[clug] Crypto debugging

Bob Edwards bob at cs.anu.edu.au
Fri Feb 4 00:23:49 UTC 2022


On 3/2/22 7:48 pm, Chris Turton wrote:
> There's always nmap (in most repos I would have thought) with the
> relevant lua scripts to check certs and cipher suites for a given host.
> 
> Ref: https://jumpnowtek.com/security/Using-nmap-to-check-certs-and-supported-algos.html

Hi Chris,

Great tip! I didn't know about these nmap scripts.

Thanks!
Bob Edwards.

> 
> -------- Original message --------
> From: Bob Edwards via linux <linux at lists.samba.org>
> Date: 3/2/22 17:35 (GMT+10:00)
> To: linux at lists.samba.org
> Subject: Re: [clug] Crypto debugging
> 
> On 31/1/22 10:42 pm, Tony Lewis via linux wrote:
>  > Impressive tool.  I'll see whether there's access to github.
>  >
>  > Thanks
> 
> I've used testssl.sh quite a bit - esp. when I want to know how
> bad my SSL sites are before letting Qualys know about them...
> 
> Also good for checking sites inside a network that can't be reached
> by outside tools (such as Qualys etc.).
> 
> If you can't access github from your env. then clone it elsewhere,
> tar it up and copy it over. It isn't very large or complex.
> 
> I have used OpenVAS a bit in the past. Lots of setting up of servers
> etc. and you, generally, need to access it from a web-browser.
> 
> cheers,
> Bob Edwards.
> 
>  >
>  > On 31/1/22 10:01 pm, Simon Oxwell wrote:
>  >> Testssl.sh might fit the bill?
>  >>
>  >> Simon
>  >>
>  >> On Mon, 31 Jan 2022, 21:50 Tony Lewis via linux,
>  >> <linux at lists.samba.org> wrote:
>  >>
>  >>     I'm working in a constrained environment (limited ability to get
>  >>     hands on keyboard or install stuff) and I need to figure out the
>  >>     simplest way to be able to run scans to tell me what versions of
>  >>     SSL/TLS, and what ciphers, including weak ones, are running on
>  >>     other boxes in that environment.
>  >>
>  >>     I've considered:
>  >>
>  >>       * running openssl s_client:
>  >>           o decent versions have weak ciphers disabled at compile
>  >>             time, so out of the box it doesn't help much
>  >>       * compiling openssl with weak ciphers included
>  >>           o I've limited experience recompiling on this platform but
>  >>             could look into it
>  >>       * installing and running openvas
>  >>           o this will change the environment a bit, including adding
>  >>             repositories so was hoping to avoid
>  >>           o also, no experience, so there is a learning curve
>  >>
>  >>     Can anyone suggest a tool that can do this with a minimum of
>  >>     effort and change to the environment.  Ideally I can just run it
>  >>     and point it at an ip:port and get a summary of the certificate,
>  >>     protocol and ciphers offered.
>  >>
>  >>     Thanks,
>  >>
>  >>     Tony
> 
> -- 
> linux mailing list
> linux at lists.samba.org
> https://lists.samba.org/mailman/listinfo/linux
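
Added example, not part of the thread and not nmap's own code: a short Python filter for the text output of nmap's ssl-enum-ciphers script (one of the scripts of the kind Chris mentions), reducing it to the per-port summary of old protocols and weak ciphers that Tony asked for. The sample output is constructed, and the policy in OLD_PROTOCOLS and WEAK_MARKERS is an assumption of this example.

```python
import re

# Constructed sample in the layout nmap's ssl-enum-ciphers script prints.
SAMPLE = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|_  least strength: C
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open")
PROTO_RE = re.compile(r"^\|[ _]+((?:SSLv|TLSv)[\d.]+):\s*$")
CIPHER_RE = re.compile(r"^\|[ _]+((?:TLS|SSL)_\S+)\s.*-\s([A-F])\s*$")
OLD_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}  # example policy
WEAK_MARKERS = ("_RC4_", "_3DES_", "_DES_", "_NULL_", "_EXPORT", "_MD5", "_anon_")

def parse(text):
    """Yield (port, protocol, cipher, grade) for each cipher line."""
    port = proto = None
    for line in text.splitlines():
        if m := PORT_RE.match(line):
            port, proto = int(m.group(1)), None
        elif m := PROTO_RE.match(line):
            proto = m.group(1)
        elif (m := CIPHER_RE.match(line)) and proto:
            yield port, proto, m.group(1), m.group(2)

def findings(rows):
    """Yield rows on an old protocol, graded below A, or weak by name."""
    for port, proto, cipher, grade in rows:
        checks = [(proto in OLD_PROTOCOLS, "old protocol"),
                  (grade != "A", f"grade {grade}"),
                  (any(k in cipher for k in WEAK_MARKERS), "weak algorithm")]
        reasons = [label for hit, label in checks if hit]
        if reasons:
            yield port, proto, cipher, reasons

if __name__ == "__main__":
    for port, proto, cipher, reasons in findings(parse(SAMPLE)):
        print(f"{port}/tcp {proto:8} {cipher:42} {', '.join(reasons)}")
```

To use it on a real scan, pass the saved normal-format nmap output to `parse()` in place of `SAMPLE`.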



