[clug] Crypto debugging

Chris Turton cturton at gbglobal.com
Thu Feb 3 08:48:16 UTC 2022


There's always nmap (in most repos I would have thought) with the relevant lua scripts to check certs and cipher suites for a given host.

Ref: https://jumpnowtek.com/security/Using-nmap-to-check-certs-and-supported-algos.html

-------- Original message --------
From: Bob Edwards via linux <linux at lists.samba.org>
Date: 3/2/22  17:35  (GMT+10:00)
To: linux at lists.samba.org
Subject: Re: [clug] Crypto debugging

On 31/1/22 10:42 pm, Tony Lewis via linux wrote:
> Impressive tool.  I'll see whether there's access to github.
>
> Thanks

I've used testssl.sh quite a bit - esp. when I want to know how
bad my SSL sites are before letting Qualys know about them...

Also good for checking sites inside a network that can't be reached
by outside tools (such as Qualys etc.).

If you can't access github from your env. then clone it elsewhere,
tar it up and copy it over. It isn't very large or complex.

I have used OpenVAS a bit in the past. Lots of setting up of servers
etc. and you, generally, need to access it from a web-browser.

cheers,

Bob Edwards.

>
> On 31/1/22 10:01 pm, Simon Oxwell wrote:
>> Testssl.sh might fit the bill?
>>
>> Simon
>>
>> On Mon, 31 Jan 2022, 21:50 Tony Lewis via linux,
>> <linux at lists.samba.org <mailto:linux at lists.samba.org>> wrote:
>>
>>     I'm working in a constrained environment (limited ability to get
>>     hands on keyboard or install stuff) and I need to figure out the
>>     simplest way to be able to run scans to tell me what versions of
>>     SSL/TLS, and what ciphers, including weak ones, are running on
>>     other boxes in that environment.
>>
>>     I've considered:
>>
>>       * running openssl s_client:
>>           o decent versions have weak ciphers disabled at compile
>>             time, so out of the box it doesn't help much
>>       * compiling openssl with weak ciphers included
>>           o I've limited experience recompiling on this platform but
>>             could look into it
>>       * installing and running openvas
>>           o this will change the environment a bit, including adding
>>             repositories so was hoping to avoid
>>           o also, no experience, so there is a learning curve
>>
>>     Can anyone suggest a tool that can do this with a minimum of
>>     effort and change to the environment.  Ideally I can just run it
>>     and point it at an ip:port and get a summary of the certificate,
>>     protocol and ciphers offered.
>>
>>     Thanks,
>>
>>     Tony

-- 
linux mailing list
linux at lists.samba.org
https://lists.samba.org/mailman/listinfo/linux
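
An added example, not part of the original thread: a small POSIX shell filter that reduces the output of nmap's `ssl-enum-ciphers` script to the findings the question asks about (protocols older than TLSv1.2 and ciphers graded below A). The host address is a placeholder, the sample scan text is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag legacy protocols and sub-"A" ciphers in the output of
#   nmap -p 443 --script ssl-cert,ssl-enum-ciphers 192.0.2.10   (placeholder host)

# Constructed sample in the layout ssl-enum-ciphers prints; not a real scan.
sample_scan() {
cat <<'EOF'
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C
EOF
}

# Reads nmap output on stdin and prints one finding per line.
flag_weak_tls() {
  awk '
    # Protocol header, e.g. "|   TLSv1.0:" or "|   SSLv3:"
    /^[|]_? +(SSLv[0-9]+|TLSv[0-9.]+): *$/ {
      proto = $2; sub(/:$/, "", proto)
      if (proto ~ /^SSL/ || proto == "TLSv1.0" || proto == "TLSv1.1")
        print "PROTOCOL " proto
      next
    }
    # Cipher line, e.g. "|   TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C"
    /^[|]_? +TLS_[A-Z0-9_]+ .* - [A-F] *$/ {
      if ($NF != "A") print "CIPHER " proto " " $2 " grade=" $NF
      next
    }
    /least strength:/ { print "LEAST " $NF }
  '
}

sample_scan | flag_weak_tls
```

On a box where nmap is installed, pipe the real scan into `flag_weak_tls` in place of `sample_scan`.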

