0

My znc's SSL port is not 443. Various SSL vulnerability tests on the web work only on port 443.

The znc SSL port serves a web server and an IRC bouncer simultaneously.

How can I test whether the znc SSL port is not vulnerable to SSL vulnerabilities like Logjam, POODLE, FREAK, and so on?

crocket
  • 143
  • 3

2 Answers

3

You can test your SSL connection by using the openssl and nmap tools.

Heartbleed

```
openssl version
```

Your OpenSSL installation is vulnerable to Heartbleed if the version output is one of these values: 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1 (source)

As pointed out in the comments below, just checking the version might give you a false positive, as most distributions offer security patches which don't change the version of openssl.

I found this answer on Server Fault to check for Heartbleed:

```
openssl s_client -connect example.com:443 -tlsextdebug 2>&1 | grep 'server extension "heartbeat" (id=15)' || echo safe
```

Poodle

```
openssl s_client -connect example.com:443 -ssl3
```

If you get something like this:

```
3073927320:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1258:SSL alert number 40
3073927320:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
```

everything is OK. (source)

Logjam

```
openssl s_client -connect example.com:443 -ssl3
```

This should output two lines:

`Server public key is 4096 bit` is your RSA key size.

`Server Temp Key: DH, 4096 bits` is your DH parameter size.

If this is 1024 bits or lower, you need to upgrade your configuration.

source

Freak

I have found no way to test against the FREAK attack by just using openssl. You can use nmap instead.

```
nmap --script ssl-enum-ciphers -p 443 example.com | grep EXPORT -l | wc -l
```

This prints 1 for vulnerable and 0 for clean.

source

Henrik Pingel
  • 8,676
  • 2
  • 24
  • 38
  • Checking the OpenSSL version is a very poor way of testing for Heartbleed susceptibility, completely misunderstanding as it does (*inter alia*) [Red Hat's patching policy](http://serverfault.com/questions/583455/apache-upgrade-strategy/583458#583458). – MadHatter Oct 20 '15 at 13:55
  • OK, thanks for your advice. I think you're right about that. Edited my answer to reflect that. – Henrik Pingel Oct 21 '15 at 06:19
  • Fair enough; I have removed my downvote. – MadHatter Oct 21 '15 at 07:03
  • You should not use `-ssl3` for the Logjam test, and `s_client` shows the Temp Key info (if applicable) only in version 1.0.2+. In lower versions you can use `-msg` and decode the ServerKeyExchange message but that's tedious. – dave_thompson_085 Oct 26 '15 at 09:58
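
The following is an added example, not code from the answer or its comments: it classifies `openssl s_client` output for the Heartbleed and Logjam checks above, and reports a missing `Server Temp Key` line (s_client older than 1.0.2, as the last comment notes) as unknown rather than safe. The function names, the sample transcripts and the host in the `scan` usage comment are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `openssl s_client` output for two of the checks above.
# Function names, sample transcripts and the host below are constructed.

# Logjam check: read s_client output on stdin, judge the "Server Temp Key" line.
#   weak    - DH parameters of 1024 bits or fewer (the answer's threshold)
#   ok      - DH parameters larger than 1024 bits
#   not-dh  - a temp key was reported, but not finite-field DH (e.g. ECDH)
#   unknown - no Temp Key line: s_client older than 1.0.2, or no handshake
logjam_verdict() {
    key=$(sed -n '/^Server Temp Key:/{p;q;}')
    bits=$(printf '%s\n' "$key" |
        sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p')
    if [ -z "$key" ]; then echo unknown
    elif [ -z "$bits" ]; then echo not-dh
    elif [ "$bits" -le 1024 ]; then echo weak
    else echo ok
    fi
}

# Heartbeat check: the line the answer greps for in -tlsextdebug output.
heartbeat_verdict() {
    if grep -q 'server extension "heartbeat" (id=15)'; then echo advertised
    else echo absent
    fi
}

# Live run against any port (needs network), e.g.: scan irc.example.net 6697
scan() {
    out=$(openssl s_client -connect "$1:$2" -tlsextdebug </dev/null 2>&1) || true
    echo "heartbeat: $(printf '%s\n' "$out" | heartbeat_verdict)"
    echo "temp key:  $(printf '%s\n' "$out" | logjam_verdict)"
}

# Constructed transcripts, trimmed to the lines the checks read.
SAMPLE_WEAK='TLS server extension "heartbeat" (id=15), len=1
Server public key is 2048 bit
Server Temp Key: DH, 1024 bits'
SAMPLE_STRONG='Server public key is 4096 bit
Server Temp Key: DH, 4096 bits'
SAMPLE_ECDH='Server public key is 2048 bit
Server Temp Key: ECDH, P-256, 256 bits'
SAMPLE_OLD='Server public key is 4096 bit'

for s in "$SAMPLE_WEAK" "$SAMPLE_STRONG" "$SAMPLE_ECDH" "$SAMPLE_OLD"; do
    echo "$(printf '%s\n' "$s" | logjam_verdict) / $(printf '%s\n' "$s" | heartbeat_verdict)"
done
```
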
2

Try testssl.sh. Great tool that can be run from the command line and gives pretty much the same output as ssllabs.com (though without browser info unfortunately), but not limited by port or to public facing websites.

Note this is a shell script which, as I understand it from a quick look at the source, basically wraps all the openssl commands that knowhy has suggested in his answer and more into one nice, easy to use, script.

Barry Pollard
  • 4,461
  • 14
  • 26