Name Last modified Size Description
LICENSE 21-Jun-2010 14:19 18K
snapshot.jpg 30-Jun-2010 10:04 98K
snapshot_small.jpg 30-Jun-2010 10:06 14K
testssl.sh 21-Jun-2010 14:18 4.7K
testssl.sh is a Unix command line tool which checks for the support of weak SSL ciphers and the old SSL version 2. It works on every Linux distribution which has openssl installed. Since it is pretty much portable, it should work on any other Unix system and on Cygwin, provided it can find openssl. Contributions are welcome.
For more info on SSL/TLS see Wikipedia. As far as the deprecated usage of SSLv2 is concerned, here are two quotes on why you should not enable it on your server:
Depending on the time and resources of an attacker, any communication protected by SSLv2 may be vulnerable to Man-in-The-Middle (MiTM) attacks that could allow data tampering or disclosure. SSLv2 flaws in summary: - SSL encrypted web requests traffic analysis can disclose which pages were downloaded, length of data downloaded, what web servers were accessed and more. This requires sniffing or physical access and is considered a passive attack. (Source and further reading: OSVDB)
SSL 2.0 is vulnerable to a "man-in-the-middle" attack. An active attacker can invisibly edit the list of ciphersuite preferences in the hello messages to invisibly force both client and server to use 40-bit encryption. SSL 3.0 defends against this attack by having the last handshake message include a hash of all the previous handshake messages. (Source: SSL discussion list)