ivanr/ssl-dos

This branch is 3 commits ahead of vincentbernat:master.

Various tools to assess SSL resistance to DoS

  • server-vs-client measures the computational difference between server and client. It needs a cipher suite (from openssl ciphers) and an appropriate certificate for the server side. Test it with RSA, DH, DSS, ECDH, ECDSA. If it cannot complete any handshake, check that your certificate is compatible with the given cipher suite. Check with openssl s_client and openssl s_server.

  • iptables.sh is a set of iptables rules to help avoid SSL DoS. Note that these rules rely heavily on heuristics. It is possible to evade them and they can flag false positives. Be cautious.

  • brute-shake will do a lot of parallel handshakes against a server without doing any crypto operation (while the server will do a lot of them). Because it could be abused to take down an SSL server, it only uses the NULL-MD5 cipher suite. No serious SSL server will accept this kind of cipher suite.

You can find more information in this article: http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
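
The kind of asymmetry server-vs-client measures, sketched for RSA key exchange as an added example (not code from this repository): the client performs one public-key operation, the server one private-key operation. It assumes raw RSA without padding or CRT and a throwaway key generated from a fixed seed; all function names are hypothetical.

```python
import random
import time

def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # no square root of 1 reached n-1: composite
    return True

def gen_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # full size, odd
        if is_probable_prime(c, rng):
            return c

def gen_rsa(bits, rng, e=65537):
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)

def handshake_cost(bits=2048, trials=20, seed=1):
    """Return (client_seconds, server_seconds, roundtrip_ok) for raw RSA."""
    rng = random.Random(seed)  # constructed test key, NOT secure randomness
    n, e, d = gen_rsa(bits, rng)
    secrets = [rng.randrange(2, n) for _ in range(trials)]
    t0 = time.perf_counter()
    ciphertexts = [pow(m, e, n) for m in secrets]    # client: public-key op
    t1 = time.perf_counter()
    recovered = [pow(c, d, n) for c in ciphertexts]  # server: private-key op
    t2 = time.perf_counter()
    return t1 - t0, t2 - t1, recovered == secrets
```

Production TLS stacks use CRT for the private-key operation, which narrows the gap but does not remove it; server-vs-client measures the real figure for a given cipher suite and certificate.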

Languages

  • C 79.7%
  • Python 8.6%
  • Shell 8.5%
  • Makefile 3.2%