2014-10-04 13:47:34
Script to test supported ssl ciphers
In the last months there was a lot of work done in the field of encryption due to our spying friends at the NSA. Keywords like "forward secrecy" jumped to the top places in search engines. Then we got the heartbleed bug in OpenSSL. It's harder to keep his stuff up to date. One important task is to actually test (and not just believe) that your protection is sufficient. You can't just update OpenSSL and Bash and more software and think you are well protected. Many software packages out in the wild use SSL/OpenSSL but just do some "basic" configuration to show "It Works!".
One important task is to check the ciphers or the cipher suite actually used by services like http or smtp (i.e. with starttls). You must use the best balance between using secure communiation with forward secrecy and current key exchange, authorization and hash methods, and compatibility to other software (mainly clients) on the other side. If you want a secure communication between i.e. a RHEL/Centos 5 host and a RHEL/Centos 6 host there will be only two ciphers left.
To have a simple and easily configurable tool for checking ssl ciphers between to peers I wrote a very small script:
#!/bin/ash # shell shock all-clear: compatible to # ash dash ksh93 lksh mksh pdksh shish zsh # Frank Bergmann, www.tuxad.com, 2014-10 # Test peer with openssl for supporting ssl ciphers [ $# -lt 2 ] && { echo 'usage: '$0' ip-address port [protocol]' echo 'protocol is i.e. smtp for STARTTLS' exit 1 } SERVER=$1 PORT=$2 if [ "$3" ] then STARTTLS=-starttls PROT=$3 fi CIPHER_SUITE="\ `openssl ciphers 'ALL:eNULL' | sed 's,:, ,g'`" for CIPHER in $CIPHER_SUITE do IFS="" echo -n "$CIPHER: " OUTPUT="`openssl s_client -cipher $CIPHER $STARTTLS \ $PROT -connect $SERVER:$PORT 2>&1 </dev/null`" ACT_CIPHER=`echo $OUTPUT|grep "Cipher is"|sed \ 's,.*Cipher is ,,'|tr -d '()'` if [ "$ACT_CIPHER" = "$CIPHER" ] then SUPPORT=YES else SUPPORT=NO fi if [ "$SUPPORT" = "NO" ] then SUPPORT=$SUPPORT" ("`echo $OUTPUT|grep \ :error:|cut -d: -f6`")" fi echo $SUPPORT sleep 1 done
Arguments are IP address and port. The optional third argument for protocol is only needed for starttls. Latest version of this script can be downloaded at ssltest.sh. Here's an example run of a RHEL 5 host connecting to a RHEL 6 host with https and smtp/starttls:
$ ./ssltest.sh 80.153.x.x 443|grep -C2 YES ADH-AES256-SHA: NO (sslv3 alert handshake failure) DHE-RSA-AES256-SHA: YES DHE-DSS-AES256-SHA: NO (sslv3 alert handshake failure) AES256-SHA: NO (sslv3 alert handshake failure) ADH-AES128-SHA: NO (sslv3 alert handshake failure) DHE-RSA-AES128-SHA: YES DHE-DSS-AES128-SHA: NO (sslv3 alert handshake failure) AES128-SHA: NO (sslv3 alert handshake failure) -- ADH-RC4-MD5: NO (sslv3 alert handshake failure) EXP-ADH-RC4-MD5: NO (sslv3 alert handshake failure) EDH-RSA-DES-CBC3-SHA: YES EDH-RSA-DES-CBC-SHA: NO (sslv3 alert handshake failure) EXP-EDH-RSA-DES-CBC-SHA: NO (sslv3 alert handshake failure) $ ./ssltest.sh 80.153.x.x 25 smtp|grep -C2 YES ADH-AES256-SHA: NO (ssl handshake failure) DHE-RSA-AES256-SHA: YES DHE-DSS-AES256-SHA: NO (ssl handshake failure) AES256-SHA: NO (ssl handshake failure) ADH-AES128-SHA: NO (ssl handshake failure) DHE-RSA-AES128-SHA: YES DHE-DSS-AES128-SHA: NO (ssl handshake failure) AES128-SHA: NO (ssl handshake failure)
This blog entry is the start of some blog entries regarding this topic.
(As noted after the shebang this script is compatible with maybe all bourne shells. RPM packages for shish and heirloom shell may be downloaded at www.tuxad.com/shells.)
Posted by Frank W. Bergmann | Permanent link | File under: ssl, encryption, openssl, shell, http, smtp