Tuesday, November 9, 2010

Version 0.3 of SSL Testing Tool ssltest.pl

I have released a new version of ssltest.pl - version 0.3. This new version has two changes from version 0.2:
  • The tool now checks that it can make a plain TCP connection to the provided host and port before it performs any of its SSL tests. This lets you tell a non-listening socket or a broken network connection apart from an SSL service that supports no ciphers (it is mostly there to remind you when you mistype the hostname/port or when the service is down). Thanks to Gitsnik for suggesting this (months ago...).
  • The tool now implements some crude detection for sites that accept an SSL connection using weak ciphers only so they can serve "friendly" advice telling the end user to upgrade their browser. This is in response to a comment from Anton here. Basically, I make a simple HTTP 1.1 request over any SSL socket that gets established, check whether the response is a "401 Unauthorized", and if so treat the associated ciphers as unsupported. I'm reasonably sure this response should not be generated when authentication is required to access the web resource (that should be "401 Authorization Required"), but just in case, the tool will tell you when it considers one or more ciphers unsupported for this reason, and it will give you instructions on how to get more information to confirm. If this causes false negatives, let me know so I can resolve the issue. This new feature can also be disabled using the -f switch if it causes problems - see the help for more information.
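The two checks above, written out as an added example in Python (ssltest.pl itself is Perl, and this is not the tool's code): a plain TCP pre-check so a dead host is reported as such rather than as "no ciphers supported", then a per-cipher TLS handshake followed by a minimal HTTP/1.1 request whose status line decides whether the handshake counted. All function names are this example's own; the 401 heuristic is the one the post describes, and making the set of "friendly" status codes configurable (so it can be emptied to mirror the -f switch) is an assumption of the example.

```python
import socket
import ssl

# Status codes treated as a "friendly" upgrade-your-browser reply rather than
# real cipher support. The post's heuristic uses 401; making the set
# configurable (pass frozenset() to mirror -f) is this example's assumption.
FRIENDLY_STATUS_CODES = frozenset({401})


def precheck_tcp(host, port, timeout=5.0):
    """Step 1: plain TCP connect before any TLS work, to separate
    'nothing listening / no route / typo in host:port' from
    'TLS service that accepts none of the offered ciphers'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def parse_status(raw):
    """Return the numeric status code of an HTTP response, or None if the
    bytes do not begin with a well-formed HTTP status line."""
    first_line = raw.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    parts = first_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def classify_response(raw, friendly_codes=FRIENDLY_STATUS_CODES):
    """Decide what a completed handshake plus HTTP reply means.
    'friendly-rejection': handshake worked but the server only served a
                          401-style page, so count the cipher as unsupported
    'supported':          any other HTTP reply
    'handshake-only':     no parseable HTTP reply; worth a manual look"""
    code = parse_status(raw)
    if code is None:
        return "handshake-only"
    if code in friendly_codes:
        return "friendly-rejection"
    return "supported"


def probe_cipher(host, port, cipher, timeout=5.0,
                 friendly_codes=FRIENDLY_STATUS_CODES):
    """Step 2: handshake restricted to one OpenSSL cipher name, then send a
    minimal HTTP/1.1 request and classify the answer. Certificate checks are
    off on purpose: this enumerates ciphers, it does not trust the peer.
    Note set_ciphers() only restricts TLS 1.2-and-below suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers(cipher)
    except ssl.SSLError:
        return "cipher-unknown-locally"
    request = (b"GET / HTTP/1.1\r\nHost: " + host.encode("idna")
               + b"\r\nConnection: close\r\n\r\n")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.sendall(request)
                raw = b""
                while len(raw) < 4096:          # the status line is enough
                    chunk = tls.recv(4096)
                    if not chunk:
                        break
                    raw += chunk
        return classify_response(raw, friendly_codes)
    except ssl.SSLError:
        return "rejected"                      # server refused this cipher
    except OSError:
        return "connection-failed"


def self_check():
    """Offline demonstration of step 1 against a loopback listener that is
    open first and then closed. Returns (result_while_open, result_after)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = precheck_tcp("127.0.0.1", port, timeout=2.0)
    listener.close()
    after_close = precheck_tcp("127.0.0.1", port, timeout=2.0)
    return while_open, after_close


if __name__ == "__main__":
    print("loopback precheck (open, closed):", self_check())
    # Constructed sample replies, not captured from any real server.
    for sample in (b"HTTP/1.1 401 Unauthorized\r\nContent-Length: 0\r\n\r\n",
                   b"HTTP/1.1 200 OK\r\n\r\n",
                   b""):
        print(sample[:25], "->", classify_response(sample))
```

Against a live host you would run `precheck_tcp(host, port)` once, then `probe_cipher(host, port, name)` for each cipher name in `ssl.SSLContext().get_ciphers()`; a "friendly-rejection" result is exactly the case the post's new check reports, and a "handshake-only" result is the one to confirm by hand.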

Download below - this link will always point to the latest version of the tool:

4 comments:

  1. You have a problem with the --pci switch. No SSLv2 ciphers are ok to use in a PCI environment.

  2. Thanks for fixing it. The next small issue:
    it's fine to have a link to the latest version, however could you also host an archive with a version number, something like ssltest-0.3.pl? It's necessary for a proper version control using package managers, such as portage of Gentoo Linux.

  3. Skyoyern

    Thanks for pointing that out - it's fixed in version 0.4.

    Anton

    All previous versions uploaded using your suggested naming convention. Have been planning to create an ssltest page, so I will stick the links on that when it's done - in the meantime I'm sure you can guess the links. ;)

  4. Ok, I'm back with the "friendly messages" problem.
    ebay.com:443 returns "HTTP/1.1 500 Internal Server Error". Could you add it to the list?
