# TLS-Check – Collect information about domains and their servers

TLS-Check is

1. a modular framework for collecting and summarizing arbitrary key figures for a lot of domains and their running servers (usually web and mail servers)
2. software for analyzing and summarizing the security and encryption of given domains, e.g. supported SSL/TLS versions and cipher suites.

Its primary goal is to get key figures about SSL/TLS connections. It can count how many servers support encryption or not, good or weak SSL/TLS versions, good or weak cipher suites, how many websites or mail servers are vulnerable to security problems like Heartbleed, how many support IPv6, how many support all recommendations of the BSI or the Bettercrypto project, and much more.

TLS-Check comes with a lot of checks, but it is very easy to add more tests. It is highly modular and each part of the code can be replaced (e.g. input or output).

Development contracted by the Chamber of Commerce and Industry of the Stuttgart (Germany) Region and its committee for information technology, information services and telecommunication.


## Why write another SSL/TLS testing tool? What are the primary goals?

There are a lot of tools which check servers for their SSL/TLS capabilities (e.g. SSLyze, OWASP O-Saft, ssl-cipher-suite-enum, testssl.sh and many more). But none met all our requirements when we started TLS-Check in 2014:

* We need a flexible and extensible tool to check every possible key figure for a given domain – e.g. from counting how many servers support IPv6 or the different top level domains to counting how many support the really old SSLv2 protocol.
* The most important subtests in TLS-Check are SSL/TLS checks. TLS-Check uses its own SSL/TLS handshake implementation, because we found no acceptable other solution. Some of the tools for checking SSL/TLS cipher suites are really ugly hacks, violate all best-practice rules, have no or very few automated tests, have ugly spaghetti code, are unmaintainable or buggy. TLS-Check is not free of errors, but tries to have testable, extendable, maintainable code.
* It should allow checking every known or unknown cipher suite, not limited to e.g. the cipher suites supported by OpenSSL. Because TLS-Check uses its own code for the SSL/TLS handshake, it supports every possible cipher suite. It knows about 362 different cipher suites, 455 with duplicates.
* It should be easy to add new checks: *It makes easy things easy and hard things possible – reliable, testable.*
* Tests must run in parallel to reduce the runtime.
* We have some limitations for privacy reasons.
* The output should be parseable. The output of TLS-Check is CSV by default, for import into Excel, Numbers, LibreOffice or similar. But it is easy to write a module which outputs the result as JSON, XML or whatever.


## Checks

TLS-Check comes with the following check modules; they are enabled by default. If a check is dependent on another, then the order is important. The default order is fine.

For more documentation see the module documentation in `Security::TLSCheck::Checks::xxx`.

* **DNS** – Does some DNS checks, tests for IPv4 and IPv6 IPs, counts MX (Mail eXchanger) records.
* **Web** – Basic web tests: checks if there is a website and if HTTPS is supported; redirect checks and some more.
* **Mail** – Checks if the MX are reachable and support STARTTLS; DNS must run before, some of its results are used here.
* **Dummy** – A small and simple example module; counts the top level domains.
* **CipherStrength** – Checks for supported SSL/TLS versions and cipher suites of websites, checks if BSI and Bettercrypto recommendations are met and much more. Web must run first, its output is used.
* **MailCipherStrength** – The same, but for mail servers. Mail must run before.
* **CipherStrengthOnlyValidCerts** – Exactly the same as CipherStrength, but counts web cipher strengths only when the certificate is valid. CipherStrength must run first, its result is used.
* **AgeDE** – Checks if a server supports the German age declaration for youth protection and which default/minimum age is given. Web must run first.
* **Heartbleed** – Heartbleed check, web and mail; Web and DNS must run before.
* **FinalScore** – Calculates a final score for websites (only websites). Web and CipherStrength must run before.
44
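Because a check that depends on another must be listed after it, a custom `--checks` list is easy to get wrong. The following is an added example in Python, not part of TLS-Check itself: it encodes the dependencies exactly as documented in the list above and either reports ordering problems in a given list or expands a wanted set of checks into a valid order. That `--checks` takes the bare module names shown above is taken from the list; whether TLS-Check validates the order itself is not stated here, so this check is assumed to be the user's job.

```python
# Added example (not part of TLS-Check): validate a --checks list against the
# check dependencies documented in the README, or build a valid order.

# check name -> checks whose results it consumes, so they must run before it
DEPENDENCIES = {
    "DNS": [], "Web": [], "Dummy": [],
    "Mail": ["DNS"],
    "CipherStrength": ["Web"],
    "MailCipherStrength": ["Mail"],
    "CipherStrengthOnlyValidCerts": ["CipherStrength"],
    "AgeDE": ["Web"],
    "Heartbleed": ["Web", "DNS"],
    "FinalScore": ["Web", "CipherStrength"],
}

# The README's default order; it satisfies every edge above.
DEFAULT_ORDER = ["DNS", "Web", "Mail", "Dummy", "CipherStrength",
                 "MailCipherStrength", "CipherStrengthOnlyValidCerts",
                 "AgeDE", "Heartbleed", "FinalScore"]

def order_problems(checks):
    """Return human-readable problems for a --checks list in the given order.
    An empty list means each check is listed after all checks it depends on."""
    problems, seen = [], set()
    for check in checks:
        if check not in DEPENDENCIES:
            problems.append(f"unknown check {check!r}")
            continue
        for dep in DEPENDENCIES[check]:
            if dep not in seen:
                problems.append(f"{check} needs {dep} to run before it")
        seen.add(check)
    return problems

def resolve_order(wanted):
    """Expand the wanted checks with all transitive dependencies and return
    them in a valid order (the README's default order, filtered)."""
    needed = set()
    def add(check):
        if check not in DEPENDENCIES:
            raise ValueError(f"unknown check {check!r}")
        if check not in needed:
            for dep in DEPENDENCIES[check]:
                add(dep)
            needed.add(check)
    for check in wanted:
        add(check)
    return [c for c in DEFAULT_ORDER if c in needed]
```

`resolve_order(["FinalScore"])` yields `Web`, `CipherStrength`, `FinalScore`, which is the shortest list that can be passed to `--checks` for a final score.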
As an example, here is a summary of the most important tests of a real-life check, generated with TLS-Check and converted with the summary script:

* [TLS-Check summary IHK Region Stuttgart, Q1 2016](https://www.stuttgart.ihk24.de/blob/sihk24/Fuer-Unternehmen/innovation/downloads/3300084/5a1ce6ed286e7385afb6e878a95dcc65/TLS-Check---Zusammenfassung-data.pdf) (in German)

The full output has many more details.


## Installation

TLS-Check was developed on FreeBSD and OS X, but also works on Linux. It is not tested on Windows. TLS-Check is written in Perl with Moose and uses a lot of CPAN modules.

### Install as packages

The easiest way to install TLS-Check is to use FreeBSD and install it as a port or package:

    cd /usr/ports/security/tls-check && make install clean
    # Or as package
    pkg install security/tls-check

### Manual installation on Linux/Unix/…:

#### Install the following dependencies:

##### • LibIDN

If you want to use IDN domain names (with characters other than US-ASCII, e.g. äöü.tld), LibIDN is needed. You should install it with the package manager of your OS; e.g. `apt-get install libidn11-dev` should do this on Debian and Ubuntu.

##### • Perl

TLS-Check should work with an old Perl 5.10 and is tested with 5.14 and up.

* Perl is usually installed by your OS. Some Linux distributions deliver broken Perl packages, and you may need to install the Perl default modules (`perl-modules`). (untested, please report issues here)
* If you don't want to (or can't) install all dependencies with the package manager of your OS, it may be better to install your own Perl to avoid conflicts with system packages. The best way is to use [perlbrew](http://perlbrew.pl) for this. A Perl without ithreads and with full optimizations (-O3) is recommended.

##### • `Module::Build`, Perl build manager

On some Perl versions this is already installed; you can check this with:

```
perl -MModule::Build -E 'say "Module-Build-version installed: $Module::Build::VERSION"'
```

When there is an error message, you must install `Module::Build`, either with your package manager or via CPAN:

```
cpan Module::Build
```

`Module::Build` is only needed at build time, not for running TLS-Check.

#### Install TLS-Check

Now download and unpack TLS-Check. Then run in the main source directory:

    perl Build.PL

It may complain about missing dependencies. Install them with your favorite package manager, install them manually via CPAN, or use the built-in CPAN installer:

    ./Build installdeps

Because CPAN runs a lot of tests, this may take a long time. If you want to do DNS checks on IDN domains, the installation of the `Net::LibIDN` module is necessary. But this needs the LibIDN library, so you should install that first (see above).

Then you may install TLS-Check:

    ./Build install

As an alternative, you can run everything directly from `bin` without installing, e.g. as `bin/tls-check-parallel.pl`.


## Example Usage

### Short summary

    tls-check-parallel.pl --files=path/to/domain-file.txt --outfile=result/my-result.csv
    csv-result-to-summary.pl result/my-result.csv > result/summary.csv

You may also run it without parameters; then it reads input from STDIN and writes the result to STDOUT.

csv-result-to-summary.pl is a hack to extract the most important results and create an easy-to-read CSV, which can be used with LibreOffice, Excel, Numbers, … But at the moment the descriptions in the summary are in German.

You can also use the full result, but it's hard to read.

### More detailed usage

After installation there are some new executables:

    tls-check.pl
    tls-check-parallel.pl

They are the same, except that tls-check-parallel can query domains in parallel.

Usage:

    > tls-check-parallel.pl --help
    usage: tls-check-parallel.pl [-?h] [long options...]
      --configfile STR          Configuration file
      --jobs INT                Number of max. parallel worker jobs
      --log_config STR          Alternative logging config
      --checks STR...           List of checks to run
      --user_agent_name STR     UserAgent string for web checks
      --my_hostname STR         Hostname for SMTP EHLO etc.
      --timeout INT             Timeout for networking
      --separator STR           CSV Separator char(s)
      --files STR...            List of files with domain names to check
      --verbose                 Verbose Output/Logging
      --temp_out_interval INT   Produce temporary output every # Domains
      -h -? --usage --help      Prints this usage information.
      --undef_string STR        String for undef with show_options
      --show_options            List all Options
      --results KEY=STR...
      --outfile STR             Output file name; - for STDOUT (default)

Each config parameter can be set in the configuration file. This is searched for in the following places:

    ~/.tls-check.conf
    /usr/local/etc/tls-check.conf
    /etc/tls-check.conf
    <perl installation dir>/tls-check.conf

You can view the default and used values by adding `--show_options`:

    tls-check-parallel.pl --show_options
    tls-check-parallel.pl --configfile=~/my-config.conf --show_options

The domain file is a CSV and has one or more columns: the first column is a domain name, the second a category; so it usually looks like:

    domain.tld;Category
    other-domain.tld;Other Category

It's OK to have no category, so the file simply contains one domain per line.
174
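A short pre-check of the domain file catches problems before a long parallel run. The following added example (Python, not part of TLS-Check) parses the `domain;Category` format described above, tolerates a missing category and blank lines, rejects names that are not valid hostnames, and converts IDN names such as äöü.tld to their ASCII (punycode) form. That TLS-Check accepts such pre-encoded names like any other hostname is an assumption, and the sample file at the end is constructed.

```python
# Added example (not part of TLS-Check): parse and normalise a domain file of
# the form "domain.tld;Category" (category optional) before running a check.
import re

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; max 63.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

def parse_domain_line(line, separator=";"):
    """Return (ascii_domain, category) for one line or None for a blank line.
    Raises ValueError for a domain that is not a valid hostname."""
    line = line.strip()
    if not line:
        return None
    parts = line.split(separator, 1)
    domain = parts[0].strip().lower().rstrip(".")
    category = parts[1].strip() if len(parts) > 1 else ""
    try:
        # IDN labels become xn-- A-labels, as LibIDN would produce them
        # (assumption: TLS-Check accepts pre-encoded names as plain hostnames).
        ascii_domain = domain.encode("idna").decode("ascii")
    except UnicodeError as exc:
        raise ValueError(f"invalid IDN domain {domain!r}: {exc}") from None
    for label in ascii_domain.split("."):
        if not LABEL_RE.match(label):
            raise ValueError(f"invalid label {label!r} in {domain!r}")
    return ascii_domain, category

def normalise_domain_file(text, separator=";"):
    """Parse a whole domain file. Returns (rows, errors): rows are
    (domain, category) tuples, errors are 'line N: reason' strings."""
    rows, errors = [], []
    for number, line in enumerate(text.splitlines(), 1):
        try:
            row = parse_domain_line(line, separator)
        except ValueError as exc:
            errors.append(f"line {number}: {exc}")
            continue
        if row is not None:
            rows.append(row)
    return rows, errors

# Constructed sample input in the README's format, not a real domain list.
SAMPLE_FILE = """domain.tld;Category
other-domain.tld;Other Category

äöü.tld
bad_host.tld;Broken
"""
```

Write the returned rows back out as `domain;category` lines and pass that file to `--files`; the error list tells you which input lines to fix first.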
If you have enough memory, it's OK to set `--jobs` to a high value. But at the moment the parallel mode is not optimal.


### Logfiles

By default you find log files (trace, info and error) in ~/.perl/dist/TLS-Check, or in your data directory if your OS supports this. When running without installation, the log files are stored in the logs folder in the main directory.


## Bugs

It's certain that there are bugs. Please report them; patches and fixes are welcome.

### Known other issues

* Some documentation (POD) for code and internal API should be (re)written
* Parallel fork mode does not scale well; it should be rewritten with a fork pool and queue handling
* Some tests are written for execution in my local development environment and should be rewritten
* Write more and better tests, e.g. with different SSL implementations
* The single standalone program for getting SSL/TLS properties should be rewritten (the Net::SSL::GetServerProperties module should provide the list of all checks)
* Split some modules into extra distributions
* Publish everything on CPAN (after splitting into distributions)
* There are some other TODOs … ;-)
* MX handling works as expected, but should be rewritten, e.g. to better handle categories


## Mailing list and support

There is a mailing list. Until there is more traffic, we have only one list for developers and users together.

* [Info Page](https://lists.odem.org/sympa/info/tls-check)
* [Subscribe via web interface](https://lists.odem.org/sympa/subscribe/tls-check)
* To subscribe via mail, send a mail to [sympa@lists.odem.org with subject "subscribe tls-check"](mailto:sympa@lists.odem.org?subject=subscribe%20tls-check)


## Author

TLS-Check is written by [Alvar C.H. Freude](http://alvar.a-blast.org/), 2014–2016.

Development contracted by the Chamber of Commerce and Industry of the Stuttgart (Germany) Region and its committee for information technology, information services and telecommunication.

https://www.stuttgart.ihk24.de

## Links

* [TLS-Check page, IHK Region Stuttgart](https://www.stuttgart.ihk24.de/Fuer-Unternehmen/innovation/E-Businessberatung/IT-Sicherheits-Check/664320) (in German)
* [TLS-Check summary IHK Region Stuttgart, Q1 2016](https://www.stuttgart.ihk24.de/blob/sihk24/Fuer-Unternehmen/innovation/downloads/3300084/5a1ce6ed286e7385afb6e878a95dcc65/TLS-Check---Zusammenfassung-data.pdf); output from the TLS-Check summary script (in German)
* [Description of TLS-Check and results](https://www.stuttgart.ihk24.de/blob/sihk24/Fuer-Unternehmen/innovation/downloads/3300070/801b0ef29405c1710223f9a76bc24c06/TLS-Check-Ergebnisse-data.pdf) (in German)
* [Bettercrypto project](https://bettercrypto.org), [Bettercrypto guide](https://bettercrypto.org/static/applied-crypto-hardening.pdf) with copy&paste configuration examples for hardening your servers (in English)
* [BSI Guideline TR-02102-2](https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2.html) (in German)
* [Press release IHK Region Stuttgart](https://www.stuttgart.ihk24.de/presse/Pressemitteilungen/IHK-Pressemitteilungen_2016/Januar-bis-Maerz_2016/PM-Nr--17-Sicherheitscheck/3302518) on the first public launch (in German)

## License

TLS-Check is licensed under the [Artistic License 2.0](https://opensource.org/licenses/Artistic-2.0) or the [European Public Licence 1.1 (EUPL)](https://joinup.ec.europa.eu/community/eupl/og_page/european-union-public-licence-eupl-v11).