Why You Need IDontSpeakSSL in Your Life


You’ve Already Heard of testssl.sh; Now, Meet IDontSpeakSSL.

What is it? It’s a simple script designed for parsing testssl.sh results. It was created to automate the discovery of bad practices in SSL/TLS configurations, cipher suites, and certificates. It is most useful on projects with a broader scope; for example, it is highly efficient during internal or external network penetration testing.

What Does IDontSpeakSSL Do?

IDontSpeakSSL is a Python 3-based script designed to speed up testssl.sh and parse the results with the goal of producing a report written in HTML.

Testssl.sh is an easy and powerful tool for scanning SSL/TLS configurations and retrieving information on a certificate used by a remote server. Its output is clear, and it provides the user with information on all identified issues. For sysadmins, this makes it easier to correct and harden server configuration.

To work, testssl.sh uses configuration files and regular expressions to parse results and list all assets that are affected by a finding.

testssl.sh is Great. Why Do We Need IDontSpeakSSL?

Yeah, yeah, testssl.sh is a great tool that serves a very necessary purpose. But the truth is that the tool can be slow, and it is often difficult to use on projects with larger scopes. This ultimately doesn’t make the tool very efficient or ideal for larger projects.

IDontSpeakSSL, on the other hand, allows a user to gather information on every asset impacted by a particular vulnerability. It speeds up the scan by running multiple instances of testssl.sh scans in parallel (in fact, the default setting sits at eight). It also relies on a queue system to keep track of all remaining hosts and to run a new scan as soon as another is finished.
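The scan queue described above, together with the regular-expression parsing mentioned earlier, as an added sketch (not IDontSpeakSSL's own code). The finding patterns and the sample output are constructed for illustration; `--color 0` asks testssl.sh for uncoloured text.

```python
import queue
import re
import subprocess
import threading

# Hypothetical finding patterns; IDontSpeakSSL's real configuration files are not shown here.
FINDINGS = {
    "SSLv3 offered": re.compile(r"^\s*SSLv3\s+offered", re.M),
    "Expired certificate": re.compile(r"^\s*Certificate Validity.*expired", re.M | re.I),
}
# Constructed sample output, loosely shaped like testssl.sh text, so the demo runs offline.
SAMPLE = {
    "a.example": " SSLv3      offered (NOT ok)\n TLS 1.2    offered (OK)\n",
    "b.example": " SSLv3      not offered (OK)\n Certificate Validity (UTC)  expired\n",
    "c.example": " SSLv3      not offered (OK)\n",
}

def run_testssl(host):
    """Default runner: one testssl.sh process per host, output captured as text."""
    cmd = ["testssl.sh", "--color", "0", host]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def scan_all(hosts, run_scan=run_testssl, workers=8):
    """Fixed pool of workers; each one pulls the next queued host as soon as it is free."""
    todo, results, lock = queue.Queue(), {}, threading.Lock()
    for host in hosts:
        todo.put(host)
    def worker():
        while True:
            try:
                host = todo.get_nowait()
            except queue.Empty:
                return  # queue drained, worker exits
            try:
                output = run_scan(host)
            except Exception as exc:  # one failed scan must not stop the pool
                output = f"scan error: {exc}"
            with lock:
                results[host] = output
    threads = [threading.Thread(target=worker) for _ in range(min(workers, len(hosts)))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results

def affected_assets(results):
    """Map each finding to the sorted list of hosts whose scan output matches it."""
    return {n: sorted(h for h, o in results.items() if rx.search(o)) for n, rx in FINDINGS.items()}

if __name__ == "__main__":
    print(affected_assets(scan_all(list(SAMPLE), run_scan=SAMPLE.get)))
```

Passing a different `run_scan` callable lets the queue logic be exercised without testssl.sh installed, which is how the constructed sample is used here.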

So What Problem Does IDontSpeakSSL Solve?

IDontSpeakSSL makes a good thing even better. This tool enables auditors or sysadmins to earn back some precious time and obtain a clear output of bad SSL/TLS configuration and certificate errors.

Look below for some screenshots showing the tool in action.


Figure 1 – Showing how an IDontSpeakSSL scan works


Figure 2 – An example of the report produced by IDontSpeakSSL

Sounds Good. Where Do I Find IDontSpeakSSL?

You can download the tool for use at the Bishop Fox GitHub. Feel free to tell us about any problems you run into, or to share feedback on the user experience, by contacting us on Twitter (@BishopFox).

For more information on testssl.sh, please visit testssl.sh.


About the author, Florian Nivette

Senior Security Consultant

Florian Nivette (CEH, CHFI, CEI, GSNA) is a Bishop Fox Alumnus who was a Senior Security Consultant at Bishop Fox, where he focused on application and network penetration testing and in-depth OS-level security. Florian is an active security researcher focusing on web applications, with a number of published CVEs (CVE-2018-11349, CVE-2018-11350, CVE-2018-11351, CVE-2018-13407, CVE-2018-11408, CVE-2018-13409, CVE-2017-77737, CVE-2017-5870, and CVE-2017-6086). He is one of the chief organizers of Nuit du Hack CTF, the largest and most well-known capture-the-flag competition in France, which draws thousands of security researchers annually.
