Re: Encryption Level of web site

["Dana Epp" <dana () vulscan com>]

Firstly, being that nessus uses nasl scripts and plugins from source, you
SHOULD be able to find out exactly what they are doing from there. Check
something like /usr/src/nessus/nessus-plugins/ to get a better
understanding. I would guess from your email that you want to know how the
SSL cipher checks work in nessus. I haven't taken a look, but I would guess
its pretty straight forward.

The trick is to connect to the server via SSL, and then find out the ciphers
available to the server by querying it. You can pretty much get all this
info by checking the RFC specs, but a lot of heavy lifting is done for you
already if you were to use something like the openssl libs, which should
work on the platforms you want to query from.

As a starting point I would check out http://www.openssl.org/docs/ and read
up on the SSL API. Basically you want to use a basic SSL connection
framework and call the ultra secret API call to do it all for ya....
SSL_get_ciphers(), which is the API call to get the list of available
ciphers for the given target. To get you started, I would check out
http://www.openssl.org/docs/ssl/ssl.html

Good luck. Happy hacking.

---
Regards,
Dana M. Epp


----- Original Message ----- 
From: "Patrick Boucher" <pboucher () gardienvirtuel com>
To: <security-basics () securityfocus com>
Sent: Wednesday, June 18, 2003 9:21 AM
Subject: Encryption Level of web site


> Greetings,
>
>   I would like to know what are the permited (and deny) encryption Level
on a
> Web Site.
>
>  Nessus tell me that my target host accept 40 bit, 56 bits and 128 bits
> encryptions..
>
> I would like to know how that information was obtained?
>
> How can i get that information?(Without using Nessus) In Linux and Windows
?
> Thank you.
> -- 
> Patrick Boucher
>
> --------------------------------------------------------------------------
-
> Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
> The Gartner Group just put Neoteris in the top of its Magic Quadrant,
> while InStat has confirmed Neoteris as the leader in marketshare.
>
> Find out why, and see how you can get plug-n-play secure remote access in
> about an hour, with no client, server changes, or ongoing maintenance.
>
> Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
> --------------------------------------------------------------------------
--
>


---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------