Re: How to: Check SSL version Numbers remotely

[offset <offset () ubersecurity org>]

Is there a list of all the possible SSL cipher checks somewhere?

I noticed that the openssl 'ciphers' manpage has a long list and also shows which
ciphers are not implemented by openssl, so I'm curious about the differences between
openssl and gnutls in terms of cipher support, or if they overlap, or if there are
ssl libs that support ciphers that openssl does not.

I noticed that my linux distro doesnt include the patented ciphers (IDEA, MDC2, RC5, EC), so I
had to "unhobble" my version of openssl to get more extensive checking.

The THCSSLCheck does not check for the NULL cipher, not sure how comprehensive Foundstone's
SSLDigger is.

In openssl, you can view the ciphers that your version supports via this command

openssl ciphers -v 'ALL:eNull'

-off

On Mon, Jun 19, 2006 at 07:48:51PM +0200, frank boldewin wrote:
> http://www.packetstormsecurity.org/groups/thc/THCSSLCheck.zip
>
>
> ----- Original Message ----- 
> From: "thomas springer" <tuevsec () gmx net>
> To: <pen-test () securityfocus com>
> Sent: Monday, June 19, 2006 11:23 AM
> Subject: Re: How to: Check SSL version Numbers remotely
>
>
> > Depends, what you mean with Version:
> >
> > 1) Version of SSL-Software/Libs (e.g. OpenSSL 0.9.7e or GnuTLS 1.4.0)
> > Most of thes are linked with Server-Software, e.g. Apache. You might
> > grab banners, especially Apache often reports the mod_ssl or
> > openssl-Versions and check the capabilites of the SSL-Lib (Supported
> > Protocols and Ciphers). These might give you a hint about software and
> > version, but neither of these will give you a really trustworthy
> > version-info of the used ssl-libs. I don't know any relyable method to
> > check this remote.
> >
> > 2) Version of default (and other supported) SSL-Protocols (e.g. SSL 2.0,
> > SSL 3.0, TLS 1.0, TLS 1.1)
> > Use GnuTLS, OpenSSL, a Foundstones SSL-Digger (beware: good, but
> > ancient!) or the SSL-Check at www.serversniff.net.
> >
> > 3) Version of default (and other supported) Ciphers (e.g. 3DES, AES 128,
> > RC4 ...)
> > Use GnuTLS, OpenSSL, a Foundstone SSL-Digger or the SSL-Check at
> > www.serversniff.net.
> >
> > thomas
> >
> > mikeiscool wrote:
> > > On 17 Jun 2006 19:27:42 -0000, 09Sparky () gmail com <09Sparky () gmail com>
> > > wrote:
> > > > What is the best way or tool used to check SSL Versions?  I need to
> > > > confirm whether or not a remote SSL Server is outdated?

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------