iPlanet Certificate Management System Command-Line Tools Guide



Chapter 15   SSL Strength Tool


SSL Strength Tool is a command-line tool that connects to an SSL server and reports back the encryption cipher and strength used for the connection.

This chapter has the following sections:

  • Availability

  • Syntax

  • Usage

  • Examples

Availability

This tool is available for AIX 4.3, OSF/1 v4.0D, Solaris 2.6 (SunOS 5.6), Solaris 8, and Windows NT 4.0.



Syntax



sslstrength hostname[:port]
            [ciphers=ciphercode(s)]
            [verbose]
            [policy=export|domestic]

This form of the command returns a list of enabled ciphers on the client, then attempts to connect to the named SSL host, on the specified port. If the connection is successful, it returns information about the negotiated encryption strength.

sslstrength ciphers

This form of the command returns a list of the possible ciphers. The letter in the first column of the output is the code used by the ciphers= option. Pass any number of these codes, concatenated into one string, as the value of ciphers= to select the cipher preferences.


Options and Arguments

The SSL Strength Tool command options and their arguments are defined as follows:


Table 15-1    Description of options and arguments

Option or Argument    Description

hostname              Required. Identifies the SSL server to which to connect.

port                  Optional. Identifies a specific port on the specified SSL server to
                      which to connect. If not specified, defaults to the standard HTTPS
                      port, 443.

ciphers=              Optional. Turns on the cipher preferences corresponding to the
                      specified cipher codes, and turns off all other cipher preferences.
                      To obtain the list of cipher character codes, execute the special
                      form of the command:

                      sslstrength ciphers

verbose               Optional. Turns on the verbose form of command output, which provides
                      additional information about the progress of the connection.

policy=               Optional. Sets your policy regarding which ciphers can be permitted.
                      Restricts the available ciphers to the same set used by Netscape
                      Communicator for domestic or export versions (to comply with federal
                      export restrictions). The value can be export or domestic. If not
                      specified, defaults to domestic.



Usage



During an SSL handshake, the client sends the server a list of the ciphers it can use. The server chooses one of the ciphers based on its cipher policies, and notifies the client of which one to use.

When you issue the sslstrength command, the tool first prints the list of ciphers enabled on the client. It then connects to an SSL server and reports back the following information:

  • The bulk encryption algorithm selected

  • The key size selected

  • The secret key size. For the export ciphers these two differ: RC4-40, for example, uses a 128-bit key of which only 40 bits are secret (the rest is derived from values exchanged in the clear during the handshake), so the secret key size is the figure that reflects the actual strength of the connection.

  • Information about the SSL server certificate, including:

    • The issuer subject name

    • The certificate subject name

    • The validity period


Restricting Ciphers

You can selectively enable or disable specific ciphers on the client, to determine what strength of connection is used for those ciphers. Use the policy= or ciphers= option to restrict which ciphers are available.

  • To restrict the available ciphers to the same set used by Communicator for exportable or domestic versions, set the policy= option to either domestic or export. In an exportable client, only those ciphers that are valid for export are enabled.

  • To further restrict the ciphers available, use the ciphers= option. The argument to this option is a string of characters, where each single character represents a cipher. For example, ciphers=bfi turns on the cipher preferences corresponding to the codes b, f, and i. It turns off all other cipher preferences.

    To obtain the list of cipher character codes, execute this command:

       sslstrength ciphers


Export Policy and Step-up

Some institutions, such as banks, may be qualified to obtain a special "step-up" certificate (also known as a "global server ID") that allows the server to override export policy. When this certificate is installed in the server, it allows an export client that has step-up capability to renegotiate the SSL cipher and use domestic-strength encryption.

A connection that steps up starts out with 40-bit encryption; the client then renegotiates, and when the new change-cipher-spec takes effect the connection switches to 128-bit encryption. To check whether a client has stepped up correctly upon encountering a step-up certificate, check that it is using export policy, and that the secret key size is 128 bits.
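The following Python model ties together the three mechanisms described above: how policy= and ciphers= reduce the client's preference list, what the SSL3 ClientHello/ServerHello exchange actually carries (the client's offered suite ids and the server's single choice), and how an export client steps up by renegotiating once the server has shown a step-up certificate. It is an added example written for this page, not the source of sslstrength or any NSS code. The cipher table is taken from the tool's own "sslstrength ciphers" listing (SSL3 entries only; the SSL2 codes a through f are not modelled and are rejected), the key and secret-key sizes for RC4, 3DES and RC4-40 are the ones printed in the Examples, and the sizes for DES and RC2-40, the server's preference order, and the function names are assumptions.

```python
"""Model of sslstrength's cipher preferences, the SSL3 hello exchange, and
step-up renegotiation.  Added example; not the tool's own source."""
import os
import struct

# Client cipher table from the "sslstrength ciphers" listing (SSL3 entries only).
# Fields: name, SSL3 suite id, Export column, bulk cipher, key bits, secret key bits.
# Sizes for RC4, 3DES and RC4-40 are those the tool prints in the Examples;
# the sizes for DES and RC2-40 are assumptions (no such connection is shown).
CIPHERS = {
    "i": ("SSL_RSA_WITH_RC4_128_MD5",           0x0004, "Step-up only", "RC4",          128, 128),
    "j": ("SSL_RSA_WITH_3DES_EDE_CBC_SHA",      0x000A, "Step-up only", "3DES-EDE-CBC", 168, 168),
    "k": ("SSL_RSA_WITH_DES_CBC_SHA",           0x0009, "No",           "DES-CBC",       56,  56),
    "l": ("SSL_RSA_EXPORT_WITH_RC4_40_MD5",     0x0003, "Yes",          "RC4-40",       128,  40),
    "m": ("SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5", 0x0006, "Yes",          "RC2-CBC-40",   128,  40),
    "o": ("SSL_RSA_WITH_NULL_MD5",              0x0001, "Yes",          "NULL",           0,   0),
}
BY_SUITE = {entry[1]: code for code, entry in CIPHERS.items()}

# Hypothetical server preference order: strongest RSA suite first.
DEFAULT_SERVER_PREFS = (0x0004, 0x000A, 0x0009, 0x0003, 0x0006, 0x0001)


def client_preferences(policy="domestic", codes=None):
    """Apply policy= first, then ciphers=.  Returns (offered_now, after_step_up):
    under export policy the "Step-up only" suites are held back until the
    server has presented a step-up certificate."""
    if policy not in ("domestic", "export"):
        raise ValueError("policy must be export or domestic")
    if codes is not None and set(codes) - set(CIPHERS):
        raise ValueError("unknown cipher code(s): " + "".join(sorted(set(codes) - set(CIPHERS))))
    now, later = [], []
    for code, (_name, suite, export, _bulk, _key, _secret) in CIPHERS.items():
        if codes is not None and code not in codes:
            continue                                 # turned off by ciphers=
        if policy == "export" and export == "No":
            continue                                 # never available to an export client
        (later if policy == "export" and export == "Step-up only" else now).append(suite)
    return now, later


def build_client_hello(suites):
    """SSL3 ClientHello: version, random, empty session id, suites, null compression."""
    body = struct.pack("!H", 0x0300) + os.urandom(32) + b"\x00"
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"
    return b"\x01" + len(body).to_bytes(3, "big") + body


def parse_client_hello(msg):
    """Return the suite ids the client offered, in the order it sent them."""
    if msg[0] != 0x01 or int.from_bytes(msg[1:4], "big") != len(msg) - 4:
        raise ValueError("malformed ClientHello")
    p = 4 + 2 + 32                   # skip handshake header, version, random
    p += 1 + msg[p]                  # skip session id
    n = struct.unpack("!H", msg[p:p + 2])[0]
    p += 2
    return [struct.unpack("!H", msg[p + i:p + i + 2])[0] for i in range(0, n, 2)]


def build_server_hello(suite):
    """SSL3 ServerHello carrying the single suite the server chose."""
    body = struct.pack("!H", 0x0300) + os.urandom(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return b"\x02" + len(body).to_bytes(3, "big") + body


def parse_server_hello(msg):
    if msg[0] != 0x02 or int.from_bytes(msg[1:4], "big") != len(msg) - 4:
        raise ValueError("malformed ServerHello")
    p = 4 + 2 + 32
    p += 1 + msg[p]
    return struct.unpack("!H", msg[p:p + 2])[0]


def server_choose(offered, server_prefs):
    """The server picks by its own preference order from what the client offered."""
    return next((s for s in server_prefs if s in offered), None)


def handshake(client_suites, server_prefs):
    """One ClientHello/ServerHello round trip; negotiated suite id, or None on failure."""
    pick = server_choose(parse_client_hello(build_client_hello(client_suites)), server_prefs)
    return None if pick is None else parse_server_hello(build_server_hello(pick))


def connect(policy="domestic", codes=None, server_prefs=DEFAULT_SERVER_PREFS, step_up_cert=False):
    """The fields printed under "SSL Connection Status", or None if no suite was agreed."""
    now, later = client_preferences(policy, codes)
    suite = handshake(now, server_prefs)
    if suite is None:
        return None
    if step_up_cert and later:
        # Server presented a step-up certificate: renegotiate with the strong suites enabled.
        suite = handshake(later + now, server_prefs) or suite
    _name, _id, _export, bulk, key_bits, secret_bits = CIPHERS[BY_SUITE[suite]]
    return {"policy": policy, "cipher": bulk, "key_size": key_bits, "secret_key_size": secret_bits}


def stepped_up(status):
    """The check given above: export policy in effect and a 128-bit secret key."""
    return status is not None and status["policy"] == "export" and status["secret_key_size"] == 128


if __name__ == "__main__":
    print(connect())                                   # RC4 128/128, as in Example 1
    print(connect(codes="jkl"))                        # 3DES-EDE-CBC 168/168, as in Example 2
    print(connect(policy="export"))                    # RC4-40 128/40, as in Example 3
    status = connect(policy="export", step_up_cert=True)
    print(status, "stepped up:", stepped_up(status))   # RC4 128/128, True
    print(connect(policy="export", codes="k"))         # None: DES is not exportable, nothing to offer
```

The last call shows the failure mode worth knowing about: combining policy=export with a ciphers= value that names only non-exportable ciphers leaves the client with nothing to offer, and the handshake fails rather than silently falling back to a weaker suite. The step-up path also makes the check from the text concrete: the first handshake under export policy lands on a 40-bit secret key, and only the renegotiation after the step-up certificate produces the 128-bit secret key that stepped_up() looks for.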



Examples



The following examples show the output from various sslstrength commands.


Example 1

This example shows output from a command that allows all options to default.

sslstrength myhost.netscape.com

Using domestic policy
Connecting to myhost.netscape.com:443
Using all ciphersuites usually found in client
Your Cipher preference:
id  CipherName                                     Domestic  Export
a   SSL_EN_RC4_128_WITH_MD5 (ssl2)                 Yes       No
b   SSL_EN_RC2_128_CBC_WITH_MD5 (ssl2)             Yes       No
c   SSL_EN_DES_192_EDE3_CBC_WITH_MD5 (ssl2)        Yes       No
d   SSL_EN_DES_64_CBC_WITH_MD5 (ssl2)              Yes       No
e   SSL_EN_RC4_128_EXPORT40_WITH_MD5 (ssl2)        Yes       Yes
f   SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5 (ssl2)    Yes       Yes
i   SSL_RSA_WITH_RC4_128_MD5 (ssl3)                Yes       Step-up only
j   SSL_RSA_WITH_3DES_EDE_CBC_SHA (ssl3)           Yes       Step-up only
k   SSL_RSA_WITH_DES_CBC_SHA (ssl3)                Yes       No
l   SSL_RSA_EXPORT_WITH_RC4_40_MD5 (ssl3)          Yes       Yes
m   SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (ssl3)      Yes       Yes
o   SSL_RSA_WITH_NULL_MD5 (ssl3)                   Yes       Yes
p   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (ssl3)      Yes       No
q   SSL_RSA_FIPS_WITH_DES_CBC_SHA (ssl3)           Yes       No
SSL Connection Status
Cipher: RC4
Key Size: 128
Secret Key Size: 128
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Subject: CN=myhost.netscape.com, OU=E-Store Merchant Server, O=Netscape Communications Corp., L=Mountain View, ST=California, C=US
Valid: from Fri Oct 02, 1998 to Sat Oct 02, 1999


Example 2

This example shows output from a command that limits the client to three ciphers.

sslstrength myhost.netscape.com ciphers=jkl

Using domestic policy
Connecting to myhost.netscape.com:443
Your Cipher preference:
id  CipherName                                     Domestic  Export
j   SSL_RSA_WITH_3DES_EDE_CBC_SHA (ssl3)           Yes       Step-up only
k   SSL_RSA_WITH_DES_CBC_SHA (ssl3)                Yes       No
l   SSL_RSA_EXPORT_WITH_RC4_40_MD5 (ssl3)          Yes       Yes
SSL Connection Status
Cipher: 3DES-EDE-CBC
Key Size: 168
Secret Key Size: 168
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Subject: CN=myhost.netscape.com, OU=E-Store Merchant Server, O=Netscape Communications Corp., L=Mountain View, ST=California, C=US
Valid: from Fri Oct 02, 1998 to Sat Oct 02, 1999


Example 3

This example shows output from a command that sets the client's policy to enable standard export ciphers.

sslstrength myhost.netscape.com policy=export

Using export policy
Connecting to myhost.netscape.com:443
Using all ciphersuites usually found in client
Your Cipher preference:
id  CipherName                                     Domestic  Export
e   SSL_EN_RC4_128_EXPORT40_WITH_MD5 (ssl2)        Yes       Yes
f   SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5 (ssl2)    Yes       Yes
i   SSL_RSA_WITH_RC4_128_MD5 (ssl3)                Yes       Step-up only
j   SSL_RSA_WITH_3DES_EDE_CBC_SHA (ssl3)           Yes       Step-up only
l   SSL_RSA_EXPORT_WITH_RC4_40_MD5 (ssl3)          Yes       Yes
m   SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (ssl3)      Yes       Yes
o   SSL_RSA_WITH_NULL_MD5 (ssl3)                   Yes       Yes
SSL Connection Status
Cipher: RC4-40
Key Size: 128
Secret Key Size: 40
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Subject: CN=myhost.netscape.com, OU=E-Store Merchant Server, O=Netscape Communications Corp., L=Mountain View, ST=California, C=US
Valid: from Fri Oct 02, 1998 to Sat Oct 02, 1999


Copyright © 2002 Sun Microsystems, Inc. All rights reserved.

Last Updated October 07, 2002