TestSSLServer

TestSSLServer is a simple command-line tool which contacts an SSL/TLS server (name and port are given as parameters) and obtains some information from it:

New (November 4th, 2012): TestSSLServer now tests for SSL 2.0 support. It also retrieves the server certificate and prints out its hash (SHA-1), and the server name (SubjectDN). Finally, a C#/.NET version has been produced, for people who do not wish to install a Java VM but can live with .NET (compatible with .NET 2.0; also works with Mono).

Download

TestSSLServer is written in Java (1.5+). A compiled jar file is here: TestSSLServer.jar. The source code can be obtained there.

New: TestSSLServer has been ported to C#/.NET too. A compiled version is there: TestSSLServer.exe. The source code can be obtained there.

License is MIT-like: you acknowledge that the code is provided without any guarantee of anything, and that I am not liable for anything which follows from using it. Subject to that condition, you can do whatever you want with the code. See the source code for the legal wording.

Please note that although the information which is gathered from the server is nominally public, some server administrators could be somewhat dismayed at your using the tool on their servers, and there may be laws against it (in the same way that port scanning third-party servers with nmap is a matter of delicacy, both morally and legally). You should use TestSSLServer only to scan your own servers, and that's what it was designed to do.

Usage

Run the tool with:

   java -jar TestSSLServer.jar theservername 443

with theservername being the host name of the server to test, and 443 being the port (if the port is omitted, 443 is used by default). The tool will then report something like this:

   Supported versions: SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
   Deflate compression: no
   Supported cipher suites (ORDER IS NOT SIGNIFICANT):
     SSLv3
        RSA_WITH_RC4_128_MD5
        RSA_WITH_RC4_128_SHA
        RSA_WITH_3DES_EDE_CBC_SHA
        RSA_WITH_AES_128_CBC_SHA
        RSA_WITH_AES_256_CBC_SHA
        TLS_ECDHE_RSA_WITH_RC4_128_SHA
        TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
     (TLSv1.0: idem)
     (TLSv1.1: idem)
     TLSv1.2
        RSA_WITH_RC4_128_MD5
        RSA_WITH_RC4_128_SHA
        RSA_WITH_3DES_EDE_CBC_SHA
        RSA_WITH_AES_128_CBC_SHA
        RSA_WITH_AES_256_CBC_SHA
        RSA_WITH_AES_128_CBC_SHA256
        RSA_WITH_AES_256_CBC_SHA256
        TLS_RSA_WITH_AES_128_GCM_SHA256
        TLS_RSA_WITH_AES_256_GCM_SHA384
        TLS_ECDHE_RSA_WITH_RC4_128_SHA
        TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
   ----------------------
   Server certificate(s):
     2a50705d1aba8edb325ea901756cf115ef1c20f7: CN=Test SSL, C=CA
   ----------------------
   Minimal encryption strength:     strong encryption (96-bit or more)
   Achievable encryption strength:  strong encryption (96-bit or more)
   BEAST status: protected
   CRIME status: protected

In this case, the server supports SSL 3.0 and all three TLS versions, but not SSL 2.0. It refuses to use Deflate compression. It supports a few cipher suites; the list of cipher suites is the same for SSL 3.0, TLS 1.0 and TLS 1.1, but some additional cipher suites are accepted with TLS 1.2. The server uses one certificate; the SHA-1 hash of that certificate (aka "thumbprint") and the SubjectDN in that certificate are printed.

The summary (at the end) reads like this:

On BEAST and CRIME

BEAST and CRIME are two attacks described by Duong and Rizzo in recent times (2011 and 2012, respectively). They are client attacks, which aim at recovering a secret HTTP cookie value; they need some hostile code running on the client (e.g. Javascript) and network-level access on the outside (eavesdropping on the line, possibly active modifications). Although the attacks target the client, the server can protect the client by not letting it use the combinations of features which are vulnerable.

For CRIME, things are simple: the client is vulnerable if and only if it uses Deflate compression (that's SSL-level compression, not the HTTP-level compression). TestSSLServer will report the CRIME status as "protected" if and only if the server refuses to use Deflate compression.

For BEAST, things are a bit more complex. The client is weak if it uses a CBC-based cipher suite with SSL 3.0 or TLS 1.0. Note that in SSL/TLS, the client submits a list of supported cipher suites (ordered by client's preference), and the server chooses which cipher suite will be used. Normally, the server follows the client's preferences, but the server has the possibility to choose otherwise. TestSSLServer will report the BEAST status as "protected" if any of the following is true:

For this analysis, only strong cipher suites are considered. Weak and medium cipher suites (i.e. symmetric keys of 56 bits or less) are considered "immune" to BEAST in the following sense: the small key is considered to be a worse problem anyway.

Note that no BEAST-related test is performed with SSL 2.0.
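As an added example (not part of TestSSLServer, and not the author's code), here is a small Python script that reads a report in the format shown in the Usage section and applies the two rules from the CRIME and BEAST paragraphs above: CRIME is "protected" exactly when Deflate compression is refused, and a BEAST exposure exists when a strong CBC-based cipher suite is accepted with SSL 3.0 or TLS 1.0, with suites of 56 bits or less left out of the analysis. The report text is constructed for the example, the symmetric key sizes are estimated from suite names by the example's own heuristic (not by the tool's logic), and the BEAST check covers only the condition quoted here, not the tool's other criteria, so it reports "exposed" rather than the tool's final verdict.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of a TestSSLServer report; not output of a real scan.
SAMPLE_REPORT = """\
Supported versions: SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Deflate compression: no
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
  SSLv3
     RSA_WITH_RC4_128_MD5
     RSA_WITH_3DES_EDE_CBC_SHA
     RSA_WITH_AES_128_CBC_SHA
     RSA_EXPORT_WITH_DES40_CBC_SHA
  (TLSv1.0: idem)
  TLSv1.1
     RSA_WITH_AES_128_CBC_SHA
  TLSv1.2
     TLS_RSA_WITH_AES_128_GCM_SHA256
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
----------------------
Server certificate(s):
  0000000000000000000000000000000000000000: CN=example (constructed placeholder)
"""

STRONG_BITS = 96            # the report calls 96 bits or more "strong encryption"
BEAST_VERSIONS = ("SSLv3", "TLSv1.0")   # CBC mode is weak to BEAST only with these


def parse_report(text: str) -> dict:
    """Extract versions, the Deflate answer and per-version suite lists."""
    versions: List[str] = []
    deflate: Optional[str] = None
    suites: Dict[str, List[str]] = {}
    current: Optional[str] = None
    in_suites = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Supported versions:"):
            versions = line.split(":", 1)[1].split()
        elif line.startswith("Deflate compression:"):
            deflate = line.split(":", 1)[1].strip().lower()
        elif line.startswith("Supported cipher suites"):
            in_suites = True
        elif line.startswith("---"):
            in_suites = False
        elif in_suites and line:
            idem = re.match(r"^\((\S+): idem\)$", line)
            if idem:
                # "(X: idem)": X accepts the same list as the version listed before it
                suites[idem.group(1)] = list(suites[current]) if current else []
                current = idem.group(1)
            elif line in versions:
                current = line
                suites[current] = []
            elif current:
                suites[current].append(line)
    return {"versions": versions, "deflate": deflate, "suites": suites}


def symmetric_key_bits(suite: str) -> Optional[int]:
    """Heuristic key-size estimate from the suite name (None if unrecognised)."""
    name = suite.upper()
    if "_NULL_" in name:
        return 0
    if "EXPORT" in name or "DES40" in name or "_40_" in name:
        return 40
    if "3DES" in name:
        return 112          # triple DES: 168-bit key, 112-bit effective strength
    if "_DES_" in name:
        return 56
    m = re.search(r"(?:AES|RC4|CAMELLIA|ARIA)_(\d+)", name)
    if m:
        return int(m.group(1))
    if "SEED" in name or "IDEA" in name:
        return 128
    if "CHACHA20" in name:
        return 256
    return None


def is_strong(suite: str) -> bool:
    bits = symmetric_key_bits(suite)
    return bits is not None and bits >= STRONG_BITS


def crime_status(report: dict) -> str:
    """CRIME: protected if and only if the server refuses Deflate compression."""
    return "protected" if report["deflate"] == "no" else "vulnerable"


def beast_exposed_suites(report: dict) -> List[str]:
    """Strong CBC suites the server accepts with SSL 3.0 or TLS 1.0."""
    exposed: List[str] = []
    for version in BEAST_VERSIONS:
        for suite in report["suites"].get(version, []):
            if "_CBC_" in suite and is_strong(suite) and suite not in exposed:
                exposed.append(suite)
    return exposed


def beast_status(report: dict) -> str:
    """Only the exposure condition from the text; the tool applies further criteria."""
    return "protected" if not beast_exposed_suites(report) else "exposed"


def strength_range(report: dict) -> Tuple[Optional[int], Optional[int]]:
    """(minimal, achievable) symmetric key size over every accepted suite."""
    bits = [b for lst in report["suites"].values()
            for b in map(symmetric_key_bits, lst) if b is not None]
    return (min(bits), max(bits)) if bits else (None, None)


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print("CRIME status:", crime_status(rep))
    print("BEAST status:", beast_status(rep), beast_exposed_suites(rep))
    print("Key size range (bits):", strength_range(rep))
```

In the constructed report the 40-bit export suite is CBC-based but is ignored by the BEAST check, as the text prescribes, while the two strong CBC suites accepted with SSLv3 (and, via "idem", TLSv1.0) are what a server operator would want to look at.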

Author

Questions and comments can be sent to: Thomas Pornin <pornin@bolet.org>.