News

Tool Tuesday – TLS/SSL Scanning Tools

Aug 6, 2019

There are countless tools and variants for testing TLS/SSL connections. With these three simple tools you can easily check your own configuration. 

In a nutshell: TLS (Transport Layer Security) and its previous version SSL (Secure Socket Layer) are protocols that are used for encrypted data transmission. Various parameters are negotiated between the client and server during connection setup. Which parameters are available for negotiation is defined in the server configuration.
In order to check this configuration – whether for a penetration test or for the in-house compliance check – various tools are available to facilitate the work.
We picked three tools: O-Saft, sslscan and testssl and compared them with each other.

O-Saft

O-Saft first captivates with its original name. It is a Perl based scanner with a lot of options. The special feature is that O-Saft not only evaluates and outputs the offered ciphers of the server but the scanner can also open a TCP socket and send SSL/TLS handshakes. The big advantage of this method is that the presence of SSLv2 can be tested without additional or outdated libraries. 
The output is in text form on the console. This can optionally be redirected to a file.

More information can be found at: https://github.com/OWASP/O-Saft

sslscan

sslcan must be installed or compiled. Self compiling has the advantage that you can use old openssl libraries to test SSLv2 or SSLv3 for example. The output appears very clear and divided into different colors on the console (great for screenshots). Alternatively, the output can be in the form of an XML file.

More information can be found at: https://github.com/rbsec/sslscan

testssl

testssl is a bash script. Therefore no installation or compilation is necessary. The scanner uses the current openssl version on the system. So only protocols and ciphers supported by the current openssl can be tested. The output is very extensive. It does not only give information about the used ciphers and certificates but also about possible vulnerabilities and attacks. In addition, the output can be written in various formats, such as a JSON file or CSV file, for further processing.

More information under: https://github.com/drwetter/testssl.sh

Do you have any questions about TLS/SSL security? Please feel free to contact us

Tool Tuesday - TLS/SSL Scanning Tools

Recent posts

Tool Tuesday – nmap

One tool which should be installed on every pentester PC is nmap. This command line tool is the Swiss army knive for penetration tests on network level, but also used regularly by system administrators.

read more

mgm sp @ Munich

Our head office is located in the heart of Bavaria, since the time of SecureNet. Come have a look!

read more

Awareness Training @ mgm sp

One of the most important fundamentals for practiced security is the creation of awareness for threats in information security. In our IT Security Awareness Training, we demonstrate how attackers act, what motivates them and how easy it is to do damage.

read more

Wenn Sie auf der Seite weitersurfen, stimmen Sie der Cookie-Nutzung zu.
If you continue to visit the site, you agree to the use of cookies.
Privacy Policy / Cookie Policy

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close