rohithadassanayake / sslyze

Automatically exported from code.google.com/p/sslyze

Support for detecting extensions supported by a scanned server.

GoogleCodeExporter opened this issue · comments

TLS now supports extensions, some of which have an impact on security; for example,
OCSP Stapling makes it possible for a client to reliably get the revocation
status of the server's certificate.

OpenSSL v0.9.8h added support for this extension; if you pass -status, it checks
it.

The Comodo SSL Scanner includes a check for this:
https://sslanalyzer.comodoca.com/?url=LOGIN.LIVE.COM

It would also be helpful to check for other extensions like SNI, since it's
needed to manage v4 address depletion until v6 is fully viable.

Original issue reported on code.google.com by ryan.hu...@gmail.com on 29 Mar 2012 at 4:02
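The `-status` check mentioned in the report above, as an added example that is not part of the original thread or of sslyze: it classifies `openssl s_client -status` output as stapled or not. The function names and the sample transcripts are constructed for illustration.

```shell
#!/bin/sh
# Added example: interpret `openssl s_client -status` output for OCSP stapling.

# Reads s_client output on stdin; prints stapled:<cert status>, stapled-error,
# not-stapled, or unknown (no handshake output, e.g. the connection failed).
classify_stapling() {
    awk '
        /OCSP response: no response sent/ { none = 1 }
        /OCSP Response Status:/ { status = $0; sub(/.*OCSP Response Status: */, "", status) }
        /Cert Status:/          { cert = $3 }
        END {
            if (status ~ /^successful/ && cert != "") print "stapled:" cert
            else if (status != "")                    print "stapled-error"
            else if (none)                            print "not-stapled"
            else                                      print "unknown"
        }'
}

# Live check (hypothetical helper). -status sends the status_request
# extension; -servername sends SNI so the right virtual host answers.
check_host() {
    openssl s_client -connect "$1:443" -servername "$1" -status </dev/null 2>/dev/null |
        classify_stapling
}

# Constructed, abridged sample output from a server that staples.
sample_stapled() {
cat <<'EOF'
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================
EOF
}

# Constructed sample output from a server that does not staple.
sample_unstapled() {
cat <<'EOF'
CONNECTED(00000003)
OCSP response: no response sent
EOF
}
```

A "not-stapled" result only means the server sent no stapled response on this handshake; the certificate's revocation status then has to be fetched from the CA's OCSP responder or CRL.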

Thanks for the feedback.
That would be useful indeed. OpenSSL provides no documentation at all when it
comes to TLS extensions, which makes using them much harder, but we'll see.

Original comment by nabla.c...@gmail.com on 2 Apr 2012 at 3:17

  • Changed state: Accepted

Issues are now tracked on GitHub:
https://github.com/nabla-c0d3/sslyze/issues/3

Original comment by nabla.c...@gmail.com on 8 Jul 2012 at 11:30

  • Changed state: Invalid