[Cialug] TLS Scanning/Testing
Sean Flattery
sean.r.flattery at gmail.com
Tue Apr 28 15:43:06 UTC 2020
Sslscan s another good tool to check out. Nmap scripts can be helpful too,
but they're not as in depth as other specialty scanners. Nmap is
especially good at finding your HTTPS services, which you can then feed
into other SSL scanners.
There are some network scanners that cover most checks you could use.
Qualys and Nessus are free for 16 hosts. OpenVAS is open source and free.
TLS/SSL cipher settings can be confusing. Sometimes a certain cipher is
terrible, but if its used with another cipher it becomes good. I've spent
a fair amount of time going through SSL stuff so if you have questions
about settings, risk, and compatibility let me know.
Sean
---------------------------
Date: Mon, 27 Apr 2020 16:09:15 -0400
From: Todd Walton <tdwalton at gmail.com>
To: Central Iowa Linux Users Group <cialug at cialug.org>
Subject: [Cialug] TLS Scanning/Testing
Message-ID:
<CALm_Md_DR9fzaO+mX=YtFyYpWv9HqY_tGwjY75N-De7c9ZLMnw at mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
I would like to scan my local network for HTTPS endpoints and get back a
useful report (of some sort) telling me what listeners are not up to date,
TLS-wise. Where I have outdated ciphers. What's still supporting TLS 1.0.
Et cetera. I have found testssl.sh, which is really sweet, but is a bit of
overload on the info and there's no way that I can tell to limit what it
looks for. And ssylze, which is more configurable.
Anyone have any suggestions in this area?
--
Todd
More information about the Cialug
mailing list