[Ach] SSLyze / GnuTLS

Michael Zeltner m at niij.org
Thu Nov 21 23:53:01 CET 2013

In case you don't know that one yet, here's SSLyze.
http://nabla-c0d3.github.io/blog/2013/08/14/sslyze-v0-dot-7-released/ - if you
doubt the origin, it's actually from iSECPartners

It seems quite useful for auditing, similar to that nmap script, but it
supports STARTTLS. It gives the following output for the currently proposed
Postfix configuration:

      Accepted Cipher Suite(s):
        EXP-ADH-RC4-MD5               Anon          250 2.0.0 Ok
        AECDH-RC4-SHA                 Anon          250 2.0.0 Ok
        AECDH-DES-CBC3-SHA            Anon          250 2.0.0 Ok
        AECDH-AES256-SHA              Anon          250 2.0.0 Ok
        AECDH-AES128-SHA              Anon          250 2.0.0 Ok
        ADH-SEED-SHA                  Anon          250 2.0.0 Ok
        ADH-DES-CBC3-SHA              Anon          250 2.0.0 Ok
        ADH-CAMELLIA256-SHA           Anon          250 2.0.0 Ok
        ADH-CAMELLIA128-SHA           Anon          250 2.0.0 Ok
        ADH-AES256-SHA256             Anon          250 2.0.0 Ok
        ADH-AES256-SHA                Anon          250 2.0.0 Ok
        ADH-AES256-GCM-SHA384         Anon          250 2.0.0 Ok
        ADH-AES128-SHA256             Anon          250 2.0.0 Ok
        ADH-AES128-SHA                Anon          250 2.0.0 Ok
        ADH-AES128-GCM-SHA256         Anon          250 2.0.0 Ok
        EXP-RC2-CBC-MD5               40 bits       250 2.0.0 Ok
        EXP-EDH-RSA-DES-CBC-SHA       40 bits       250 2.0.0 Ok

I haven't gotten it to speak to an exim4 built against GnuTLS yet, even with
the most recent STARTTLS fixes that are in HEAD :/

Since exim4 is built against GnuTLS by default on Debian (it's a licensing
issue), I think it's important for this guide to include the appropriate
settings. However, I've found it surprisingly difficult to get the tools I
know/found to enumerate available ciphers for GnuTLS-based services…

Anyone here with more expertise?
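As an added example for the question raised in this post (it is not code from the original message, from SSLyze, or from exim4/Postfix): a small Python probe that enumerates cipher suites on an SMTP service behind STARTTLS. It speaks the EHLO/STARTTLS dialogue itself and then runs one TLS handshake per candidate suite, with the client restricted to that single suite, so it does not matter whether the server is OpenSSL- or GnuTLS-backed. The candidate list is whatever the local OpenSSL can still offer, so suites the local build has dropped (export and, on newer builds, anonymous ones) come back as untestable rather than as absent. The host name, port 25 and the EHLO client name are assumptions; the sample replies used to exercise the parser are constructed.

```python
# SMTP STARTTLS cipher-suite enumerator. Added example for this thread; not
# SSLyze, exim4 or Postfix code. One TCP connection per candidate suite:
# EHLO, STARTTLS, then a TLS handshake restricted to that single suite.
import socket
import ssl

class SMTPProbeError(Exception):
    """The server did not follow the expected EHLO/STARTTLS dialogue."""

def parse_reply(data):
    """Parse an SMTP reply ('250-cont' lines, then a final '250 text') into (code, lines)."""
    code, lines = None, []
    for raw in data.decode("ascii", "replace").splitlines():
        if len(raw) < 3 or not raw[:3].isdigit() or raw[3:4] not in ("", " ", "-"):
            raise SMTPProbeError("malformed SMTP reply line: %r" % raw)
        code = int(raw[:3])
        lines.append(raw[4:])
        if raw[3:4] != "-":  # no continuation marker: this was the final line
            break
    if code is None:
        raise SMTPProbeError("empty SMTP reply")
    return code, lines

def read_reply(sock):
    """Read one complete SMTP reply from a socket, continuation lines included."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise SMTPProbeError("peer closed the connection")
        buf += chunk
        if buf.endswith(b"\r\n"):
            last = buf[:-2].rsplit(b"\r\n", 1)[-1]
            if len(last) >= 3 and last[3:4] != b"-":  # final line has arrived
                return parse_reply(buf)

def advertises_starttls(caps):
    """True if the EHLO capability lines include STARTTLS."""
    return any(c.strip().upper() == "STARTTLS" for c in caps)

def classify(name):
    """Flag a suite the way SSLyze's output does: anonymous DH/ECDH, export grade, or normal."""
    if name.startswith("EXP"):
        return "export"
    if name.startswith(("ADH-", "AECDH-")) or "anon" in name.lower():
        return "anon"
    return "auth"

def starttls(host, port, timeout):
    """Connect, EHLO, STARTTLS; return the raw socket, ready for the TLS handshake."""
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        code, _ = read_reply(sock)
        if code != 220:
            raise SMTPProbeError("unexpected greeting %d" % code)
        sock.sendall(b"EHLO cipher-probe.invalid\r\n")  # client name is an assumption
        code, caps = read_reply(sock)
        if code != 250 or not advertises_starttls(caps):
            raise SMTPProbeError("server does not advertise STARTTLS")
        sock.sendall(b"STARTTLS\r\n")
        code, _ = read_reply(sock)
        if code != 220:
            raise SMTPProbeError("STARTTLS refused with %d" % code)
        return sock
    except BaseException:
        sock.close()
        raise

def probe_cipher(host, port, cipher, timeout=5.0):
    """One handshake limited to `cipher`; returns (accepted, detail). Raises
    ssl.SSLError before connecting if the local OpenSSL cannot offer the suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # we audit the suite list, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # set_ciphers() governs <= TLS 1.2 only
    ctx.set_ciphers(cipher + ":@SECLEVEL=0")  # SECLEVEL=0: let OpenSSL >= 1.1 offer weak suites
    sock = starttls(host, port, timeout)
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:  # closes itself on failure
            name, proto, _bits = tls.cipher()
            tls.sendall(b"QUIT\r\n")
            return True, "%s %s" % (proto, name)
    except ssl.SSLError as err:
        return False, err.reason or str(err)

def candidate_suites():
    """Every pre-TLS-1.3 suite the local OpenSSL can still offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL:COMPLEMENTOFALL:@SECLEVEL=0")
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def enumerate_ciphers(host, port=25, candidates=None):
    """Return [(suite, class, negotiated protocol and suite)] for every accepted suite."""
    accepted = []
    for name in candidate_suites() if candidates is None else candidates:
        try:
            ok, detail = probe_cipher(host, port, name)
        except ssl.SSLError:
            continue  # local library cannot even offer this one: untestable, not absent
        if ok:
            accepted.append((name, classify(name), detail))
    return accepted
```

Run it as `enumerate_ciphers("mail.example.org")` (host assumed) from a Python shell; each tuple names the suite, the SSLyze-style class (anon, export or auth) and the protocol version the server actually negotiated. Because the SMTP side is written by hand, the same probe also works against submission ports by passing `port=587`, and against a GnuTLS-backed exim4 exactly as against Postfix.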
