Transport Layer Security (TLS), normally known as SSL, is one of the foremost widely used protocols to secure network communications. As prices fall user security and privacy expectations raise corporation’s area unit deploying it additional wide per annum. Attacks against the CA (Certificate Authority) system, SSL implementation flaws, and aging protocol versions have grabbed news headlines, attention to weak configurations, and therefore the need to avoid them. In addition, server misconfiguration has continually greatly inflated the overhead caused by SSL, deceleration the transition to improved communications security.
To help get better system configuration there is a popular python tool among hackers and crackers called SSLYZE. SSLyze can give you the report of flaws exist in your SSL implementation by checking for insecure renegotiation, scanning for weak ciphers, checking for SSLv2, SSLv3, and TLSv1 versions, information dump of the server certificate, checking for Heartbleed , Poodle and CRIME type vulnerabilities and so on.
Working of SSLyze
SSLyze is totally written in Python code however it uses an OpenSSL wrapper written in C known as nassl, that was specifically developed for permitting SSLyze to access the low-level OpenSSL apis required to perform deep SSL testing.
Here I m using Linux Ubuntu system to install SSLyze but you can also install it on windows.
So SSLyze can be easily installed via pip:
$ pip install sslyze
Or you can clone the repository from github and install it with other requirements. Use following commands to install sslyze:
$ git clone https://github.com/nabla-c0d3/sslyze.git
$ cd sslyze
On Linux, the `python-devel` package needs to be installed first so that the nassl C extension can be compiled:
$ sudo apt-get install python-dev
Then final command type:
$ pip install -r requirements.txt --target ./lib
Now our SSLyze tools is finally installed in our system lets use it.
Now type in your terminal:
$ python sslyze_cli.py --regular www.google.com:443
So by this means you can see full report of your SSL configuration which will help you to improve your infrastructure security and SSL implementation.
In my command I used
--regular as an options because
--regular option is a short form for finding
--sslv2, --sslv3, --tlsv1, –reneg (Session Renegotiation),
--resum (Session Resumption),
You can also use different options for different work like:
For testing server for session resumption rate support, using both session IDs and TLS session tickets
Or for client certificate following OPTIONS are required:
--cert=CERT Client certificate filename.
--pass=KEYPASS Client private key passphrase.
For certificate info:
--certinfo=CERTINFO Verifies the validity of the server certificate.
--ca_file=CA_FILE Local Certificate Authority file (in PEM format)
To check for heartbleed:
--heartbleed Tests the server(s) for the OpenSSL Heartbleed vulnerability.
Author: Provensec is a leading cyber security services provider like penetration testing services, online website scanner etc catering to midsized businesses. Provensec LLC is amongst top 10 contributors on Packet Storm for responsible disclosures and security research. You can contact Provensec at [email protected].
- Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.
- Blog2022.12.13What are the Common Security Weaknesses of Cloud Based Networks?
- Blog2022.10.12Vulnerability management with Wazuh open source XDR
- Blog2022.08.29Deception Technologies: Improving Incident Detection and Response by Alex Vakulov
- Blog2022.08.25Exploring the Heightened Importance of Cybersecurity in Mobile App Development by Jeff Kalwerisky
View all comments