Wednesday, November 10, 2010

Version 0.4 of SSL Testing Tool ssltest.pl

New version, fixing a bug with the list command and resolving an issue from Skoyern relating to SSLv2 compliance with PCI DSS.

Download below - this link will always point to the latest version:

Tuesday, November 9, 2010

Version 0.3 of SSL Testing Tool ssltest.pl

I have released a new version of ssltest.pl - version 0.3. This new version has two changes from version 0.2:
  • The tool now checks to see that it can make a connection to the provided host and port before it performs all of its SSL tests. This will allow you to differentiate a non-listening socket or non-working network connection from an SSL service that supports no ciphers (mostly there to remind you when you mistype the hostname/port or when the service is down). Thanks to Gitsnik for suggesting this (months ago...).
  • The tool now implements some crude detection for sites that allow an SSL connection using weak ciphers exclusively to provide "friendly" advice to the end user to upgrade their browser. In response to a comment from Anton here. Basically, I make a simple HTTP 1.1 request over any SSL socket that gets established, check the response for a "401 Unauthorized" response, and treat as unsupported any associated ciphers. I'm reasonably sure that this response should not be generated when authentication is required to access the web resource (that should be "401 Authorization Required"), but just in case the tool will tell you when it considers one or more ciphers to be unsupported because of this reason, and it will give you instructions on how to get more information to confirm. If this causes false negatives, let me know so I can resolve the issue. This new feature can also be disabled using the -f switch if it causes problems - see the help for more information.
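The two checks described above, sketched in Python as an added example; this is not code from ssltest.pl, which is written in Perl. The function names, the result strings and the `friendly_check` parameter (standing in for the -f switch) are assumptions made for illustration.

```python
import socket
import ssl


def is_friendly_rejection(reply: bytes) -> bool:
    """True when the HTTP status line is exactly the post's "401 Unauthorized"."""
    status_line = reply.split(b"\r\n", 1)[0].decode("latin-1")
    version, _, status = status_line.partition(" ")
    return version.startswith("HTTP/") and status.strip() == "401 Unauthorized"


def probe(host, port, cipher, friendly_check=True, timeout=5.0):
    """Return 'unreachable', 'unsupported', 'unsupported-friendly' or 'supported'."""
    # Change 1: plain TCP connect first, so a closed port or mistyped host
    # is not reported as an SSL service that supports no ciphers.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # auditing ciphers, not validating the certificate
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # set_ciphers() does not govern TLS 1.3 suites
    try:
        ctx.set_ciphers(cipher)  # also raises if the local OpenSSL build lacks the cipher
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except OSError:              # ssl.SSLError is a subclass of OSError
        sock.close()
        return "unsupported"

    # Change 2: one HTTP/1.1 request over the socket that was established.
    with tls:
        if not friendly_check:   # hypothetical parameter, plays the role of -f
            return "supported"
        try:
            request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            tls.sendall(request.encode())
            reply = tls.recv(4096)
        except OSError:
            reply = b""          # handshake worked; no HTTP answer to inspect
    return "unsupported-friendly" if is_friendly_rejection(reply) else "supported"
```

A modern OpenSSL build usually has weak and export ciphers compiled out, so an "unsupported" result for those reflects the local library rather than the server.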

Download below - this link will always point to the latest version of the tool: