Skip to content
This repository has been archived by the owner on May 18, 2024. It is now read-only.
/ sslassert Public archive

simple scripts to make sure your web server is configured correctly under HTTPS

57 stars 9 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

client9/sslassert

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

71 Commits
static
static
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
connect.py
connect.py
 
 
dnsassert.py
dnsassert.py
 
 
example-citibank.sh
example-citibank.sh
 
 
example-google.sh
example-google.sh
 
 
example-libinjection.sh
example-libinjection.sh
 
 
example-paypal.sh
example-paypal.sh
 
 
example-twitter.sh
example-twitter.sh
 
 
home.html
home.html
 
 
httpassert.py
httpassert.py
 
 
install.sh
install.sh
 
 
nmapfacts.py
nmapfacts.py
 
 
openssl-ciphers.sh
openssl-ciphers.sh
 
 
references.md
references.md
 
 
scan.py
scan.py
 
 
server.py
server.py
 
 
sshassert.py
sshassert.py
 
 
ssl-recommendations-general.sh
ssl-recommendations-general.sh
 
 
sslassert.py
sslassert.py
 
 
sslassert.sh
sslassert.sh
 
 
ssldoctor.py
ssldoctor.py
 
 
sslfacts.sh
sslfacts.sh
 
 
wordpressfacts.py
wordpressfacts.py
 
 

Repository files navigation

sslassert

Simple unit tests to make sure your web server is configured correctly under SSL.

It's in sh (subset of bash). Why? It's one file, no installation, only requires openssl, and basic posix shell stuff. And mostly it's calling out to OpenSSL anyways, so why not bash?

sslfacts

export HOSTPORT=www.google.com
export URLPATH=/
source sslassert.sh

Will then generate a number of facts based on the site:

  • accepted and rejected cipher suites
  • protocol support for sslv2 - tls1.2
  • various statistics on symmetric and public key cryptography
  • various certificate facts
  • common problems and attacks

You can see the full fact list by running the sample script

./sslfact.sh libinjection.client9.com

sslassert

Then you'll want to test the facts against what your expectations.

The same script below shows how. You can use any of the bash test operators (e.g. -gt,-ge,-lt,-le,-ne,-eq, =, !=, > etc)

#!/bin/sh

export HOSTPORT=www.google.com
export URLPATH=/

source sslassert.sh

sslassert 'secure-renegotiation               = on'
sslassert 'compression                        = off'
sslassert 'certificate-length               -ge 1024'
sslassert 'protocol-ssl-v2                    = off'
sslassert 'protocol-tls-v12                   = on'
sslassert 'crypto-weak                        = off'
sslassert 'beast-attack                       = off'

exit $SSLASSERT_EXIT

and that's it.

Note for later reference:

Certificate chain is not self-signed

Certificate chain
 0 s:/OU=Domain Control Validated/CN=YOUR SERVER HERE
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=1234
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=1234
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority

Looking at #2 in the chain, you'll see a self-signed cert for Go-Daddy. That's normally inside the http-client already, so sending it is kinda weird, and might cause problems. It's certainly a waste of space.

About

simple scripts to make sure your web server is configured correctly under HTTPS

Resources

Readme
Activity

Stars

57 stars

Watchers

7 watching

Forks

9 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages