detect weak encryption and outdated protocols

networking ssl tls network-monitoring

I don't believe you can snoop the traffic once the SSL handshake between the server and client is completed. You probably will need to scan the server to see if it's offering weak ciphers. Maybe "sslscan"?

http://sourceforge.net/projects/sslscan/

https://www.titania-security.com/labs/sslscan

I know there's a Ubuntu package available for this.

This will show the cipher suite being offered by a server.

So, scanning GMail with sslscan, I get:

$ sslscan --no-failed mail.google.com:443
                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                  Version 1.8.2
             http://www.titania.co.uk
        Copyright Ian Ventura-Whiting 2009

Testing SSL server mail.google.com on port 443

  Supported Server Cipher(s):
    Accepted  SSLv3  256 bits  AES256-SHA
    Accepted  SSLv3  128 bits  AES128-SHA
    Accepted  SSLv3  168 bits  DES-CBC3-SHA
    Accepted  SSLv3  128 bits  RC4-SHA
    Accepted  SSLv3  128 bits  RC4-MD5
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  128 bits  RC4-MD5

  Prefered Server Cipher(s):
    SSLv3  128 bits  RC4-SHA
    TLSv1  128 bits  RC4-SHA

  SSL Certificate:
    Version: 2
    Serial Number: 4294967295
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
    Not valid before: Oct 26 00:00:00 2011 GMT
    Not valid after: Sep 30 23:59:59 2013 GMT
    Subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
      Modulus (1024 bit):
          00:af:39:15:98:68:e4:92:fe:4f:4f:f1:bb:ff:0d:
          2e:b0:fe:25:aa:bd:68:04:67:27:ea:6c:43:4c:a7:
          6d:cb:c8:8f:7e:81:ee:87:26:25:10:12:54:33:9e:
          aa:3d:9b:8f:8e:92:b3:4b:01:e3:f9:4a:29:c3:0f:
          fd:ac:b7:d3:4c:97:29:3f:69:55:cf:70:83:04:af:
          2e:04:6e:74:d6:0f:17:09:fe:9e:20:24:24:e3:c7:
          68:9c:ac:11:bd:92:e4:b2:1b:09:f2:02:32:bb:55:
          1b:2d:16:5f:30:12:23:e2:4c:4a:8d:c2:da:3f:e1:
          b8:bf:f7:3a:b1:86:be:f0:c5
      Exponent: 65537 (0x10001)
    X509v3 Extensions:
      X509v3 Basic Constraints: critical
        CA:FALSE
      X509v3 CRL Distribution Points: 
        URI:http://crl.thawte.com/ThawteSGCCA.crl

      X509v3 Extended Key Usage: 
        TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto
      Authority Information Access: 
        OCSP - URI:http://ocsp.thawte.com
        CA Issuers - URI:http://www.thawte.com/repository/Thawte_SGC_CA.crt

  Verify Certificate:
    unable to get local issuer certificate

EDIT:

Ah, look at this page: http://prefetch.net/articles/debuggingssl.html

So, you can use that tool to see the handshake and what the agreed upon cipher is.


You can use the ssl-enum-ciphers script from nmap to get an estimate of the cypher adequacy.

An example:

$ nmap --script ssl-enum-ciphers.nse mail.google.com

Starting Nmap 5.61TEST2 ( http://nmap.org ) at 2011-11-22 14:09 CET
Nmap scan report for mail.google.com (173.194.34.245)
Host is up (0.0050s latency).
Other addresses for mail.google.com (not scanned): 173.194.34.246 173.194.34.247
rDNS record for 173.194.34.245: mad01s09-in-f21.1e100.net
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3
|     Ciphers (9)
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - unknown strength
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
|       TLS_RSA_WITH_RC4_128_MD5 - unknown strength
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     Compressors (1)
|       NULL
|   TLSv1.0
|     Ciphers (9)
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - unknown strength
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
|       TLS_RSA_WITH_RC4_128_MD5 - unknown strength
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     Compressors (1)
|       NULL
|_  Least strength = unknown strength

Nmap done: 1 IP address (1 host up) scanned in 16.38 seconds

Related

What is the common name for amateurs who maintain and repair automobiles, particularly their own automobile?
Is it possible to remove part of a path in HAProxy in a redirect?
Determining cause of TCP/IP connect issue without traceroute
Why does Debian squeeze forget its static IP address and seek a DHCP lease?
Can Importance Be Different?
Does IPMI always include KVM?
Sealing Tiles and Cable routes in datacenter fire supression
What is the Microsoft Loopback Adapter used for?
What are some ways to switch conversation topics?
Cron job with $(date) command and redirect won't run
PATH variable and quotation marks (windows)
British English plural verb for group noun in a contraction