TLSSLed v1.2 has been released and can be downloaded, as usual, from Taddong's lab.
This new version incorporates feedback from several people, as well as new features, including support for Mac OS X (TLSSLed should now run in both Linux and Mac OS X; check how to build sslscan on Mac OS X first), an initial check to verify if the target service speaks SSL/TLS (finishing its execution if it does not), a few other optimizations and error checks, and new tests for TLS v1.1 and v1.2.
The latter feature has been added as a result of the recent BEAST vulnerability and research, CVE-2011-3389. In order to be able to check for TLS v1.1 and v1.2 you need to use openssl-1.0.1-stable, available from the openssl snapshot repository. TLSSLed identifies if the target service supports TLS v1.1 and v1.2, if it does not, or if your local openssl version does not support these TLS versions.
This new test simply checks if the target service supports these two TLS versions, however, this does not mean the implementation is secure from a BEAST perspective, as lots of other factors can influence this, such as:
- The implementation could downgrade from TLS v1.1 or v1.2 to TLS v1.0 or SSLv3 if these versions are also supported by the server and a client requests it.
- The implementation can use RC4 instead of AES CBC to mitigate this vulnerability.
- Certain SSL/TLS implementations might not be vulnerable to BEAST, such as openssl since version 0.9.6d, as they already added empty plaintext fragments (problem #2) - if SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is not set.
The output below shows this new feature against "tls.woodgrovebank.com", an SSL/TLS public Interop Test Server from Microsoft, using openssl 1.0.1-dev:
$ ./TLSSLed.sh tls.woodgrovebank.com 443
If the target service does not support TLS v1.1 or v1.2 it will say "... IS NOT supported" instead. If your local openssl version does not support TLS v1.1 and v1.2, you will get the following output:
$ ./TLSSLed.sh www.example.com 443
Some people suggested new additions to TLSSLed based on adding checks from other already available SSL/TLS related tools, such as openssl-blacklist or ssl-cipher-check.pl. After a careful thought and detailed analysis process, TLSSLed will remain loyal to its original spirit and design, trying to keep to a minimum the prerequisites to run it (just openssl and sslscan since version 1.0). Therefore, the goal is not to make use of any additional tools from within TLSSLed except openssl and sslscan, unless there is a very critical security test that cannot be accomplished with these two. However, I'm open to implementing other missing tests using these two tools.
One of the future releases will include an associated user guide that briefly explains the different TLSSLed results and their meaning, so that you can easily understand the security implications of the findings reported by the tool without been well versed on SSL/TLS (HTTPS).
Remember, the tool is open to comments, suggestions, improvements, and new tests from the community. Do not hesitate to contact me with ideas! Thanks to Abraham Aranguren and others that want to remain anonymous for their feedback!