Checking the Validity of SSL Certs with Vessl

Deanx has released a tool called Vessl (Verify SSL).  It's a command-line tool which performs a large number of checks on the validity of SSL certificates.

It can check for lots of mundane issues like expired certs, self-signed certificates, etc.  The killer feature for me, though, is that it uses a database of PEM files (a CA trust store) to determine if the site would be trusted by your browser.  It can pretty much answer the question "If I browse to this site, will my browser throw up a warning message?".  This means that on large internal networks, I no longer have to browse to each SSL service to see if it would be trusted by my browser.

Checking that SSL certificates are signed by a trusted CA is an important thing to check during a pentest (but possibly one of the most tedious).  If SSL certificates aren’t signed properly, users will probably get a warning message each time they connect.  They’ll get used to dismissing these warnings, leaving themselves open to man-in-the-middle attacks.
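To make the "would my browser warn?" check concrete, here is an added example (not Vessl's own code, and not from Yaptest) that does the same kind of check with nothing but the Python standard library: it handshakes with each host:port using a client that trusts only the certificates in a PEM bundle, then reduces the outcome to a single finding (trusted, untrusted CA, self-signed, expired, hostname mismatch, and so on). The script name `vessl_check.py`, the `-CAfile` option and the 30-day expiry threshold are assumptions of this example; the OpenSSL verify codes are the standard values from `x509_vfy.h`.

```python
#!/usr/bin/env python3
"""Vessl-style "would the browser warn?" check (added illustration, not Vessl's code).

Each host:port is handshaken with a client that trusts only the CA
certificates in a PEM bundle (the browser trust store stand-in). The
outcome is reduced to: trusted, or one finding explaining the warning
a user would see.
"""
import socket
import ssl
import sys
import time

# OpenSSL X509 verify result codes, from openssl/x509_vfy.h; Python exposes
# them as SSLCertVerificationError.verify_code. Only the common ones are listed.
VERIFY_CODES = {
    2: "issuer certificate missing from chain",
    9: "certificate not yet valid",
    10: "certificate has expired",
    18: "self-signed certificate (leaf)",
    19: "self-signed root not present in trust store",
    20: "issuing CA not present in trust store",
    21: "unable to verify the first certificate",
    62: "hostname does not match the certificate",
}
EXPIRY_WARN_DAYS = 30  # assumed threshold: flag certificates that expire soon


def classify(verify_code):
    """Map an OpenSSL verify code to a human-readable finding."""
    return VERIFY_CODES.get(verify_code, "verification failed (OpenSSL code %d)" % verify_code)


def days_until_expiry(not_after, now_ts=None):
    """Days left on a cert, given the notAfter string as getpeercert() returns it,
    e.g. 'Jan  1 00:00:00 2030 GMT'. Negative means already expired."""
    expiry_ts = ssl.cert_time_to_seconds(not_after)
    now_ts = time.time() if now_ts is None else now_ts
    return int((expiry_ts - now_ts) // 86400)


def count_bundle_certs(pem_text):
    """Number of certificates in a PEM bundle (the trust 'database' being consulted)."""
    return pem_text.count("-----BEGIN CERTIFICATE-----")


def check_endpoint(host, port=443, cafile=None, timeout=5.0):
    """Handshake with host:port trusting only `cafile` (None = the OS default store).

    Returns a dict: trusted (bool), finding (str), days_left (int or None).
    """
    ctx = ssl.create_default_context(cafile=cafile)   # verifies chain and hostname
    result = {"host": host, "port": port, "trusted": False, "finding": None, "days_left": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()      # only populated once verification succeeded
                result["trusted"] = True
                result["days_left"] = days_until_expiry(cert["notAfter"])
                if result["days_left"] <= EXPIRY_WARN_DAYS:
                    result["finding"] = "trusted but expires in %d days" % result["days_left"]
                else:
                    result["finding"] = "chain verifies and hostname matches"
    except ssl.SSLCertVerificationError as exc:
        # Raised during the handshake when the chain or hostname is rejected.
        result["finding"] = classify(exc.verify_code)
    except (ssl.SSLError, OSError) as exc:
        result["finding"] = "handshake/connection error: %s" % exc
    return result


def summarize(result):
    """One report line per endpoint: OK means no browser warning, WARN otherwise."""
    healthy = result["trusted"] and result["days_left"] > EXPIRY_WARN_DAYS
    status = "OK  " if healthy else "WARN"
    return "%s %s:%d  %s" % (status, result["host"], result["port"], result["finding"])


if __name__ == "__main__":
    # usage: python3 vessl_check.py [-CAfile bundle.pem] host[:port] ...
    args = sys.argv[1:]
    cafile = None
    if args[:1] == ["-CAfile"]:
        cafile = args[1]
        args = args[2:]
    for target in args:
        host, _, port = target.partition(":")
        print(summarize(check_endpoint(host, int(port or 443), cafile)))
```

Point `-CAfile` at the same bundle your browsers ship with (or your organisation's internal root bundle) and the OK/WARN column answers the post's question for every internal service in one run; the verify-code table is what turns OpenSSL's numeric failure reason into the kind of finding a pentest report needs.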

Deanx also contributed a Yaptest module to automatically run Vessl against SSL services.  The new module will be included in Yaptest v0.1.6 (not released yet at the time of posting).
