big Application Security Penetration Test FAQ for clients we answer everything you should know before, during and after the commissioning of an Application Security Penetration Test.
In focus today: Questions #18 and #19 – How are vulnerabilities found evaluated? And what is the CVSS?
CSRF Countermeasures #2: Another way to protect against CSRF – stateless – is the Double Submit Cookie method.