From: offset (offset@ubersecurity.org)
Date: Mon Jun 19 2006 - 17:09:51 EDT
Is there a list of all the possible SSL cipher checks somewhere?
I noticed that the openssl 'ciphers' manpage has a long list and also shows which
ciphers are not implemented by openssl, so I'm curious about the differences between
openssl and gnutls in terms of cipher support, or if they overlap, or if there are
ssl libs that support ciphers that openssl does not.
I noticed that my linux distro doesnt include the patented ciphers (IDEA, MDC2, RC5, EC), so I
had to "unhobble" my version of openssl to get more extensive checking.
The THCSSLCheck does not check for the NULL cipher, not sure how comprehensive Foundstone's
SSLDigger is.
In openssl, you can view the ciphers that your version supports via this command
openssl ciphers -v 'ALL:eNull'
-off
On Mon, Jun 19, 2006 at 07:48:51PM +0200, frank boldewin wrote:
> http://www.packetstormsecurity.org/groups/thc/THCSSLCheck.zip
>
>
> ----- Original Message -----
> From: "thomas springer" <tuevsec@gmx.net>
> To: <pen-test@securityfocus.com>
> Sent: Monday, June 19, 2006 11:23 AM
> Subject: Re: How to: Check SSL version Numbers remotely
>
>
> >Depends, what you mean with Version:
> >
> >1) Version of SSL-Software/Libs (e.g. OpenSSL 0.9.7e or GnuTLS 1.4.0)
> >Most of thes are linked with Server-Software, e.g. Apache. You might
> >grab banners, especially Apache often reports the mod_ssl or
> >openssl-Versions and check the capabilites of the SSL-Lib (Supported
> >Protocols and Ciphers). These might give you a hint about software and
> >version, but neither of these will give you a really trustworthy
> >version-info of the used ssl-libs. I don't know any relyable method to
> >check this remote.
> >
> >2) Version of default (and other supported) SSL-Protocols (e.g. SSL 2.0,
> >SSL 3.0, TLS 1.0, TLS 1.1)
> >Use GnuTLS, OpenSSL, a Foundstones SSL-Digger (beware: good, but
> >ancient!) or the SSL-Check at www.serversniff.net.
> >
> >3) Version of default (and other supported) Ciphers (e.g. 3DES, AES 128,
> >RC4 ...)
> >Use GnuTLS, OpenSSL, a Foundstone SSL-Digger or the SSL-Check at
> >www.serversniff.net.
> >
> >thomas
> >
> >mikeiscool wrote:
> >>On 17 Jun 2006 19:27:42 -0000, 09Sparky@gmail.com <09Sparky@gmail.com>
> >>wrote:
> >>>What is the best way or tool used to check SSL Versions? I need to
> >>>confirm whether or not a remote SSL Server is outdated?
> >
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:08 EDT