Name | Modified | Size |
---|---|---|
ssldiagnos_20140421.zip | 2014-04-21 | 2.0 MB |
ssldiagnos_20140419.zip | 2014-04-19 | 1.9 MB |
readme.txt | 2014-04-19 | 7.4 kB |
ssldiagnos_20130922.zip | 2013-09-22 | 1.9 MB |
ssldiagnos_20130805.zip | 2013-08-05 | 1.9 MB |

Contents of readme.txt:
_________________________________________________________
SSLDiagnos - 2010-2014
_________________________________________________________

SITE: https://sourceforge.net/projects/ssldiagnos

---------------------------------------------------------
Description
---------------------------------------------------------

This application is used to get information about SSL usage at a server. It can also be used for testing SSL clients.

What this application does is test every OpenSSL protocol/cipher combination and grade each combination from weak to strong. It can thus be used to find weak SSL ciphers and protocols at a server.

The source is written for Win32 but may easily be ported to Linux/Unix.

Dependencies: OpenSSL

---------------------------------------------------------
Note
---------------------------------------------------------

This application focuses on functionality rather than error handling and ease of use. It was created to test the security level of other applications and systems. There is no guarantee that it has sufficient error handling to be used on production-critical systems.

It is also, of course, not intended to be used in or as part of any illegal or immoral acts. The owner of the system tested by this application shall always be informed prior to any testing.

- The server-mode support is experimental.
- Error handling is not prioritized.

The SSLPressure project was created as a complement to SSLDiagnos. In the future these projects may be merged, but for now SSLPressure is more of a "lab" that is reprogrammed for each new penetration-test situation.

---------------------------------------------------------
About
---------------------------------------------------------

This application is used for SSL-layer diagnostics.

Author: James Dickson

---------------------------------------------------------
License
---------------------------------------------------------

The license of this project is GPL 3.0. See gpl-3.0.txt for more info or visit: http://www.gnu.org/licenses/gpl.html.

---------------------------------------------------------
Definition: Weak, intermediate, strong
---------------------------------------------------------

* SSLv2.0 = Weak
* Anonymous, null or export grade ciphers = Weak
* < 56 bits for encryption = Weak
* < 112 bits for encryption = Intermediate
* < 128 bits for encryption with AES = Intermediate
* >= 128 bits for encryption = Strong

Note 1: Even though some security issues have been noted about RC4 and MD5, because of the SSL design the use of RC4 encryption and the MD5 hash is not regarded as critical in this context. For instance: RC4/128 bit/SSL3 is regarded as "Strong" even though OpenSSL itself grades RC4 only as "MEDIUM" cipher strength. (This grading predates RFC 7465, published in 2015, which prohibits RC4 cipher suites in TLS; a tester today should treat an RC4 suite as a finding regardless of the grade reported here.)

---------------------------------------------------------
USAGE SSLDiagnos
---------------------------------------------------------

Example 0 - Get parameter meaning

  ssldiagnos.exe --help

Example 1 - Start a server using all ciphers but only the SSL3 protocol. Port 888 and the server certificate and key must also be specified.

  ssldiagnos.exe --servercipher ALL --serverprotocol SSL3 --servercert C:\src\ssldiagnos\Debug\cacert.pem -p 888 --servermode --servercertkey cakey.pem

Example 2 - Test the host www.hostname.org using port 443 (which is the default). Also test send/receive.

  ssldiagnos.exe -t www.hostname.org --testsend -p 443

Example 3 - Test the host www.hostname.org using port 443 (which is the default). Connect test only.

  ssldiagnos.exe www.hostname.org

---------------------------------------------------------
USAGE SSLPressure
---------------------------------------------------------

Example 1 - Test all handshakes of SSL2 and SSL3 ciphers on 192.168.1.1

  sslpressure.exe -t 192.168.1.1

Example 2 - Add a 500 ms delay between tests.

  sslpressure.exe -t 192.168.1.1 --delay 500

---------------------------------------------------------
History
---------------------------------------------------------

Date        Name   Change
.........................................................
2010-03-24  James  Added support for DTLS.
2010-11-13  James  Changed low, medium, high definitions to weak, intermediate, strong. This is to avoid confusion with cipher grade. The thought is that only a strong protocol/key exchange/cipher combo is PCI compliant.
2010-11-20  James  Added some better checks for SSL renegotiation.
2010-11-21  James  0.6.5a - Removed experimental support for SSL rating guide 2009. It messed up the code and was never used anyway.
2010-11-21  James  0.6.6a - Added some colors to simplify ocular result control.
2010-11-23  James  0.6.7a - Fixed color bug and added support for the cisco-dtls-special-implementation flag.
2010-11-30  James  0.6.8a - Fixed certificate bit count bug. Compiled .exe is now also using OpenSSL 1.0b.
2010-12-01  James  0.6.9a - Fixed some bugs with issuing warnings too easily for elliptic curve signed certificates.
2010-12-09  James  0.6.10a - Added support for starting SSL with POP3 servers (STLS).
2011-01-04  James  0.6.11a - Bugfix: default behavior is now to not test for POP3S. Project converted to VS2010.
2011-01-04  James  0.6.12a - Added support for explicit FTPS (AUTH SSL, AUTH TLS).
2011-01-05  James  0.6.12b - Some text changes.
2011-01-23  James  0.7.1a - Added the sslpressure project to the ssldiagnos solution.
2011-01-28  James  0.7.1b - Cleaned up some code.
2011-02-08  James  0.8.1a - Added experimental tests for PCT1. Also divided the project into library/app since there are common functions between projects.
2011-03-18  James  0.8.1b - Bug workaround. If start-TLS (such as with SMTP) is chosen, before we had a PCT false positive. Now we disable the PCT test. Also a bugfix in sslpressure when testing for SSL2.
2011-06-20  James  0.8.1c - Added some error checks for null pointers.
2012-11-11  James  0.9a - Added tests for TLS1.1, TLS1.2 and the SSL BEAST bug. Also moved solution to VS 2012.
2013-02-20  James  0.9.2a - No code changes in ssldiagnos. However, upon requests I have added the Windows port of Pavel Kankovsky's proof of concept for CVE-2009-3555 to the project solution.
2013-03-17  James  Versions are now by date. Simpler to keep track. Fixed some small issues in sslpressure. Also some code cleaning (needs a lot more of course).
2013-03-30  James  0.9.3a - Since Nessus has some bugs in the BEAST-mitigation test I have added some tests for it here. OpenSSL 1.0.1e has been patched to accomplish this.
2013-04-27  James  0.9.4 - Small change with verbose argument and added info on how OpenSSL was patched.
2013-05-05  James  0.9.5 - Added a small proxy to make it possible to scan MSSQL SSL settings (not possible in Nessus now).
2013-07-04  James  0.9.6 - Added some functionality to MITM an MSSQL connection to strip away SSL (proof of concept).
2013-09-22  James  Fixed a bug in parsing the initial TDS negotiation packet for MSSQL connections (in the ssl2tds project).
2014-04-19  James  Well... the Heartbleed bug test added. The --heartbleed flag is required since the test may be dangerous for some systems (did not want to add this to the default).
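The grading rules from the "Definition: Weak, intermediate, strong" section, applied to the text format a practitioner has at hand: the output of `openssl ciphers -v`. This is an added example written for this page, not code from the SSLDiagnos project; the sample lines are constructed in the OpenSSL 1.0.x column layout (name, protocol, Kx=, Au=, Enc=, Mac=, optional trailing "export"), not captured from a real run. It makes two things visible that the list alone does not: OpenSSL reports 3DES as 168 bits, so DES-CBC3-SHA grades Strong under these rules, and the "< 128 bits with AES" rule can never match because no AES suite uses fewer than 128 bits. The SSLv2 rule is tested on the protocol column, so a 128-bit RC4 suite is Weak under SSLv2 and Strong under SSLv3, exactly as Note 1 describes.

```python
import re

# Grades as defined in the readme's "Definition: Weak, intermediate, strong" section.
WEAK, INTERMEDIATE, STRONG = "Weak", "Intermediate", "Strong"

# One line of `openssl ciphers -v` output (OpenSSL 1.0.x layout), for example:
#   RC4-SHA   SSLv3 Kx=RSA   Au=RSA   Enc=RC4(128)  Mac=SHA1
# Export-grade suites carry a trailing "export" flag, captured in <flags>.
_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<flags>.*)$"
)


def parse_cipher_line(line):
    """Parse one `openssl ciphers -v` line; returns None if the line is not a suite."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    c = m.groupdict()
    alg, _, rest = c["enc"].partition("(")   # "AESGCM(256)" -> "AESGCM", "256)"
    c["alg"] = alg                            # "None" for NULL-encryption suites
    c["bits"] = int(rest.rstrip(")")) if rest else 0
    c["export"] = "export" in c["flags"].split()
    return c


def grade(c):
    """Apply the readme's rules, in the order they are listed, to one parsed suite."""
    if c["proto"] == "SSLv2":                                   # SSLv2.0 = Weak
        return WEAK
    if c["au"] == "None" or c["alg"] == "None" or c["export"]:  # anonymous / null / export
        return WEAK
    if c["bits"] < 56:
        return WEAK
    if c["bits"] < 112:
        return INTERMEDIATE
    if c["alg"].startswith("AES") and c["bits"] < 128:
        # Kept as written in the readme; no AES suite has < 128 bits, so it never fires.
        return INTERMEDIATE
    return STRONG


def grade_cipher_list(text):
    """Grade every suite in a block of `openssl ciphers -v` output: {suite name: grade}."""
    result = {}
    for line in text.splitlines():
        c = parse_cipher_line(line)
        if c is not None:
            result[c["name"]] = grade(c)
    return result


# Constructed sample in the `openssl ciphers -v` layout (not captured from a real run).
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
AECDH-AES128-SHA        TLSv1 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
"""

if __name__ == "__main__":
    for name, g in grade_cipher_list(SAMPLE).items():
        print(f"{name:28s} {g}")
```

To grade a real build's suite list, pipe `openssl ciphers -v 'ALL:COMPLEMENTOFALL'` into `grade_cipher_list`; the regex ignores any line that does not follow the suite layout, so warnings or blank lines in that output are skipped rather than mis-graded.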