Thursday, February 28, 2013

Testing for TLS support WWW/SMTP with openssl

As you should know by now, TLS is a means of transparently securing data connections between hosts. It is used to protect a whole range of applications, from web, mail, FTP and VPN traffic to many other protocols.

It combines asymmetric cryptography (for key exchange and server authentication) with symmetric encryption (for the data itself).

In this post we will look at a few scripts that test cipher support using openssl. The openssl tool is a very powerful application and does a host of things, from crafting a CSR (certificate signing request) and signing your own certs to connecting to ports to test and debug SSL/TLS negotiations. It can also be used just to interpret a certificate and extract the public key and the start/end dates.

1st 

How do we check which ciphers a website will accept?

 sahel01:~ kfelix$ cat openssl.sh
#!/usr/bin/env bash

# Usage: ./openssl.sh host:port
# OpenSSL requires the port number, e.g. www.example.com:443
DELAY=1
ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')

echo Obtaining cipher list from $(openssl version).

for cipher in $ciphers
do
echo -n Testing $cipher...
# stderr is merged in so the ":error:" test below can see the failure reason
result=$(echo -n | openssl s_client -cipher "$cipher" -connect "$1" 2>&1)
# A completed handshake prints "Cipher is <name>"; newer OpenSSL builds
# print "Cipher is (NONE)" on a failed one, so that must not count as YES.
if [[ "$result" =~ "Cipher is " && ! "$result" =~ "Cipher is (NONE)" ]] ; then
  echo YES
else
  if [[ "$result" =~ ":error:" ]] ; then
    # error lines look like <id>:error:<code>:<lib>:<function>:<reason>:<file>:<line>:
    # so the readable reason is field 6 of the first such line
    error=$(echo "$result" | grep -m1 ':error:' | cut -d':' -f6)
    echo NO \($error\)
  else
    echo UNKNOWN RESPONSE
    echo $result
  fi
fi
sleep $DELAY
done

2nd 

How do we check that an MX gateway supports STARTTLS (opportunistic TLS on port 25)? Note that this is not the same as SMTPS, which is implicit TLS on port 465; the script below tests the STARTTLS upgrade.

 sahel01:~ kfelix$ cat openssl_smtp.sh
#!/usr/bin/env bash

# Usage: ./openssl_smtp.sh mx.example.com
# OpenSSL requires the port number. Port 25 with -starttls smtp tests the
# STARTTLS upgrade; implicit TLS (SMTPS) would be port 465 without -starttls.
DELAY=1
ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')
smtp_port=25

echo Obtaining cipher list from $(openssl version).

for cipher in $ciphers
do
echo -n Testing $cipher...
# the MX host is the script's first argument; stderr is merged in so the
# ":error:" test below can see the failure reason
result=$(echo -n | openssl s_client -cipher "$cipher" -crlf -state -connect "$1:$smtp_port" -starttls smtp 2>&1)
# "Cipher is (NONE)" is what newer builds print on a failed handshake
if [[ "$result" =~ "Cipher is " && ! "$result" =~ "Cipher is (NONE)" ]] ; then
  echo YES
else
  if [[ "$result" =~ ":error:" ]] ; then
    # the readable reason is field 6 of the colon-separated error line
    error=$(echo "$result" | grep -m1 ':error:' | cut -d':' -f6)
    echo NO \($error\)
  else
    echo UNKNOWN RESPONSE
    echo $result
  fi
fi
sleep $DELAY
done
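Both scripts above make the same YES/NO/UNKNOWN decision on s_client's output, and both are caught out by one detail: newer OpenSSL builds print "New, (NONE), Cipher is (NONE)" on a failed handshake, which a bare match on "Cipher is " reports as YES. The following is an added example, not code from the original post: it factors that decision into a function, extracts the failure reason the way the scripts do, and wraps the live loop (with SNI, and with stdin closed so s_client returns promptly) in probe_ciphers. The three transcripts at the bottom are constructed samples, not captures from a real host, and the function and host names are mine.

```shell
#!/bin/sh
# Added example, not code from the original post. Classifies the output of
# "openssl s_client -cipher X ... 2>&1" as the two scripts do, but treats
# "Cipher is (NONE)" as a failure. Sample transcripts are constructed.

# negotiated_cipher OUTPUT: print the name from the "New, <proto>, Cipher is <name>" line
negotiated_cipher() {
    printf '%s\n' "$1" | sed -n 's/^New, .*, Cipher is \(.*\)$/\1/p' | head -n 1
}

# classify_handshake OUTPUT: print YES, NO (reason) or UNKNOWN;
# exit status 0, 1 or 2 respectively.
classify_handshake() {
    out=$1
    cipher=$(negotiated_cipher "$out")
    if [ -n "$cipher" ] && [ "$cipher" != "(NONE)" ]; then
        echo "YES"
        return 0
    fi
    case "$out" in
        *:error:*)
            # OpenSSL error lines are colon separated:
            #   <id>:error:<code>:<lib>:<function>:<reason>:<file>:<line>:...
            # so the human-readable reason is field 6 of the first such line.
            reason=$(printf '%s\n' "$out" | grep ':error:' | head -n 1 | cut -d: -f6)
            echo "NO ($reason)"
            return 1
            ;;
    esac
    echo "UNKNOWN"
    return 2
}

# probe_ciphers HOST:PORT [STARTTLS_PROTOCOL]
# Live version of the loop in the two scripts (needs network; not run by the samples).
# -cipher selects TLS 1.2 and earlier suites only; on OpenSSL 1.1.1+ the
# TLS 1.3 suites are chosen with -ciphersuites instead.
probe_ciphers() {
    target=$1
    starttls=""
    [ -n "${2:-}" ] && starttls="-starttls $2"
    for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
        out=$(openssl s_client -cipher "$c" -servername "${target%%:*}" \
                -connect "$target" $starttls </dev/null 2>&1)
        printf '%-40s %s\n' "$c" "$(classify_handshake "$out")"
    done
}

# Constructed sample transcripts (the shape s_client output has with 2>&1).
SAMPLE_OK='CONNECTED(00000003)
depth=0 CN = mail.example.test
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
---'
SAMPLE_FAIL='CONNECTED(00000003)
139880513656640:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1493:SSL alert number 40
---
New, (NONE), Cipher is (NONE)
---'
SAMPLE_REFUSED='connect: Connection refused
connect:errno=111'

if [ -n "${1:-}" ]; then
    probe_ciphers "$1" "${2:-}"          # e.g. ./probe.sh mx.example.test:25 smtp
else
    for s in "$SAMPLE_OK" "$SAMPLE_FAIL" "$SAMPLE_REFUSED"; do
        classify_handshake "$s" || true  # YES / NO (sslv3 alert handshake failure) / UNKNOWN
    done
fi
```

Run it with no arguments to see the three sample verdicts, or with host:port (and optionally smtp, imap, pop3 or ftp as the STARTTLS protocol) to run the live sweep. Keep in mind that a YES only says the server will negotiate that suite with this client; it says nothing about the server's preference order, and the eNULL entries in the list are there precisely so that a YES on a NULL cipher stands out.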

3rd

How do we check a web site's certificate to see whether it has expired?

sahel01:~ kfelix$ openssl s_client -connect www.google.com:443 </dev/null | openssl x509 -noout -dates
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
notBefore=Feb 20 13:34:56 2013 GMT
notAfter=Jun  7 19:43:27 2013 GMT

The </dev/null closes s_client's stdin so it returns as soon as the handshake is done instead of waiting for you to type. The "verify error:num=20" lines are s_client talking on stderr: they only mean this openssl build could not find the issuer certificate in its local trust store (point it at a CA bundle with -CAfile or -CApath), and they have no effect on the dates x509 prints. Also note that x509 -dates prints the validity window but does not judge it, so either compare notAfter against today's date yourself or use openssl x509 -checkend <seconds>, which exits non-zero when the certificate expires within that many seconds.
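x509 -dates prints the validity window and leaves the arithmetic to you. The following is an added example, not code from the original post: it turns the notAfter= line into a days-remaining figure and an OK/WARN/EXPIRED verdict that a cron job can alert on, and check_host fetches the leaf certificate the way the command above does. It assumes GNU date (the -d option), i.e. a typical Linux box; the sample is the notAfter line printed above, evaluated as of the post's date, and check_host needs network access and is not exercised by the sample.

```shell
#!/bin/sh
# Added example, not code from the original post. Converts the notAfter=
# line from "openssl x509 -noout -dates" into days remaining and a verdict.
# Assumes GNU date (-d); check_host assumes network access.

# notafter_epoch LINE: "notAfter=Jun  7 19:43:27 2013 GMT" -> seconds since the epoch
notafter_epoch() {
    date -u -d "${1#notAfter=}" +%s 2>/dev/null
}

# days_until_expiry LINE [NOW_EPOCH]
# NOW_EPOCH defaults to the current time; it is a parameter so results are reproducible.
days_until_expiry() {
    exp=$(notafter_epoch "$1") || return 2
    now=${2:-$(date -u +%s)}
    echo $(( (exp - now) / 86400 ))
}

# check_expiry LINE WARN_DAYS [NOW_EPOCH]
# prints OK / WARN / EXPIRED / UNKNOWN with exit status 0 / 1 / 2 / 3
check_expiry() {
    exp=$(notafter_epoch "$1") || { echo "UNKNOWN (unparseable date)"; return 3; }
    now=${3:-$(date -u +%s)}
    if [ "$exp" -le "$now" ]; then
        echo "EXPIRED"
        return 2
    fi
    days=$(( (exp - now) / 86400 ))
    if [ "$days" -lt "$2" ]; then
        echo "WARN ($days days left)"
        return 1
    fi
    echo "OK ($days days left)"
    return 0
}

# check_host HOST:PORT [WARN_DAYS]: fetch the leaf certificate as in the post
# (with SNI, and stdin closed so s_client does not wait) and judge it.
check_host() {
    host=${1%%:*}
    line=$(openssl s_client -servername "$host" -connect "$1" </dev/null 2>/dev/null \
           | openssl x509 -noout -enddate)
    check_expiry "$line" "${2:-30}"
}

if [ -n "${1:-}" ]; then
    check_host "$1" "${2:-30}"           # e.g. ./expiry.sh www.example.test:443 14
else
    # Constructed sample: the notAfter line from the post, judged as of
    # 28 Feb 2013 00:00 UTC (epoch 1362009600, the post's date) and as of today.
    SAMPLE='notAfter=Jun  7 19:43:27 2013 GMT'
    check_expiry "$SAMPLE" 30 1362009600 || true   # OK (99 days left)
    check_expiry "$SAMPLE" 30 || true              # EXPIRED
fi
```

The exit status is the part worth wiring up: 1 for a certificate inside the warning window and 2 for an expired one map cleanly onto a monitoring check's warning and critical states, and 3 flags a host that returned no parseable certificate at all, which is usually a connectivity or SNI problem rather than an expiry one.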

4th

How about the public key?

sahel01:~ kfelix$ openssl s_client -connect www.google.com:443 </dev/null | openssl x509 -noout -pubkey
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDg9RWzMhtCE/CTothJekVXIgSa
eBDX05KSdr5/x1KvoI6a5lDcS0r3Cvg/LwaZKvDeNUL/vNj8k7mSAdKYNgiX7NOw
ufmQEJ8JtNQ4kIzP49oym+RnoDgUWJ4G0ZAD0hgrn8ycvkAVm3dYbanHiERBCPyR
+6VBoIPdF1EIAXXQWwIDAQAB
-----END PUBLIC KEY-----

That is the SubjectPublicKeyInfo block in PEM form. To see what is actually inside it (key type, size and modulus) pipe it on through openssl pkey -pubin -text -noout; this particular one is a 1024-bit RSA key, which is what the MIGfMA0G... prefix encodes.

Ken Felix

Freelance Network/Security Engineer

kfelix at hyperfeed d-o-t com
