Custom OpenSSL for testssl.sh

Aleksey Kravchenko rhash.admin at gmail.com
Tue Feb 13 23:38:02 UTC 2018


Hello,

I believe a user of testssl.sh wants to know about all ciphers and
features of the scanned host.
It would be a disaster if a security specialist did not notice a
vulnerability in his/her host.
So a special OpenSSL version is a must.

I agree that it should be included in the testssl.sh package; there is no
reason to separate it.

  Regards,
  Aleksey


On Mon, Feb 12, 2018 at 7:16 PM, Christian Haase <c.haase at ifu.com> wrote:

> Hi,
>
> testssl.sh recommends a forked version of OpenSSL. From [1]:
>
> > Which OpenSSL binary?
> >
> > As mentioned above, a prerequisite for thoroughly checking SSL/TLS
> > enabled servers is that all you want to check for has to be available on
> > your client. Transport encryption is not only depending on the server but
> > also on your crypto provider on the client side – especially if you want to
> > use it for testing. So there are drawbacks for openssl binaries distributed
> > with Linux and BSD:
> >
> > * SSLv2 is most of the time disabled
> > * one cannot check 56 Bit ciphers as they are disabled during compile
> >   time.
> > * other ciphers are disabled for security reasons,
> > * zlib support maybe not included (intent was to disable CRIME)
> > * and last but not least: SSLv3 seems to be outphased too
>
> I just want to bring this to the table; maybe it makes sense to include
> the custom OpenSSL version in the package for use only by testssl.sh.
> This ensures good test results even when the official OpenSSL
> package gets rid of insecure features in the future.
>
> Please discuss :)
>
> Thanks,
> Christian
>
> [1] https://testssl.sh/
>
> --
> ifu Hamburg - material flows and software
> "We enable sustainable production."
>
> ifu Hamburg GmbH
> Max-Brauer-Allee 50 - 22765 Hamburg - Germany
> fon: +49 40 480009-0 - fax: +49 40 480009-22 - email: info at ifu.com
>
> Managing Director: Jan Hedemann - Commercial Register: Hamburg, HRB 52629
> www.ifu.com - www.umberto.de - www.e-sankey.com
>
>
>