SSL / TLS Scanner

With all the recent bugs in OpenSSL, every security officer needs an SSL / TLS scanning infrastructure to make sure she does not miss a service when updating and fixing everything.

hrafn

Why an SSL / TLS scanner

Running encryption has become a hassle recently, mostly because of four factors.

  1. Practically everybody uses OpenSSL to secure transport to and from (mostly) web applications.
  2. OpenSSL has an excellent track record of messing up secure code.
  3. OpenSSL is also used in applications and appliances which are seldom or never updated.
  4. Crypto is hard, and configuring it is no less so.

While this might sound like a rant against OpenSSL, it is not. OpenSSL is not the only one to mess crypto up. But it is the one which did so royally. Multiple times.

So, to find out whether your servers are configured as your policy requires them to be, one option is to run a regular scan.

sslyze

sslyze is an excellent tool to check some of the configuration of an SSL / TLS server. With sslyze it is possible to find out which ciphers are in use in which protocol version.

nmap

nmap is a free security scanner for network exploration. With nmap you can quickly check what kind of server software runs on a host.

hrafn

hrafn is the tool that puts everything together. It reads a list of domains and ciphers from a configuration file and runs sslyze as well as nmap against those domains.

Currently, hrafn reports on the protocols in use, as well as on the ciphers in use per protocol. The tool then compares the ciphers in use against the allowed ciphers and reports the policy violations. hrafn also reports the signature of the certificate in use, so that you can check whether the certificate has changed over time.

The results of these scans are written to disk and can be rendered into a CSV file for further analysis and processing.

hrafn is written in JavaScript and runs on Node.js.
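The policy check and CSV rendering described above, as an added example in plain Node.js that is not hrafn's own code: the policy, the scan summary (its shape is assumed, not sslyze's native output) and the certificate fingerprint are all constructed for illustration.

```javascript
// Constructed policy, standing in for the allowed ciphers in hrafn's config file.
const POLICY = {
  allowedProtocols: ['TLSv1.2'],
  allowedCiphers: ['ECDHE-RSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES256-GCM-SHA384'],
};

// Constructed scan summary (its shape is assumed, not sslyze's native output):
// protocol version -> ciphers the server accepted under that version.
const SCAN = {
  host: 'www.example.test',
  protocols: {
    SSLv3: ['RC4-SHA'],
    'TLSv1.2': ['ECDHE-RSA-AES128-GCM-SHA256', 'AES128-SHA'],
  },
  certFingerprint: 'AB:CD:EF:01:23:45', // constructed placeholder fingerprint
};

// One violation per offending (protocol, cipher) pair. A cipher seen under a
// forbidden protocol is a protocol violation even if the cipher itself is
// allowed; an unlisted cipher under an allowed protocol is a cipher violation.
function checkPolicy(scan, policy) {
  const violations = [];
  for (const [protocol, ciphers] of Object.entries(scan.protocols)) {
    const protocolOk = policy.allowedProtocols.includes(protocol);
    for (const cipher of ciphers) {
      const reason = !protocolOk ? 'protocol not allowed'
        : !policy.allowedCiphers.includes(cipher) ? 'cipher not allowed' : null;
      if (reason) violations.push({ host: scan.host, protocol, cipher, reason });
    }
  }
  return violations;
}

// Compare with the fingerprint stored from the previous run (null on first run).
function certChanged(previousFingerprint, scan) {
  return previousFingerprint !== null && previousFingerprint !== scan.certFingerprint;
}

// Render violations as CSV, quoting every field so a comma or quote in a
// value cannot shift the columns.
function toCsv(violations) {
  const quote = (v) => `"${String(v).replace(/"/g, '""')}"`;
  const header = ['host', 'protocol', 'cipher', 'reason'];
  const rows = violations.map((v) => header.map((k) => quote(v[k])).join(','));
  return [header.map(quote).join(','), ...rows].join('\n');
}

console.log(toCsv(checkPolicy(SCAN, POLICY)));
```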

You can get our hrafn tool on our GitHub page at https://github.com/le-krogoth/hrafn.
