SSL Diagnos is used to get information about SSL protocols (pct, ssl2, ssl3, tls, dtls) and cipher suites. It can also be used for testing and rating ciphers on SSL clients. It also has specific support for pop3s, sip, smtp and explicit ftps.
- SSL scanner including rating of SSL cipher suite strength for servers and clients
- Tests, for example, https, smtp, sip, pop3s, ftps
- Can be used for OWASP-CM-001
- Uses OpenSSL 1.0 to test ssl2, ssl3, tls, dtls, explicit ftps
- Tests renegotiation and availability of tls renegotiation extension.
Definition: Weak, intermediate, strong
* SSLv2.0 = Weak
* Anonymous, null or export grade ciphers = Weak
* < 56 bits for encryption = Weak
* < 112 bits for encryption = Intermediate
* < 128 bits for encryption with AES = Intermediate
* >= 128 bits for encryption = Strong
Even though some security issues have been noted with RC4 and MD5, because of the SSL design the use of RC4 encryption and the MD5 hash is not regarded as critical in this context. For instance, RC4/128 bit/SSL3 is regarded as “Strong” even though RC4 is only graded as “MEDIUM” cipher strength by OpenSSL.
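The grading rules above, written out as an added Python example (not SSL Diagnos's own code). Cipher names are assumed to follow OpenSSL naming, the sample tuples are constructed, and the grade for non-AES ciphers between 112 and 127 bits, which the list does not cover, is an assumption.

```python
import re

# OpenSSL naming: ADH-/AECDH- = anonymous key exchange, NULL = no encryption,
# EXP-/EXP1024- = export grade. All of these are "Weak" in the list above.
_WEAK_NAME = re.compile(r"^(ADH|AECDH|EXP|EXP1024)-|NULL")


def rate(protocol, cipher, bits):
    """Grade one accepted (protocol, cipher, encryption bits) combination."""
    if protocol.upper() in ("SSL2", "SSLV2"):
        return "Weak"                      # SSLv2.0 is weak whatever the cipher
    if _WEAK_NAME.search(cipher.upper()):
        return "Weak"                      # anonymous, null or export grade
    if bits < 56:
        return "Weak"
    if bits < 112:
        return "Intermediate"
    if bits < 128:
        # The list grades AES below 128 bits as Intermediate. It does not grade
        # non-AES ciphers in 112..127; Intermediate is assumed here.
        return "Intermediate"
    return "Strong"                        # includes RC4/128 on SSL3, as noted above


def summarize(accepted):
    """Group the combinations a server accepted by grade."""
    groups = {"Weak": [], "Intermediate": [], "Strong": []}
    for protocol, cipher, bits in accepted:
        groups[rate(protocol, cipher, bits)].append(f"{protocol}/{cipher}/{bits}")
    return groups


# Constructed sample of combinations a scan might report as accepted.
SAMPLE = [
    ("SSL2", "RC4-MD5", 128),
    ("SSL3", "RC4-SHA", 128),
    ("SSL3", "EXP-RC4-MD5", 40),
    ("TLS1", "ADH-AES256-SHA", 256),
    ("TLS1", "NULL-SHA", 0),
    ("SSL3", "DES-CBC-SHA", 56),
    ("TLS1", "DES-CBC3-SHA", 112),
    ("TLS1", "AES128-SHA", 128),
]

if __name__ == "__main__":
    for grade, suites in summarize(SAMPLE).items():
        print(f"{grade}: {', '.join(suites)}")
```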
Example 0 – Get parameter-meaning
Example 1 – Start a server that offers all ciphers but only the SSL3 protocol. The port (888) and the server certificate must also be specified.
ssldiagnos.exe --servercipher ALL --serverprotocol SSL3 --servercert C:\src\ssldiagnos\Debug\cacert.pem -p 888 --servermode --servercertkey cakey.pem
Example 2 – Test the host www.hostname.org using port 443 (which is the default). Also test send/receive.
ssldiagnos.exe -t www.hostname.org --testsend -p 443
Example 3 – Test the host www.hostname.org using port 443 (which is the default). Connect-test only.
Example 1 – Test all handshakes of SSL2 and SSL3-ciphers on 192.168.1.1
sslpressure.exe -t 192.168.1.1
Example 2 – Add a 500ms delay between tests.
sslpressure.exe -t 192.168.1.1 --delay 500