Monday 26 December 2011

Check SSL/TLS configuration

There are several tools for checking the safety of encrypted communication via HTTPS:

- sslscan
- sslyze
- SSL Audit (only available for Windows)

Nessus also scans for vulnerable SSL certificates, and Nmap shows weak configurations when you run its SSL NSE scripts (e.g. # nmap --script "*ssl*" <target>).

I always check the SSL configuration with sslscan, sslyze and also with Nessus and Nmap.

You can also run an online SSL scan of a website via Qualys, but the result stays permanently in the Qualys database and is publicly available. If the results of the scan are pretty bad, the domain will also show up in the "Recent Worst-Rated" list. So be aware of this before you use this kind of SaaS.

The most important recommendations when using SSL/TLS are:

- Use a key >= 128 bit
- Use strong cryptographic ciphers
- Do NOT use SSLv2 anymore
- Use TLS 1.0, as it is supported by every browser nowadays (even if this implementation is vulnerable to "BEAST" when using a block cipher)
- Use the "Secure" cookie flag
- Use an appropriate Certificate Authority
- Only support secure renegotiation

Conversely, everything that does not match these recommendations is a finding in your pentest.
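As an added example (not part of the original post), here is a small Python script that turns the observations a scanner such as sslscan or sslyze reports (accepted protocol/cipher pairs with their key length, renegotiation support, the Set-Cookie headers seen over HTTPS, and whether the certificate chains to a trusted CA) into findings against the list above. The data model, the weak-cipher markers, the BEAST note and the sample scan are assumptions constructed for the example, not output of any particular scanner; feed it your own results.

```python
"""Map raw TLS scan observations onto the recommendations above.

Example code added to this post; the data model, the weak-cipher markers
and the sample scan below are constructed assumptions, not the output of
any particular scanner.
"""
from dataclasses import dataclass

MIN_KEY_BITS = 128                     # "Use a key >= 128 bit"
BANNED_PROTOCOLS = {"SSLv2"}           # "Do NOT use SSLv2 anymore"
REQUIRED_PROTOCOL = "TLSv1.0"          # "Use TLS 1.0 ..."
# Suite-name fragments treated as weak regardless of key length (assumption):
# NULL = no encryption, EXP = export grade, ADH/AECDH = anonymous, unauthenticated.
WEAK_MARKERS = ("NULL", "EXP-", "EXP1024", "ADH-", "AECDH-")


@dataclass
class AcceptedSuite:
    protocol: str   # e.g. "SSLv3", "TLSv1.0"
    bits: int       # symmetric key length the scanner reported
    name: str       # OpenSSL-style suite name, e.g. "AES128-SHA"


@dataclass
class ScanResult:
    host: str
    suites: list                 # AcceptedSuite objects the server accepted
    secure_renegotiation: bool   # RFC 5746 secure renegotiation supported
    set_cookie_headers: list     # raw Set-Cookie header values seen over HTTPS
    ca_trusted: bool             # certificate chains to an appropriate CA


def is_weak_cipher(suite):
    """Weak if the key is too short or the suite name carries a weak marker."""
    if suite.bits < MIN_KEY_BITS:
        return True
    return any(marker in suite.name for marker in WEAK_MARKERS)


def is_block_cipher(suite):
    """In SSLv3/TLS 1.0 every suite is CBC except the RC4 stream and NULL ones."""
    return "RC4" not in suite.name and "NULL" not in suite.name


def cookie_name(header):
    """Name of the cookie a Set-Cookie header value sets."""
    return header.split(";", 1)[0].split("=", 1)[0].strip()


def cookie_is_secure(header):
    """True when the Secure attribute is present (attribute names are case-insensitive)."""
    attributes = [part.strip().lower() for part in header.split(";")[1:]]
    return "secure" in attributes


def findings(result):
    """Return (category, detail) pairs, one per deviation from the recommendations."""
    out = []
    offered = {s.protocol for s in result.suites}

    for proto in sorted(offered & BANNED_PROTOCOLS):
        out.append(("protocol", f"{proto} is still accepted"))
    if REQUIRED_PROTOCOL not in offered:
        out.append(("protocol", f"{REQUIRED_PROTOCOL} is not offered"))

    for s in result.suites:
        if is_weak_cipher(s):
            out.append(("cipher", f"{s.protocol} {s.bits} bits {s.name}"))

    # Informational: TLS 1.0 with block ciphers is the BEAST-relevant combination.
    beast = [s.name for s in result.suites
             if s.protocol == REQUIRED_PROTOCOL and is_block_cipher(s)]
    if beast:
        out.append(("beast-info", "TLSv1.0 block ciphers: " + ", ".join(beast)))

    if not result.secure_renegotiation:
        out.append(("renegotiation", "secure renegotiation (RFC 5746) not supported"))

    for header in result.set_cookie_headers:
        if not cookie_is_secure(header):
            out.append(("cookie", f"'{cookie_name(header)}' set without the Secure flag"))

    if not result.ca_trusted:
        out.append(("certificate", "certificate not issued by an appropriate CA"))
    return out


# Constructed sample observations; not a real host.
SAMPLE = ScanResult(
    host="www.example.test",
    suites=[
        AcceptedSuite("SSLv2", 40, "EXP-RC2-CBC-MD5"),
        AcceptedSuite("SSLv3", 168, "DES-CBC3-SHA"),
        AcceptedSuite("TLSv1.0", 128, "AES128-SHA"),
        AcceptedSuite("TLSv1.0", 256, "AES256-SHA"),
        AcceptedSuite("TLSv1.0", 56, "DES-CBC-SHA"),
        AcceptedSuite("TLSv1.0", 0, "NULL-SHA"),
    ],
    secure_renegotiation=False,
    set_cookie_headers=["session=abc123; Path=/; HttpOnly",
                        "pref=1; Path=/; Secure"],
    ca_trusted=True,
)

if __name__ == "__main__":
    for category, detail in findings(SAMPLE):
        print(f"[{category}] {detail}")
```

Run against the sample it reports seven items: SSLv2 accepted, three weak suites (the 40-bit export suite, single DES and the NULL cipher), the BEAST note for the three CBC suites on TLS 1.0, missing secure renegotiation, and the session cookie set without Secure. 3DES at 168 bits passes the key-length rule as the post states it; tighten WEAK_MARKERS to your own engagement's standard.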


Further reading:
Testing for SSL (OWASP)
Transport Layer Protection Cheat Sheet (OWASP)
OWASP Application Security FAQ #SSL (OWASP)
BEAST Countermeasures
Still no fix in Windows to close Bug exploited by BEAST
