18 posts categorized "cnark"


CryptoNark 0.5 Released

It has been a while since the last release but here's new version 0.5 of CryptoNark. New features and changes in this release include the following (but are mainly centered on certificate validation):

  • Modifed DHE- cipher strings to note that they also support Forward Secrecy
  • Added more OpenSSL version strings. This is now current to the most recent OpenSSL version
  • CryptoNark will check to see if you are running 0.9.8l or less and warn that your version doesn't support secure client renegotation.
  • The cert_info() subroutine has been modified to use the AES265-SHA cipher from RC4-SHA. This is purely just to support the eventual phasing out of RC4 ciphers
  • The cert_info() subroutine now displays the expiration date of the peer certificate
  • Finally, a behavior change, which works around a problem reported when running against a server using a self-signed certificate. A server using a self-signed certificate no longer fails certificate validation. This might seem counter to what you're seeing when you connect with a web browser to a web site using a self-signed certificate but keep in mind that if your browser trusts that self-signed certificate, then data and channel encryption isn't much different. The reason behind this change is to workaround an issue that is ultimately going to require a rewrite to how I am doing certificate validation today. Previous versions of CryptoNark would fail certificate validation when using a self-signed certificate but when run with the --insecure switch, some platforms would incorrectly report the bit length of the private key and then croak with a segmentation fault. This version worksaround that issue.

A big thank you to all who have downloaded this over the years and emailed issues to me. As always, downloads are available off of the CryptoNark page.


CryptoNark 0.4.9 Released

Here is another new release of CryptoNark. This release has a new feature: it will check the bit length of the private key on the ssl site or server being scanned and will warn if the bit length is less than 2048 bits. Since many Certificate Authorities will be revoking certificates at the end of this year if the bit length is 1024 bits or less, this is a useful feature if you need to know whether you need to replace that certificate soon.

You can download CryptoNark v0.4.9 from the Downloads page.

This release was tested on perl 5.10.1 and 5.12.5


CryptoNark 0.4.8 Released

So, it has been quite a while since I last posted an update to CryptoNark. Over one year actually. During that time, there have been quite a few high profile vulnerabilities like BEAST, CRIME, TLS Renegotiation. There have also been quite a few improvements to SSL/TLS during that time. OpenSSL 1.0 introduced support for TLS1.2, for example. Today, I'm posting the availability of cryptonark v0.4.8.

Changes and enhancements in CryptoNark v0.4.8:

  • All non-SSL related functionality has been removed from CryptoNark. I personally use it primarily as an ssl tool and there are other tools out there that do a better job of scanning for unsafe URLs or TRACE/TRACK vulnerabilities. Normally, I will use one of my own scripts dedicated to those tasks any way and rarely used cnark's -xl option.
  • Removing the -xl/--kitchen-sink options negates the needs for CPAN modules XML::LibXML, HTTP::Headers, and HTTP::Request.
  • Added OpenSSL version detection. Nothing fancy here but if your openssl version is 1.0.0 or greater. CryptoNark will scan with TLS 1.2 ciphers in addition to SSL2, SSL3, and TLS1.
  • Added elliptic curve (ECDH/ECDHE) cipher suites to SSL3/TLS1/TLS1.2 scans.
  • MD5 ciphers are now flagged as weak.

You can download a copy from the Downloads page and thanks a lot for giving cryptonark a try!