Updated ssltest.sh

I had to update my SSL cipher testing script: the output from openssl changed enough in recent versions of RedHat/CentOS 6.x that it broke the reporting. I tried to write it in simple code so it would be easy to understand and easy for others to improve upon (if you do… please share!)

What does it do? It scans your installed copy of openssl for all supported ciphers, tests the target webserver with each one, and reports back which ciphers and SSL/TLS versions it will accept. I added a little color coding to quickly point out less-than-optimal (i.e. non-FIPS) ciphers in red; FIPS ciphers display in green.

Why is this important? That’s akin to asking what the difference between padlocks is: the better the lock, the more relative security it provides and the longer it resists being broken.

How do I use it? Simply invoke the script with the hostname:port you want to test. If you see red… you should consider limiting the ciphers your webserver will support. (I’ll post detailed how-tos for Apache, Tomcat and WebLogic in a future edition.)

[code]
./ssltest.sh www.greyfuzz.com:443
or
./ssltest.sh www.greyfuzz.com:443 -v   (adding -v displays the ciphers being tested instead of just the results)
[/code]

[code]
#!/bin/bash
## ssltest.sh version 0.4 (last update 4/10/2014)
## - Dave Cochran
##
## Location of openssl
openssl=/usr/bin/openssl

## temp file for the request / output - removed at script end
tempfile=./ssltest.tmp

## Request sent to the server on the first probe (may be altered)
request="GET / HTTP/1.1"

###### END OF CONFIGURATION #####

if [ -z "$1" ]; then
    echo "syntax: $0 host:sslport [-v]   (-v is optional, for verbose testing)"
    exit 1
fi

if ! [ -e "$openssl" ]; then
    echo "The path to openssl is wrong, please edit $0"
    exit 1
fi

touch "$tempfile"

if ! [ -e "$tempfile" ]; then
    echo "Cannot create temp file in this directory... exiting $0"
    exit 1
fi

echo "$request" > "$tempfile"

## Request available ciphers from openssl and test them
for ssl in ssl2 ssl3 tls1
do
    echo -e '\033[37;30m\n\n' "Testing $ssl ..."

    "$openssl" ciphers -"$ssl" -v | while read -r line
    do
        cipher=$(echo "$line" | awk '{print $1}')
        ## 5th field looks like Enc=AES(256); keep the number between the parentheses
        bits=$(echo "$line" | awk '{print $5}' | cut -f2 -d'(' | cut -f1 -d')')
        if [ -n "$2" ]; then
            echo -n "$cipher - $bits bits..."
        fi

        ## A successful handshake with this cipher prints the server's certificate chain
        if "$openssl" s_client -"$ssl" -cipher "$cipher" -connect "$1" < "$tempfile" 2>&1 | grep "^Certificate chain" > /dev/null; then
            case "$cipher" in
                EDH-RSA-DES-CBC3-SHA|EDH-DSS-DES-CBC3-SHA|DHE-RSA-AES256-SHA|DES-CBC3-SHA|AES256-SHA|AES128-SHA|DHE-RSA-AES128-SHA|DHE-DSS-AES128-SHA|ADH-AES128-SHA|DHE-DSS-AES256-SHA|ADH-AES256-SHA)
                    echo -en '\033[37;32m'"$cipher - $bits bits - FIPS APPROVED CIPHER enabled\n" ;;
                *)
                    echo -en '\033[37;31m'"$cipher - $bits bits - WEAK CIPHER enabled\n" ;;
            esac
        else
            if [ -n "$2" ]; then
                echo -en '\033[37;30m'"Cipher Not Enabled"'\033[37;30m'"\n"
            fi
        fi
        ## subsequent probes only send a blank line
        echo " " > "$tempfile"
    done | grep -v error

done
echo -en '\033[37;30m'"\nTesting Complete.\n\n"
## Remove temporary file
rm -f "$tempfile"
[/code]
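The script above decides "FIPS" versus "weak" by matching the cipher name against a fixed list. As an added example (not part of the original post or its script), the block below judges each suite from the Kx/Au/Enc/Mac fields that `openssl ciphers -v` prints, so export-grade, anonymous (Au=None), unencrypted, RC4, single-DES, MD5-MAC and sub-112-bit suites are flagged without having to enumerate names. The sample lines are constructed to look like `openssl ciphers -v` output, not captured from a real host, and the function names are mine.

```shell
#!/bin/bash
# Added example: classify cipher suites from "openssl ciphers -v" style lines
# by their properties rather than a hard-coded name list.
# SAMPLE_CIPHERS is constructed sample input, not real openssl output.

SAMPLE_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1'

# field LINE NAME -> value of the NAME=value token in LINE (empty if absent)
field() {
    printf '%s\n' "$1" | awk -v n="$2" '
        { for (i = 1; i <= NF; i++) if (index($i, n "=") == 1) print substr($i, length(n) + 2) }'
}

# cipher_bits LINE -> key length from Enc=ALG(bits); 0 when there is none (Enc=None)
cipher_bits() {
    enc=$(field "$1" Enc)
    bits=$(printf '%s\n' "$enc" | sed -n 's/^[^(]*(\([0-9][0-9]*\)).*$/\1/p')
    if [ -n "$bits" ]; then
        printf '%s\n' "$bits"
    else
        printf '0\n'
    fi
}

# classify_cipher LINE -> WEAK or OK. A suite is WEAK if it is export grade,
# uses an anonymous key exchange (Au=None), no encryption, RC4 or single DES,
# an MD5 MAC, or fewer than 112 effective key bits.
classify_cipher() {
    line=$1
    au=$(field "$line" Au)
    enc=$(field "$line" Enc)
    mac=$(field "$line" Mac)
    bits=$(cipher_bits "$line")
    case " $line " in *" export "*) echo WEAK; return ;; esac
    case "$au" in None) echo WEAK; return ;; esac
    case "$enc" in None|RC4*|DES\(*) echo WEAK; return ;; esac
    case "$mac" in MD5) echo WEAK; return ;; esac
    if [ "$bits" -lt 112 ]; then echo WEAK; return; fi
    echo OK
}

# report CIPHER_LINES -> one line per suite, red for WEAK and green for OK,
# in the spirit of the original script's color coding
report() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        if [ -z "$line" ]; then continue; fi
        name=${line%% *}
        if [ "$(classify_cipher "$line")" = WEAK ]; then
            printf '\033[31m%s - %s bits - WEAK\033[0m\n' "$name" "$(cipher_bits "$line")"
        else
            printf '\033[32m%s - %s bits - OK\033[0m\n' "$name" "$(cipher_bits "$line")"
        fi
    done
}

# count_weak CIPHER_LINES -> number of suites classified WEAK
count_weak() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        if [ -n "$line" ] && [ "$(classify_cipher "$line")" = WEAK ]; then
            printf 'x\n'
        fi
    done | wc -l | tr -d ' '
}

report "$SAMPLE_CIPHERS"
echo "weak suites: $(count_weak "$SAMPLE_CIPHERS")"
```

To run it against a live openssl build instead of the sample, replace `SAMPLE_CIPHERS` with `"$(openssl ciphers -v 'ALL:COMPLEMENTOFALL')"`; the classification only looks at the fields, so it works the same way on whatever suites the local library offers.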