This repository was archived by the owner on May 18, 2024. It is now read-only.

simple scripts to make sure your web server is configured correctly under HTTPS


client9/sslassert


Simple unit tests to make sure your web server is configured correctly under SSL.

It's in sh (subset of bash). Why? It's one file, no installation, only requires openssl, and basic posix shell stuff. And mostly it's calling out to OpenSSL anyways, so why not bash?

sslfacts

export HOSTPORT=www.google.com
export URLPATH=/
source sslassert.sh

Will then generate a number of facts based on the site:

  • accepted and rejected cipher suites
  • protocol support for sslv2 - tls1.2
  • various statistics on symmetric and public key cryptography
  • various certificate facts
  • common problems and attacks

You can see the full fact list by running the sample script

./sslfact.sh libinjection.client9.com

sslassert

Then you'll want to test the facts against your expectations.

The sample script below shows how. You can use any of the bash test operators (e.g. -gt, -ge, -lt, -le, -ne, -eq, =, !=, >, etc.)

#!/bin/sh
export HOSTPORT=www.google.com
export URLPATH=/
source sslassert.sh
sslassert 'secure-renegotiation               = on'
sslassert 'compression                        = off'
sslassert 'certificate-length               -ge 1024'
sslassert 'protocol-ssl-v2                    = off'
sslassert 'protocol-tls-v12                   = on'
sslassert 'crypto-weak                        = off'
sslassert 'beast-attack                       = off'
exit $SSLASSERT_EXIT

and that's it.

Note for later reference:

Certificate chain is not self-signed

Certificate chain
 0 s:/OU=Domain Control Validated/CN=YOUR SERVER HERE
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=1234
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=1234
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority

Looking at #2 in the chain, you'll see a self-signed cert for Go-Daddy. That's normally inside the http-client already, so sending it is kinda weird, and might cause problems. It's certainly a waste of space.
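
A check for the situation in the note above, as an added example that is not part of sslassert: it reads the "Certificate chain" block of `openssl s_client` output on stdin and reports whether the server sends a self-signed root. The fact names and the sample chain are hypothetical, constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of sslassert. Fact names below are hypothetical.

# Read `openssl s_client` output on stdin and print three facts about the
# "Certificate chain" block: entry count, whether entry 0 is self-signed,
# and whether a later entry is a self-signed root the server need not send.
chain_facts() {
    awk '
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---/   { in_chain = 0 }
        !in_chain            { next }
        /^ *[0-9]+ s:/ {                  # subject line: " 2 s:/C=US/..."
            idx = $1 + 0; n++
            subj = $0
            sub(/^ *[0-9]+ s:/, "", subj); sub(/[ \t\r]+$/, "", subj)
            have = 1; next
        }
        /^ *i:/ && have {                 # issuer line of the same entry
            iss = $0
            sub(/^ *i:/, "", iss); sub(/[ \t\r]+$/, "", iss)
            if (subj == iss) { if (idx == 0) leaf = 1; else root = 1 }
            have = 0
        }
        END {
            printf "chain-length %d\n", n
            printf "chain-leaf-self-signed %s\n", (leaf ? "on" : "off")
            printf "chain-root-sent %s\n", (root ? "on" : "off")
        }
    '
}

# Constructed sample modelled on the chain in the note above.
SAMPLE_CHAIN='Certificate chain
 0 s:/OU=Domain Control Validated/CN=example.test
   i:/C=US/O=Example Issuing CA
 1 s:/C=US/O=Example Issuing CA
   i:/C=US/O=Example Root CA
 2 s:/C=US/O=Example Root CA
   i:/C=US/O=Example Root CA
---'

printf '%s\n' "$SAMPLE_CHAIN" | chain_facts
```

Against a live server, the same function can be fed with `openssl s_client -connect "$HOSTPORT" </dev/null 2>/dev/null | chain_facts`, where `$HOSTPORT` includes the port.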
