SharpTLSScan v1.0

Update 08/13/2014: v1.1 is here.

SSL and TLS have been getting a lot of attention from me lately, and recently I found myself in want of a tool that would tell me precisely which protocol versions and cipher suites a given server supported.

Sure, there's SSLScan and SSLScan-Win, but those tools haven't been updated in 5 years, and thus don't support the newer versions of TLS, 1.1 and 1.2.  And of course there are nice websites like SSL Labs that do a fine job, but I wanted to use this tool to audit internal/private systems too, not just internet web servers.

So I created a new tool and called it SharpTLSScan.  It's pure C# and has no reliance on outside libraries (such as OpenSSL,) and I managed to avoid the pain of directly interfacing with the SChannel API as well.

SharpTLSScan comes with the "It works on my machine (tm)" guarantee.  It's free, and the source will probably show up on Github pretty soon.

Here are some screenshots:

Usage is simple - SharpTLSScan myhost:636

First, the server's certificate is inspected and validated.  Next, a default connection is negotiated, which is useful for seeing what kind of connection your system would negotiate on its own.  Then, all protocol versions and all cipher suites are tested to see what the server will support.  (This can take a couple of minutes.)  Things that are obviously good (such as the certificate validating) are highlighted in green, while things that are obviously bad (such as SSL v2 support) are highlighted in red.  Things that are fair, but not great, (such as MD5 hashes) are in yellow.


*Oh dear...*

The reason why the protocol versions seem interleaved is a side-effect of a the multithreading in the program.  I'll likely fix it in the next update.

Here you go:

SharpTLSScan.zip (14.3KB)

Comments (3) -

Mark Henderson 8/10/2014 8:54:02 PM

I like. Small suggestion - perhaps put the colour coding of the results as a legend in the output somewhere? Just for dummies who don't read the documentation. Also, your new captcha at least doesn't ask geo specific questions but maths is hard.

Glad you like! Yes, I will definitely add a legend in my next update. Also, I felt like what deserves red and what deserves yellow is a bit subjective. But I still figured color was better than no color. Smile

Joshua McKinnon 8/11/2014 12:57:16 PM

This looks great. I've been wanting a tool like this for exactly this purpose. Qualys is great but for hardening internal (non-internet-facing) sites and services, something else (like this) is needed.

Make sure to update if/when you've got it on GitHub, I'm curious to check it out further.

Comments are closed