How do I test for … bad SSL and TLS implementations
26/07/2013 Article
The easiest way to find poor implementations of SSL and TLS encryption algorithms is to run the SSL Scan tool. If you run it against this website you will get something along the lines of:
sslscan --no-failed www.yg.ht:443
                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|
Version 1.8.2
http://www.titania.co.uk
Copyright Ian Ventura-Whiting 2009
Testing SSL server www.yg.ht on port 443
Supported Server Cipher(s):
Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
Accepted SSLv3 256 bits DHE-RSA-CAMELLIA256-SHA
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 256 bits CAMELLIA256-SHA
Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Accepted SSLv3 128 bits DHE-RSA-SEED-SHA
Accepted SSLv3 128 bits DHE-RSA-CAMELLIA128-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 128 bits SEED-SHA
Accepted SSLv3 128 bits CAMELLIA128-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
Accepted TLSv1 256 bits DHE-RSA-CAMELLIA256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 256 bits CAMELLIA256-SHA
Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1 128 bits DHE-RSA-SEED-SHA
Accepted TLSv1 128 bits DHE-RSA-CAMELLIA128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits SEED-SHA
Accepted TLSv1 128 bits CAMELLIA128-SHA
Accepted TLSv1 128 bits RC4-SHA
Prefered Server Cipher(s):
SSLv3 256 bits DHE-RSA-AES256-SHA
TLSv1 256 bits DHE-RSA-AES256-SHA
In that long list you are looking for any old cipher suites that have known cryptographic weaknesses, for example any which use “SSLv2”. You may also want to identify any symmetric algorithms that have a bit length smaller than 128 and asymmetric algorithms that have a bit length smaller than 2048.
It is important to keep relatively up-to-date with the various cipher suites available because, over time, weaknesses are found in older suites that make them vulnerable to attack. There are, for example, currently questions about, and indeed vulnerabilities in, some of the encryption algorithms that are in popular use today. Look up the BEAST attack and the RC4 problems and decide for yourself what you would do.
Keep in mind that the list of known “good” and “bad” ciphers changes pretty often.
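The checks described above can be automated over saved sslscan output. The following is an added example, not part of the original article or of SSLScan itself: it flags accepted suites that use SSLv2 or a symmetric bit length below 128, and marks RC4 suites for review. It assumes the 1.8.x line format shown above; the sample lines are constructed, the function and constant names are hypothetical, and asymmetric key length is not covered because it does not appear in these cipher lines.

```python
import re
import sys

# Result lines in sslscan 1.8.x look like "Accepted  TLSv1  128 bits  RC4-SHA".
LINE_RE = re.compile(r"^\s*(Accepted|Rejected|Failed)\s+(\S+)\s+(\d+)\s+bits\s+(\S+)\s*$")
MIN_SYMMETRIC_BITS = 128      # threshold given in the article
WEAK_PROTOCOLS = {"SSLv2"}    # protocol the article singles out
REVIEW_SUBSTRINGS = ("RC4",)  # article says to look up the RC4 problems and decide

def parse(text):
    """Yield (protocol, bits, cipher) for accepted suites only."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) == "Accepted":
            yield m.group(2), int(m.group(3)), m.group(4)

def audit(text):
    """Return [(protocol, bits, cipher, reasons)] for suites that need attention."""
    findings = []
    for proto, bits, cipher in parse(text):
        reasons = []
        if proto in WEAK_PROTOCOLS:
            reasons.append("weak protocol")
        if bits < MIN_SYMMETRIC_BITS:
            reasons.append("key < %d bits" % MIN_SYMMETRIC_BITS)
        if any(s in cipher for s in REVIEW_SUBSTRINGS):
            reasons.append("review: RC4")
        if reasons:
            findings.append((proto, bits, cipher, reasons))
    return findings

# Constructed sample (not real scan results); "Prefered" is sslscan's own spelling.
SAMPLE = """\
Accepted  SSLv2  40 bits   EXP-RC4-MD5
Rejected  SSLv2  128 bits  RC2-CBC-MD5
Accepted  SSLv3  56 bits   DES-CBC-SHA
Accepted  SSLv3  256 bits  DHE-RSA-AES256-SHA
Accepted  TLSv1  128 bits  RC4-SHA
Prefered Server Cipher(s):
SSLv3 256 bits DHE-RSA-AES256-SHA
"""

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for proto, bits, cipher, reasons in audit(data):
        print("%-6s %4d  %-24s %s" % (proto, bits, cipher, "; ".join(reasons)))
```

Pipe real scanner output into the script on stdin; because the lists of “good” and “bad” ciphers change, the three constants at the top are the part to keep current.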
*** UPDATE *** The tool demonstrated above has changed significantly since this article was published as a result of many additional cryptographic qualities that need checking. The current version of SSLScan can be found here