Previous Contents Index Next |
iPlanet Certificate Management System Command-Line Tools Guide |
Chapter 15 SSL Strength Tool
SSL Strength Tool is a command-line tool that connects to an SSL server and reports back the encryption cipher and strength used for the connection.
This chapter has the following sections:
Availability
This tool is available for AIX 4.3, OSF/1 v4.0D, Solaris 2.6 (SunOS 5.6), Solaris 8, and Windows NT 4.0.
Syntax
sslstrength hostname[:port]
[ciphers=ciphercode(s)]
[verbose]
[policy=export|domestic]
This form of the command returns a list of enabled ciphers on the client, then attempts to connect to the named SSL host, on the specified port. If the connection is successful, it returns information about the negotiated encryption strength.
This form of the command returns a list of the possible ciphers. A letter in the first column of the output is the code used by the ciphers= option. Pass any number of cipher codes to the ciphers= argument to identify the cipher preferences.
Options and Arguments
The SSL Strength Tool command options and their arguments are defined as follows:
Usage
During an SSL handshake, the client sends the server a list of the ciphers it can use. The server chooses one of the ciphers based on its cipher policies, and notifies the client of which one to use.
When you issue the sslstrength command, the tool first prints the list of ciphers enabled on the client. It then connects to an SSL server and reports back the following information:
Restricting Ciphers
You can selectively enable or disable specific ciphers on the client, to determine what strength of connection is used for those ciphers. Use the policy= or ciphers= option to restrict which ciphers are available.
To restrict the available ciphers to the same set used by Communicator for exportable or domestic versions, set the policy= option to either domestic or export. In an exportable client, only those ciphers that are valid for export are enabled.
To further restrict the ciphers available, use the ciphers= option. The argument to this option is a string of characters, where each single character represents a cipher. For example, ciphers=bfi turns on the cipher preferences corresponding to the codes b, f ,and i. It turns off all other cipher preferences.
Export Policy and Step-up
Some institutions, such as banks, may be qualified to obtain a special "step-up" certificate (also know as a "global server ID") that allows the server to override export policy. When this certificate is installed in the server, it allows an export client that has step-up capability to renegotiate the SSL cipher and use domestic-strength encryption.
A connection that steps up starts out with 40-bit encryption, then, upon encountering a change-cipher-spec handshake, changes to 128-bit encryption. To check whether a client has stepped up correctly upon encountering a step-up certificate, check that it is using export policy, and that the secret key size is 128 bits.
Examples
The following examples show the output from various sslstrength commands.
Example 1
This example shows output from a command that allows all options to default.
sslstrength myhost.netscape.com
Using domestic policy
Connecting to myhost.netscape.com:443
Using all ciphersuites usually found in client
Your Cipher preference:
id CipherName Domestic Export
a SSL_EN_RC4_128_WITH_MD5 (ssl2) Yes No
b SSL_EN_RC2_128_CBC_WITH_MD5 (ssl2) Yes No
c SSL_EN_DES_192_EDE3_CBC_WITH_MD5 (ssl2) Yes No
d SSL_EN_DES_64_CBC_WITH_MD5 (ssl2) Yes No
e SSL_EN_RC4_128_EXPORT40_WITH_MD5 (ssl2) Yes Yes
f SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5 (ssl2) Yes Yes
i SSL_RSA_WITH_RC4_128_MD5 (ssl3) Yes Step-up only
j SSL_RSA_WITH_3DES_EDE_CBC_SHA (ssl3) Yes Step-up only
k SSL_RSA_WITH_DES_CBC_SHA (ssl3) Yes No
l SSL_RSA_EXPORT_WITH_RC4_40_MD5 (ssl3) Yes Yes
m SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (ssl3) Yes Yes
o SSL_RSA_WITH_NULL_MD5 (ssl3) Yes Yes
p SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (ssl3) Yes No
q SSL_RSA_FIPS_WITH_DES_CBC_SHA (ssl3) Yes No
SSL Connection Status
Cipher: RC4
Key Size: 128
Secret Key Size: 128
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Subject: CN=myhost.netscape.com, OU=E-Store Merchant Server, O=Netscape Communications Corp., L=Mountain View, ST=California, C=US
Valid: from Fri Oct 02, 1998 to Sat Oct 02, 1999
Example 2
This example shows output from a command that limits the client to three ciphers.
sslstrength myhost.netscape.com ciphers=jkl
Using domestic policy
Connecting to myhost.netscape.com:443
Your Cipher preference:
id CipherName Domestic Export
j SSL_RSA_WITH_3DES_EDE_CBC_SHA (ssl3) Yes Step-up only
k SSL_RSA_WITH_DES_CBC_SHA (ssl3) Yes No
l SSL_RSA_EXPORT_WITH_RC4_40_MD5 (ssl3) Yes Yes
SSL Connection Status
Cipher: 3DES-EDE-CBC
Key Size: 168
Secret Key Size: 168
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Subject: CN=myhost.netscape.com, OU=E-Store Merchant Server, O=Netscape Communications Corp., L=Mountain View, ST=California, C=US
Valid: from Fri Oct 02, 1998 to Sat Oct 02, 1999
Example 3
This example shows output from a command that sets the client's policy to enable standard export ciphers.
sslstrength myhost.netscape.com policy=export
Using export policy
Connecting to myhost.netscape.com:443
Using all ciphersuites usually found in client
Your Cipher preference:
id CipherName Domestic Export
e SSL_EN_RC4_128_EXPORT40_WITH_MD5 (ssl2) Yes Yes
f SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5 (ssl2) Yes Yes
i SSL_RSA_WITH_RC4_128_MD5 (ssl3) Yes Step-up only
j SSL_RSA_WITH_3DES_EDE_CBC_SHA (ssl3) Yes Step-up only
l SSL_RSA_EXPORT_WITH_RC4_40_MD5 (ssl3) Yes Yes
m SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (ssl3) Yes Yes
o SSL_RSA_WITH_NULL_MD5 (ssl3) Yes Yes
SSL Connection Status
Cipher: RC4-40
Key Size: 128
Secret Key Size: 40
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Subject: CN=myhost.netscape.com, OU=E-Store Merchant Server, O=Netscape Communications Corp., L=Mountain View, ST=California, C=US
Valid: from Fri Oct 02, 1998 to Sat Oct 02, 1999
Previous Contents Index Next
Copyright © 2002 Sun Microsystems, Inc. All rights reserved.
Last Updated October 07, 2002