_________________________________________________________
SSLDiagnos - 2010-2011
_________________________________________________________
SITE: https://sourceforge.net/projects/ssldiagnos
---------------------------------------------------------
Description
---------------------------------------------------------
This application is used to get information about SSL
usage at a server. It can also be used for testing SSL
clients.
The application tests every OpenSSL protocol/cipher
combination and grades each combination from weak to
strong. It can thus be used to find weak SSL ciphers and
protocols at a server.
The source is written for Win32 but may easily be ported
to Linux/Unix.
Dependencies: OpenSSL
---------------------------------------------------------
Copyright
---------------------------------------------------------
Simovits Consulting AB
http://www.simovits.com
---------------------------------------------------------
Note
---------------------------------------------------------
This application focuses on functionality rather than
error handling and ease of use. It was created to test
the security level of other applications and systems.
There are no guarantees that this application has
sufficient error handling to be used by production-critical
systems. It is also of course not intended to be used in
or as part of any illegal or immoral acts. The owner of
any system tested by this application shall always be
informed prior to any testing.
- The server-mode support is experimental.
- Error-handling is not prioritized.
The SSLPressure-project was created as a complement to
ssldiagnos. In the future these projects may be merged,
but for now the SSLPressure-project is more of a "lab"
that is reprogrammed for each new penetration-test
situation.
---------------------------------------------------------
About
---------------------------------------------------------
This application is used for SSL-layer-diagnostics.
Author: James Dickson/Simovits Consulting.
Web: http://www.simovits.com
---------------------------------------------------------
License
---------------------------------------------------------
This project is licensed under GPL 3.0. See gpl-3.0.txt
for more info or visit: http://www.gnu.org/licenses/gpl.html.
---------------------------------------------------------
Definition: Weak, intermediate, strong
---------------------------------------------------------
* SSLv2.0 = Weak
* Anonymous, null or export grade ciphers = Weak
* < 56 bits for encryption = Weak
* < 112 bits for encryption = Intermediate
* < 128 bits for encryption with AES = Intermediate
* >= 128 bits for encryption = Strong
Note 1:
Even though some security issues are noted about RC4 and
MD5, the usage of RC4 encryption and the MD5 hash is not
regarded as critical in this context because of the SSL
design. For instance, RC4/128 bit/SSL3 is regarded as
"Strong" even though RC4 is only graded as "MEDIUM"
cipher strength by OpenSSL.
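The grading rules above, written out as a C function (an added example, not SSLDiagnos source code). The combo_t record, the protocol labels and the grading of non-AES ciphers between 112 and 127 bits as Strong are assumptions; anonymous, null and export ciphers are recognised from OpenSSL's cipher naming (ADH/AECDH, NULL, EXP prefix).

```c
#include <string.h>

typedef enum { GRADE_WEAK, GRADE_INTERMEDIATE, GRADE_STRONG } grade_t;

/* Hypothetical record for one tested combination (not an SSLDiagnos type). */
typedef struct {
    const char *protocol; /* "SSL2", "SSL3", "TLS1": labels assumed here */
    const char *cipher;   /* OpenSSL cipher name, e.g. "EXP-RC4-MD5" */
    int bits;             /* encryption key bits reported for the cipher */
} combo_t;

/* Return 1 if tok appears in name as a whole dash-separated token. */
static int has_token(const char *name, const char *tok)
{
    size_t n = strlen(tok);
    const char *p = name;
    while ((p = strstr(p, tok)) != NULL) {
        if ((p == name || p[-1] == '-') && (p[n] == '\0' || p[n] == '-'))
            return 1;
        p++;
    }
    return 0;
}

grade_t grade_combo(const combo_t *c)
{
    if (strcmp(c->protocol, "SSL2") == 0)
        return GRADE_WEAK;                         /* SSLv2.0 = Weak */
    /* OpenSSL naming: ADH/AECDH anonymous, NULL no encryption, EXP* export */
    if (has_token(c->cipher, "ADH") || has_token(c->cipher, "AECDH") ||
        has_token(c->cipher, "NULL") || strncmp(c->cipher, "EXP", 3) == 0)
        return GRADE_WEAK;
    if (c->bits < 56)
        return GRADE_WEAK;
    if (c->bits < 112)
        return GRADE_INTERMEDIATE;
    if (c->bits < 128 && strstr(c->cipher, "AES") != NULL)
        return GRADE_INTERMEDIATE;
    /* Assumption: a non-AES cipher at 112..127 bits is graded Strong; the
       README's list does not cover that range explicitly. */
    return GRADE_STRONG;
}

/* Constructed sample results, not output captured from a real server. */
static const combo_t SAMPLES[] = {
    { "SSL2", "RC4-MD5",        128 },  /* weak: protocol */
    { "SSL3", "EXP-RC4-MD5",     40 },  /* weak: export */
    { "SSL3", "DES-CBC-SHA",     56 },  /* intermediate */
    { "SSL3", "RC4-MD5",        128 },  /* strong, as in Note 1 */
    { "TLS1", "ADH-AES256-SHA", 256 },  /* weak: anonymous */
};
```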
---------------------------------------------------------
USAGE SSLDiagnos
---------------------------------------------------------
Example 0 - Get parameter-meaning
    ssldiagnos.exe --help
Example 1 - Start a server using all ciphers but only SSL3 protocol. Port 888 and the server certificates must also be specified
    ssldiagnos.exe --servercipher ALL --serverprotocol SSL3 --servercert C:\src\ssldiagnos\Debug\cacert.pem -p 888 --servermode --servercertkey cakey.pem
Example 2 - Test the host www.hostname.org using port 443 (which is the default). Also test send/receive.
    ssldiagnos.exe -t www.hostname.org --testsend -p 443
Example 3 - Test the host www.hostname.org using port 443 (which is the default). Connect-test only.
    ssldiagnos.exe www.hostname.org
---------------------------------------------------------
USAGE SSLPressure
---------------------------------------------------------
Example 1 - Test all handshakes of SSL2 and SSL3-ciphers on 192.168.1.1
    sslpressure.exe -t 192.168.1.1
Example 2 - Add a 500ms delay between tests.
    sslpressure.exe -t 192.168.1.1 --delay 500
---------------------------------------------------------
History
---------------------------------------------------------
Date        Name   Change
.........................................................
2010-03-24  James  Added support for DTLS
2010-11-13  James  Changed low, medium, high definitions to weak, intermediate, strong.
                   This is to avoid confusion with cipher-grade. The thought is that
                   only a strong protocol/key exchange/cipher combo is PCI compliant.
2010-11-20  James  Added some better checks for SSL renegotiation.
2010-11-21  James  0.6.5a - Removed experimental support for SSL rating guide 2009.
                   It messed up the code and was never used anyway.
2010-11-21  James  0.6.6a - Added some colors to simplify ocular result control.
2010-11-23  James  0.6.7a - Fixed color-bug and added support for the cisco-dtls-special-implementation-flag.
2010-11-30  James  0.6.8a - Fixed certificate bit count bug. Compiled .exe is now also using OpenSSL 1.0b.
2010-12-01  James  0.6.9a - Fixed some bugs with issuing warnings too easily for elliptic curve signed certificates.
2010-12-09  James  0.6.10a - Added support for starting SSL with POP3 servers (STLS).
2011-01-04  James  0.6.11a - Bugfix: Default behavior is now to not test for POP3S. Project converted to VS2010
2011-01-04  James  0.6.12a - Added support for explicit FTPS (AUTH SSL, AUTH TLS).
2011-01-05  James  0.6.12b - Some text-changes.
2011-01-23  James  0.7.1a - Added the sslpressure-project to the ssldiagnos-solution.
2011-01-28  James  0.7.1b - Cleaned up some code.
2011-02-08  James  0.8.1a - Added experimental tests for PCT1. Also divided project into library/app since there are common functions between projects.
2011-03-18  James  0.8.1b - Bug workaround. Before, if start-TLS (such as with SMTP) was chosen, we had a PCT-false-positive. Now we disable PCT-test. Also a bugfix in sslpressure when testing for ssl2.