[Ach] SSLyze / GnuTLS

Michael Zeltner m at niij.org
Thu Nov 21 23:53:01 CET 2013


In case you don't know that one yet, here's SSLyze.
http://nabla-c0d3.github.io/blog/2013/08/14/sslyze-v0-dot-7-released/ - if you
doubt the origin, it's actually from iSECPartners
https://github.com/iSECPartners/sslyze

It seems quite useful for auditing, similar to that nmap script, but it
supports STARTTLS. It gives the following output for the currently proposed
Postfix configuration:

      Accepted Cipher Suite(s):
        EXP-ADH-RC4-MD5               Anon          250 2.0.0 Ok
        AECDH-RC4-SHA                 Anon          250 2.0.0 Ok
        AECDH-DES-CBC3-SHA            Anon          250 2.0.0 Ok
        AECDH-AES256-SHA              Anon          250 2.0.0 Ok
        AECDH-AES128-SHA              Anon          250 2.0.0 Ok
        ADH-SEED-SHA                  Anon          250 2.0.0 Ok
        ADH-DES-CBC3-SHA              Anon          250 2.0.0 Ok
        ADH-CAMELLIA256-SHA           Anon          250 2.0.0 Ok
        ADH-CAMELLIA128-SHA           Anon          250 2.0.0 Ok
        ADH-AES256-SHA256             Anon          250 2.0.0 Ok
        ADH-AES256-SHA                Anon          250 2.0.0 Ok
        ADH-AES256-GCM-SHA384         Anon          250 2.0.0 Ok
        ADH-AES128-SHA256             Anon          250 2.0.0 Ok
        ADH-AES128-SHA                Anon          250 2.0.0 Ok
        ADH-AES128-GCM-SHA256         Anon          250 2.0.0 Ok
        EXP-RC2-CBC-MD5               40 bits       250 2.0.0 Ok
        EXP-EDH-RSA-DES-CBC-SHA       40 bits       250 2.0.0 Ok

I haven't gotten it to speak to an exim4 built against GnuTLS yet, even with
the most recent STARTTLS fixes that are in HEAD :/

Since exim4 is built against GnuTLS by default on Debian (it's a licensing
issue), I think it's important for this guide to include the appropriate
settings. However, I've found it surprisingly difficult to get the tools I
know/found to enumerate available ciphers for GnuTLS based services…

Anyone here with more expertise?
Michael
-- 
https://niij.org/
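One way to turn SSLyze output like the above into a pass/fail check, as an added example that is not part of the original post or of SSLyze itself: it parses the "Accepted Cipher Suite(s)" table, flags anonymous, export-grade, RC4 and MD5 suites, and collects the matching OpenSSL cipher-list aliases for Postfix's smtpd_tls_exclude_ciphers. The sample block is constructed from the post's output plus one strong suite added so something passes.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the post's "Accepted Cipher Suite(s)" block plus one strong suite added to show what passes.
SAMPLE_OUTPUT = """\
      Accepted Cipher Suite(s):
        EXP-ADH-RC4-MD5               Anon          250 2.0.0 Ok
        AECDH-RC4-SHA                 Anon          250 2.0.0 Ok
        ADH-AES128-GCM-SHA256         Anon          250 2.0.0 Ok
        EXP-RC2-CBC-MD5               40 bits       250 2.0.0 Ok
        EXP-EDH-RSA-DES-CBC-SHA       40 bits       250 2.0.0 Ok
        ECDHE-RSA-AES256-GCM-SHA384   256 bits      250 2.0.0 Ok
"""

SUITE_LINE = re.compile(r"^\s*(\S+)\s+(Anon|\d+ bits)(?:\s|$)")  # suite name, then "Anon" or "<n> bits"

def parse_accepted(text: str) -> List[Tuple[str, str]]:
    """Return (suite_name, key_size_column) for every accepted-suite line."""
    matches = (SUITE_LINE.match(line) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def weaknesses(name: str, key_size: str) -> List[str]:
    """OpenSSL cipher-list aliases describing why a suite should not be offered."""
    aliases = []
    # Anonymous DH/ECDH: no server authentication, so the session can be intercepted.
    if key_size == "Anon" or name.startswith(("ADH-", "AECDH-")) or "-ADH-" in name:
        aliases.append("aNULL")
    # Export-grade suites negotiate deliberately weakened (40/56-bit) keys.
    if name.startswith("EXP-") or (key_size.endswith(" bits") and int(key_size.split()[0]) < 128):
        aliases.append("EXPORT")
    if "RC4" in name:          # broken stream cipher
        aliases.append("RC4")
    if name.endswith("-MD5"):  # MD5-based MAC
        aliases.append("MD5")
    return aliases

def audit(text: str) -> Dict[str, List[str]]:
    """Map each accepted suite that fails a check to the aliases it matched."""
    return {n: w for n, k in parse_accepted(text) if (w := weaknesses(n, k))}

def postfix_exclusions(report: Dict[str, List[str]]) -> List[str]:
    """Sorted aliases for Postfix's smtpd_tls_exclude_ciphers (same syntax as OpenSSL cipher lists)."""
    return sorted({alias for aliases in report.values() for alias in aliases})

if __name__ == "__main__":
    result = audit(SAMPLE_OUTPUT)
    for suite, aliases in result.items():
        print(f"{suite:32}{', '.join(aliases)}")
    print("smtpd_tls_exclude_ciphers = " + ", ".join(postfix_exclusions(result)))
```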