Latest commit: aeris, 416737d33c "Move checks from grade to server/cert/key/dh" (4 years ago)
CryptCheck is a Ruby toolbox that helps anyone check the security level of a cryptographic setup and its compliance with best practices.
CryptCheck is released under the AGPLv3+ license.
**/!\ This tool uses custom weakened builds of the OpenSSL library and of the OpenSSL Ruby extension /!\**
Those builds are cryptographically weakened so that (very) weak and now totally deprecated ciphers can be tested.
Don’t deploy it on a production machine, to avoid any security trouble, or use a VM to isolate it!
You need a fully operational Ruby stack. Because of the warning above, don’t use your system Ruby.
The currently supported Ruby stack is v2.2.2.
To be able to test for (very) weak ciphers and to have access to DH parameters, CryptCheck needs a custom build of the OpenSSL library and a patched build of the OpenSSL Ruby extension.
Once you have cloned the CryptCheck repository, just run `make` inside it to build the needed libraries.
If `make` fails with the following error:
make: *** No rule to make target 'lib/libssl.so.1.0.0', needed by 'libs'. Stop.
just run `make` again (if you understand this problem, contact me!).
The built libraries (libcrypto.so, libssl.so and openssl.so) are located under the lib directory.
CryptCheck uses LD_LIBRARY_PATH and a Ruby load path hack to inject those weakened libraries instead of the system ones.
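As an added check that is not part of CryptCheck, the following Ruby script reports which OpenSSL extension and runtime library the current process actually loaded and whether they come from a custom build directory (assumed here to be CryptCheck's ./lib). Run it with the same LD_LIBRARY_PATH and load path as the runners to confirm the weakened build is active, and under your system Ruby to confirm the weakened libraries have not leaked there.

```ruby
# Added example, not CryptCheck's own code: report where the loaded OpenSSL
# extension and library come from, to tell a weakened sandbox build from the
# system one. lib_dir is assumed to be the directory holding the custom builds.
require 'openssl'
require 'pathname'

# Describe the OpenSSL actually in use by this Ruby process.
def openssl_origin(lib_dir)
  lib_dir = Pathname.new(lib_dir).expand_path.to_s
  # The native extension shows up in $LOADED_FEATURES once 'openssl' is required
  # (openssl.so on Linux, openssl.bundle on macOS).
  ext = $LOADED_FEATURES.find { |f| f.end_with?('/openssl.so', '/openssl.bundle') }
  ext_path = ext ? Pathname.new(ext).expand_path.to_s : nil
  # Injected means the extension was loaded from lib_dir via the load path hack.
  injected = ext_path ? ext_path.start_with?(lib_dir + '/') : false
  ld_dirs = ENV.fetch('LD_LIBRARY_PATH', '').split(File::PATH_SEPARATOR)
  header_version = OpenSSL::OPENSSL_VERSION            # headers the ext was built against
  library_version = OpenSSL::OPENSSL_LIBRARY_VERSION   # libssl/libcrypto loaded at runtime
  {
    extension: ext_path,
    header_version: header_version,
    library_version: library_version,
    # A mismatch is a hint that LD_LIBRARY_PATH swapped the runtime library.
    version_mismatch: header_version != library_version,
    ld_library_path_has_lib: ld_dirs.include?(lib_dir),
    injected: injected
  }
end

# True when the process appears to be using the custom (weakened) build.
def weakened_build?(lib_dir)
  openssl_origin(lib_dir)[:injected]
end

if __FILE__ == $PROGRAM_NAME
  info = openssl_origin(ARGV.fetch(0, File.join(Dir.pwd, 'lib')))
  info.each { |k, v| puts "#{k}: #{v.inspect}" }
  warn 'WARNING: weakened OpenSSL build in use, do not use this Ruby in production' if info[:injected]
end
```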
CryptCheck relies on a few Ruby libraries, managed with Bundler.
To fetch and install them, just run Bundler.
Simply run the runner corresponding to what you want to test (for example bin/check_https).
If you want more information about what is going on under the hood, run the command with debug enabled, like:
bin/check_https example.org debug
The rank goes from “A+” (perfect) to “F” (very weak).
“M” means your certificate and your hostname mismatch.
“T” means your certificate is not issued by a valid root certificate authority.
Only a perfect setup gets a perfect score and an “A” rank :).
The “A” score is based on RFC 7525 recommendations.