Friday, July 30, 2010

SSL/TLS Weak Cipher

While reviewing a Qualys report, I noticed the following: "QID: 38140 SSL Server Supports Weak Encryption Vulnerability". Of course one can verify Qualys findings one cipher at a time using openssl, but in order to verify all supported cipher-MAC combinations, I needed to find an automated tool. Here are some of the useful ones I found:
  1. Qualys SSL Labs - Good choice if you need to generate a presentable report for management.
  2. CryptoNark - In addition to checking SSL Ciphers, it also does HTTP Track/Trace check and 'Unsafe' URL check.  You will need to install some custom Perl modules to get it working.
  3. SSLscan - Comes bundled with BackTrack4.
It is a lot easier to quickly verify your remediation using these tools, as opposed to submitting another Qualys scan.
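
The one-cipher-at-a-time openssl check mentioned above can be looped over every suite the local OpenSSL build knows, which is useful for re-checking a server after remediation. This is an added example, not code from the original post or from any of the tools listed; the function names, the 128-bit threshold and the reliance on OpenSSL 1.1.1+ options are assumptions.

```shell
#!/bin/sh
# Added example: probe a server once per cipher suite with openssl s_client.
# Assumes OpenSSL 1.1.1+ (-no_tls1_3, @SECLEVEL). The local build must still
# include a cipher to be able to offer it; suites compiled out cannot be tested.

# classify LINE: label one line of `openssl ciphers -v` output WEAK or OK.
# Assumption: WEAK means no encryption or a symmetric key under 128 bits;
# this threshold is illustrative, not Qualys's definition for QID 38140.
classify() {
  bits=$(printf '%s\n' "$1" | sed -n 's/.*Enc=[^ (]*(\([0-9][0-9]*\)).*/\1/p')
  if [ -z "$bits" ] || [ "$bits" -lt 128 ]; then echo WEAK; else echo OK; fi
}

# probe HOST:PORT CIPHER: succeed only if the server completes a handshake
# with exactly this suite. TLS 1.3 is disabled because -cipher does not
# restrict TLS 1.3 suites, which would otherwise mask the result.
probe() {
  openssl s_client -connect "$1" -cipher "$2:@SECLEVEL=0" -no_tls1_3 \
    </dev/null 2>/dev/null | grep -q "Cipher is $2\$"
}

# scan HOST:PORT: print every accepted suite with its classification.
# Names that -cipher cannot select (TLS 1.3 suites) fail the probe and are skipped.
scan() {
  openssl ciphers -v 'ALL:eNULL:@SECLEVEL=0' | while read -r name rest; do
    if probe "$1" "$name"; then
      printf '%-5s %s\n' "$(classify "$name $rest")" "$name"
    fi
  done
}

if [ -n "${1:-}" ]; then
  scan "$1"            # e.g. ./cipher-check.sh host.example:443 (placeholder host)
else
  # No target given: classify constructed sample lines, no network needed.
  classify 'EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export'
  classify 'AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1'
fi
```

An empty result only means the server refused every suite this OpenSSL build could offer; a scanner built with legacy ciphers enabled may still find more.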

Update (6/21/11): Here is a new tool from Leviathan Security to help test for the SSL renegotiation vulnerability (also see "(Really) Testing for SSL/TLS Re-negotiation").

Cheers,
VVK
