I have developed an application that send binary data between a .NET client and Java server via TCP.
I have recently implemented SSL for this connection and would like a way to demonstrate that it is actually secure for my college project.
What tools would you recommend? I've used Cain and Abel before but I don't think it is really suitable for this?
Thanks.
Openssl ships with a tool called "s_client" that can be used to test SSL servers. This is available for *nix, cygwin, and Win32.
$ openssl s_client -connect servername:port -CAfile /path/to/ca.pem -debug -showcerts
There are a myriad of options such as -pause, -state, etc. which you may find useful for tracking SSL through its setup and teardown.
In your original question, you wondered if your implementation was secure. By secure, do you mean that the stream is encrypted, or that you've implemented all aspects of the RFC correctly? If you mean the former, then use Wireshark as D.W. has pointed out.
If you mean the latter, then check out the OWASP SSL testing page. There's some great stuff there, but it is by no means exhaustive. These tests are geared for HTTPS, but they should work for any SSL implementation since it is analyzing the SSL protocol, not the application-level protocol on top.
Here is a simple test you could start with: collect the traffic using Wireshark, and verify that the contents of the packets look like random noise (random bytes). That should be sufficient to check that you have turned on SSL.
If you're looking to test whether your SSL code works properly, you could also check whether you can interoperate with other SSL implementations.
As far as whether it is secure, well, that's a little bit broader. Here are some of the biggest ones. Did you use a well-vetted SSL library? (Implementing it yourself is not a good idea; it is too expensive to verify you haven't made any mistakes.) Did you seed it with an adequate source of entropy? (The good SSL libraries will do that for you automatically.) Did you hardcode the public key of the server properly, or properly check the server cert to make sure it corresponds to your server and not some imposter? Did you enable client authentication? Did you set the list of acceptable ciphersuites in a reasonable way? Did you use TLS 1.2? Are you aware that TLS only secures the communication channel, but you still need to make sure that the endpoints are secure, e.g., from various malicious attacks?
That might get you started.
