As you should know by now, TLS is a means of transparently securing data connections between hosts. It is used to secure a host of applications, from web, mail, FTP and VPN to various other apps.
It uses a combination of symmetric and asymmetric encryption methods for encryption and key exchange.
In this post we will look at a few scripts that test cipher support using openssl. The openssl tool is a very powerful application and does a host of things, from crafting a CSR (certificate signing request) and signing your own certs to connecting to ports to test and debug SSL negotiations. It can also be used just to
interpret a certificate and extract the key and start/end dates.
1st
How do we check which ciphers a website will accept?
sahel01:~ kfelix$ cat openssl.sh
#!/usr/bin/env bash
# Usage: ./openssl.sh host:port   (OpenSSL requires the port number.)
[ $# -eq 1 ] || { echo "usage: $0 host:port" >&2; exit 2; }
DELAY=1
# Every suite this OpenSSL build knows, including the unencrypted NULL ones.
# (OpenSSL 1.1.1+: TLS 1.3 suites are chosen with -ciphersuites, not -cipher.)
ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')
echo "Obtaining cipher list from $(openssl version)."
for cipher in $ciphers
do
  echo -n "Testing $cipher..."
  # stdin is closed so s_client exits after the handshake; stderr is merged
  # so the error reason can be parsed below.
  result=$(echo -n | openssl s_client -cipher "$cipher" -connect "$1" 2>&1)
  # Match the exact suite: after a failed handshake s_client still prints
  # "New, (NONE), Cipher is (NONE)", which "Cipher is " alone would count as YES.
  if [[ "$result" =~ "Cipher is $cipher" ]] ; then
    echo YES
  else
    if [[ "$result" =~ ":error:" ]] ; then
      # Field 6 of an OpenSSL error line is the human-readable reason.
      error=$(printf '%s\n' "$result" | grep ':error:' | head -n 1 | cut -d':' -f6)
      echo "NO ($error)"
    else
      echo UNKNOWN RESPONSE
      echo "$result"
    fi
  fi
  sleep $DELAY
done
2nd
How do we ensure that an MX gateway supports secured SMTP (STARTTLS)?
sahel01:~ kfelix$ cat openssl_smtp.sh
#!/usr/bin/env bash
# Usage: ./openssl_smtp.sh mx-hostname   (the port is fixed below)
[ $# -eq 1 ] || { echo "usage: $0 mx-hostname" >&2; exit 2; }
DELAY=1
ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')
# Plain SMTP port, upgraded with STARTTLS. SMTPS on 465 would instead use
# -connect host:465 without -starttls.
smtps=25
echo "Obtaining cipher list from $(openssl version)."
for cipher in $ciphers
do
  echo -n "Testing $cipher..."
  # -starttls smtp speaks EHLO/STARTTLS before the TLS handshake; -crlf
  # translates typed line feeds to the CR+LF that SMTP expects. stderr is
  # merged so the error reason can be parsed below.
  result=$(echo -n | openssl s_client -cipher "$cipher" -crlf -state -connect "$1:$smtps" -starttls smtp 2>&1)
  # Exact suite match; see the note in openssl.sh about "Cipher is (NONE)".
  if [[ "$result" =~ "Cipher is $cipher" ]] ; then
    echo YES
  else
    if [[ "$result" =~ ":error:" ]] ; then
      error=$(printf '%s\n' "$result" | grep ':error:' | head -n 1 | cut -d':' -f6)
      echo "NO ($error)"
    else
      echo UNKNOWN RESPONSE
      echo "$result"
    fi
  fi
  sleep $DELAY
done
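Both scripts above print a YES or NO per suite and leave it to the reader to decide which of the accepted suites are a problem. The script below is an added example, not part of the original post: it probes in the same one-suite-at-a-time way (plain TLS, or STARTTLS for the MX case) and marks accepted suites that are weak by name, so the report says what to turn off on the server. The function names, the weak-suite patterns and the sample s_client output used to exercise the parser are my own constructions, not anything from the post.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: probe one suite at a time
# exactly as openssl.sh and openssl_smtp.sh do, then flag accepted suites
# that are weak by name, so the report says what to turn off.
# Usage: ./cipher_audit.sh host:port                 plain TLS (HTTPS, IMAPS, ...)
#        ./cipher_audit.sh mx.example.test:25 smtp   STARTTLS (any s_client protocol)

# Classify a suite by its OpenSSL name. Prints a reason and returns 0 for a
# weak suite; prints nothing and returns 1 otherwise. The 3DES pattern comes
# before the generic DES one on purpose. (Pattern list is my own assumption.)
weak_cipher_reason() {
  case "$1" in
    *NULL*)         echo "no encryption" ;;
    *EXP*)          echo "export-grade key length" ;;
    ADH-*|AECDH-*)  echo "anonymous key exchange, no server authentication" ;;
    *RC4*)          echo "RC4" ;;
    *DES-CBC3*)     echo "3DES, 64-bit block" ;;
    *DES*)          echo "single DES" ;;
    *MD5*)          echo "MD5-based MAC" ;;
    *)              return 1 ;;
  esac
}

# Turn one merged stdout+stderr s_client run for suite $1 into a verdict:
# YES, NO (<reason>) or UNKNOWN. The suite name is matched exactly and at
# end of line, because after a failed handshake s_client still prints
# "New, (NONE), Cipher is (NONE)", which a bare "Cipher is " test accepts.
probe_verdict() {
  local cipher="$1" out="$2" reason
  if printf '%s\n' "$out" | grep -q "Cipher is ${cipher}\$"; then
    echo YES
  elif printf '%s\n' "$out" | grep -q ':error:'; then
    # Field 6 of an OpenSSL error line is the human-readable reason.
    reason=$(printf '%s\n' "$out" | grep ':error:' | head -n 1 | cut -d: -f6)
    echo "NO ($reason)"
  else
    echo UNKNOWN
  fi
}

# Probe every suite this OpenSSL build knows (NULL suites included) against
# $1; $2, if given, is an s_client -starttls protocol such as smtp or imap.
# With OpenSSL 1.1.1+, TLS 1.3 suites are governed by -ciphersuites, so this
# loop reports on TLS 1.2 and earlier.
audit() {
  local target="$1" proto="${2:-}" extra="" cipher out verdict reason
  if [ -n "$proto" ]; then extra="-crlf -starttls $proto"; fi
  for cipher in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
    # $extra is deliberately unquoted so it splits into separate options.
    out=$(openssl s_client -cipher "$cipher" -connect "$target" $extra </dev/null 2>&1)
    verdict=$(probe_verdict "$cipher" "$out")
    if [ "$verdict" = YES ] && reason=$(weak_cipher_reason "$cipher"); then
      printf '%-40s YES   ** WEAK: %s\n' "$cipher" "$reason"
    else
      printf '%-40s %s\n' "$cipher" "$verdict"
    fi
  done
}

if [ $# -ge 1 ]; then
  audit "$@"
else
  echo "usage: $0 host:port [starttls-protocol]" >&2
fi
```

The parsing is kept in its own function so it can be exercised against captured s_client output without touching a live host; the weak-suite list is a starting point to adjust to your own policy.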
3rd
How do we validate a web site's certificate to see if it has expired?
sahel01:~ kfelix$ openssl s_client -connect www.google.com:443 | openssl x509 -noout -dates
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
notBefore=Feb 20 13:34:56 2013 GMT
notAfter=Jun 7 19:43:27 2013 GMT
4th
How about the public key?
sahel01:~ kfelix$ openssl s_client -connect www.google.com:443 | openssl x509 -noout -pubkey
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDg9RWzMhtCE/CTothJekVXIgSa
eBDX05KSdr5/x1KvoI6a5lDcS0r3Cvg/LwaZKvDeNUL/vNj8k7mSAdKYNgiX7NOw
ufmQEJ8JtNQ4kIzP49oym+RnoDgUWJ4G0ZAD0hgrn8ycvkAVm3dYbanHiERBCPyR
+6VBoIPdF1EIAXXQWwIDAQAB
-----END PUBLIC KEY-----
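The 3rd and 4th steps pipe an interactive s_client session into openssl x509. The "verify error:num=20:unable to get local issuer certificate" lines in that output mean s_client had no CA bundle to build the chain against (give it one with -CAfile or -CApath); they do not affect the dates or key that are printed. The script below is an added example, not part of the original post: it fetches the certificate non-interactively, prints the same validity dates, warns when the certificate is close to expiry using openssl x509 -checkend, and hashes the public key in the SubjectPublicKeyInfo form used for public-key pinning. The function names and the 30-day default are my assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: fetch a server certificate
# non-interactively, show its validity window, warn when it expires within
# N days, and print the SHA-256 of its public key (SPKI) for pinning.
# Usage: ./cert_check.sh host:port [warn-days]   (warn-days defaults to 30)

# Fetch the leaf certificate for host:port ($1) into PEM file $2. stdin is
# redirected from /dev/null so s_client exits after the handshake instead of
# waiting for input; -servername sends SNI for virtually hosted sites.
fetch_cert() {
  openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$2"
}

# Print the notBefore/notAfter lines, as in the post.
cert_dates() { openssl x509 -noout -dates -in "$1"; }

# Return 0 if the certificate in $1 expires within $2 seconds (or already
# has), 1 otherwise. openssl x509 -checkend exits 0 when the certificate is
# still valid for the whole window, so the sense is inverted here.
cert_expires_within() {
  if openssl x509 -noout -checkend "$2" -in "$1" >/dev/null; then
    return 1
  fi
  return 0
}

# Base64 SHA-256 of the DER-encoded SubjectPublicKeyInfo, derived from the
# same -pubkey output the post shows; this is the value used for pinning.
cert_spki_sha256() {
  openssl x509 -noout -pubkey -in "$1" \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64
}

main() {
  target=$1; warn_days=${2:-30}
  tmp=$(mktemp) || exit 1
  trap 'rm -f "$tmp"' EXIT
  fetch_cert "$target" "$tmp" || { echo "could not fetch certificate from $target" >&2; exit 1; }
  cert_dates "$tmp"
  if cert_expires_within "$tmp" $((warn_days * 86400)); then
    echo "WARNING: certificate expires within $warn_days days"
  fi
  echo "SPKI sha256: $(cert_spki_sha256 "$tmp")"
}

if [ $# -ge 1 ]; then
  main "$@"
else
  echo "usage: $0 host:port [warn-days]" >&2
fi
```

The expiry check is delegated to -checkend rather than parsing the notAfter text, which avoids the date-format differences between GNU and BSD date; the SPKI hash is the same whether you compute it from the served certificate or from the private key, which makes it a convenient way to confirm a renewed certificate still carries the expected key.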
Ken Felix
Freelance Network/Security Engineer
kfelix at hyperfeed d-o-t com