Penetration Testing mailing list archives

Re: How to check for SSL1 ?


From: Thomas Springer <tuevsec () gmx net>
Date: Thu, 29 Sep 2005 11:08:12 +0200

Hi Sahir,

Foundstone has a free tool called SSL Digger which basically does what
you're looking for -- identify the cipher suites supported by a particular

I find this one nice, but I want to dig a bit deeper.

Let me explain (correct me if I'm wrong!)

To get an encrypted connection, you have to choose one of different PROTOCOLS for establishing your ssl-connection:

- ssl v1 (ancient, considered vulnerable to mitm-attacks)
- ssl v2 (old, considered vulnerable to mitm-attacks, but still supported by some servers)
- ssl v3 (considered secure, but seldom used)
- tls 1.0 (typically preferred these days)
- tls 1.1 (rfc-draft, supported only by gnutls (server) and Opera (client))

The connection-type is determined by the client. Almost all clients (e.g. browsers) try to establish a TLS1.0-Connection first. If TLS1.0 is not available, they will fall back to SSLv3 (like they do at https://www.verisign.com) or something else the client supports.

On top of this PROTOCOL the server offers a "preferred CIPHER" to be used. If the client (e.g. Browser) agrees, this one is used, otherwise the server will present other supported ciphers until the client agrees to use one of them.
Almost all clients support the strong AES256-cipher these days.

SSLDigger only checks available CIPHERS, not PROTOCOLS, nor will it show you the preferred cipher the server presents first! (Especially busy servers tend to present "cheap" ciphers first to minimize load on server or SSL-proxy, even when they would support stronger ciphers.)

Have a look at the ssl-check at http://serversniff.net/sslcheck.php to see things at work.

What I wanted to check is whether a server still offers the sslv1-Protocol. I also seem to remember that there were other SSL-like protocols years ago - any hints on these?

tom
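
Added example, not part of the post above or of any tool it mentions: when auditing which PROTOCOLS a server still accepts, the server's first reply to a ClientHello already carries both the protocol version and the cipher it selected. The sketch below classifies that reply; it goes slightly beyond the post by also recognising a TLS alert (a refusal) and an SSLv2 SERVER-HELLO. The function name and the sample byte strings are assumptions constructed for illustration.

```python
import struct

# Wire version numbers for the protocols listed in the post that define one.
VERSIONS = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1"}

# Constructed sample replies (not captured from any real server).
# TLS 1.0 ServerHello selecting suite 0x0035 (TLS_RSA_WITH_AES_256_CBC_SHA):
SAMPLE_TLS10 = bytes.fromhex("160301002a" "02000026" "0301" + "00" * 32 + "00" "0035" "00")
SAMPLE_ALERT = bytes.fromhex("15030100020246")  # fatal alert 70 (protocol_version)
SAMPLE_SSLV2 = bytes.fromhex("800b" "04" "00" "01" "0002" "0000" "0000" "0000")


def parse_first_reply(data: bytes) -> dict:
    """Classify the first bytes a server returns after a ClientHello."""
    result = {"kind": None, "protocol": None, "cipher": None, "alert": None}
    try:
        # SSLv2: 2-byte length with the top bit set, then message type 4
        # (SERVER-HELLO); the version sits after session-id-hit and cert type.
        if data[0] & 0x80 and data[2] == 0x04:
            (version,) = struct.unpack_from(">H", data, 5)
            result.update(kind="server_hello", protocol=VERSIONS.get(version, hex(version)))
            return result
        # SSLv3/TLS record header: content type, record version, length.
        ctype, _rec_version, length = struct.unpack_from(">BHH", data, 0)
        body = data[5:5 + length]
        if ctype == 0x15:  # alert record: the offered protocol/ciphers were refused
            result.update(kind="alert", alert=body[1])
            return result
        if ctype != 0x16 or body[0] != 0x02:
            raise ValueError("first record is not a ServerHello")
        # Handshake header is type(1)+length(3); then version(2), random(32),
        # session id (1-byte length + data), and the selected cipher suite(2).
        (version,) = struct.unpack_from(">H", body, 4)
        sid_len = body[38]
        (cipher,) = struct.unpack_from(">H", body, 39 + sid_len)
    except (IndexError, struct.error):
        raise ValueError("truncated reply") from None
    result.update(kind="server_hello", protocol=VERSIONS.get(version, hex(version)), cipher=cipher)
    return result


if __name__ == "__main__":
    for name, blob in [("tls10", SAMPLE_TLS10), ("alert", SAMPLE_ALERT), ("sslv2", SAMPLE_SSLV2)]:
        print(name, parse_first_reply(blob))
```
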
