18

I am looking for a tool to rate the configuration of SSL/TLS settings in the browser. I have found a few sites that enumerate supported ciphers and the preferences, but none of them seems to provide judgement on what should be enabled and what should be disabled. In fact, most of the sites I have stumbled across merely show what is supported and do not show what is not supported.

Essentially I am looking for an SSL Labs for the client not for servers. Any pointers?

StackzOfZtuff
  • 17,923
  • 1
  • 51
  • 86
dfc
  • 336
  • 3
  • 14
  • 1
    Could you please clarify what you want to verify? You can already get a lot of information about how a specific SSL connection is handled simply by using packet monitoring software with a good parser like Wireshark. – Stephane Jun 27 '13 at 09:56
  • Stephane, have you seen SSL Labs? I don't want to see a specific connection. – dfc Jun 27 '13 at 16:15

4 Answers

8
  • I appreciate the answer; sadly this is actually the site I was thinking of when I wrote the question. It is a great example of "merely show what is supported and do not show what is not supported" and providing no judgement about the configuration. Surely 56-bit RSA-3DES-EDE-SHA should be on the tsk tsk list? – dfc Jun 27 '13 at 16:20
  • I forgot to add to my comment above: "If a cipher I expected to show up on the supported list is not there, is the omission due to the fact the server did not probe for the cipher, or because it did try the cipher and my browser did not support it?" – dfc Jun 27 '13 at 16:29
  • I'm going to ask iristic for a tool like ssl-labs for browsers – that guy from over there Jun 28 '13 at 09:11
  • @dfc From the speed and number of requests the browser makes, I'd guess that the info is what the browser sends upon connecting. The browser tells the server "hey I wanna setup SSL/TLS and support the following: x, y, z. What's it gonna be?" This website then displays back to you what the browser offered to use. So it's not "only those that the server probed for" but the other way around. See also the second sentence of the "high level description" in this post of mine: http://security.stackexchange.com/a/20833/10863 – Luc Jul 10 '13 at 15:25
  • @dfc Late but: RSA-3DES-EDE-SHA seems to be a nonstandard name for SSL_RSA_WITH_3DES_EDE_CBC_SHA which has nominal keysize 168 and strength 112 which is not "tsky" except maybe for plain-RSA no-Forward-Secrecy which applies to many other suites also – dave_thompson_085 Oct 14 '15 at 06:23
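The mechanism Luc describes in the comments above (the client-test page simply reads back the cipher suites the browser lists in its ClientHello) and dfc's follow-up question (does an absent suite mean the server did not probe, or the browser did not offer it?) can both be shown with a small parser. The following is an added example written for this page; it is not code from the question, from any answer, or from SSL Labs. It parses a TLS ClientHello record, grades each offered suite, and reports which of a list of expected suites the client never offered. The ClientHello bytes are constructed inline for offline use, the suite table is a deliberately short subset of the IANA registry, and the grading rules (reject / warn / ok) are this example's own opinion, roughly in line with dave_thompson_085's remark that 3DES is a 112-bit, no-forward-secrecy issue rather than a 56-bit one. To run it against a real browser you would bind a TCP socket, read the first record the browser sends, and pass it to rate_client_hello; that network part is left out so the block runs stand-alone.

```python
"""Grade the cipher suites a TLS client offers in its ClientHello.

Added example for this Q&A page, not code from any answer or from SSL Labs.
The ClientHello below is constructed by hand; the suite table and the grading
rules are this example's own choices, not an official list.
"""
import struct

# Subset of the IANA TLS cipher-suite registry, enough for the demo.
SUITE_NAMES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}


def grade_suite(suite_id):
    """Return (name, verdict, reason); verdict is reject/warn/ok/info/unknown."""
    if suite_id not in SUITE_NAMES:
        return "0x%04X" % suite_id, "unknown", "not in this example's table"
    name = SUITE_NAMES[suite_id]
    if name.endswith("_SCSV"):
        return name, "info", "signalling value, not a real cipher"
    for bad in ("EXPORT", "NULL", "RC4", "_anon_", "_MD5", "DES40"):
        if bad in name:
            return name, "reject", "broken or export-grade primitive"
    if "3DES" in name:
        return name, "warn", "112-bit effective strength, 64-bit block cipher"
    if not name.startswith(("TLS_ECDHE_", "TLS_DHE_")):
        return name, "warn", "static RSA key exchange, no forward secrecy"
    if "_GCM_" in name or "CHACHA20" in name:
        return name, "ok", "ephemeral key exchange, AEAD cipher"
    return name, "ok", "ephemeral key exchange, CBC cipher"


def parse_client_hello(record):
    """Return (client_version, [suite ids]) from a record holding a ClientHello.

    Note: a TLS 1.3 client still puts 0x0303 here and carries its real version
    in the supported_versions extension, which this minimal parser skips.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    client_version = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + 32                      # version, then 32-byte client random
    pos += 1 + hello[pos]              # session_id length byte and session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", hello[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    return client_version, suites


def build_client_hello(suites, client_version=0x0303):
    """Construct a minimal ClientHello record (no extensions) as test input."""
    hello = struct.pack("!H", client_version)
    hello += b"\x11" * 32                       # fixed client random (test vector)
    hello += b"\x00"                            # empty session_id
    hello += struct.pack("!H", 2 * len(suites))
    hello += b"".join(struct.pack("!H", s) for s in suites)
    hello += b"\x01\x00"                        # one compression method: null
    body = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(body)) + body


def rate_client_hello(record, expected=()):
    """Grade every offered suite and list expected suites the client did not offer.

    The server never 'probes' for suites: it only sees what the client lists,
    so a suite missing here was simply not offered by the client.
    """
    version, suites = parse_client_hello(record)
    offered = [grade_suite(s) for s in suites]
    not_offered = [grade_suite(s)[0] for s in expected if s not in suites]
    return {"version": version, "offered": offered, "not_offered": not_offered}


# Constructed sample: a client that still offers 3DES and an export suite.
SAMPLE = build_client_hello([0xC02B, 0xC02F, 0x0035, 0x000A, 0x0003, 0x00FF])

if __name__ == "__main__":
    result = rate_client_hello(SAMPLE, expected=[0xC02F, 0x0005])
    for name, verdict, reason in result["offered"]:
        print("%-8s %-42s %s" % (verdict, name, reason))
    print("not offered:", result["not_offered"])
```

The order of the suites in the report is the client's preference order as sent on the wire, which is the other thing the question wanted to see; a real tool would go on to parse the extensions (SNI, signature_algorithms, supported_versions, supported_groups) the same way.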
1

BTW, there are also plenty of software libraries which would need scrutiny if someone is into that sorta thing. There's a pretty neat tool called TryTLS (shameless self promo) that is used to check whether a specific library checks TLS certificates properly.

Mamietti
  • 11
  • 2
0

From SSLLabs:

The SSL client test shows the SSL/TLS capabilities of your browser.

https://www.ssllabs.com/ssltest/viewMyClient.html

Colonel Panic
  • 2,134
  • 2
  • 22
  • 24
-2

Browsers almost always use the Operating System for SSL connectivity, so that is what you need to look at. You don't need a specialist tool for that, to be honest; you simply need to look at the OS configuration. In Windows that means looking at the registry using regedit, and in Linux it's a simple text editor.

Here is how to make the changes in Windows. Linux is distribution dependent; you'd need to look at the specific version to find it, however it's almost always going to be in /etc somewhere. I'd do a find /etc | egrep "ssl.conf" to get an idea of where the files hide.

GdD
  • 17,321
  • 2
  • 41
  • 63
  • 7
    I'm sorry, but that is both overly general and also incorrect. For instance, on Windows, IE and Firefox use completely different SSL libraries. Furthermore, each application can decide exactly how it uses these libraries and what options to use. – Stephane Jun 27 '13 at 09:54
  • 2
    In addition to Stephane's criticism I would like to add that I am not trying to identify how my browser is configured. I want to verify how the browser is operating. If I configure the browser to do X and Y and not do Z, is it actually doing X and Y and rejecting Z? – dfc Jun 27 '13 at 16:54