Checking SSL ciphers

This section contains user-submitted tutorials.
ObiWan
Senior user
Posts: 281
Joined: 2010-07-21 14:30
Location: Halfway between Germany and Egypt

Checking SSL ciphers

Post by ObiWan » 2015-03-02 09:49

I suppose most if not all the hMS users are aware of the latest SSL issues and vulnerabilities, issues which, to be fixed, need a reconfiguration of the SSL ciphers offered by the server. Now, once the server is reconfigured as desired, one may want to check it to ensure it isn't offering vulnerable or undesired cipher suites; here's how to run such a check.

Start by configuring hMS to enable SSL/TLS on whatever port you want; in this example I'll assume you configured IMAP to also use SSL on port 993 and that your server's public IP is 192.0.2.100. Now, once you've configured your SSL settings, just pick the attached tool. I picked the tool from the CVS here, rebuilt it and, once I noticed it didn't support TLS 1.1 and 1.2, slightly modified the code to support them too (in case you need the modified source, it's available here; I didn't include the VS project in the zip due to attachment size limitations).

Anyhow, assuming you have the tool ready, just fire up a command prompt and run "sslscan --no-failed 192.0.2.100:993". The program will then start, connect to the given IP/port and negotiate the security suites, showing the ones accepted by the server; the output will then show you the list of ciphers accepted by the server, the preferred ones and some details about the server certificate. For further information, just run "sslscan" without parameters and you'll see the program help (or have a look at the source code).

Attachment: SSLScan.zip (750.02 KiB) - SSLscan scanning tool

ObiWan
Senior user
Posts: 281
Joined: 2010-07-21 14:30
Location: Halfway between Germany and Egypt

Re: Checking SSL ciphers

Post by ObiWan » 2015-03-02 10:09

In case someone is curious to see what the output looks like...

D:\Tools\sslscan> sslscan --no-failed smtp.gmail.com:465
                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                  Version 1.9.2-win32
             http://www.titania.co.uk
 Copyright 2010 Ian Ventura-Whiting / Michael Boman
    Compiled against OpenSSL 1.0.1l 15 Jan 2015

Testing SSL server smtp.gmail.com on port 465

  Supported Server Cipher(s):
    accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA
    accepted  TLSv1.2  256 bits  AES256-SHA
    accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256
    accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA
    accepted  TLSv1.2  128 bits  AES128-GCM-SHA256
    accepted  TLSv1.2  128 bits  AES128-SHA
    accepted  TLSv1.2  128 bits  ECDHE-RSA-RC4-SHA
    accepted  TLSv1.2  128 bits  RC4-SHA
    accepted  TLSv1.2  128 bits  RC4-MD5
    accepted  TLSv1.2  112 bits  DES-CBC3-SHA
    accepted  TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA
    accepted  TLSv1.1  256 bits  AES256-SHA
    accepted  TLSv1.1  128 bits  ECDHE-RSA-AES128-SHA
    accepted  TLSv1.1  128 bits  AES128-SHA
    accepted  TLSv1.1  128 bits  ECDHE-RSA-RC4-SHA
    accepted  TLSv1.1  128 bits  RC4-SHA
    accepted  TLSv1.1  128 bits  RC4-MD5
    accepted  TLSv1.1  112 bits  DES-CBC3-SHA
    accepted  TLSv1    256 bits  ECDHE-RSA-AES256-SHA
    accepted  TLSv1    256 bits  AES256-SHA
    accepted  TLSv1    128 bits  ECDHE-RSA-AES128-SHA
    accepted  TLSv1    128 bits  AES128-SHA
    accepted  TLSv1    128 bits  ECDHE-RSA-RC4-SHA
    accepted  TLSv1    128 bits  RC4-SHA
    accepted  TLSv1    128 bits  RC4-MD5
    accepted  TLSv1    112 bits  DES-CBC3-SHA
    accepted  SSLv3    256 bits  ECDHE-RSA-AES256-SHA
    accepted  SSLv3    256 bits  AES256-SHA
    accepted  SSLv3    128 bits  ECDHE-RSA-AES128-SHA
    accepted  SSLv3    128 bits  AES128-SHA
    accepted  SSLv3    128 bits  ECDHE-RSA-RC4-SHA
    accepted  SSLv3    128 bits  RC4-SHA
    accepted  SSLv3    128 bits  RC4-MD5
    accepted  SSLv3    112 bits  DES-CBC3-SHA

  Prefered Server Cipher(s):
    SSLv3    128 bits  ECDHE-RSA-RC4-SHA
    TLSv1    128 bits  ECDHE-RSA-RC4-SHA
    TLSv1.1  128 bits  ECDHE-RSA-RC4-SHA
    TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256

  SSL Certificate:
    Version: 
    Serial Number: 4294967295
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: /C=US/O=Google Inc/CN=Google Internet Authority G2
    Not valid before: Jul 15 08:40:38 2014 GMT
    Not valid after: Apr  4 15:15:55 2015 GMT
    Subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
    Public Key Algorithm: rsaEncryption
    rsaEncryption Public Key: (2048 bit):
      Public-Key: (2048 bit)
      Modulus:
          00:ae:e2:f3:ab:2e:0c:8d:b0:78:9c:c4:13:91:80:
          ed:8e:39:f5:ca:c4:42:9b:f3:7d:0d:cc:db:ba:7a:
          5b:9b:6d:fd:53:e3:91:a2:94:1d:df:1e:00:d0:24:
          42:d1:c9:d4:d1:66:29:68:11:fb:fb:e4:08:3b:b9:
          14:0c:fc:cd:6d:93:ed:61:d7:cc:03:a4:96:5e:9b:
          ec:c5:98:97:2c:df:47:1c:04:dd:b5:0a:70:af:aa:
          c2:04:60:93:32:63:79:1c:57:8b:c3:c7:8e:1b:c7:
          a5:6f:10:09:89:f7:f9:22:14:9e:f1:45:49:42:72:
          1b:b9:61:53:85:a1:59:0c:68:46:b1:dd:45:9b:e4:
          5b:62:f6:97:bc:56:06:1d:6a:cb:a4:e7:76:9e:f1:
          9b:88:af:8a:45:7b:0f:5f:ad:ac:4e:7b:fe:8b:5c:
          46:8f:31:2c:3a:db:62:92:5a:9c:8a:fc:65:1b:68:
          0a:74:ee:15:75:d5:cf:8b:56:08:e5:50:34:e0:03:
          ed:a4:9c:38:a0:5a:b7:5b:fb:22:cb:f4:7b:f7:58:
          d2:d6:8c:40:07:15:68:44:71:ee:50:c1:5d:d2:37:
          c2:4b:81:ad:d1:6f:0d:8d:de:5a:bd:69:f9:10:b4:
          e9:e4:26:07:4c:50:6e:31:91:41:c6:aa:c7:20:80:
          c0:c9
      Exponent: 65537 (0x10001)

X509v3 Extended Key Usage: 
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name: 
DNS:smtp.gmail.com
Authority Information Access: 
CA Issuers - URI:http://pki.google.com/GIAG2.crt
OCSP - URI:http://clients1.google.com/ocsp

X509v3 Subject Key Identifier: 
9A:9D:90:6F:63:E4:67:8F:41:EA:B8:99:9A:7B:D0:09:BF:08:82:CD
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier: 
keyid:4A:DD:06:16:1B:BC:F6:68:B5:76:F5:81:B6:BB:62:1A:BA:5A:81:2F

X509v3 Certificate Policies: 
Policy: 1.3.6.1.4.1.11129.2.5.1

X509v3 CRL Distribution Points: 

Full Name:
  URI:http://pki.google.com/GIAG2.crl

Secure session renegotiations supported

D:\Tools\sslscan>
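As an added example (not part of ObiWan's posts or of the sslscan project), here is a small Python audit that parses output in the format shown above and flags the accepted suites a mail administrator would not want hMS to offer: obsolete or deprecated protocol versions, RC4, MD5, 3DES, export and NULL suites, and anything under 128 bits. The sample output is constructed (the hostname mail.example.com is illustrative), and the weak-suite policy is this example's own, not sslscan's.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample, not captured from a real server: an excerpt in the
# sslscan 1.9.x output format shown in the post above (hostname is illustrative).
SAMPLE_OUTPUT = """\
Testing SSL server mail.example.com on port 993

  Supported Server Cipher(s):
    accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA
    accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256
    accepted  TLSv1.2  128 bits  RC4-MD5
    accepted  TLSv1.2  112 bits  DES-CBC3-SHA
    accepted  TLSv1    128 bits  AES128-SHA
    accepted  SSLv3    128 bits  ECDHE-RSA-RC4-SHA
    rejected  SSLv3    112 bits  DES-CBC3-SHA

  Prefered Server Cipher(s):
    SSLv3    128 bits  ECDHE-RSA-RC4-SHA
    TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256
"""


class Cipher(NamedTuple):
    protocol: str
    bits: int
    name: str


# "accepted  TLSv1.2  128 bits  RC4-MD5" (a --no-failed run shows only these)
ACCEPTED_RE = re.compile(r"^\s*accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)\s*$")
# "SSLv3    128 bits  ECDHE-RSA-RC4-SHA" under the preferred-cipher heading
PREFERRED_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+bits\s+(\S+)\s*$")


def parse_output(output: str) -> Tuple[List[Cipher], List[Cipher]]:
    """Split sslscan text into (accepted suites, server-preferred suites)."""
    accepted: List[Cipher] = []
    preferred: List[Cipher] = []
    section = None
    for line in output.splitlines():
        if "Supported Server Cipher" in line:
            section = "accepted"
            continue
        if "Server Cipher(s):" in line:  # the "Prefered"/"Preferred" heading
            section = "preferred"
            continue
        if not line.strip():
            section = None  # a blank line ends the current section
            continue
        regex = ACCEPTED_RE if section == "accepted" else PREFERRED_RE
        m = regex.match(line) if section else None
        if m:
            target = accepted if section == "accepted" else preferred
            target.append(Cipher(m.group(1), int(m.group(2)), m.group(3)))
    return accepted, preferred


# Policy used by this example (an assumption, not sslscan's own classification).
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3"}      # should not be offered at all
DEPRECATED_PROTOCOLS = {"TLSv1", "TLSv1.1"}  # deprecated by RFC 8996
WEAK_SUITE_MARKERS = {                        # substrings of OpenSSL suite names
    "RC4": "RC4 stream cipher",
    "MD5": "MD5-based MAC",
    "DES-CBC3": "3DES (112-bit effective strength)",
    "EXP-": "export-grade key length",
    "NULL": "no encryption",
}


def weak_reasons(c: Cipher) -> List[str]:
    """Return why a suite should not be offered; an empty list means it passes."""
    reasons = []
    if c.protocol in OBSOLETE_PROTOCOLS:
        reasons.append(f"{c.protocol} is obsolete")
    elif c.protocol in DEPRECATED_PROTOCOLS:
        reasons.append(f"{c.protocol} is deprecated")
    for marker, why in WEAK_SUITE_MARKERS.items():
        if marker in c.name:
            reasons.append(why)
    if c.bits < 128:
        reasons.append(f"only {c.bits}-bit strength")
    return reasons


def audit(output: str) -> Dict[str, List[str]]:
    """Map 'PROTO NAME' to its reasons for every accepted suite failing the policy."""
    accepted, _ = parse_output(output)
    findings: Dict[str, List[str]] = {}
    for c in accepted:
        reasons = weak_reasons(c)
        if reasons:
            findings[f"{c.protocol} {c.name}"] = reasons
    return findings


if __name__ == "__main__":
    # Typical use: sslscan --no-failed mail.example.com:993 > scan.txt, then
    # audit(open("scan.txt").read()); here the constructed sample is used instead.
    for suite, reasons in audit(SAMPLE_OUTPUT).items():
        print(f"{suite}: {'; '.join(reasons)}")
    _, preferred = parse_output(SAMPLE_OUTPUT)
    print("Server-preferred:", ", ".join(f"{p.protocol} {p.name}" for p in preferred))
```

The preferred-cipher list is worth checking separately from the accepted list: a server may accept a strong suite yet still pick a weak one when the client offers both, as the SSLv3 and TLSv1 lines in the output above show.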

ObiWan
Senior user
Posts: 281
Joined: 2010-07-21 14:30
Location: Halfway between Germany and Egypt

Re: Checking SSL ciphers

Post by ObiWan » 2020-07-20 09:26

As a note, the latest version of SSLscan, which also checks for TLS 1.3, is available here

https://github.com/rbsec/sslscan

If you're not willing to build it yourself, you can pick the latest binary release here

https://github.com/rbsec/sslscan/releases

RvdH
Senior user
Posts: 3231
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Checking SSL ciphers

Post by RvdH » 2020-07-25 18:34

Thanks, useful ✔️
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

ObiWan
Senior user
Posts: 281
Joined: 2010-07-21 14:30
Location: Halfway between Germany and Egypt

Re: Checking SSL ciphers

Post by ObiWan » 2020-07-28 17:36

RvdH wrote:
2020-07-25 18:34
Thanks, useful ✔️
You're welcome; as for using it, here are a couple of examples

sslscan --starttls-smtp mail.example.com:25

sslscan --starttls-pop3 mail.example.com:110


The above two will check the "mail.example.com" server for supported SSL/TLS ciphers on SMTP and POP3; for further usage, just run the tool w/o any parameters and it will show a brief help.
