ssl-cipher-check
February 16th, 2009 Posted in Computers, Intarweb, Software, Unspecific
I wanted a simple way to verify all the SSL ciphers a website could use (thanks PCI). I just needed something simple, not running a full-blown vuln scanner, and all the tools I could find (thanks THC) were Windows based. So I wrote a very simple script… ssl-cipher-check.
It starts by pulling a list of all the ciphers supported by the openssl client. Then it tries to connect to the server, on the specified port or 443 if a port is not given, and records the output to a log file called ssl-dump.log. Because all of this happens before any protocol-specific commands, this will work with HTTP, POP, IMAP or any SSL-enabled protocol.
*UPDATE 2/17/2009* I threw this together quickly, so I noticed some problems and fixed them. I uploaded v0.2 now. I added a few flags. *S is self-signed, *E (<DATE>) is expired, with the expiry date, and *V is unable to verify using your local Mozilla cert directory for verifying CA certs.
*UPDATE 2/19/2009* I added ADH ciphers to the badlist. Thanks to @djtechnocrat for pointing out I forgot to include the ADH ciphers in the “bad” list. v0.3a
DOWNLOAD SCRIPT – DOWNLOAD SAMPLE LOG
The default output is a list of each cipher used and a SUCCESS or FAIL. Example:
./ssl-cipher-check mail.yahoo.com
Mon Feb 16 17:17:28 2009 START
Testing mail.yahoo.com:443
TLS1:ADH-AES128-SHA – FAIL
SSLv2:ADH-AES128-SHA – FAIL
SSLv3:ADH-AES128-SHA – FAIL
TLS1:ADH-AES256-SHA – FAIL
SSLv2:ADH-AES256-SHA – FAIL
SSLv3:ADH-AES256-SHA – FAIL
TLS1:ADH-DES-CBC-SHA – FAIL
SSLv2:ADH-DES-CBC-SHA – FAIL
SSLv3:ADH-DES-CBC-SHA – FAIL
TLS1:ADH-DES-CBC3-SHA – FAIL
SSLv2:ADH-DES-CBC3-SHA – FAIL
SSLv3:ADH-DES-CBC3-SHA – FAIL
TLS1:ADH-RC4-MD5 – FAIL
SSLv2:ADH-RC4-MD5 – FAIL
SSLv3:ADH-RC4-MD5 – FAIL
TLS1:AES128-SHA – SUCCESS
SSLv2:AES128-SHA – FAIL
SSLv3:AES128-SHA – SUCCESS
TLS1:AES256-SHA – SUCCESS
SSLv2:AES256-SHA – FAIL
SSLv3:AES256-SHA – SUCCESS
TLS1:DES-CBC-MD5 – FAIL
SSLv2:DES-CBC-MD5 – SUCCESS
SSLv3:DES-CBC-MD5 – FAIL
TLS1:DES-CBC-SHA – SUCCESS
SSLv2:DES-CBC-SHA – FAIL
SSLv3:DES-CBC-SHA – SUCCESS
TLS1:DES-CBC3-MD5 – FAIL
SSLv2:DES-CBC3-MD5 – SUCCESS
SSLv3:DES-CBC3-MD5 – FAIL
TLS1:DES-CBC3-SHA – SUCCESS
SSLv2:DES-CBC3-SHA – FAIL
SSLv3:DES-CBC3-SHA – SUCCESS
TLS1:DHE-DSS-AES128-SHA – FAIL
SSLv2:DHE-DSS-AES128-SHA – FAIL
SSLv3:DHE-DSS-AES128-SHA – FAIL
TLS1:DHE-DSS-AES256-SHA – FAIL
SSLv2:DHE-DSS-AES256-SHA – FAIL
SSLv3:DHE-DSS-AES256-SHA – FAIL
TLS1:DHE-RSA-AES128-SHA – FAIL
SSLv2:DHE-RSA-AES128-SHA – FAIL
SSLv3:DHE-RSA-AES128-SHA – FAIL
TLS1:DHE-RSA-AES256-SHA – FAIL
SSLv2:DHE-RSA-AES256-SHA – FAIL
SSLv3:DHE-RSA-AES256-SHA – FAIL
TLS1:EDH-DSS-DES-CBC-SHA – FAIL
SSLv2:EDH-DSS-DES-CBC-SHA – FAIL
SSLv3:EDH-DSS-DES-CBC-SHA – FAIL
TLS1:EDH-DSS-DES-CBC3-SHA – FAIL
SSLv2:EDH-DSS-DES-CBC3-SHA – FAIL
SSLv3:EDH-DSS-DES-CBC3-SHA – FAIL
TLS1:EDH-RSA-DES-CBC-SHA – FAIL
SSLv2:EDH-RSA-DES-CBC-SHA – FAIL
SSLv3:EDH-RSA-DES-CBC-SHA – FAIL
TLS1:EDH-RSA-DES-CBC3-SHA – FAIL
SSLv2:EDH-RSA-DES-CBC3-SHA – FAIL
SSLv3:EDH-RSA-DES-CBC3-SHA – FAIL
TLS1:EXP-ADH-DES-CBC-SHA – FAIL
SSLv2:EXP-ADH-DES-CBC-SHA – FAIL
SSLv3:EXP-ADH-DES-CBC-SHA – FAIL
TLS1:EXP-ADH-RC4-MD5 – FAIL
SSLv2:EXP-ADH-RC4-MD5 – FAIL
SSLv3:EXP-ADH-RC4-MD5 – FAIL
TLS1:EXP-DES-CBC-SHA – SUCCESS
SSLv2:EXP-DES-CBC-SHA – FAIL
SSLv3:EXP-DES-CBC-SHA – SUCCESS
TLS1:EXP-EDH-DSS-DES-CBC-SHA – FAIL
SSLv2:EXP-EDH-DSS-DES-CBC-SHA – FAIL
SSLv3:EXP-EDH-DSS-DES-CBC-SHA – FAIL
TLS1:EXP-EDH-RSA-DES-CBC-SHA – FAIL
SSLv2:EXP-EDH-RSA-DES-CBC-SHA – FAIL
SSLv3:EXP-EDH-RSA-DES-CBC-SHA – FAIL
TLS1:EXP-RC2-CBC-MD5 – SUCCESS
SSLv2:EXP-RC2-CBC-MD5 – SUCCESS
SSLv3:EXP-RC2-CBC-MD5 – SUCCESS
TLS1:EXP-RC2-CBC-MD5 – SUCCESS
SSLv2:EXP-RC2-CBC-MD5 – SUCCESS
SSLv3:EXP-RC2-CBC-MD5 – SUCCESS
TLS1:EXP-RC4-MD5 – SUCCESS
SSLv2:EXP-RC4-MD5 – SUCCESS
SSLv3:EXP-RC4-MD5 – SUCCESS
TLS1:EXP-RC4-MD5 – SUCCESS
SSLv2:EXP-RC4-MD5 – SUCCESS
SSLv3:EXP-RC4-MD5 – SUCCESS
TLS1:NULL-MD5 – FAIL
SSLv2:NULL-MD5 – FAIL
SSLv3:NULL-MD5 – FAIL
TLS1:NULL-SHA – FAIL
SSLv2:NULL-SHA – FAIL
SSLv3:NULL-SHA – FAIL
TLS1:RC2-CBC-MD5 – FAIL
SSLv2:RC2-CBC-MD5 – SUCCESS
SSLv3:RC2-CBC-MD5 – FAIL
TLS1:RC4-MD5 – SUCCESS
SSLv2:RC4-MD5 – SUCCESS
SSLv3:RC4-MD5 – SUCCESS
TLS1:RC4-MD5 – SUCCESS
SSLv2:RC4-MD5 – SUCCESS
SSLv3:RC4-MD5 – SUCCESS
TLS1:RC4-SHA – SUCCESS
SSLv2:RC4-SHA – FAIL
SSLv3:RC4-SHA – SUCCESS
Mon Feb 16 17:17:39 2009 FINISHED
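One way to triage a report in the format shown above: keep only the suites the server accepted and flag the ones a PCI-style review would ask to disable. This is an added example, not part of ssl-cipher-check itself; the sample report is constructed, and the rule list and the name weak_accepted are assumptions, since the script's own "bad" list is not shown on this page beyond the ADH entry.

```python
import re

# Constructed excerpt in the report format shown above (not a real scan).
SAMPLE = """\
Testing example.test:443
TLS1:ADH-AES128-SHA - FAIL
TLS1:AES128-SHA - SUCCESS
SSLv3:AES128-SHA - SUCCESS
SSLv2:DES-CBC3-MD5 - SUCCESS
TLS1:DES-CBC-SHA - SUCCESS
TLS1:DES-CBC3-SHA - SUCCESS
TLS1:EXP-RC4-MD5 - SUCCESS
TLS1:EXP-RC4-MD5 – SUCCESS
TLS1:NULL-SHA - FAIL
TLS1:RC4-SHA - SUCCESS
"""

LINE = re.compile(r"^(TLS1|SSLv2|SSLv3):(\S+)\s+[-\u2013]\s+(SUCCESS|FAIL)\s*$")

# Assumed weak-suite rules for this example, matched against OpenSSL cipher
# names; extend the list to match the policy you are auditing against.
RULES = [
    ("anonymous DH, no server authentication", re.compile(r"(^|-)ADH-")),
    ("export-grade key length", re.compile(r"^EXP-")),
    ("no encryption", re.compile(r"^NULL-")),
    ("single DES, 56-bit key", re.compile(r"(^|-)DES-CBC-")),
]

def weak_accepted(report):
    """Return sorted (protocol, cipher, reasons) for each weak suite accepted."""
    findings = {}
    for raw in report.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(3) != "SUCCESS":
            continue  # timestamps, the "Testing ..." header, refused suites
        proto, cipher = m.group(1), m.group(2)
        reasons = [why for why, pat in RULES if pat.search(cipher)]
        if proto == "SSLv2":
            reasons.insert(0, "SSLv2 protocol")
        if reasons:
            findings[(proto, cipher)] = reasons  # key drops repeated lines
    return [(p, c, findings[(p, c)]) for p, c in sorted(findings)]

if __name__ == "__main__":
    for proto, cipher, reasons in weak_accepted(SAMPLE):
        print(f"{proto}:{cipher}: {'; '.join(reasons)}")
```

The parser accepts both a plain hyphen and the en dash that appears in the listing above, and repeated lines for the same protocol and cipher collapse into one finding.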
5 Responses to “ssl-cipher-check”
By Ramkumar on Feb 28, 2009
Thanks a lot. Was very useful.
By Brakaka on Apr 18, 2009
Is http://www.discryptor.net/ safe?
By Dan on Aug 31, 2009
Is your code available for download?
By CG on Nov 23, 2009
Can you repost the script?
By MadHat Unspecific on Nov 23, 2009
It is still up at http://www.unspecific.com/ssl/
ssl-cipher-check.pl – The script itself.
mkcabundle.pl – The CA bundle creation script.