This version is the result of testing lots of HTTPS (SSL/TLS) implementations during real-world pen-tests, so it is full of minor improvements and extra checks to identify different behaviors we have found in the wild (see the changelog inside the tool/script: "New in version 1.3" section). In several of my "Security of National eID (smartcard-based) Web Application" talks during the last year I mentioned that an upcoming TLSSLed version was going to be released... so here it is! :)

Additionally, the tool output has been changed for easy reading and to provide quick information for each finding: negative [-], positive [+], or informational [.] (as well as grouping tests [*] and highlighting warning and error messages [!]).
The tool usage has not changed. Simply run the tool by providing the target hostname or IP address plus the target port:
$ ./TLSSLed_v1.3.sh <hostname or IP_address> <port>
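The finding markers described above make a saved report easy to triage automatically. The following Python sketch is an added example, not part of TLSSLed: it assumes the marker is the first non-blank token on a line, and the sample report lines are constructed for illustration rather than taken from real tool output.

```python
import re
from collections import defaultdict

# Marker meanings as described in the post.
MARKERS = {"-": "negative", "+": "positive", ".": "info", "*": "group", "!": "warning"}
# Assumption: the marker is the first non-blank token on a line.
LINE_RE = re.compile(r"^\s*\[([-+.*!])\]\s*(.*\S)?\s*$")

def triage(report_text):
    """Return {group title: {kind: [messages]}} for a saved report."""
    groups = defaultdict(lambda: defaultdict(list))
    current = "(no group)"
    for line in report_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unmarked line, e.g. raw scanner output
        kind, text = MARKERS[m.group(1)], m.group(2) or ""
        if kind == "group":
            current = text
            groups[current]  # register the group even if it has no findings
        else:
            groups[current][kind].append(text)
    return groups

def needs_attention(groups):
    """Groups holding at least one negative finding or warning/error."""
    return [g for g, f in groups.items() if f.get("negative") or f.get("warning")]

# Constructed sample, not real tool output.
SAMPLE = """\
[*] Testing for SSLv2 ...
    [+] SSLv2 is not accepted
[*] Testing for weak ciphers ...
    [-] 40-bit export cipher accepted
    Accepted  TLSv1  40 bits  EXP-RC4-MD5
    [.] See the cipher log for details
[*] Testing for secure renegotiation ...
    [!] Could not complete the handshake
"""

if __name__ == "__main__":
    result = triage(SAMPLE)
    for group in needs_attention(result):
        print(group, dict(result[group]))
```

Warnings are treated as needing attention because a test that could not run leaves that check unanswered, not passed.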
Instructions to get and compile sslscan for Mac OS X are available on the original webpage, although for Mountain Lion, if you have Xcode installed (or even without it?), you simply need to run the following command and ignore the OpenSSL deprecation warnings:
$ gcc -lssl -lcrypto -o sslscan sslscan.c
Additionally, TLSSLed v1.3 has also been recently tested with a newer sslscan fork project that was released to better support STARTTLS, currently at version 1.8.3rc3, and available at GitHub.
If you find any bug, misbehavior, openssl/sslscan version combination, or target HTTPS (SSL/TLS) implementation that cannot be properly tested, please let us know so that we can fix it and add new features. Enjoy it!
TLSSLed v1.3 can be downloaded, as usual, from Taddong's lab.