[Ach] SSLyze / GnuTLS
Michael Zeltner
m at niij.org
Thu Nov 21 23:53:01 CET 2013
In case you don't know that one yet, here's SSLyze.
http://nabla-c0d3.github.io/blog/2013/08/14/sslyze-v0-dot-7-released/ - if you
doubt the origin, it's actually from iSECPartners
https://github.com/iSECPartners/sslyze
It seems quite useful for auditing, similar to that nmap script, but it
supports STARTTLS. It gives the following output for the currently proposed
Postfix configuration:
Accepted Cipher Suite(s):

  Suite                       Key       Server reply
  EXP-ADH-RC4-MD5             Anon      250 2.0.0 Ok
  AECDH-RC4-SHA               Anon      250 2.0.0 Ok
  AECDH-DES-CBC3-SHA          Anon      250 2.0.0 Ok
  AECDH-AES256-SHA            Anon      250 2.0.0 Ok
  AECDH-AES128-SHA            Anon      250 2.0.0 Ok
  ADH-SEED-SHA                Anon      250 2.0.0 Ok
  ADH-DES-CBC3-SHA            Anon      250 2.0.0 Ok
  ADH-CAMELLIA256-SHA         Anon      250 2.0.0 Ok
  ADH-CAMELLIA128-SHA         Anon      250 2.0.0 Ok
  ADH-AES256-SHA256           Anon      250 2.0.0 Ok
  ADH-AES256-SHA              Anon      250 2.0.0 Ok
  ADH-AES256-GCM-SHA384       Anon      250 2.0.0 Ok
  ADH-AES128-SHA256           Anon      250 2.0.0 Ok
  ADH-AES128-SHA              Anon      250 2.0.0 Ok
  ADH-AES128-GCM-SHA256       Anon      250 2.0.0 Ok
  EXP-RC2-CBC-MD5             40 bits   250 2.0.0 Ok
  EXP-EDH-RSA-DES-CBC-SHA     40 bits   250 2.0.0 Ok
I haven't gotten it to speak to an exim4 built against GnuTLS yet, even with
the most recent STARTTLS fixes that are in HEAD :/
Since exim4 is built against GnuTLS by default on Debian (it's a licensing
issue), I think it's important for this guide to include the appropriate
settings. However, I've found it surprisingly difficult to get the tools I
know/found to enumerate available ciphers for GnuTLS based services…
Anyone here with more expertise?
Michael
--
https://niij.org/
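Editor's note, added to this archived message and not part of the original post or of SSLyze: the STARTTLS enumeration SSLyze does here does not depend on the server's TLS library. Any client that can be told to offer exactly one cipher suite per handshake will enumerate a GnuTLS-based Exim just as well as an OpenSSL-based Postfix, because the server simply accepts or rejects the single suite offered. The script below does that with only the Python standard library: it speaks the SMTP greeting/EHLO/STARTTLS dialogue itself, tries one suite per connection, and grades whatever was accepted, flagging the anonymous (ADH/AECDH), export (EXP), RC4, RC2, single-DES and MD5 suites that appear in the output quoted above. The host, port and the `probe.invalid` EHLO name are assumed arguments; the embedded SSLyze lines are a constructed sample copied from the post so the grading part runs offline. One caveat the post itself hints at: a stock OpenSSL build of the last few years no longer contains EXP/ADH suites at all, so `probe_suite` returns `None` for them (the local library will not even offer the suite) rather than `False` (the server refused it); SSLyze avoids that problem by shipping its own OpenSSL build.

```python
import io
import socket
import ssl

# Constructed sample: SSLyze result lines as quoted in the post above.
SAMPLE_SSLYZE_OUTPUT = """\
EXP-ADH-RC4-MD5 Anon 250 2.0.0 Ok
ADH-AES128-GCM-SHA256 Anon 250 2.0.0 Ok
EXP-RC2-CBC-MD5 40 bits 250 2.0.0 Ok
EXP-EDH-RSA-DES-CBC-SHA 40 bits 250 2.0.0 Ok
"""

def parse_sslyze_output(text):
    """suite -> key column ('Anon', '40 bits'); the SMTP reply after it starts with a 3-digit code."""
    accepted = {}
    for tokens in (line.split() for line in text.splitlines() if line.strip()):
        codes = [i for i, t in enumerate(tokens) if len(t) == 3 and t.isdigit()]
        accepted[tokens[0]] = " ".join(tokens[1:(codes[0] if codes else None)])
    return accepted

def classify(suite):
    """Reasons an OpenSSL-named suite is unacceptable; [] means none found."""
    parts = suite.upper().split("-")
    reasons = []
    if "ADH" in parts or "AECDH" in parts:
        reasons.append("anonymous key exchange: no server authentication, any MITM reads it")
    if "EXP" in parts or "EXP1024" in parts:
        reasons.append("export-grade key length")
    if "DES" in parts and "CBC3" not in parts:  # DES-CBC3 is 3DES, DES-CBC is single DES
        reasons.append("single DES (56-bit)")
    reasons += [alg for alg in ("RC4", "RC2", "MD5") if alg in parts]
    return reasons

def flag_suites(accepted):
    """{suite: reasons} for every accepted suite classify() objects to."""
    return {s: classify(s) for s in accepted if classify(s)}

def read_reply(reader):
    """One SMTP reply ('250-' continuations up to '250 ') from a binary file-like or bytes."""
    if isinstance(reader, bytes):
        reader = io.BytesIO(reader)
    lines = []
    while True:
        raw = reader.readline()
        if not raw:
            raise ConnectionError("connection closed mid-reply")
        lines.append(raw.decode("ascii", "replace").rstrip("\r\n"))
        if len(lines[-1]) < 4 or lines[-1][3] != "-":
            break
    return int(lines[-1][:3]), lines

def candidate_suites():
    """TLS<=1.2 suites the local OpenSSL can name; EXP/ADH/RC4 appear only if built in."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL:COMPLEMENTOFDEFAULT:@SECLEVEL=0")   # assumes OpenSSL 1.1+
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def probe_suite(host, port, suite, timeout=5.0):
    """STARTTLS with the client limited to one suite: negotiated name, False if the
    server refused it, None if the local OpenSSL will not offer it at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE                # enumerating suites, not identity
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # keep TLS 1.3 suites out of the way
    try:
        ctx.set_ciphers(suite + ":@SECLEVEL=0")
    except ssl.SSLError:
        return None
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        if read_reply(reader)[0] != 220:
            raise RuntimeError("unexpected SMTP greeting")
        sock.sendall(b"EHLO probe.invalid\r\n")   # assumed client name
        code, lines = read_reply(reader)
        if code != 250 or not any("STARTTLS" in l.upper() for l in lines):
            raise RuntimeError("server does not advertise STARTTLS")
        sock.sendall(b"STARTTLS\r\n")
        if read_reply(reader)[0] != 220:
            return False
        try:
            tls = ctx.wrap_socket(sock, server_hostname=host)
        except (ssl.SSLError, OSError):
            return False                           # handshake failure: suite refused
        negotiated = tls.cipher()[0]
        tls.sendall(b"QUIT\r\n")
        tls.close()
        return negotiated

def enumerate_starttls(host, port=25):
    found = {}
    for suite in candidate_suites():
        negotiated = probe_suite(host, port, suite)
        if negotiated:
            found[negotiated] = "negotiated"
    return found

if __name__ == "__main__":   # python3 starttls_probe.py mx.example.org [25]
    import sys
    found = (enumerate_starttls(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 25)
             if len(sys.argv) > 1 else parse_sslyze_output(SAMPLE_SSLYZE_OUTPUT))
    for suite, reasons in sorted(flag_suites(found).items()):
        print("%-26s %s" % (suite, "; ".join(reasons)))
```

Run with a host (and optional port) to probe a live server; with no arguments it grades the quoted SSLyze lines instead. The one-suite-per-connection approach is slow (one TCP connection and one handshake per candidate) but it is the only way to get an unambiguous answer from a server that picks the first suite it likes from the client list, and it sidesteps the client-side library question entirely.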