Syndicate
Site (RSS, Atom)
Contact
Weblog status
Total entries: 50
Last entry: 2016-10-17 22:22:03
Last updated: 2016-10-18 07:57:57
powered by vim, bash, cat, grep, sed, and nb 3.4.2

2014-10-04 13:47:34

Script to test supported ssl ciphers

In the last months there was a lot of work done in the field of encryption due to our spying friends at the NSA. Keywords like "forward secrecy" jumped to the top places in search engines. Then we got the heartbleed bug in OpenSSL. It's harder to keep his stuff up to date. One important task is to actually test (and not just believe) that your protection is sufficient. You can't just update OpenSSL and Bash and more software and think you are well protected. Many software packages out in the wild use SSL/OpenSSL but just do some "basic" configuration to show "It Works!".

One important task is to check the ciphers or the cipher suite actually used by services like http or smtp (i.e. with starttls). You must use the best balance between using secure communiation with forward secrecy and current key exchange, authorization and hash methods, and compatibility to other software (mainly clients) on the other side. If you want a secure communication between i.e. a RHEL/Centos 5 host and a RHEL/Centos 6 host there will be only two ciphers left.

To have a simple and easily configurable tool for checking ssl ciphers between to peers I wrote a very small script:

#!/bin/ash
# shell shock all-clear: compatible to
# ash dash ksh93 lksh mksh pdksh shish zsh

# Frank Bergmann, www.tuxad.com, 2014-10
# Test peer with openssl for supporting ssl ciphers

[ $# -lt 2 ] && {
  echo 'usage: '$0' ip-address port [protocol]'
  echo 'protocol is i.e. smtp for STARTTLS'
  exit 1
}

SERVER=$1
PORT=$2
if [ "$3" ]
then
  STARTTLS=-starttls
  PROT=$3
fi
CIPHER_SUITE="\
`openssl ciphers 'ALL:eNULL' | sed 's,:, ,g'`"

for CIPHER in $CIPHER_SUITE
do
  IFS=""
  echo -n "$CIPHER: "
  OUTPUT="`openssl s_client -cipher $CIPHER $STARTTLS \
$PROT -connect $SERVER:$PORT 2>&1 </dev/null`"
  ACT_CIPHER=`echo $OUTPUT|grep "Cipher is"|sed \
's,.*Cipher is ,,'|tr -d '()'`
  if [ "$ACT_CIPHER" = "$CIPHER" ]
  then
    SUPPORT=YES
  else
    SUPPORT=NO
  fi
  if [ "$SUPPORT" = "NO" ]
  then
    SUPPORT=$SUPPORT" ("`echo $OUTPUT|grep \
:error:|cut -d: -f6`")"
  fi
  echo $SUPPORT
  sleep 1
done

Arguments are IP address and port. The optional third argument for protocol is only needed for starttls. Latest version of this script can be downloaded at ssltest.sh. Here's an example run of a RHEL 5 host connecting to a RHEL 6 host with https and smtp/starttls:

$ ./ssltest.sh 80.153.x.x 443|grep -C2 YES
ADH-AES256-SHA: NO (sslv3 alert handshake failure)
DHE-RSA-AES256-SHA: YES
DHE-DSS-AES256-SHA: NO (sslv3 alert handshake failure)
AES256-SHA: NO (sslv3 alert handshake failure)
ADH-AES128-SHA: NO (sslv3 alert handshake failure)
DHE-RSA-AES128-SHA: YES
DHE-DSS-AES128-SHA: NO (sslv3 alert handshake failure)
AES128-SHA: NO (sslv3 alert handshake failure)
--
ADH-RC4-MD5: NO (sslv3 alert handshake failure)
EXP-ADH-RC4-MD5: NO (sslv3 alert handshake failure)
EDH-RSA-DES-CBC3-SHA: YES
EDH-RSA-DES-CBC-SHA: NO (sslv3 alert handshake failure)
EXP-EDH-RSA-DES-CBC-SHA: NO (sslv3 alert handshake failure)

$ ./ssltest.sh 80.153.x.x 25 smtp|grep -C2 YES
ADH-AES256-SHA: NO (ssl handshake failure)
DHE-RSA-AES256-SHA: YES
DHE-DSS-AES256-SHA: NO (ssl handshake failure)
AES256-SHA: NO (ssl handshake failure)
ADH-AES128-SHA: NO (ssl handshake failure)
DHE-RSA-AES128-SHA: YES
DHE-DSS-AES128-SHA: NO (ssl handshake failure)
AES128-SHA: NO (ssl handshake failure)

This blog entry is the start of some blog entries regarding this topic.

(As noted after the shebang this script is compatible with maybe all bourne shells. RPM packages for shish and heirloom shell may be downloaded at www.tuxad.com/shells.)


Posted by Frank W. Bergmann | Permanent link | File under: ssl, encryption, openssl, shell, http, smtp