[Ach] SSLyze / GnuTLS

Aaron Zauner azet at azet.org
Fri Nov 22 06:08:30 CET 2013


I added it to the “tools” section yesterday. It’s a really useful tool.

iSECPartners publish frequently on SSL vulnerabilities. There is a great paper describing common attacks against SSL/TLS that I referenced a lot in this paper and in e-mails all over mailing lists; it is just well done and explains the basic principles in an easily understandable way (you’ll have to know what XOR does - that’s all).

Thanks for the addition of the postfix output - haven’t been that much into mailing for 1.5yrs (used to work for large email service providers back then) - I’m glad that people contribute and check that stuff, it’s really important!

Aaron


On 21 Nov 2013, at 23:53, Michael Zeltner <m at niij.org> wrote:

> In case you don't know that one yet, here's SSLyze.
> http://nabla-c0d3.github.io/blog/2013/08/14/sslyze-v0-dot-7-released/ - if you
> doubt the origin, it's actually from iSECPartners
> https://github.com/iSECPartners/sslyze
> 
> It seems quite useful for auditing, similar to that nmap script, but it
> supports STARTTLS. It gives the following output for the currently proposed
> Postfix configuration:
> 
>      Accepted Cipher Suite(s):
>        EXP-ADH-RC4-MD5               Anon          250 2.0.0 Ok
>        AECDH-RC4-SHA                 Anon          250 2.0.0 Ok
>        AECDH-DES-CBC3-SHA            Anon          250 2.0.0 Ok
>        AECDH-AES256-SHA              Anon          250 2.0.0 Ok
>        AECDH-AES128-SHA              Anon          250 2.0.0 Ok
>        ADH-SEED-SHA                  Anon          250 2.0.0 Ok
>        ADH-DES-CBC3-SHA              Anon          250 2.0.0 Ok
>        ADH-CAMELLIA256-SHA           Anon          250 2.0.0 Ok
>        ADH-CAMELLIA128-SHA           Anon          250 2.0.0 Ok
>        ADH-AES256-SHA256             Anon          250 2.0.0 Ok
>        ADH-AES256-SHA                Anon          250 2.0.0 Ok
>        ADH-AES256-GCM-SHA384         Anon          250 2.0.0 Ok
>        ADH-AES128-SHA256             Anon          250 2.0.0 Ok
>        ADH-AES128-SHA                Anon          250 2.0.0 Ok
>        ADH-AES128-GCM-SHA256         Anon          250 2.0.0 Ok
>        EXP-RC2-CBC-MD5               40 bits       250 2.0.0 Ok
>        EXP-EDH-RSA-DES-CBC-SHA       40 bits       250 2.0.0 Ok
> 
> I haven't gotten it to speak to an exim4 built against GnuTLS yet, even with
> the most recent STARTTLS fixes that are in HEAD :/
> 
> Since exim4 is built against GnuTLS by default on Debian (it's a licensing
> issue), I think it's important for this guide to include the appropriate
> settings. However, I've found it surprisingly difficult to get the tools I
> know/found to enumerate available ciphers for GnuTLS based services…
> 
> Anyone here with more expertise?
> Michael
> -- 
> https://niij.org/
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
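
The accepted-suite listing quoted above can be checked mechanically. The following is an added example, not part of the original thread and not SSLyze's own code: a small Python parser for lines in the format shown above that flags anonymous, export-grade, short-key and RC4 suites. The function names and the final DHE sample line are assumptions made for illustration.

```python
import re

# Constructed sample: five suites copied from the listing above, plus one
# hypothetical non-anonymous line (not in the original output) for contrast.
SAMPLE = """\
     Accepted Cipher Suite(s):
       EXP-ADH-RC4-MD5               Anon          250 2.0.0 Ok
       AECDH-AES256-SHA              Anon          250 2.0.0 Ok
       ADH-AES256-GCM-SHA384         Anon          250 2.0.0 Ok
       EXP-RC2-CBC-MD5               40 bits       250 2.0.0 Ok
       EXP-EDH-RSA-DES-CBC-SHA       40 bits       250 2.0.0 Ok
       DHE-RSA-AES256-GCM-SHA384     256 bits      250 2.0.0 Ok
"""

# Optional "> " mail quoting, suite name, key-size column, SMTP reply text.
LINE = re.compile(r"^\s*>?\s*([A-Z0-9][A-Z0-9-]+)\s+(Anon|\d+ bits)\s+\S")


def classify(name, size):
    """Return the reasons a suite should be disabled (empty list if none)."""
    parts = name.split("-")
    reasons = []
    if size == "Anon" or "ADH" in parts or "AECDH" in parts:
        reasons.append("anonymous")   # no server authentication at all
    if parts[0] == "EXP":
        reasons.append("export")      # deliberately weakened export suites
    if size != "Anon" and int(size.split()[0]) < 128:
        reasons.append("short-key")
    if "RC4" in parts:
        reasons.append("rc4")
    return reasons


def audit(text):
    """Map each weak accepted suite in the listing to its reasons."""
    findings = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m and (reasons := classify(m.group(1), m.group(2))):
            findings[m.group(1)] = reasons
    return findings


if __name__ == "__main__":
    for suite, reasons in audit(SAMPLE).items():
        print(f"{suite:28} {', '.join(reasons)}")
```

An empty result from `audit()` on a fresh scan means none of these four classes of suite is still being accepted.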
