Você não pode selecionar mais de 25 tópicos Os tópicos devem começar com uma letra ou um número, podem incluir traços ('-') e podem ter até 35 caracteres.
aeris b83cda618a Change dependencies for dev 1 ano atrás
bin Binaries for new version 1 ano atrás
lib As usual, ECDSA/ECDHE is nightmare. Need to use at least the ECDSA curve 1 ano atrás
output New servers for regular analysis 2 anos atrás
spec Fix faketime for tests 1 ano atrás
.gitignore Change dependencies for dev 1 ano atrás
.rspec Better rspec output 2 anos atrás
Gemfile Better rspec output 2 anos atrás
LICENSE Initial commit 5 anos atrás
Makefile Fix badly named patch 1 ano atrás
README.md Readme 4 anos atrás
cryptcheck.gemspec Change dependencies for dev 1 ano atrás
disable_digest_check.patch Fix badly named patch 1 ano atrás
fallback_scsv.patch Update patches 2 anos atrás
multiple_certs.patch Fix certs and keys pointing to the same variable 2 anos atrás
set_ecdh_curves.patch Update patches 2 anos atrás
tmp_key.patch Update patches 2 anos atrás



CryptCheck is a Ruby toolbox that help anybody to check for cryptography security level and best practices compliance.

CryptCheck is released under AGPLv3+ license.

Preliminary warning

*/!\ This tool use custom weak builds of OpenSSL library and OpenSSL Ruby extension /!*.

Those builds are cryptographically weaken to be able to test for (very) weak and today totally deprecated ciphers.

Don’t deploy it on production machine to avoid any security troubles, or use VM to isolate them !



You need a fully operationnal Ruby stack. Because of the warning above, don’t use your system Ruby.

I recommend to use RBEnv and it Ruby-build plugin to build a new ruby environment instead of your system one.

Currently supported Ruby stack is v2.2.2.

OpenSSL library and Ruby extension

To be able to test for (very) weak ciphers and to have access to DH parameters, CryptCheck need custom build of OpenSSL library and patched build of OpenSSL Ruby extension.

Once you have cloned CryptCheck repository, just run make inside to build the needed libraries.

If make fails with the following error :

make: *** No rule to make target 'lib/libssl.so.1.0.0', needed by 'libs'.  Stop.

just run again make (if you understand this problem, contact me !).

The built libraries (libcrypto.so, libssl.so and openssl.so) are located under the lib directory.
CryptCheck use LD_LIBRARY_PATH and Ruby load path hack to inject those weaken libraries instead of the system ones.

Ruby dependencies

CryptCheck relies on few Ruby libraries, managed with Bundler.

To fetch and install them, just run bundle install.


Simply run the corresponding runner of what you want to test :

  • HTTPS : bin/check_https example.org
  • XMPP : bin/check_xmpp example.org
  • SMTP : bin/check_smtp example.org

If you want more information of what is going on under the hood, run the command with debug enabled, like bin/check_https example.org debug

Understanding results

Rank goes from “A+” (perfect) to “F” (very weak).
“M” means your certificate and your hostname mismatch.
“T” means your certificate is not issued by a valid root certificate authority.

Only a perfect setup gets a perfect score and a “A” rank :).
“A” score is based on RFC 7525 recommandations.

  • Protocol
    • SSL (v2 and v3) are totally deprecated now, because of very serious known vulnerabilities (Poodle…). Using one of them cap your rank to ”F”.
    • TLSv1 and TLSv1.1 suffer of the Poodle TLS vulnerability.
    • TLSv1.2 is the only remaining protocol with no known vulnerabilities, so if you don’t support it, your rank is cap to “B”.
  • Key size
    • If you use certificate key less than 2048 bits, your rank is cap to “B”.
  • Ciphers

    • Very weak ciphers, including MD5 hash, anonymous DH parameters, NULL ciphers (yes, it exits…), export ciphers (Freak) or weak ciphers (RC4, DES…) cap your rank to “F”.
    • 3DES is considered weak and must be avoided, using it cap your score to “C”.
  • Score

    • Protocol score is based on the weakest protocol you support :
      SSLv2 = 0, SSLv3 = 20, TLSv1 = 60, TLSv1.1 = 80, TLSv1.2 = 100.
    • Key score is based on your certificate key size :
      <512 = 10, <1024 = 20, <2048 = 50, <4096 = 90, ≥4096 = 100.
    • Cipher score is based on the weakest cipher you support :
      0 = 0, <112 = 10, <128 = 50, <256 = 90, ≥256 = 100.
    • Overall score is based on the other scores :
      overall = 0.3 * protocol + 0.3 * key + 0.4 * cipher
  • Best practices

    • PFS : you gain this flag when you support only perfect forward secrecy ciphers (DHE or ECDHE)
    • HSTS : you gain this flag when you protect yourself with HTTP Strict Transport Security.
    • Long HSTS : you gain this flag when you support HSTS with a duration of at least 6 monthes.
  • Rank

    • Rank is based on your overall score and above caps :
      <20 = F, <35 = E, <50 = D, <65 = C, <80 = B, ≥80 = A.
    • If you get an “A” and you have all the best practices above, you get “A+”.