I suppose most if not all the hMS users are aware of the latest SSL issues and vulnerabilities, issues which, to be fixed, need a reconfiguration of the SSL ciphers offered by the server; now, once the server is reconfigured as desired, one may want to check it to ensure it isn't offering vulnerable or undesired cipher suites; here's how to run such a check.
Start by configuring hMS to enable SSL/TLS on whatever port you want; in this example I'll assume you configured IMAP to also use SSL on port 993 and that your server's public IP is 192.0.2.100; now, once you've configured your SSL settings, just pick the attached tool. I picked the tool from the CVS here, rebuilt it and, once I noticed it didn't support TLS 1.1 and 1.2, slightly modified the code to support them too (in case you need the modified source, it's available here; I didn't include the VS project in the zip due to attachment size limitations).
Anyhow, assuming you have the tool ready, just fire up a command prompt and run "sslscan --no-failed 192.0.2.100:993"; the program will then start, connect to the given IP/port and negotiate the security suites, showing the ones accepted by the server; the output will then show you the list of ciphers accepted by the server, the preferred ones and some details about the server certificate; for further information, just run "sslscan" without parameters and you'll see the program help (or have a look at the source code).
SSLscan - scanning tool
Checking SSL ciphers
Attachments: SSLScan.zip (750.02 KiB)
Re: Checking SSL ciphers
In case someone is curious to see what the output looks like...
D:\Tools\sslscan> sslscan --no-failed smtp.gmail.com:465
                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|
Version 1.9.2-win32
http://www.titania.co.uk
Copyright 2010 Ian Ventura-Whiting / Michael Boman
Compiled against OpenSSL 1.0.1l 15 Jan 2015
Testing SSL server smtp.gmail.com on port 465
Supported Server Cipher(s):
accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA
accepted TLSv1.2 256 bits AES256-SHA
accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256
accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA
accepted TLSv1.2 128 bits AES128-GCM-SHA256
accepted TLSv1.2 128 bits AES128-SHA
accepted TLSv1.2 128 bits ECDHE-RSA-RC4-SHA
accepted TLSv1.2 128 bits RC4-SHA
accepted TLSv1.2 128 bits RC4-MD5
accepted TLSv1.2 112 bits DES-CBC3-SHA
accepted TLSv1.1 256 bits ECDHE-RSA-AES256-SHA
accepted TLSv1.1 256 bits AES256-SHA
accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA
accepted TLSv1.1 128 bits AES128-SHA
accepted TLSv1.1 128 bits ECDHE-RSA-RC4-SHA
accepted TLSv1.1 128 bits RC4-SHA
accepted TLSv1.1 128 bits RC4-MD5
accepted TLSv1.1 112 bits DES-CBC3-SHA
accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
accepted TLSv1 256 bits AES256-SHA
accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA
accepted TLSv1 128 bits AES128-SHA
accepted TLSv1 128 bits ECDHE-RSA-RC4-SHA
accepted TLSv1 128 bits RC4-SHA
accepted TLSv1 128 bits RC4-MD5
accepted TLSv1 112 bits DES-CBC3-SHA
accepted SSLv3 256 bits ECDHE-RSA-AES256-SHA
accepted SSLv3 256 bits AES256-SHA
accepted SSLv3 128 bits ECDHE-RSA-AES128-SHA
accepted SSLv3 128 bits AES128-SHA
accepted SSLv3 128 bits ECDHE-RSA-RC4-SHA
accepted SSLv3 128 bits RC4-SHA
accepted SSLv3 128 bits RC4-MD5
accepted SSLv3 112 bits DES-CBC3-SHA
Prefered Server Cipher(s):
SSLv3 128 bits ECDHE-RSA-RC4-SHA
TLSv1 128 bits ECDHE-RSA-RC4-SHA
TLSv1.1 128 bits ECDHE-RSA-RC4-SHA
TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256
SSL Certificate:
Version:
Serial Number: 4294967295
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=US/O=Google Inc/CN=Google Internet Authority G2
Not valid before: Jul 15 08:40:38 2014 GMT
Not valid after: Apr 4 15:15:55 2015 GMT
Subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
Public Key Algorithm: rsaEncryption
rsaEncryption Public Key: (2048 bit):
Public-Key: (2048 bit)
Modulus:
00:ae:e2:f3:ab:2e:0c:8d:b0:78:9c:c4:13:91:80:
ed:8e:39:f5:ca:c4:42:9b:f3:7d:0d:cc:db:ba:7a:
5b:9b:6d:fd:53:e3:91:a2:94:1d:df:1e:00:d0:24:
42:d1:c9:d4:d1:66:29:68:11:fb:fb:e4:08:3b:b9:
14:0c:fc:cd:6d:93:ed:61:d7:cc:03:a4:96:5e:9b:
ec:c5:98:97:2c:df:47:1c:04:dd:b5:0a:70:af:aa:
c2:04:60:93:32:63:79:1c:57:8b:c3:c7:8e:1b:c7:
a5:6f:10:09:89:f7:f9:22:14:9e:f1:45:49:42:72:
1b:b9:61:53:85:a1:59:0c:68:46:b1:dd:45:9b:e4:
5b:62:f6:97:bc:56:06:1d:6a:cb:a4:e7:76:9e:f1:
9b:88:af:8a:45:7b:0f:5f:ad:ac:4e:7b:fe:8b:5c:
46:8f:31:2c:3a:db:62:92:5a:9c:8a:fc:65:1b:68:
0a:74:ee:15:75:d5:cf:8b:56:08:e5:50:34:e0:03:
ed:a4:9c:38:a0:5a:b7:5b:fb:22:cb:f4:7b:f7:58:
d2:d6:8c:40:07:15:68:44:71:ee:50:c1:5d:d2:37:
c2:4b:81:ad:d1:6f:0d:8d:de:5a:bd:69:f9:10:b4:
e9:e4:26:07:4c:50:6e:31:91:41:c6:aa:c7:20:80:
c0:c9
Exponent: 65537 (0x10001)
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
DNS:smtp.gmail.com
Authority Information Access:
CA Issuers - URI:http://pki.google.com/GIAG2.crt
OCSP - URI:http://clients1.google.com/ocsp
X509v3 Subject Key Identifier:
9A:9D:90:6F:63:E4:67:8F:41:EA:B8:99:9A:7B:D0:09:BF:08:82:CD
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
keyid:4A:DD:06:16:1B:BC:F6:68:B5:76:F5:81:B6:BB:62:1A:BA:5A:81:2F
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.11129.2.5.1
X509v3 CRL Distribution Points:
Full Name:
URI:http://pki.google.com/GIAG2.crl
Secure session renegotiations supported
D:\Tools\sslscan>
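Reading a list like the one above by eye works for a single server, but once hMailServer is re-scanned after every configuration change it pays to automate the check. The script below is an added example (my own code, not part of sslscan, hMailServer or this thread): it parses the "accepted" and "Prefered Server Cipher(s)" lines that sslscan 1.9.x prints and flags legacy protocols, RC4/3DES/MD5 suites, keys shorter than 128 bits and suites without forward secrecy. The policy thresholds are my assumptions, and the sample lines embedded in it are a subset copied from the smtp.gmail.com output above.

```python
"""Audit sslscan 1.9.x output for legacy protocols and weak cipher suites.

Added example for this thread; not sslscan's or hMailServer's own code.
The policy below (which protocols and cipher components are unacceptable)
is an assumption of this example, not something the tool enforces.
"""
import re
from dataclasses import dataclass

# Matches both "accepted TLSv1.2 128 bits RC4-SHA" (supported list) and
# "TLSv1.2 128 bits RC4-SHA" (preferred list).
SUITE_RE = re.compile(
    r"^\s*(?:accepted\s+)?(?P<proto>SSLv2|SSLv3|TLSv1(?:\.[0-3])?)\s+"
    r"(?P<bits>\d+)\s+bits\s+(?P<cipher>\S+)\s*$"
)

# Policy assumptions for this example.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES-CBC3", "MD5", "NULL", "EXP", "ADH", "AECDH")
MIN_BITS = 128


@dataclass(frozen=True)
class Finding:
    proto: str
    bits: int
    cipher: str
    reasons: tuple


def parse_sslscan(output):
    """Return (accepted, preferred) lists of (proto, bits, cipher) tuples."""
    accepted, preferred = [], []
    in_preferred = False
    for line in output.splitlines():
        stripped = line.strip()
        # sslscan 1.9.x misspells the heading; accept both spellings.
        if stripped.startswith(("Prefered Server Cipher", "Preferred Server Cipher")):
            in_preferred = True
            continue
        if stripped.startswith("SSL Certificate"):
            in_preferred = False
            continue
        m = SUITE_RE.match(stripped)
        if not m:
            continue
        suite = (m["proto"], int(m["bits"]), m["cipher"])
        if stripped.startswith("accepted"):
            accepted.append(suite)
        elif in_preferred:
            preferred.append(suite)
    return accepted, preferred


def check_policy(suites):
    """Return a Finding for every suite that violates the policy above."""
    findings = []
    for proto, bits, cipher in suites:
        reasons = []
        if proto in DEPRECATED_PROTOCOLS:
            reasons.append(f"deprecated protocol {proto}")
        for marker in WEAK_CIPHER_MARKERS:
            if marker in cipher:
                reasons.append(f"weak component {marker}")
        if bits < MIN_BITS:
            reasons.append(f"only {bits}-bit key")
        # Only (EC)DHE key exchange gives forward secrecy; plain RSA suites don't.
        if not cipher.startswith(("ECDHE-", "DHE-")):
            reasons.append("no forward secrecy")
        if reasons:
            findings.append(Finding(proto, bits, cipher, tuple(reasons)))
    return findings


def audit(output):
    """Audit both the supported and the preferred suites of one scan."""
    accepted, preferred = parse_sslscan(output)
    return {"accepted": check_policy(accepted), "preferred": check_policy(preferred)}


# Subset of the smtp.gmail.com scan posted in the thread, used as sample input.
SAMPLE = """\
Testing SSL server smtp.gmail.com on port 465
Supported Server Cipher(s):
accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA
accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256
accepted TLSv1.2 128 bits RC4-MD5
accepted TLSv1.2 112 bits DES-CBC3-SHA
accepted SSLv3 128 bits ECDHE-RSA-RC4-SHA
Prefered Server Cipher(s):
SSLv3 128 bits ECDHE-RSA-RC4-SHA
TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256
SSL Certificate:
Version:
"""

if __name__ == "__main__":
    for section, findings in audit(SAMPLE).items():
        print(f"{section}: {len(findings)} problem suite(s)")
        for f in findings:
            print(f"  {f.proto} {f.bits} bits {f.cipher}: {', '.join(f.reasons)}")
```

Pipe a saved scan into `audit()` and treat any finding in the "preferred" section as the urgent one: that is the suite a client that offers everything will actually end up using.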
Re: Checking SSL ciphers
As a note, the latest version of SSLscan which also checks for TLS1.3 is available here
https://github.com/rbsec/sslscan
If you're not willing to build it yourself, you can pick the latest binary release here
https://github.com/rbsec/sslscan/releases
Re: Checking SSL ciphers
Thanks, useful
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
Re: Checking SSL ciphers
You're welcome; as for using it, here are a couple of examples:
sslscan --starttls-smtp mail.example.com:25
sslscan --starttls-pop3 mail.example.com:110
The above two will check the "mail.example.com" server for supported SSL/TLS ciphers on SMTP and POP3; for further usage, just run the tool without any parameters and it will show a brief help.
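What `--starttls-smtp` adds over a plain `host:25` scan is the cleartext SMTP exchange that has to happen before any TLS handshake: read the 220 greeting, send EHLO, look for STARTTLS among the advertised extensions, send STARTTLS and wait for the 220 go-ahead; only then can the scanner start probing cipher suites. The Python below is an added example, not sslscan's code or hMailServer's: it performs that exchange against a minimal constructed SMTP responder on localhost, so it runs offline, and stops at exactly the point where a scanner would wrap the socket in TLS (the handshake itself is left out because it would need a server certificate). The host names and replies are made up for the example.

```python
"""Cleartext half of an SMTP STARTTLS probe, as done by sslscan --starttls-smtp.

Added example for this thread; not sslscan's own code. The fake server is a
constructed stand-in so the probe can be run without a real mail server.
"""
import socket
import threading


def read_reply(sock):
    """Read one SMTP reply, honouring '250-' continuation lines (RFC 5321)."""
    lines, buf = [], b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("connection closed mid-reply")
        buf += chunk
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            text = line.decode("ascii", "replace")
            lines.append(text)
            if len(text) >= 4 and text[3] == " ":   # space after code = last line
                return lines


def smtp_starttls_offered(host, port, timeout=5.0):
    """Return (offered, extensions): whether the server advertises STARTTLS
    and answers the command with 220. Stops where TLS would begin."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        greeting = read_reply(sock)
        if not greeting[-1].startswith("220"):
            raise RuntimeError(f"unexpected greeting: {greeting}")
        sock.sendall(b"EHLO scanner.example\r\n")   # hypothetical client name
        ehlo = read_reply(sock)
        if not ehlo[-1].startswith("250"):
            raise RuntimeError(f"EHLO rejected: {ehlo}")
        # First line is the server's own name; the rest are extension keywords.
        extensions = [line[4:].upper() for line in ehlo[1:]]
        if not any(ext.split()[:1] == ["STARTTLS"] for ext in extensions):
            sock.sendall(b"QUIT\r\n")
            return False, extensions
        sock.sendall(b"STARTTLS\r\n")
        go_ahead = read_reply(sock)
        # A scanner would now call ssl.SSLContext.wrap_socket(sock, ...) and
        # repeat the connection once per cipher suite it wants to test.
        return go_ahead[-1].startswith("220"), extensions


def run_fake_smtp(advertise_starttls=True):
    """Constructed minimal SMTP responder on 127.0.0.1; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.sendall(b"220 mail.example.com ESMTP ready\r\n")
            reader = conn.makefile("rb")
            for raw in reader:
                cmd = raw.decode("ascii", "replace").strip().upper()
                if cmd.startswith("EHLO"):
                    ext = b"250-STARTTLS\r\n" if advertise_starttls else b""
                    conn.sendall(b"250-mail.example.com\r\n" + ext
                                 + b"250 SIZE 10240000\r\n")
                elif cmd == "STARTTLS":
                    conn.sendall(b"220 2.0.0 Ready to start TLS\r\n")
                    break   # a real server would start the TLS handshake here
                elif cmd == "QUIT":
                    conn.sendall(b"221 Bye\r\n")
                    break
                else:
                    conn.sendall(b"502 Command not implemented\r\n")
            reader.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    port = run_fake_smtp()
    print(smtp_starttls_offered("127.0.0.1", port))
```

Against a real server, point `smtp_starttls_offered()` at port 25 or 587; a `False` result means the server never advertised STARTTLS, which is the case sslscan reports as no TLS at all rather than as a cipher problem.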