index.rst (2867B)
1 .. _mozilla_projects_nss_nss_tools_sslstrength: 2 3 NSS Tools sslstrength 4 ===================== 5 6 `sslstrength <#sslstrength>`__ 7 ------------------------------ 8 9 .. container:: 10 11 `Summary <#summary>`__ 12 ~~~~~~~~~~~~~~~~~~~~~~ 13 14 .. container:: 15 16 A simple command-line client which connects to an SSL-server, and reports back the encryption 17 cipher and strength used. 18 19 `Synopsis <#synopsis>`__ 20 ~~~~~~~~~~~~~~~~~~~~~~~~ 21 22 .. container:: 23 24 1) sslstrength ciphers 25 2) sslstrength hostname[:port] [ciphers=xyz] [debug] [verbose] [policy=export|domestic] 26 27 `Description <#description>`__ 28 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 29 30 .. container:: 31 32 The first form simple lists out the possible ciphers. The letter in the first column of the 33 output is used to identify the cipher preferences in the ciphers= command. 34 The second form attempts to connect to the named ssl host. The hostname argument must be present. 35 However, the port number is an optional argument, and if not given, will default to the https 36 port (443). 37 38 .. rubric:: Restricting Ciphers 39 :name: restricting_ciphers 40 41 By default, sslstrength assumes that all the preferences are on, so it will use any preferences 42 in your policy. The enabled ciphersuites will always be printed out before the connection is 43 made. If you want to test out a particular cipher, there are two ways to affect which ciphers are 44 available. Firstly, you can set **policy** to be either domestic or export. This restricts the 45 available ciphers to the same set used by Communicator. In addition to this, the **ciphers** 46 command can be used to further restrict the ciphers available. The argument to the ciphers 47 command is a string of characters, where each single character represents a cipher. You can 48 obtain this list of character->cipher mappings by doing 'sslstrength ciphers'. For example, 49 ** ciphers=bfi** will turn on these cipher preferences and turn off all others. 50 51 ** policy=export** or **policy=domestic** will set your policies appropriately. 52 53 | ** policy** will default to domestic if not specified. 54 55 .. rubric:: Step-up 56 :name: step-up 57 58 Step up is a mode where the connection starts out with 40-bit encryption, but due to a 59 'change-cipher-spec' handshake, changes to 128-bit encryption. This is only done in 'export 60 mode', with servers with a special certificate. You can tell if you stepped-up, because the 61 output will says 'using export policy', and you'll find the secret key size was 128-bits. 62 63 `Prerequisites <#prerequisites>`__ 64 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 65 66 .. container:: 67 68 You should have a cert7.db in the directory in which you run sslstrength. 69 70 `Other <#other>`__ 71 ~~~~~~~~~~~~~~~~~~ 72 73 .. container:: 74 75 For references, here is a table of well-known SSL port numbers: 76 77 ===== === 78 HTTPS 443 79 IMAPS 993 80 NNTPS 563 81 ===== ===