regarding ssl_server test

regarding ssl_server test

R-D intern
Hello,
I have implemented ssl for my internal server that listens over a private ip. Can anyone suggest how I can test my ssl_server? For e.g., the Qualys test shows the amount of ssl implementation of a server listening over public ip and even checks for vulnerabilities in ssl implementation. How can such a thing be tested for a server listening over private ip?
Please help. Awaiting response.
Regards,
R-D Intern

Re: regarding ssl_server test

Walter H.
On 26.05.2016 18:33, R-D intern wrote:
> Hello,
>           I have implemented ssl for my internal server that listens over a
> private ip. Can anyone suggest how can I test my ssl_server? For eg. Qualys
> test shows the amount of ssl implementation of a server listening over
> public ip  and even checks for vulnerabilities in ssl implementation. How
> can such a thing be tested for a server listening over private ip?
>
You can't, because your site listens on, e.g.,
https://host.domain.local/...
and domain.local is the CN of your SSL certificate, but not a real
public domain name;
so port forwarding in a NAT router won't help you ...

The only thing you can do, in case you have a public webserver, is implement it
there and test with
Qualys ...
and then take the same configuration parameters to your internal server.
Walter


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: regarding ssl_server test

Matěj Cepl
In reply to this post by R-D intern
On 2016-05-26, 16:33 GMT, R-D intern wrote:
> I have implemented ssl for my internal server that listens
> over a private ip. Can anyone suggest how can I test my
> ssl_server? For eg. Qualys test shows the amount of ssl
> implementation of a server listening over public ip  and even
> checks for vulnerabilities in ssl implementation. How can such
> a thing be tested for a server listening over private ip?

Are we talking about unit testing or functional testing? For the
former, just use whatever tools are appropriate for your
language, and for the latter, ... I am trying to revive M2Crypto
(Python bindings to OpenSSL), which has a lot of tests done via
running the OpenSSL’s binary s_client against the server and
checking the reaction of the server. That could work for you as
well, couldn't it?

Matěj

--
https://matej.ceplovi.cz/blog/, Jabber: [hidden email]
GPG Finger: 3C76 A027 CA45 AD70 98B5  BC1D 7920 5802 880B C9D8

Courage is resistance of fear, mastery of fear, not absence of
fear.


Re: regarding ssl_server test

Jakob Bohm-7
In reply to this post by R-D intern
On 26/05/2016 18:33, R-D intern wrote:

> Hello,
>           I have implemented ssl for my internal server that listens over a
> private ip. Can anyone suggest how can I test my ssl_server? For eg. Qualys
> test shows the amount of ssl implementation of a server listening over
> public ip  and even checks for vulnerabilities in ssl implementation. How
> can such a thing be tested for a server listening over private ip?
> Please help. Awaiting response.
> Regards,
> R-D Intern
>

Indeed, there are many servers that cannot be reached by the
online configuration tests such as the one run by Qualys.

What would be really nice would be if one of the good test
suites could be downloaded and run locally on internal servers,
non-web servers, staging servers etc. to verify that
configurations are correct, or at least as good as possible.

Note (for some of the other repliers) that this is not about
unit-testing or software testing, but about testing if a
finished system has been correctly configured and assembled.
In other words, the question isn't "is there a bug in my
new/changed code?".  But "Did I accidentally configure this
Apache HTTPS server with RSA-EXPORT enabled or something
equally dangerous?", "Does the STARTTLS mail server I just
installed implement OCSP stapling safely?", "Did I install
the correct set of intermediary CA certs in the returned
chain?", and hundreds of similar questions.

Qualys does an excellent job checking this for public port 443
https servers, but nothing else; a downloadable copy of the
Qualys code without the policy restrictions of the online
service would be one way of filling the gap.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
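
Added example, not part of the thread or of any poster's code: the s_client approach Matěj Cepl describes, applied to two of the configuration questions raised above (export-grade ciphers, incomplete certificate chain). The function names, the weak-token list and the sample output are assumptions made for this illustration; the only s_client options used are `-connect`, `-servername` and `-CAfile`.

```python
import re
import subprocess

# Cipher-name tokens for export-grade, unencrypted, RC4/RC2 and anonymous suites.
WEAK_TOKENS = {"EXP", "EXP1024", "NULL", "RC4", "RC2", "ADH", "AECDH"}

def run_s_client(host, port, cafile=None, timeout=10):
    """Run `openssl s_client` against host:port and return everything it printed."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host]
    if cafile:
        cmd += ["-CAfile", cafile]  # internal CA bundle for chain verification
    done = subprocess.run(cmd, stdin=subprocess.DEVNULL, capture_output=True, timeout=timeout)
    return (done.stdout + done.stderr).decode(errors="replace")

def parse_s_client(text):
    """Extract negotiated protocol, cipher, verify result and chain length."""
    def grab(pattern):
        m = re.search(pattern, text, re.M)
        return m.groups() if m else (None, None)
    code, reason = grab(r"Verify return code:\s*(\d+)\s*\(([^)]*)\)")
    return {
        "protocol": grab(r"^\s*Protocol\s*:\s*(\S+)")[0],
        "cipher": grab(r"^\s*Cipher\s*:\s*(\S+)")[0],
        "verify_code": int(code) if code is not None else None,
        "verify_text": reason,
        "chain_len": len(re.findall(r"^\s*\d+ s:", text, re.M)),
    }

def findings(report):
    """List configuration problems visible in a parsed report."""
    if report["cipher"] in (None, "0000", "(NONE)"):
        return ["no handshake completed"]
    out = []
    if report["protocol"] in ("SSLv2", "SSLv3"):
        out.append("obsolete protocol negotiated: " + report["protocol"])
    if WEAK_TOKENS & set(report["cipher"].split("-")):
        out.append("weak cipher negotiated: " + report["cipher"])
    if report["verify_code"] != 0:
        out.append(f"chain verification failed: {report['verify_code']} ({report['verify_text']})")
    return out

# Constructed excerpt, shaped like s_client output from a misconfigured server.
SAMPLE_BAD = """\
Certificate chain
 0 s:/CN=host.domain.local
    Protocol  : TLSv1
    Cipher    : EXP-RC4-MD5
    Verify return code: 21 (unable to verify the first certificate)
"""
```

Against a live internal server, `findings(parse_s_client(run_s_client(host, 443, cafile=...)))` gives the same report; a single handshake only shows what the server chose for this client, so it does not enumerate every suite the server would accept.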


Re: regarding ssl_server test

R-D intern
Thank you so much. I tried searching for a downloadable ssl_server test source code for internal servers but couldn't get any. How could I get one?
Thanks and regards,
R-D Intern

Re: regarding ssl_server test

Jeffrey Walton-3
In reply to this post by Jakob Bohm-7
On Thu, May 26, 2016 at 5:51 PM, Jakob Bohm <[hidden email]> wrote:

> On 26/05/2016 18:33, R-D intern wrote:
>>
>> Hello,
>>           I have implemented ssl for my internal server that listens over
>> a
>> private ip. Can anyone suggest how can I test my ssl_server? For eg.
>> Qualys
>> test shows the amount of ssl implementation of a server listening over
>> public ip  and even checks for vulnerabilities in ssl implementation. How
>> can such a thing be tested for a server listening over private ip?
>> Please help. Awaiting response.
>> Regards,
>> R-D Intern
>>
>
> Indeed, there are many servers that cannot be reached by the
> online configuration tests such as the one run by Qualys.
>
> What would be really nice would be if one of the good test
> suites could be downloaded and run locally on internal servers,
> non-web servers, staging servers etc. to verify that
> configurations are correct, or at least as good as possible.

That's sslscan (http://sourceforge.net/projects/sslscan/). You need a
modern fork because the original version by Ventura-Whiting and Bowman
has been abandoned. The abandoned version lacks things like TLS 1.2
support and SNI support.

You can find lots of forks of the original sslscan on GitHub:
http://www.google.com/search?q=sslscan+site:github.com

Jeff