Checking the certs remotely

Below you will find a few commands to check against SSL/TLS services. Here's what you should look for:

  • look at the CN= entry: it should be an FQDN
  • look at the cert chain: the issuing authority should be a recognised public CA, not one's own CA
  • look at the protocol used: it should be TLSv1.1 or TLSv1.2, nothing else! SSLv1, v2 and v3 are deprecated, and TLSv1.0 has a vulnerability in conjunction with SSLv3.
  • look at the ciphers: e.g. RC4 should not be used anymore

SSL/TLS against any port and service

Check the certificate, e.g.

openssl s_client -connect address:port
# same, but exit right after the handshake instead of waiting for input:
#openssl s_client -connect address:port </dev/null
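Added example, not part of this page: a POSIX sh function that grades a saved `openssl s_client` transcript (e.g. from `openssl s_client -connect address:port </dev/null >out.txt`) against the four checks listed above. The two embedded transcripts are constructed, in the `Certificate chain` / `SSL-Session` layout of current OpenSSL releases; older releases print the subject as `s:/CN=...`, which the CN pattern also accepts.

```shell
#!/bin/sh
# Added example (not from this page): grade a saved `openssl s_client` transcript
# against the checklist: CN is an FQDN, chain verifies against the local trust
# store (no private or self-signed CA), protocol is TLSv1.1/TLSv1.2, no RC4.
tls_findings() {
    # $1 = transcript text; prints one finding per line, nothing when clean.
    t=$1
    subject=$(printf '%s\n' "$t" | sed -n 's/^ 0 s:\(.*\)$/\1/p' | head -n 1)
    cn=$(printf '%s\n' "$subject" | sed -n 's/.*CN *= *\([^,]*\).*/\1/p')
    proto=$(printf '%s\n' "$t" | sed -n 's/^ *Protocol *: *\(.*\)$/\1/p' | head -n 1)
    cipher=$(printf '%s\n' "$t" | sed -n 's/^ *Cipher *: *\(.*\)$/\1/p' | head -n 1)
    verify=$(printf '%s\n' "$t" | sed -n 's/^ *Verify return code: *\(.*\)$/\1/p' | head -n 1)

    case $cn in
        *.*) ;;                                  # contains a dot: accept as FQDN
        *)   echo "CN '$cn' is not an FQDN" ;;
    esac
    case $verify in
        "0 "*) ;;                                # "0 (ok)": chain is trusted
        *)     echo "chain not trusted by the local CA store: $verify" ;;
    esac
    case $proto in
        TLSv1.1|TLSv1.2) ;;
        *) echo "protocol '$proto' is not TLSv1.1/TLSv1.2" ;;
    esac
    case $cipher in
        *RC4*) echo "weak cipher $cipher (RC4)" ;;
    esac
    return 0
}
tls_finding_count() { tls_findings "$1" | grep -c . || true; }

# Constructed transcripts, trimmed to the lines the checks read.
GOOD='Certificate chain
 0 s:CN = mail.example.org
   i:C = US, O = Example CA, CN = Example Root CA
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)'
BAD='Certificate chain
 0 s:CN = mailserver
   i:CN = mailserver
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Verify return code: 18 (self signed certificate)'

tls_findings "$BAD"      # prints the four findings for the bad transcript
```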

STARTTLS / SMTP

What ports should we look for?

    egrep 'submission|smtp' /etc/services

See what ports an MX or SMARTHOST offers (25 or 587 / STARTTLS are preferred),

nmap -Pn -p 25,465,587 SMTP_SERVER

Check the certificate provided through SMTP STARTTLS remotely e.g. against port 25,

openssl s_client -starttls smtp -crlf -connect SMTP_SERVER:25 </dev/null

STARTTLS / IMAP

What ports should we look for?

    grep 'imap' /etc/services

See what ports the IMAP server offers (143 / STARTTLS is preferred),

nmap -Pn -p 143,993 IMAP_SERVER

Check the certificate provided through IMAP STARTTLS remotely e.g. against port 143,

openssl s_client -starttls imap -crlf -connect IMAP_SERVER:143 </dev/null

openssl s_client -connect IMAP_SERVER:143 -starttls imap
# interactive session: -quiet suppresses the certificate dump, -crlf sends the CRLF line endings IMAP expects
openssl s_client -connect IMAP_SERVER:143 -starttls imap -quiet -crlf
# then type at the prompt (each IMAP command is prefixed with a tag, here "1"):
1 login TESTACCOUNT PASSWORD
1 list "" "*"
1 logout

# plain connect without STARTTLS, or forcing a single protocol version:
#openssl s_client -connect IMAP_SERVER:143
#openssl s_client -tls1 -connect IMAP_SERVER:143
#  (or -tls1_2 instead of -tls1 to force TLSv1.2)

Check that it does NOT accept SSL version 3 (the handshake should fail; note that -ssl3 is only available if your OpenSSL build still includes SSLv3 support),

openssl s_client -connect IMAP_SERVER:993 -ssl3
