Check of disabled specific TLS ciphers and algorithms


(David Papay) #1

Hello,
According to the manual below, I disabled specific TLS ciphers and algorithms.
Do you know where I can check if the parameters were set successfully, please?

http://docs.graylog.org/en/latest/pages/configuration/https.html?highlight=ciphers#disabling-specific-tls-ciphers-and-algorithms


#2

I use three different ways.

  1. Quick and dirty with OpenSSL.

[CODE]
#!/bin/bash
# Host and port of the TLS listener to probe (Graylog web/API port here).
SERVER=127.0.0.1:9000
# Pause between handshakes so the server is not hammered.
DELAY=1
# Every cipher name the local OpenSSL knows, separated by spaces instead of colons.
ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')

echo Obtaining cipher list from $(openssl version).

for cipher in ${ciphers[@]}
do
  echo -n "Testing $cipher... "
  # Offer exactly one cipher; an empty stdin makes s_client exit after the handshake.
  result=$(echo -n | openssl s_client -cipher "$cipher" -connect $SERVER 2>&1)
  if [[ "$result" =~ ":error:" ]] ; then
    # Handshake failed: the server refused this cipher. Field 6 holds the reason.
    error=$(echo -n $result | cut -d':' -f6)
    echo "NO ($error)"
  else
    if [[ "$result" =~ "no peer certificate available" ]] ; then
      echo "NO (no peer certificate available)"
    else
      # The server negotiated the cipher we offered, so it is still enabled.
      if [[ "$result" =~ "Cipher is ${cipher}" ]] ; then
        echo YES
      else
        echo UNKNOWN RESPONSE
        echo $result
      fi
    fi
  fi
  sleep $DELAY
done
[/CODE]
I found the script somewhere and adapted it.

  2. https://tls.imirhil.fr/
  3. https://www.ssllabs.com/ This service only checks servers listening on port 443. You may change your Graylog configuration to do that. I prefer NAT-ing with something like:

[CODE]
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 9000
[/CODE]
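An added example, not from the thread or from Graylog, that does the same check as the bash script above in Python and then compares the result against the list of ciphers you believe you disabled. It assumes `openssl` is on PATH, the listener is at 127.0.0.1:9000, and `DISABLED` is a placeholder list you edit to match your own configuration; it also flags the case where a newer OpenSSL negotiates a TLS 1.3 suite, which `-cipher` does not restrict.

```python
#!/usr/bin/env python3
"""Verify that ciphers disabled on a TLS listener are really rejected (added example)."""
import re
import subprocess

HOST, PORT = "127.0.0.1", 9000           # listener from the thread; change as needed
DISABLED = ["RC4-SHA", "DES-CBC3-SHA"]   # placeholder: the ciphers you turned off


def classify(output: str, cipher: str) -> str:
    """Map raw `openssl s_client` output to a verdict using the script's rules:
    a handshake error or missing peer certificate means the server refused the
    cipher; a 'Cipher is <name>' line naming the offered cipher means it accepted it.
    Returns 'TLS13' when a TLS 1.3 suite (TLS_...) was negotiated instead, because
    `-cipher` only restricts TLS 1.2 and older suites on OpenSSL 1.1.1+."""
    if ":error:" in output:
        return "NO"
    if "no peer certificate available" in output:
        return "NO"
    if re.search(r"Cipher is %s\b" % re.escape(cipher), output):
        return "YES"
    if re.search(r"Cipher is TLS_", output):
        return "TLS13"
    return "UNKNOWN"


def probe(cipher: str, host: str = HOST, port: int = PORT) -> str:
    """Run one handshake offering only `cipher` and classify the outcome."""
    cmd = ["openssl", "s_client", "-cipher", cipher, "-connect", f"{host}:{port}"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=10)
    return classify((proc.stdout + proc.stderr).decode(errors="replace"), cipher)


def list_ciphers() -> list:
    """Cipher names known to the local OpenSSL, like `openssl ciphers 'ALL:eNULL'`."""
    out = subprocess.run(["openssl", "ciphers", "ALL:eNULL"], capture_output=True, text=True)
    return out.stdout.strip().split(":")


def leaks(results: dict, disabled: list) -> list:
    """Ciphers that should have been disabled but the server still accepted."""
    return sorted(c for c in disabled if results.get(c) == "YES")


if __name__ == "__main__":
    results = {c: probe(c) for c in list_ciphers()}
    for cipher, verdict in results.items():
        print(f"{cipher:32} {verdict}")
    print("\nStill accepted despite being disabled:", leaks(results, DISABLED) or "none")
```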


(system) #3

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.