
Thread: Project: SSLyzer 0.1


    Project: SSLyzer 0.1

    I started developing an analyzing library a while ago for programs which make
    use of SSL/TLS to secure the connection. I didn't code on it for a while
    and posted it already, but I think it's better placed here and maybe it's interesting
    for someone.

    I was inspired by ssllabs.com, which has been implemented in Java. It is a great
    web service with one problem: the performance of that implementation is not as
    good as it could be. Part of the problem is Java's fault and another part is maybe
    sleep functions which slow down the process deliberately for commercial purposes.

    After a small research I found another tool, called sslscan, which was developed
    in C. Compared with ssllabs, it got a speed improvement. But even this
    implementation has a problem. It is coded nastily, has a weird structure and
    produces unnecessary HTTP traffic for the tests.

    That was the point I decided to write it on my own, so I can make it as fast as
    I want and reduce the waste of performance and memory. I even had to free memory
    leaks of the openssl library itself.


    This program is initially planned as a library for Linux, Mac and Windows
    programs. It is written in C; it's not packed or encrypted, not even backdoored.
    It's using the openssl and the postgres library and will be released for all
    systems after a modification of the entropy seed for Windows. So including it
    will be as easy as possible.


    Dependencies:
        - openssl
        - postgres
    
    Features:
        - protocol detection
        - cipher detection
        - renegotiation detection
        - certificate validation
            - Hostname, NSS trustbase, pathlen, chain
        - weak Debian key detection
        - Commented out for now: automated insertion of the whole keys is
            missing with index on key column; after that it will be reactivated
        - evaluation with ssllabs.com guidelines
            - protocols
            - ciphers
            - key exchange
    
    Coming:
        - OCSP and CRLs
        - Frontend
        - StartTLS
        - Mac and Windows compiles
        - compiles as libraries
        - input validation
        - NSS trustbase extraction of certdata.[c][txt]
    
    Goal:
        - identify weak protocols
            - ssl 2.0: cipher downgrade attack
        - identify weak ciphers
            - export cipher
            - anonymous cipher
        - identify renegotiation support
            - weak renegotiation
            - HTTP downgrade attack
            - SSL/TLS session injection
        - identify trust status of the certificate
            - weak key length
            - trusted chain
            - correct pathlen
            - hostname
        - evaluation of the security of the SSL/TLS service

    If I missed something I will post it. The database will be used in future, but for
    now it will work without it, so no postgres is needed at the moment.

    Input validation is not implemented at the moment.

    I have attached the binary and the configs separately because of the
    size limit in this forum for .rar extensions.


    Example run:

    SSLyzer 0.1
    ***********************************
    Scans and evaluates SSL-Server
    for SSL/TLS configuration-,
    implementation- and design-
    vulnerabilities

    by NOP <nop@execs.com> 2010
    regard to slyke
    ***********************************


    Supported Protocols:
    ***********************************
    ssl3
    tls1

    Supported Ciphers:
    ***********************************
    DHE-RSA-AES256-SHA
    AES256-SHA
    EDH-RSA-DES-CBC3-SHA
    DES-CBC3-SHA
    DHE-RSA-AES128-SHA
    AES128-SHA
    RC4-SHA
    RC4-MD5

    Renegotiation:
    ***********************************
    Vulnerable or off

    Evaluation Result
    ***********************************
    Target: <SERVER_EXAMPLE>:443
    -------------------------------
    Validation: True
    Protocol Score: 85.00 %
    Cipher Score: 90.00 %
    Key-Exchange Score: 80.00 %
    -------------------------------
    SSL-Server Score: 85.50 %
    SSL-Server Mark: A
    -------------------------------
    Last edited by nop; 06-27-2011 at 01:57 AM.
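The "Evaluation Result" section of the sample run, written out as an added Python example that is not SSLyzer's own code. It assumes the per-protocol and per-key-length tables of the ssllabs.com rating guide the post refers to, and that the 80 % key-exchange score corresponds to a 1024-bit RSA server key; with the guide's 30/30/40 weighting it reproduces the 85.50 % and mark A printed above.

```python
# Added example, not SSLyzer's code: the score tables follow the ssllabs.com
# rating guide the post references (assumption as far as SSLyzer's own tables go).

# Protocol support: SSL 2.0 scores 0 (cipher downgrade attack, see "Goal").
PROTOCOL_SCORE = {"ssl2": 0, "ssl3": 80, "tls1": 90, "tls1_1": 95, "tls1_2": 100}

# Symmetric key length of the OpenSSL cipher names printed in the sample run,
# plus one export and one anonymous suite (constructed lookup for this example).
CIPHER_BITS = {
    "DHE-RSA-AES256-SHA": 256, "AES256-SHA": 256,
    "EDH-RSA-DES-CBC3-SHA": 168, "DES-CBC3-SHA": 168,
    "DHE-RSA-AES128-SHA": 128, "AES128-SHA": 128,
    "RC4-SHA": 128, "RC4-MD5": 128,
    "EXP-RC4-MD5": 40,        # export cipher: weak key
    "ADH-AES128-SHA": 128,    # anonymous DH: no server authentication
}

def cipher_score(bits):
    """Cipher strength by symmetric key length (guide thresholds)."""
    return 0 if bits == 0 else 20 if bits < 128 else 80 if bits < 256 else 100

def key_exchange_score(key_bits, anonymous=False):
    """Key exchange by server key length; anonymous suites score 0."""
    if anonymous or key_bits == 0:
        return 0
    return next((s for limit, s in ((512, 20), (1024, 40), (2048, 80), (4096, 90))
                 if key_bits < limit), 100)

def best_worst_average(scores):
    """Guide rule: average the best and the worst accepted value."""
    return (max(scores) + min(scores)) / 2

def mark(total):
    """Letter mark on the guide's thresholds."""
    return next((m for limit, m in ((80, "A"), (65, "B"), (50, "C"), (35, "D"), (20, "E"))
                 if total >= limit), "F")

def evaluate(protocols, ciphers, key_bits, cert_valid=True):
    """Sub-scores, 30/30/40 weighted total and mark, as in the sample run."""
    anonymous = any(name.startswith("ADH-") for name in ciphers)
    proto = best_worst_average([PROTOCOL_SCORE[p] for p in protocols])
    ciph = best_worst_average([cipher_score(CIPHER_BITS[c]) for c in ciphers])
    kx = key_exchange_score(key_bits, anonymous)
    # An untrusted certificate gets no score at all (assumption, guide rule).
    total = round(0.3 * proto + 0.4 * ciph + 0.3 * kx, 2) if cert_valid else 0.0
    return {"validation": cert_valid, "protocol": proto, "cipher": ciph,
            "key_exchange": kx, "total": total, "mark": mark(total)}

SAMPLE_CIPHERS = ["DHE-RSA-AES256-SHA", "AES256-SHA", "EDH-RSA-DES-CBC3-SHA",
                  "DES-CBC3-SHA", "DHE-RSA-AES128-SHA", "AES128-SHA", "RC4-SHA", "RC4-MD5"]
print(evaluate(["ssl3", "tls1"], SAMPLE_CIPHERS, 1024))  # total 85.5, mark A
```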
