Quicklinks: Home | Contact |

Subscribe to the RSS feed in case you are interested in updates

At last. What started as an "I need an overview of best practise in SSL/TLS configuration" type of idea, ended in a 3 month code, reverse engineer and writing effort. I really hope this comes in handy for you and was worth the effort. This is the "Release candidate" version of the paper, should no errors be found it will be the final version.

This paper aims at answering the following questions :
  • What SSL/TLS configuration is state of the art and considered secure (enough) for the next years?
  • What SSL/TLS ciphers do modern browsers support ?
  • What SSL/TLS settings do server and common SSL providers support ? 
  • What are the cipher suites offering most compatibility and security ?
  • Should we really disable SSLv2 ? What about legacy browsers ?
  • How long does RSA still stand a chance ?
  • What are the recommended hashes,ciphers for the next years to come

The paper includes two tools :
  • SSL Audit (alpha) :  SSL scanner scanning remote hosts for SSL/TLS support (Video)
  • Harden SSL/TLS (beta) : Windows server and client SSL/TLS hardening tool (Video)
Without further ado here is the complete package

PS: In order to know whether this type of publication is useful to some and whether I should spend time on such publications in the future, I would appreciate a heads-up if you find this to be interesting. Thierry

Harden SSL/TLS - Tool release

Subscribe to the RSS feed in case you are interested in updates
 
“Harden SSL/TLS” allows hardening the SSL/TLS settings of Windows 2000,2003,2008,2008R2, XP,Vista,7. It allows locally and remotely set SSL policies allowing or denying certain ciphers/hashes or complete ciphersuites.

^This tool specifically allows setting policies with regards to what ciphers and protocols are available to applications that use SCHANNEL crypto interface. A lot of windows applications do use this interface, for instance Google Chrome as well as Apple Safari are a few of these. By changing the settings you can indirectly control what ciphers these applications are allowed to use.



Advanced mode
· re-enable ECC P521 mode on Windows7 and 2008R2
· Set TLS Cache size and timeout

Known issues:
· none

Author :
Thierry ZOLLER for G-SEC
Download: Harden TLS/SSL (beta)
Download: Documentation


Subscribe to the RSS feed in case you are interested in updates

Developed as part of G-SEC's investigation into the "Secure SSL/TLS configuration Report 2010" (to be published) we developed this little tool called SSL Audit. (More to follow in the next days - stay tuned).

SSL Audit scans web servers for SSL support, unlike other tools it is not limited to ciphers supported by SSL engines such as OpenSSL or NSS and can detect all known cipher suites over all SSL and TLS versions.


Apart from scanning available ciphersuites it has an interesting tidbit : The Fingerprint mode (Experimental). Included is an experimental fingerprint engine that tries to determine the SSL Engine used server side. It does so by sending normal and malformed SSL packets that can be interpreted in different ways.

SSL Audit is able to fingerprint :
· IIS7.5 (Schannel)
· IIS7.0 (Schannel)
· IIS 6.0 (Schannel)
· Apache (Openssl)
· Apache (NSS)
· Certicom
· RSA BSAFE