Project: SSLyzer 0.1



nop
06-27-2011, 01:53 AM
I started developing an analyzing library a while ago for programs which make
use of SSL/TLS to secure the connection. I didn't code on it for a while
and posted it already, but I think it's better placed here and maybe it's interesting
for someone.

I was inspired by ssllabs.com, which has been implemented in Java. It is a great
web service with one problem. The performance of that implementation is not as
good as it could be. Part of the problem is Java's fault and another part may be
sleep functions, which slow down the process explicitly for commercial purposes.

After a little research I found another tool, called sslscan, which was developed
in C. Compared with ssllabs, it got a speed improvement. But even this
implementation has a problem. It is coded nastily, has a weird structure and has
unnecessary HTTP traffic for the tests.

That was the point where I decided to write it on my own, so I can make it as fast as
I want, reduce the lack of performance and memory. I even had to free memory
leaks of the openssl library itself.


This program is usually planned as a library for Linux, Mac and Windows
programs. It is written in C, it's not packed or crypted, not even backdoored.
It's using the openssl and the postgres library and will be released for all
systems after a modification of the entropy seed for Windows. So including
will be as easy as possible.



Dependencies:
- openssl
- postgres

Features:
- protocol detection
- cipher detection
- renegotiation detection
- certificate validation
  - Hostname, NSS trustbase, pathlen, chain
- weak debian key detection
  - Commented out for now: automated insertion of the whole keys is
    missing with index on key column, after that it will be reactivated
- evaluation with ssllabs.com guidelines
  - protocols
  - ciphers
  - key exchange

Coming:
- OCSP and CRLs
- Frontend
- StartTLS
- Mac and Windows compiles
- compiles as libraries
- input validation
- NSS trustbase extraction of certdata.[c][txt]

Goal:
- identify weak protocols
  - ssl 2.0: cipher downgrade attack
- identify weak ciphers
  - export cipher
  - anonymous cipher
- identify renegotiation support
  - weak renegotiation
  - HTTP downgrade attack
  - SSL/TLS Session injection
- identify trust status of the certificate
  - weak keylength
  - trusted chain
  - correct pathlen
  - hostname
- evaluation of the security of the SSL/SSL service


If I missed something I will post it. Database will be used in future but for
now it will work without, so no postgres is needed at the moment.

Input validation is not implemented at the moment.

I have attached the binary and the configs separately, because of the
size limit in this forum for .rar extensions.


Example run:

SSLyzer 0.1
***********************************
Scans and evaluates SSL-Server
for SSL/TLS configuration-,
implementation- and design-
vulnerabilities

by NOP <nop@execs.com> 2010
regard to slyke
***********************************


Supported Protocols:
***********************************
ssl3
tls1

Supported Ciphers:
***********************************
DHE-RSA-AES256-SHA
AES256-SHA
EDH-RSA-DES-CBC3-SHA
DES-CBC3-SHA
DHE-RSA-AES128-SHA
AES128-SHA
RC4-SHA
RC4-MD5

Renegotiation:
***********************************
Vulnerable or off

Evaluation Result
***********************************
Target: <SERVER_EXAMPLE>:443
-------------------------------
Validation: True
Protocol Score: 85.00 %
Cipher Score: 90.00 %
Key-Exchange Score: 80.00 %
-------------------------------
SSL-Server Score: 85.50 %
SSL-Server Mark: A
-------------------------------
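
The scores in the example run above can be reproduced from the listed protocols and ciphers. The following is an added example, not part of the original post and not SSLyzer's code: the score tables are an assumption based on the SSL Labs rating guide of that period, the function names are hypothetical, and the 1024-bit key size is assumed because the run does not print it.

```c
#include <stdio.h>
#include <string.h>

/* Constructed input: protocol and cipher names copied from the example run. */
static const char *PROTOS[]  = { "ssl3", "tls1" };
static const char *CIPHERS[] = { "DHE-RSA-AES256-SHA", "AES256-SHA",
    "EDH-RSA-DES-CBC3-SHA", "DES-CBC3-SHA", "DHE-RSA-AES128-SHA",
    "AES128-SHA", "RC4-SHA", "RC4-MD5" };
/* Assumed protocol table: SSL2 0, SSL3 80, TLS1.0 90, TLS1.1 95, TLS1.2 100.
   "tls1.1"/"tls1.2" are hypothetical labels; the run only shows ssl3, tls1. */
static double proto_points(const char *p) {
    return !strcmp(p, "ssl3") ? 80 : !strcmp(p, "tls1") ? 90
         : !strcmp(p, "tls1.1") ? 95 : !strcmp(p, "tls1.2") ? 100 : 0;
}
/* Hypothetical helper: key bits inferred from the OpenSSL cipher name, then
   the assumed cipher table: 0 bits 0, <128 20, <256 80, >=256 100. */
static double cipher_points(const char *c) {
    int bits = strstr(c, "NULL") ? 0 : strstr(c, "EXP") ? 40
             : strstr(c, "AES256") ? 256 : strstr(c, "DES-CBC3") ? 168
             : (strstr(c, "AES128") || strstr(c, "RC4")) ? 128
             : strstr(c, "DES-CBC") ? 56 : 0;   /* unknown name: 0 bits */
    return bits == 0 ? 0 : bits < 128 ? 20 : bits < 256 ? 80 : 100;
}
/* Assumed key-exchange table, by RSA/DH key size in bits. */
static double kx_points(int bits) {
    return bits == 0 ? 0 : bits < 512 ? 20 : bits < 1024 ? 40
         : bits < 2048 ? 80 : bits < 4096 ? 90 : 100;
}
/* A category score is the mean of the best and the worst item offered,
   so one weak cipher or protocol pulls the whole category down. */
static double category(const char **v, int n, double (*pts)(const char *)) {
    double lo = 100, hi = 0;
    for (int i = 0; i < n; i++) {
        double s = pts(v[i]);
        if (s < lo) lo = s;
        if (s > hi) hi = s;
    }
    return n ? (lo + hi) / 2 : 0;
}
/* Assumed weights: protocol 30 %, key exchange 30 %, cipher strength 40 %. */
static double total(double p, double k, double c) { return (30 * p + 30 * k + 40 * c) / 100; }
static char mark(double s) {
    return s >= 80 ? 'A' : s >= 65 ? 'B' : s >= 50 ? 'C'
         : s >= 35 ? 'D' : s >= 20 ? 'E' : 'F';
}
int main(void) {
    double p = category(PROTOS, 2, proto_points), c = category(CIPHERS, 8, cipher_points);
    double t = total(p, kx_points(1024), c);    /* 1024-bit key is assumed */
    printf("proto %.2f cipher %.2f kx %.2f -> %.2f %c\n", p, c, kx_points(1024), t, mark(t));
    return 0;
}
```

Under these tables a server that also offered an export cipher would fall to a cipher score of 50, since the worst offered cipher counts as much as the best.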