Posts

metasploitable exploits

The Metasploit team have a test VM which they call "Metasploitable"; it can be downloaded and used to try out Metasploit. I recommend using the BackTrack VM image to do this, as it's easier than installing Metasploit yourself and it comes with lots of other useful tools. However, I couldn't find a comprehensive list of the vulnerabilities that can be exploited, so here are my notes. I've tried not to give too much away, but of course this is going to be a partial spoiler, so see what you can find for yourself before cross-checking against my list.

21/tcp open ftp ProFTPD 1.3.1 # Not a vulnerable version, although an obvious security risk, and it could be brute forced.
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) # Again, no specific vulnerability found, but it could be brute forced.
23/tcp open telnet Linux telnetd # Again, no specific vulnerability found, but it could be brute forced.
25/tcp open smtp Postfix smtpd # No specific vulnerability found but doesn...

Testing for SSL Renegotiation

I've noticed that OpenSSL will say "Renegotiation IS supported" even when a server has disabled it. To know for sure, it's possible to trigger a renegotiation with the OpenSSL client and see what happens. To do this, run the command:

openssl s_client -connect host:port

and, once the connection is up, enter R on a line by itself to trigger a renegotiation:

R

You will see "RENEGOTIATING" followed by an error if the renegotiation has failed.
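The same check, scripted, as an added example that is not part of the original post. The "Secure Renegotiation IS supported" line that s_client prints only reports that the RFC 5746 secure renegotiation extension was negotiated; it says nothing about whether the server will honour a client-initiated renegotiation, which is why the 'R' command is the real test. The script pipes the single line "R" to `openssl s_client` (the tty is not read until the first handshake completes, so the command arrives at the right moment) and classifies the stderr output: OpenSSL's error printer emits a line containing ":error:" when the server refuses, and s_client ends with "DONE" on stdin EOF when the renegotiation went through. Host, port and the `-tls1_2` hint are assumptions; renegotiation does not exist in TLS 1.3, so pin an older version if the server supports 1.3 and you want the answer for the renegotiation question specifically.

```python
#!/usr/bin/env python3
"""Attempt a client-initiated TLS renegotiation via `openssl s_client`.

Hypothetical helper written for this page (not the blog's own code).
Assumes `openssl` is on PATH; host/port are caller-supplied.
"""
import subprocess
import sys

ACCEPTED = "accepted"
REFUSED = "refused"
NOT_ATTEMPTED = "not attempted"


def classify_renegotiation(stderr_text):
    """Classify s_client's stderr after the 'R' command was sent.

    s_client prints RENEGOTIATING when it starts the second handshake. If the
    server refuses (no_renegotiation alert or a dropped connection), OpenSSL's
    ERR_print_errors output (':error:' marker) follows it; if the server
    accepts, nothing follows except DONE once stdin hits EOF.
    """
    if "RENEGOTIATING" not in stderr_text:
        return NOT_ATTEMPTED  # never got past the initial handshake
    after = stderr_text.split("RENEGOTIATING", 1)[1]
    if ":error:" in after or "handshake failure" in after:
        return REFUSED
    return ACCEPTED


def secure_renegotiation_extension(stdout_text):
    """True if the RFC 5746 extension was negotiated (the 'IS supported'
    line). Independent of whether a renegotiation request is honoured."""
    return "Secure Renegotiation IS supported" in stdout_text


def probe(host, port, extra_args=(), timeout=15):
    """Run s_client, send 'R', and return both observations.

    extra_args such as ("-tls1_2",) keep the connection below TLS 1.3,
    where renegotiation no longer exists (assumed flag; present in
    OpenSSL 1.0.1 and later).
    """
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", *extra_args]
    try:
        out = subprocess.run(cmd, input="R\n", capture_output=True,
                             text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return {"renegotiation": NOT_ATTEMPTED, "rfc5746": False}
    return {
        "renegotiation": classify_renegotiation(out.stderr),
        "rfc5746": secure_renegotiation_extension(out.stdout),
    }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com:443"
    h, p = target.rsplit(":", 1)
    print(probe(h, int(p), extra_args=("-tls1_2",)))
```

A server that is patched against the 2009 renegotiation issue typically reports `rfc5746: True`; whether client-initiated renegotiation is disabled outright is the separate `renegotiation` field, and only a `refused` there confirms the author's point.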

Security engineering: broken promises

A link for me to read this on my kindle. http://www.zdnet.com/blog/security/security-engineering-broken-promises/6503?tag=mantle_skin;content

SSL Digger

SSL Digger also does the job: free from McAfee but Windows only (.NET 1.1). http://www.mcafee.com/us/downloads/free-tools/index.aspx Very lightweight and simple to use. GUI-based, but it exports reports.

Remotely list Ciphers supported by a SSL server

I was looking for a simple way to confirm the supported cipher suites of a remote server. Nessus has the ability to identify weak cipher suites, however it is too heavyweight for my liking. I couldn't find anything else that met my needs, so I've put a script together that wraps the relevant OpenSSL commands. It appears to be a common security testing task to confirm that weak ciphers have been disabled to prevent downgrade attacks, so I hope this script will be of use to others. Unmodified, this script will test the HIGH, MEDIUM, LOW, EXPORT, eNULL and aNULL cipher suites as defined by http://www.openssl.org/docs/apps/ciphers.html.

Example Usage:

./scan.py www.google.com:443

Example Output:

= LOW =
ADH-DES-CBC-SHA:FAIL
EDH-RSA-DES-CBC-SHA:FAIL
EDH-DSS-DES-CBC-SHA:FAIL
DES-CBC-SHA:FAIL
DES-CBC-MD5:FAIL
= EXPORT =
EXP-ADH-DES-CBC-SHA:FAIL
EXP-ADH-RC4-MD5:FAIL
EXP-EDH-RSA-DES-CBC-SHA:FAIL
EXP-EDH-DSS-DES-CBC-SHA:FAIL
EXP-DES-CBC-SHA:FAIL
EXP-RC2-CBC-MD5:FAIL
EXP-RC4-MD5:FAIL
EXP-RC2-CBC-M...
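An added example of the approach the post describes, written for this page rather than being the author's scan.py: expand each OpenSSL cipher-list group with `openssl ciphers -v`, then handshake once per suite with `openssl s_client -cipher NAME` and report in the same `= GROUP =` / `NAME:FAIL` layout. FAIL means the handshake failed, i.e. the server refused the suite; OK means it was negotiated, which for LOW, EXPORT, eNULL or aNULL is a finding. The decision is made by comparing the suite named in s_client's `Cipher    :` session line with the one requested, not merely by checking that a connection succeeded: on an OpenSSL 1.1.1+ client talking to a TLS 1.3 server, `-cipher` only constrains TLS 1.2 and below and the handshake may succeed with a TLS 1.3 suite instead, which must not be counted as acceptance of the weak one. Host, port and the sample s_client output in the test are assumptions.

```python
#!/usr/bin/env python3
"""Enumerate the cipher suites a TLS server accepts, one handshake per suite.

Hypothetical helper written for this page; wraps `openssl ciphers -v` and
`openssl s_client -cipher`. Assumes `openssl` is on PATH.
"""
import re
import subprocess
import sys

# Same groups the page's script tests; each is an OpenSSL cipher-list spec.
GROUPS = ["HIGH", "MEDIUM", "LOW", "EXPORT", "eNULL", "aNULL"]

# The 'Cipher    : NAME' line inside s_client's SSL-Session block.
CIPHER_LINE = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M)


def parse_cipher_list(ciphers_v_output):
    """First column of `openssl ciphers -v <spec>` output is the suite name."""
    names = []
    for line in ciphers_v_output.splitlines():
        parts = line.split()
        if parts:
            names.append(parts[0])
    return names


def list_ciphers(spec):
    """Expand a cipher-list spec using the local OpenSSL build."""
    out = subprocess.run(["openssl", "ciphers", "-v", spec],
                         capture_output=True, text=True)
    return parse_cipher_list(out.stdout) if out.returncode == 0 else []


def negotiated_cipher(s_client_output):
    """Suite from the session 'Cipher    :' line, or None on a failed handshake
    (s_client then prints '0000' or '(NONE)' in that position)."""
    m = CIPHER_LINE.search(s_client_output)
    if not m or m.group(1) in ("0000", "(NONE)"):
        return None
    return m.group(1)


def server_accepts(host, port, cipher, timeout=10):
    """Offer exactly one suite; True only if the server picked that suite."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-cipher", cipher]
    try:
        out = subprocess.run(cmd, input="", capture_output=True,
                             text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return False
    return negotiated_cipher(out.stdout) == cipher


def format_report(results):
    """results: {group: [(cipher, accepted), ...]} -> page-style report.

    FAIL = handshake refused by the server; OK = suite negotiated.
    """
    lines = []
    for group, pairs in results.items():
        lines.append(f"= {group} =")
        for cipher, accepted in pairs:
            lines.append(f"{cipher}:{'OK' if accepted else 'FAIL'}")
    return "\n".join(lines)


def scan(host, port):
    """Test every suite in every group against one host."""
    return {g: [(c, server_accepts(host, port, c)) for c in list_ciphers(g)]
            for g in GROUPS}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com:443"
    h, p = target.rsplit(":", 1)
    print(format_report(scan(h, int(p))))
```

Note that the suite list depends on the scanning machine's OpenSSL: a modern build no longer compiles in EXPORT or single-DES suites, so `openssl ciphers -v LOW` may come back empty there, and an empty group in the report means "not testable from this client", not "server refused everything".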