MrValdez

Reputation: 8613

How would you test an SSL connection?

I'm experimenting with OpenSSL on my network application and I want to test if the data sent is encrypted and can't be seen by an eavesdropper.

What tools can you use to check? Could this be done programmatically so it could be placed in a unit test?

Upvotes: 31

Views: 92239

Answers (7)

f01

Reputation: 1856

I found this guide very helpful. These are some of the tools that he used:

$ openssl s_client -connect mail.prefetch.net:443 -state -nbio 2>&1 | grep "^SSL"

$ ssldump -a -A -H -i en0

$ ssldump -a -A -H -k rsa.key -i en0

$ ssldump -a -A -H -k rsa.key -i en0 host fred and port 443

Upvotes: 21

Oli

Reputation: 1782

As mentioned before http://www.wireshark.org/, you can also use Cain & Abel to redirect the traffic to a 3rd machine and analyze the protocol from there.

Upvotes: 0

RodgerB

Reputation: 8658

Franci Penov made an answer to one of my questions "Log Post Parameters sent to a website", suggesting I take a look at Fiddler: http://www.fiddler2.com/fiddler2/

I tried it and it works beautifully, if you're interested in viewing HTTP requests. :)

Upvotes: 4

Mark Brackett

Reputation: 85625

openssl has an s_client, which is a quick and dirty generic client that you can use to test the server connection. It'll show the server certificate and negotiated encryption scheme.

Upvotes: 23

Slav

Reputation: 596

Yeah - Wireshark (http://www.wireshark.org/) is pretty cool (filters, reports, stats).

As to testing, you could do it as a part of integration tests (there are some command line options in Wireshark).

Upvotes: 1

Ciryon

Reputation: 2777

For a quick check you can use Wireshark (formerly known as Ethereal) to see if your data is transmitted in plain-text or not.

Upvotes: 0

Paul Whelan

Reputation: 16809

Check out Wireshark http://www.wireshark.org/

and tcpdump http://en.wikipedia.org/wiki/Tcpdump

Not sure about integrating these into unit tests. They will let you look at a very low level what's going on at the network level.

Perhaps for the unit test determine what the stream looks like unencrypted and make sure the encrypted stream is not similar.

Upvotes: 10
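
One way to turn the "make sure the stream on the wire does not look like the plaintext" idea into a unit test, as an added example that is not from any of the answers above. It assumes the test has the raw captured bytes of one direction of the connection (for instance from a recording proxy or a tcpdump capture); the function names, marker and sample captures are constructed for illustration. It checks TLS record framing and the absence of a known marker only, not certificate validity or cipher strength.

```python
import struct

# TLS record content types (RFC 8446, section 5.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
MAX_FRAGMENT = 2**14 + 2048  # largest ciphertext fragment TLS 1.2 allows

def parse_tls_records(stream):
    """Split captured bytes into (type_name, fragment) TLS records.

    Raises ValueError when the bytes do not follow TLS record framing."""
    records, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("truncated record header")
        ctype, major, _minor, length = struct.unpack_from("!BBBH", stream, pos)
        if ctype not in CONTENT_TYPES or major != 3 or length > MAX_FRAGMENT:
            raise ValueError(f"bad record header at offset {pos}")
        fragment = stream[pos + 5:pos + 5 + length]
        if len(fragment) != length:
            raise ValueError("truncated record body")
        records.append((CONTENT_TYPES[ctype], fragment))
        pos += 5 + length
    return records

def check_capture(stream, marker):
    """Return a list of problems; an empty list means the capture passed."""
    try:
        records = parse_tls_records(stream)
    except ValueError as exc:
        return [f"not TLS framing: {exc}"]
    problems = []
    if not any(name == "application_data" for name, _ in records):
        problems.append("no application_data record seen")
    # Search the raw stream and the joined fragments (marker split over records).
    if marker in stream or marker in b"".join(f for _, f in records):
        problems.append("known plaintext found on the wire")
    return problems

def record(ctype, fragment):
    """Build one constructed TLS 1.2 record for the sample captures below."""
    return struct.pack("!BBBH", ctype, 3, 3, len(fragment)) + fragment

# Constructed sample data: bytes >= 0x80 stand in for ciphertext.
MARKER = b"password=hunter2"
FAKE_CIPHERTEXT = bytes(range(128, 192))
ENCRYPTED = record(22, FAKE_CIPHERTEXT) + record(20, b"\x01") + record(23, FAKE_CIPHERTEXT)
CLEARTEXT = b"POST /login HTTP/1.1\r\n\r\n" + MARKER
LEAKY = record(22, FAKE_CIPHERTEXT) + record(23, b"user=bob&" + MARKER)
```

In a real test, send a unique marker string through the application and pass the captured bytes to `check_capture`; the `LEAKY` case shows why correct framing alone is not enough.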
