[clug] Crypto debugging
bob at cs.anu.edu.au
Fri Feb 4 00:23:49 UTC 2022
On 3/2/22 7:48 pm, Chris Turton wrote:
> There's always nmap (in most repos I would have thought) with the
> relevant Lua scripts to check certs and cipher suites for a given host.
> Ref: https://jumpnowtek.com/security/Using-nmap-to-check-certs-and-supported-algos.html
Great tip! I didn't know about these nmap scripts.
> -------- Original message --------
> From: Bob Edwards via linux <linux at lists.samba.org>
> Date: 3/2/22 17:35 (GMT+10:00)
> To: linux at lists.samba.org
> Subject: Re: [clug] Crypto debugging
> On 31/1/22 10:42 pm, Tony Lewis via linux wrote:
> > Impressive tool. I'll see whether there's access to github.
> > Thanks
> I've used testssl.sh quite a bit - esp. when I want to know how
> bad my SSL sites are before letting Qualys know about them...
> Also good for checking sites inside a network that can't be reached
> by outside tools (such as Qualys etc.).
> If you can't access github from your env. then clone it elsewhere,
> tar it up and copy it over. It isn't very large or complex.
> I have used OpenVAS a bit in the past. Lots of setting up of servers
> etc. and you, generally, need to access it from a web-browser.
> Bob Edwards.
> > On 31/1/22 10:01 pm, Simon Oxwell wrote:
> >> Testssl.sh might fit the bill?
> >> Simon
> >> On Mon, 31 Jan 2022, 21:50 Tony Lewis via linux,
> >> <linux at lists.samba.org> wrote:
> >> I'm working in a constrained environment (limited ability to get
> >> hands on keyboard or install stuff) and I need to figure out the
> >> simplest way to be able to run scans to tell me what versions of
> >> SSL/TLS, and ciphers, including weak ones, are running on other
> >> boxes in that environment.
> >> I've considered:
> >> * running openssl s_client:
> >>   o decent versions have weak ciphers disabled at compile time,
> >>     so out of the box it doesn't help much
> >> * compiling openssl with weak ciphers included
> >>   o I've limited experience recompiling on this platform but
> >>     could look into it
> >> * installing and running openvas
> >>   o this will change the environment a bit, including adding
> >>     repositories so was hoping to avoid
> >>   o also, no experience, so there is a learning curve
> >> Can anyone suggest a tool that can do this with a minimum of
> >> effort and change to the environment? Ideally I can just run it
> >> and point it at an ip:port and get a summary of the certificate,
> >> protocol and ciphers offered.
> >> Thanks,
> >> Tony