Friday, February 1, 2013

TLSSLed v1.3

After more than one year since the previous TLSSLed version, we are happy to announce TLSSLed v1.3!

This version is the result of testing lots of HTTPS (SSL/TLS) implementations during real-world pen-tests, so it is full of minor improvements and extra checks to identify different behaviors we have found in the wild (see the changelog inside the tool/script: "New in version 1.3" section). In several of my "Security of National eID (smartcard-based) Web Application" talks during the last year I mentioned that an upcoming TLSSLed version was going to be released... so here it is! :) Additionally, the tool output has been changed for easy reading and to provide quick information for each finding: negative [-], positive [+], or informational [.] (as well as grouping tests [*] and highlight warning and error messages [!]).

The tool usage has not changed. Simply run the tool by providing the target hostname or IP address plus the target port:
$ ./ <hostname or IP_address> <port> 

This version has been tested on updated versions of Samurai WTF 2.0 (running openssl 1.0.1 and sslscan 1.8.2), Backtrack5 R3 (running openssl 0.9.8k and sslscan 1.8.2), and Mac OS X Mountain Lion 10.8.x (running openssl 0.9.8r and sslscan 1.8.2; it requires to add and compile sslscan manually, see below). Samurai WTF 2.0 is the only one of these three that includes openssl v1.0.x by default, providing support for the TLS v1.1 and v1.2 protocol tests.

Instructions to get and compile sslscan for Mac OS X are available on the original webpage, although for Mountain Lion, if you have Xcode installed (or even without it?), you simply need to run the following command and ignore the openssl deprecated warnings:
$ gcc -lssl -lcrypto -o sslscan sslscan.c

Additionally, TLSSLed v1.3 has also been recently tested with a newest sslscan fork project that was released to better support STARTTLS, currently at version 1.8.3rc3, and available at GitHub.

If you find any bug, misbehavior, openssl/sslscan version combination, or target HTTPS (SSL/TLS) implementation that cannot be properly tested, please let us know so that we can fix it and add new features. Enjoy it!

TLSSLed v1.3 can be downloaded, as usual, from Taddong's lab.

No comments:

Post a Comment