You’ve Already Heard of testssl.sh; Now, Meet IDontSpeakSSL.
What is it? It’s a simple script designed to parse testssl.sh results. It was created to automate the discovery of bad practices in SSL/TLS configuration, cipher suites, and certificates. It is most useful on projects with a broad scope; for example, it is highly efficient when performing internal or external network penetration tests.
What Does IDontSpeakSSL Do?
IDontSpeakSSL is a Python 3 script designed to speed up testssl.sh scans and parse their results into an HTML report.
testssl.sh is an easy-to-use and powerful tool for scanning SSL/TLS configurations and retrieving information on the certificate used by a remote server. Its output is clear, and it gives the user details on every identified issue. For sysadmins, this makes it easier to correct and harden a server configuration.
To do this, it uses configuration files and regular expressions to parse the results and list all assets that are affected by a finding.
testssl.sh is Great. Why Do We Need IDontSpeakSSL?
Yeah, yeah, testssl.sh is a great tool that serves a very necessary purpose. But the truth is that the tool can be slow, and it is often difficult to use on projects with larger scopes, which makes it inefficient for large engagements.
IDontSpeakSSL, on the other hand, lets a user gather information on every asset affected by a particular vulnerability. It speeds up the work by running multiple testssl.sh scans in parallel (eight by default). It also relies on a queue system to keep track of all remaining hosts and to start a new scan as soon as another one finishes.
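To make that scheduling concrete, here is an added example (not the tool's own code, which is on the Bishop Fox GitHub) of the queue-plus-workers design with a regex pass over scan output: up to eight threads drain a host queue, each worker takes the next host as soon as its scan finishes, and every result is bucketed by finding so the report lists all assets affected by each issue. The finding patterns, the host names and the testssl.sh-style sample output are constructed for the example, and `fake_scan` stands in for invoking testssl.sh.

```python
import queue
import re
import threading
from collections import defaultdict

# Hypothetical finding table: the real tool keeps such patterns in config files;
# these regexes are constructed for the example and match testssl.sh-style lines.
FINDING_PATTERNS = {
    "SSLv3 offered": re.compile(r"SSLv3\s+offered"),
    "TLS 1.0 offered": re.compile(r"TLS 1\s+offered"),
    "RC4 ciphers": re.compile(r"RC4.*VULNERABLE"),
    "Untrusted certificate chain": re.compile(r"Chain of trust\s+NOT ok"),
}

def parse_testssl_output(output):
    # Names of every finding whose pattern appears in one scan's output.
    return {name for name, pat in FINDING_PATTERNS.items() if pat.search(output)}

def scan_hosts(hosts, run_scan, workers=8):
    # Remaining hosts sit in a queue; a worker takes the next one as soon as its
    # current scan finishes, so at most `workers` scans run at the same time.
    pending = queue.Queue()
    for host in hosts:
        pending.put(host)
    report, lock = defaultdict(set), threading.Lock()

    def worker():
        while True:
            try:
                host = pending.get_nowait()
            except queue.Empty:
                return
            findings = parse_testssl_output(run_scan(host))
            with lock:  # merge this host into the per-finding asset lists
                for finding in findings:
                    report[finding].add(host)

    threads = [threading.Thread(target=worker) for _ in range(min(workers, len(hosts)))]
    for t in threads: t.start()
    for t in threads: t.join()
    return {finding: sorted(affected) for finding, affected in report.items()}

# Constructed sample output in the style of testssl.sh, so the example runs offline;
# in real use run_scan would invoke testssl.sh on the host via subprocess.
SAMPLE_OUTPUT = {
    "10.0.0.1:443": " SSLv3      offered (NOT ok)\n TLS 1      offered (deprecated)\n RC4  not vulnerable (OK)\n",
    "10.0.0.2:443": " SSLv3      not offered (OK)\n TLS 1      offered (deprecated)\n RC4  VULNERABLE (NOT ok)\n",
    "10.0.0.3:8443": " TLS 1      not offered (OK)\n Chain of trust  NOT ok (self signed)\n",
}

def fake_scan(host):
    return SAMPLE_OUTPUT.get(host, "")
```

Calling `scan_hosts(list(SAMPLE_OUTPUT), fake_scan)` returns each finding mapped to the sorted list of hosts it affects, which is the per-finding view the HTML report is built from.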
So What Problem Does IDontSpeakSSL Solve?
IDontSpeakSSL makes a good thing even better. This tool lets auditors and sysadmins win back some precious time and get a clear view of bad SSL/TLS configurations and certificate errors.
Look below for some screenshots showing the tool in action.
Figure 1 – Showing how an IDontSpeakSSL scan works.
Figure 2 – An example of the report produced by IDontSpeakSSL
Sounds Good. Where Do I Find IDontSpeakSSL?
You can download the tool from the Bishop Fox GitHub. Feel free to tell us about any problems you run into, or to give feedback on the user experience, by contacting us on Twitter (@BishopFox).
Florian Nivette (CEH, CHFI, CEI, GSNA) is a Security Associate at Bishop Fox, where he focuses on application and network penetration testing as well as in-depth OS-level security.
For more information on testssl.sh, please visit testssl.sh.