[Ach] SSLyze / GnuTLS
Aaron Zauner
azet at azet.org
Fri Nov 22 06:08:30 CET 2013
I’ve added it to the “tools” section yesterday. It’s really a useful tool.
iSECPartners publish frequently on SSL vulernabilities. There is a great paper describing common attacks against SSL/TLS that I referenced a lot in this paper and e-mails all over mailing lists, it is just well done and explains basic principle in an easily understandable way (you’ll have to know what XOR does - thats all).
Thanks for the addition of the postfix output - haven’t been that much into mailing for 1.5yrs (used to work for large email service providers back then) - I’m glad that people contribute and check that stuff, it’s really important!
Aaron
On 21 Nov 2013, at 23:53, Michael Zeltner <m at niij.org> wrote:
> In case you don't know that one yet, here's SSLyze.
> http://nabla-c0d3.github.io/blog/2013/08/14/sslyze-v0-dot-7-released/ - if you
> doubt the origin, it's actually from iSECPartners
> https://github.com/iSECPartners/sslyze
>
> It seems quite useful for auditing, similar to that nmap script, but it
> supports STARTTLS. It gives the following output for the currently proposed
> Postfix configuration:
>
> Accepted Cipher Suite(s):
> EXP-ADH-RC4-MD5 Anon 250 2.0.0 Ok
> AECDH-RC4-SHA Anon 250 2.0.0 Ok
> AECDH-DES-CBC3-SHA Anon 250 2.0.0 Ok
> AECDH-AES256-SHA Anon 250 2.0.0 Ok
> AECDH-AES128-SHA Anon 250 2.0.0 Ok
> ADH-SEED-SHA Anon 250 2.0.0 Ok
> ADH-DES-CBC3-SHA Anon 250 2.0.0 Ok
> ADH-CAMELLIA256-SHA Anon 250 2.0.0 Ok
> ADH-CAMELLIA128-SHA Anon 250 2.0.0 Ok
> ADH-AES256-SHA256 Anon 250 2.0.0 Ok
> ADH-AES256-SHA Anon 250 2.0.0 Ok
> ADH-AES256-GCM-SHA384 Anon 250 2.0.0 Ok
> ADH-AES128-SHA256 Anon 250 2.0.0 Ok
> ADH-AES128-SHA Anon 250 2.0.0 Ok
> ADH-AES128-GCM-SHA256 Anon 250 2.0.0 Ok
> EXP-RC2-CBC-MD5 40 bits 250 2.0.0 Ok
> EXP-EDH-RSA-DES-CBC-SHA 40 bits 250 2.0.0 Ok
>
> I haven't gotten it to speak to an exim4 built against GnuTLS yet, even with
> the most recent STARTTLS fixes that are in HEAD :/
>
> Since exim4 is built against GnuTLS by default on Debian (it's a licensing
> issue), I think it's important for this guide to include the appropriate
> settings. However, I've found it surprisingly difficult to get the tools I
> know/found to enumerate available ciphers for GnuTLS based services…
>
> Anyone here with more expertise?
> Michael
> --
> https://niij.org/
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1091 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.cert.at/pipermail/ach/attachments/20131122/ab2e641d/attachment.sig>
More information about the Ach
mailing list