Tool for detecting enabled features and bugs in SSL and TLS servers

Many of the features and ciphersuites in Secure Sockets Layer (SSL) and Transport Layer Security (TLS) servers are not considered secure and safe to enable. To verify that they are not supported by a server, it is necessary to be able to advertise them in the first message send by the client in the TLS handshake – the Client Hello.

The cipherscan tool, does just that in order to discover the supported ciphersuites in a server. As a back-end it uses the openssl application. Unfortunately, as OpenSSL project is deprecating insecure old features it is also adding new features, causing no version of OpenSSL to be able to advertise and thus detect all the features of the protocol.

There are two possible solutions to this problem:

  1. create an openssl s_client compatible script that uses tlslite-ng internally
  2. extend the cscan.py to support detection of supported ciphers

The goal is to research possible upsides and downsides of either solution and then implement chosen solution so that scanning servers for TLS 1.3 and SSL 2 support is possible at the same time.

References

You must be logged in to perform this action!

Hubert Kario

Team:
Location: Brno