Security Basics mailing list archives
Re: Encryption Level of web site
From: "Dana Epp" <dana () vulscan com>
Date: Fri, 20 Jun 2003 12:27:55 -0700
Hey Patrick,

I don't have too much time right now to actually go and write something clean, but here is a quick and dirty perl script to get you started that I wrote during lunch. Basically it takes advantage of the OpenSSL libs through Net::SSLeay to make the calls I recommended in my last email a few days ago. It will connect to a target, get the cipher used during the connection and then barf the number of bits. Wouldn't be that hard to modify this to call get_cipher_list() and iterate through the list of available ciphers for you. I'll leave that to you to play with for now.

I tested this against a few SSL implementations around the lab, and it works fine under Perl on Linux, Cygwin/XP and OpenBSD. As I've only spent like 30 minutes on this, there is no real error checking, intelligence blah blah blah. Should be enough though to quickly probe a target and get the cipher and bits that you need. You will need some sort of perl implementation with Net::SSLeay installed.

I called the script get_ssl_bits.pl. Usage was:

./get_ssl_bits.pl target.domain.com 443

I also tested it against some other services other than HTTPS (IMAPS and SSMTP) by using the proper ports (993 and 465 respectively) and it works fine.

Have fun. Hope it's helpful.

#!/usr/bin/perl -w
# get_ssl_bits.pl
# Simple script to probe an SSL enabled target to get the cipher and the bits used by said cipher
# NOTE: This only probes the active connection/cipher in use. Check API to call available ciphers
# ie: get_cipher_list()
#
# Usage: get_ssl_bits.pl <target> <port>
#
use Socket;
use Net::SSLeay qw(die_now die_if_ssl_error);

# Prime the pump for the OpenSSL API
Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();
Net::SSLeay::randomize();

# Get the args.
# Usage: get_ssl_bits.pl <target> <port>
my ($target, $port) = @ARGV;
die "Usage: $0 <target> <port>\n" unless defined $target and defined $port;
# gethostbyname() in scalar context returns the packed IPv4 address
my $target_ip = gethostbyname( $target ) or die "gethostbyname: unknown host $target\n";
$port = getservbyname ($port, 'tcp') unless $port =~ /^\d+$/;
my $params = sockaddr_in( $port, $target_ip );

# Create the needed socket
socket ( S, &AF_INET, &SOCK_STREAM, 0 ) or die "socket: $!";
connect( S, $params ) or die "connect: $!";
select ( S ); $| = 1; select( STDOUT );   # unbuffered writes on the socket

# Create SSL context
my $ctx = Net::SSLeay::CTX_new() or die_now( "Failed to create SSL_CTX $!" );
Net::SSLeay::CTX_set_options( $ctx, &Net::SSLeay::OP_ALL ) and die_if_ssl_error( "ssl ctx set options" );
my $ssl = Net::SSLeay::new( $ctx ) or die_now( "Failed to create SSL $!" );

# Attach the socket to the descriptor
Net::SSLeay::set_fd( $ssl, fileno(S) );

# Ok lets hit the target
Net::SSLeay::connect( $ssl ) and die_if_ssl_error( "ssl connect" );
my $cipher = Net::SSLeay::get_cipher( $ssl );
my $cipher_bits = Net::SSLeay::get_cipher_bits( $ssl, 0 );

# Barf the results to Patrick
print "Connected with Cipher '$cipher' which is using $cipher_bits bits.\n";

# Tear down the connection
Net::SSLeay::free( $ssl );
Net::SSLeay::CTX_free( $ctx );
close S;

---
Regards,
Dana M. Epp

----- Original Message -----
From: "Patrick Boucher" <pboucher () gardienvirtuel com>
To: "Nicholas Diotte" <xphox () xphox net>
Cc: <security-basics () securityfocus com>
Sent: Thursday, June 19, 2003 11:08 AM
Subject: Re: Encryption Level of web site
Greetings,

Ok thank you for the information, but I am searching for a way to make a query on a remote WebServer (one I don't have access to) to know what are the permitted encryptions on it? If it is possible to talk to a https server that supports 40 bits encryption..

So I can tell the client: Your server should support only 128 bits.. Do you know of a script or way to know that? Without looking at the config files?

Thank you again for your time,
Patrick
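As an added example (not Dana's script, nor anything else from this thread), the same probe done with Python's ssl module, plus the cipher-list walk Dana points at with get_cipher_list(), filtered against the 128-bit floor Patrick wants to enforce. enumerate_ciphers() runs offline against the local OpenSSL; probe() needs network access and takes a placeholder host/port.

```python
"""Cipher-strength audit helpers (added example, not from the thread).

- probe(): connect and report the negotiated cipher and its bit length,
  the Python equivalent of get_ssl_bits.pl.
- enumerate_ciphers(): walk the ciphers OpenSSL would offer under a given
  cipher string, the client-side counterpart of get_cipher_list().
- weak_ciphers(): flag anything below the policy minimum (128 bits here).
"""
import socket
import ssl

MIN_BITS = 128  # the policy floor Patrick wants to report against


def enumerate_ciphers(cipher_spec="ALL"):
    """Return (name, protocol, bits) for every cipher enabled by the
    OpenSSL cipher string cipher_spec. Offline: no connection is made."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_spec)
    return [(c["name"], c["protocol"], c["strength_bits"])
            for c in ctx.get_ciphers()]


def weak_ciphers(ciphers, min_bits=MIN_BITS):
    """Filter a (name, protocol, bits) list down to entries under min_bits,
    i.e. the ciphers that would fail a '128 bits only' policy."""
    return [c for c in ciphers if c[2] < min_bits]


def probe(host, port=443, timeout=5.0):
    """Connect like get_ssl_bits.pl and return the negotiated
    (cipher, protocol, bits). Verification is switched off on purpose:
    we are after the cipher, not a trust decision. Not run by tests."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher()


if __name__ == "__main__":
    # Placeholder target, as in Dana's usage line
    name, proto, bits = probe("target.domain.com", 443)
    print(f"Connected with Cipher '{name}' ({proto}) which is using {bits} bits.")
    for weak in weak_ciphers(enumerate_ciphers()):
        print("below policy:", *weak)
```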