Enhance Your Website Security with a Cipher Scan Tool

In today’s digital landscape, ensuring robust security for your website is paramount. One critical aspect of web security lies in the implementation of SSL/TLS protocols, which encrypt data transmitted between web servers and browsers. A Cipher Scan Tool plays a vital role in this process by allowing you to analyze and understand the cipher configurations of your servers. This article delves into the world of cipher scanning, exploring how tools like CipherScan can help you strengthen your website’s defenses against potential vulnerabilities.

Understanding CipherScan: Your Go-To Cipher Analysis Tool

CipherScan is an open-source cipher scan tool designed to examine the SSL/TLS cipher ordering on a specified target. It tests across all major versions of SSL and TLS, providing a comprehensive view of your server’s cipher suites. Beyond listing ciphers, CipherScan extracts certificate information and TLS options, and checks for OCSP stapling support. At its core, CipherScan is a wrapper around the widely used openssl s_client command-line tool, automating the process of in-depth cipher analysis.

This powerful tool is built for cross-platform compatibility, running seamlessly on various Unix-based systems. For Linux/64 and Darwin/64 platforms, CipherScan conveniently includes its own pre-built version of OpenSSL. On other operating systems, it intelligently utilizes the OpenSSL version available on the system – with an option to specify a custom OpenSSL version using the -o flag, especially useful if the system’s default version has limited cipher support.

Practical Examples of CipherScan in Action

Let’s explore some practical examples to illustrate how to use CipherScan to analyze cipher configurations.

Basic Cipher Suite Test:

To perform a fundamental scan of a website, such as google.com, simply run the following command in your terminal:

$ ./cipherscan google.com
................... Target: google.com:443
 prio ciphersuite                      protocols  pfs curves
 1 ECDHE-RSA-CHACHA20-POLY1305        TLSv1.2    ECDH,P-256,256bits prime256v1
 2 ECDHE-RSA-AES128-GCM-SHA256        TLSv1.2    ECDH,P-256,256bits prime256v1
 3 ECDHE-RSA-AES128-SHA               TLSv1.1,TLSv1.2 ECDH,P-256,256bits prime256v1
 4 ECDHE-RSA-RC4-SHA                  SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits prime256v1
 5 AES128-GCM-SHA256                  TLSv1.2    None None
 6 AES128-SHA256                      TLSv1.2    None None
 7 AES128-SHA                         TLSv1.1,TLSv1.2 None None
 8 RC4-SHA                            SSLv3,TLSv1,TLSv1.1,TLSv1.2 None None
 9 RC4-MD5                            SSLv3,TLSv1,TLSv1.1,TLSv1.2 None None
10 ECDHE-RSA-AES256-GCM-SHA384        TLSv1.2    ECDH,P-256,256bits prime256v1
11 ECDHE-RSA-AES256-SHA384        TLSv1.2    ECDH,P-256,256bits prime256v1
12 ECDHE-RSA-AES256-SHA               SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits prime256v1
13 AES256-GCM-SHA384                  TLSv1.2    None None
14 AES256-SHA256                      TLSv1.2    None None
15 AES256-SHA                         SSLv3,TLSv1,TLSv1.1,TLSv1.2 None None
16 ECDHE-RSA-AES128-SHA256        TLSv1.2    ECDH,P-256,256bits prime256v1
17 ECDHE-RSA-DES-CBC3-SHA             SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits prime256v1
18 DES-CBC3-SHA                       SSLv3,TLSv1,TLSv1.1,TLSv1.2 None None
Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature
TLS ticket lifetime hint: 100800
OCSP stapling: not supported
Cipher ordering: server

This command initiates a scan against google.com on port 443 (the default HTTPS port). The output neatly presents the cipher suites supported by the server, their priority, the protocols they use, Perfect Forward Secrecy (PFS) status, and curve information. It also provides details about the server certificate, TLS ticket lifetime hint, and OCSP stapling support.

Testing STARTTLS for Email Servers:

CipherScan isn’t limited to web servers; it can also test STARTTLS connections, commonly used for email services. For example, to analyze the STARTTLS configuration of an XMPP server like jabber.ccc.de on port 5222, use the following command:

$ ./cipherscan --curves -starttls xmpp jabber.ccc.de:5222
................................ Target: jabber.ccc.de:5222
 prio ciphersuite                      protocols  pfs curves
 1 ECDHE-RSA-AES256-GCM-SHA384        TLSv1.2    ECDH,P-256,256bits prime256v1
 2 ECDHE-RSA-AES256-SHA384        TLSv1.2    ECDH,P-256,256bits prime256v1
 3 ECDHE-RSA-AES256-SHA               TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits prime256v1
 4 DHE-RSA-AES256-GCM-SHA384          TLSv1.2    DH,1024bits None
 5 DHE-RSA-AES256-SHA256              TLSv1.2    DH,1024bits None
 6 DHE-RSA-AES256-SHA                 TLSv1,TLSv1.1,TLSv1.2 DH,1024bits None
 7 DHE-RSA-CAMELLIA256-SHA            TLSv1,TLSv1.1,TLSv1.2 DH,1024bits None
 8 AES256-GCM-SHA384                  TLSv1.2    None None
 9 AES256-SHA256                      TLSv1.2    None None
10 AES256-SHA                         TLSv1,TLSv1.1,TLSv1.2 None None
11 CAMELLIA256-SHA                    TLSv1,TLSv1.1,TLSv1.2 None None
12 ECDHE-RSA-AES128-GCM-SHA256        TLSv1.2    ECDH,P-256,256bits prime256v1
13 ECDHE-RSA-AES128-SHA256        TLSv1.2    ECDH,P-256,256bits prime256v1
14 ECDHE-RSA-AES128-SHA               TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits prime256v1
15 DHE-RSA-AES128-GCM-SHA256          TLSv1.2    DH,1024bits None
16 DHE-RSA-AES128-SHA256              TLSv1.2    DH,1024bits None
17 DHE-RSA-AES128-SHA                 TLSv1,TLSv1.1,TLSv1.2 DH,1024bits None
18 DHE-RSA-SEED-SHA                   TLSv1,TLSv1.1,TLSv1.2 DH,1024bits None
19 DHE-RSA-CAMELLIA128-SHA            TLSv1,TLSv1.1,TLSv1.2 DH,1024bits None
20 AES128-GCM-SHA256                  TLSv1.2    None None
21 AES128-SHA256                      TLSv1.2    None None
22 AES128-SHA                         TLSv1,TLSv1.1,TLSv1.2 None None
23 SEED-SHA                           TLSv1,TLSv1.1,TLSv1.2 None None
24 CAMELLIA128-SHA                     TLSv1,TLSv1.1,TLSv1.2 None None
Certificate: UNTRUSTED, 2048 bit, sha1WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Cipher ordering: client
Curves ordering: server
Curves fallback: False

This command uses the -starttls xmpp option to initiate a STARTTLS handshake over XMPP and then performs the cipher scan. The --curves flag is also used to gather information about the elliptic curves supported by the server.

JSON Output for Automated Analysis:

For integration into scripts or automated security assessments, CipherScan allows you to export results in JSON format using the -j option:

$ ./cipherscan --curves -j www.ebay.com | j
{
  "curves_fallback": "False",
  "serverside": "True",
  "target": "www.ebay.com:443",
  "utctimestamp": "2015-04-03T14:54:31.0Z",
  "ciphersuite": [
    {
      "cipher": "AES256-SHA",
      "ocsp_stapling": "False",
      "pfs": "None",
      "protocols": [
        "TLSv1",
        "TLSv1.1",
        "TLSv1.2"
      ],
      "pubkey": [
        "2048"
      ],
      "sigalg": [
        "sha1WithRSAEncryption"
      ],
      "ticket_hint": "None",
      "trusted": "True"
    },
    {
      "cipher": "ECDHE-RSA-DES-CBC3-SHA",
      "curves": [
        "prime256v1",
        "secp384r1",
        "secp224r1",
        "secp521r1"
      ],
      "curves_ordering": "server",
      "ocsp_stapling": "False",
      "pfs": "ECDH,P-256,256bits",
      "protocols": [
        "TLSv1",
        "TLSv1.1",
        "TLSv1.2"
      ],
      "pubkey": [
        "2048"
      ],
      "sigalg": [
        "sha1WithRSAEncryption"
      ],
      "ticket_hint": "None",
      "trusted": "True"
    }
  ]
}

This outputs the scan results in a structured JSON format, making it easy to parse and process the data programmatically for further analysis or reporting.
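
As an added example (not code from CipherScan or from the original article), the following script consumes JSON in the shape shown above and flags entries against a small illustrative policy. The sample scan, the scan.example hostname, and the policy thresholds are constructed assumptions; the field names follow the -j output above.

```python
import json
import re

# Constructed sample in the shape of the `cipherscan -j` output shown above.
SAMPLE = json.dumps({
    "target": "scan.example:443",
    "ciphersuite": [
        {"cipher": "ECDHE-RSA-AES128-GCM-SHA256", "pfs": "ECDH,P-256,256bits",
         "protocols": ["TLSv1.2"], "sigalg": ["sha256WithRSAEncryption"],
         "trusted": "True"},
        {"cipher": "DHE-RSA-AES256-SHA", "pfs": "DH,1024bits",
         "protocols": ["TLSv1", "TLSv1.2"], "sigalg": ["sha256WithRSAEncryption"],
         "trusted": "True"},
        {"cipher": "RC4-SHA", "pfs": "None",
         "protocols": ["SSLv3", "TLSv1"], "sigalg": ["sha1WithRSAEncryption"],
         "trusted": "False"},
    ],
})

# Illustrative policy chosen for this example, not Mozilla's or analyze.py's.
WEAK_CIPHER = re.compile(r"RC4|DES|MD5|NULL|EXP")
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}
MIN_DH_BITS = 2048

def audit(scan_json):
    """Return a sorted list of (cipher, finding) tuples for one scan."""
    findings = set()
    for entry in json.loads(scan_json).get("ciphersuite", []):
        name, pfs = entry["cipher"], entry.get("pfs", "None")
        if WEAK_CIPHER.search(name):
            findings.add((name, "weak cipher"))
        # Values are strings: compare "None"/"True" as text, never by truthiness.
        if pfs == "None":
            findings.add((name, "no forward secrecy"))
        dh = re.match(r"DH,(\d+)bits", pfs)  # anchored, so "ECDH,..." is skipped
        if dh and int(dh.group(1)) < MIN_DH_BITS:
            findings.add((name, f"DH parameters {dh.group(1)} bits"))
        for proto in LEGACY_PROTOCOLS.intersection(entry.get("protocols", [])):
            findings.add((name, f"legacy protocol {proto}"))
        if any("sha1" in s.lower() for s in entry.get("sigalg", [])):
            findings.add((name, "SHA-1 certificate signature"))
        if entry.get("trusted") != "True":
            findings.add((name, "certificate not trusted"))
    return sorted(findings)

if __name__ == "__main__":
    for cipher, finding in audit(SAMPLE):
        print(f"{cipher}: {finding}")
```

Because the tool writes "True", "False" and "None" as strings, a check such as `if entry["trusted"]:` would pass for an untrusted certificate; the comparisons above avoid that.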

Leveraging Cipher Scan Tools for Configuration Analysis

The real power of a cipher scan tool like CipherScan extends beyond just listing cipher suites. It’s instrumental in analyzing your TLS configurations against established security guidelines. CipherScan includes a helpful script, analyze.py, which compares CipherScan results against Mozilla’s Server Side TLS guidelines (https://wiki.mozilla.org/Security/Server_Side_TLS). This script provides a security level assessment and actionable recommendations for improvement.

For instance, running analyze.py against jve.linuxwall.info might yield output similar to this:

$ ./analyze.py -t jve.linuxwall.info
jve.linuxwall.info:443 has intermediate tls
Changes needed to match the old level:
* consider enabling SSLv3
* add cipher DES-CBC3-SHA
* use a certificate with sha1WithRSAEncryption signature
* consider enabling OCSP Stapling
Changes needed to match the intermediate level:
* consider enabling OCSP Stapling
Changes needed to match the modern level:
* remove cipher AES128-GCM-SHA256
* remove cipher AES256-GCM-SHA384
* remove cipher AES128-SHA256
* remove cipher AES128-SHA
* remove cipher AES256-SHA256
* remove cipher AES256-SHA
* disable TLSv1
* consider enabling OCSP Stapling

This output indicates that jve.linuxwall.info currently aligns with Mozilla’s “intermediate” TLS configuration level. It also details the changes needed to achieve “old,” “intermediate,” or “modern” levels, allowing administrators to make informed decisions based on their desired security posture and compatibility requirements. It’s crucial to consult the Mozilla Server Side TLS guidelines to understand the implications of each level and choose the one that best suits your needs.

For automated monitoring, analyze.py can be used in Nagios monitoring systems using the --nagios flag. In Nagios mode, the script’s exit code reflects the security status: 0 (OK) for a matching level, 1 (Warning) for not matching the desired level, and 2 (Critical) for a bad TLS configuration.

OpenSSL and CipherScan’s Custom Build

CipherScan relies on OpenSSL for its cipher scanning capabilities. For optimal performance and access to a wide range of ciphers, CipherScan ships with a custom-built OpenSSL version for Linux 64-bit and Darwin 64-bit systems. This custom build is based on a branch maintained by Peter Mosmans (https://github.com/PeterMosmans/openssl), incorporating patches not yet included in the upstream OpenSSL project. For users who need to build OpenSSL themselves, the repository provides clear instructions.

Conclusion: Proactive Security with Cipher Scan Tools

Employing a cipher scan tool like CipherScan is an essential step in proactively managing your website’s security. By providing detailed insights into your server’s SSL/TLS cipher configurations and offering analysis against industry best practices, CipherScan empowers you to optimize your TLS settings, mitigate vulnerabilities, and ensure a secure browsing experience for your users. Regularly utilizing a cipher scan tool should be a cornerstone of any organization’s security hygiene, contributing to a stronger and more trustworthy online presence.

