{"id":13586825,"url":"https://github.com/aeris/cryptcheck","last_synced_at":"2026-01-19T12:36:40.654Z","repository":{"id":22599081,"uuid":"25941124","full_name":"aeris/cryptcheck","owner":"aeris","description":"Verify some SSL/TLS website or XMPP implementation","archived":false,"fork":false,"pushed_at":"2024-09-27T12:55:52.000Z","size":422,"stargazers_count":187,"open_issues_count":21,"forks_count":18,"subscribers_count":12,"default_branch":"master","last_synced_at":"2025-04-07T18:44:33.365Z","etag":null,"topics":["best-practices","crypto","openssl","ruby","score","tls"],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aeris.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2014-10-29T20:59:20.000Z","updated_at":"2025-02-11T09:36:06.000Z","dependencies_parsed_at":"2025-04-07T18:38:50.435Z","dependency_job_id":"cc377f5c-195a-44c9-9d29-b4b2dabc07b7","html_url":"https://github.com/aeris/cryptcheck","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/aeris/cryptcheck","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aeris%2Fcryptcheck","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aeris%2Fcryptcheck/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aeris%2Fcryptcheck/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aeris%2Fcryptcheck/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/host
s/GitHub/owners/aeris","download_url":"https://codeload.github.com/aeris/cryptcheck/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aeris%2Fcryptcheck/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28567938,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-19T08:53:44.001Z","status":"ssl_error","status_checked_at":"2026-01-19T08:52:40.245Z","response_time":67,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["best-practices","crypto","openssl","ruby","score","tls"],"created_at":"2024-08-01T15:05:50.235Z","updated_at":"2026-01-19T12:36:40.638Z","avatar_url":"https://github.com/aeris.png","language":"Ruby","readme":"# Introduction\nCryptCheck is a Ruby toolbox that helps anybody check the cryptographic security\nlevel and best-practice compliance of a service.\n\nCryptCheck is released under the\n[AGPLv3+](https://www.gnu.org/licenses/agpl-3.0.en.html) license.\n\n# Preliminary warning\n**/!\\ This tool uses custom weak builds of the OpenSSL library and of the OpenSSL Ruby extension /!\\**.\n\nThose builds are cryptographically weakened so that they can test for (very) weak and\nnow totally deprecated ciphers.\n\nDon’t deploy it on a production machine, to avoid any security trouble, or use a VM\nto isolate it!\n\n# Setup\n## Ruby\nYou need a fully operational Ruby stack.\nBecause of the warning above, don’t use your system Ruby.\n\nI recommend using [RBEnv](https://github.com/sstephenson/rbenv) and its\n[Ruby-build](https://github.com/sstephenson/ruby-build) plugin to build a new\nRuby environment instead of your system one.\n\nThe currently supported Ruby stack is v2.2.2.\n\n## OpenSSL library and Ruby extension\nTo be able to test for (very) weak ciphers and to have access to DH parameters,\nCryptCheck needs a custom build of the OpenSSL library and a patched build of the\nOpenSSL Ruby extension.\n\nOnce you have cloned the CryptCheck repository, just run `make` inside it to\nbuild the needed libraries.\n\nIf `make` fails with the following error:\n```\nmake: *** No rule to make target 'lib/libssl.so.1.0.0', needed by 'libs'.  Stop.\n```\njust run `make` again (if you understand this problem, contact me!).\n\nThe built libraries (*libcrypto.so*, *libssl.so* and *openssl.so*) are located\nunder the *lib* directory.\u003cbr/\u003e\nCryptCheck uses *LD_LIBRARY_PATH* and a Ruby load path hack to inject those weakened\nlibraries instead of the system ones.\n\n## Ruby dependencies\nCryptCheck relies on a few Ruby libraries, managed with [Bundler](http://bundler.io/).\n\nTo fetch and install them, just run `bundle install`.\n\n# Usage\nSimply run the runner corresponding to what you want to test:\n\n * HTTPS: `bin/check_https example.org`\n * XMPP: `bin/check_xmpp example.org`\n * SMTP: `bin/check_smtp example.org`\n\nIf you want more information about what is going on under the hood, run the command\nwith debug enabled, like `bin/check_https example.org debug`.\n\n## Understanding results\nRank goes from \"A+\" (perfect) to \"F\" (very weak).\u003cbr/\u003e\n\"M\" means your certificate and your hostname mismatch.\u003cbr/\u003e\n\"T\" means your certificate is not issued by a valid root certificate authority.\n\nOnly a perfect setup gets a perfect score and an \"A\" rank :).\u003cbr/\u003e\nThe \"A\" score is based on [RFC 7525](https://tools.ietf.org/html/rfc7525) recommendations.\n\n * Protocol\n   * SSL (v2 and v3) are now totally [deprecated](https://tools.ietf.org/html/rfc7568),\n     because of very serious known vulnerabilities\n     ([Poodle](https://www.openssl.org/~bodo/ssl-poodle.pdf)…).\n     Using one of them caps your rank to \"F\".\n   * TLSv1 and TLSv1.1 suffer from the\n     [Poodle TLS](https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls)\n     vulnerability.\n   * TLSv1.2 is the only remaining protocol with no known vulnerabilities, so if\n     you don’t support it, your rank is capped to \"B\".\n * Key size\n   * If you use a certificate key of less than 2048 bits, your rank is capped to \"B\".\n * Ciphers\n   * Very weak ciphers, including MD5 hash, anonymous DH parameters, NULL ciphers\n     (yes, they exist…), export ciphers ([Freak](https://freakattack.com/)) or weak\n     ciphers (RC4, DES…) cap your rank to \"F\".\n   * 3DES is considered weak and must be avoided; using it caps your score to \"C\".\n\n * Score\n   * Protocol score is based on the **weakest** protocol you support:\u003cbr/\u003e\n     SSLv2 = 0, SSLv3 = 20, TLSv1 = 60, TLSv1.1 = 80, TLSv1.2 = 100.\n   * Key score is based on your certificate key size:\u003cbr/\u003e\n     \u003c512 = 10, \u003c1024 = 20, \u003c2048 = 50, \u003c4096 = 90, ≥4096 = 100.\n   * Cipher score is based on the **weakest** cipher you support:\u003cbr/\u003e\n     0 = 0, \u003c112 = 10, \u003c128 = 50, \u003c256 = 90, ≥256 = 100.\n   * Overall score is based on the other scores:\u003cbr/\u003e\n     overall = 0.3 * protocol + 0.3 * key + 0.4 * cipher\n\n * Best practices\n   * PFS: you gain this flag when you support **only**\n     [perfect forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy)\n     ciphers (DHE or ECDHE).\n   * HSTS: you gain this flag when you protect yourself with\n     [HTTP Strict Transport Security](https://tools.ietf.org/html/rfc6797).\n   * Long HSTS: you gain this flag when you support HSTS with a duration of at\n     least 6 months.\n\n * Rank\n   * Rank is based on your overall score and the caps above:\u003cbr/\u003e\n     \u003c20 = F, \u003c35 = E, \u003c50 = D, \u003c65 = C, \u003c80 = B, ≥80 = A.\n   * If you get an \"A\" and you have all the best practices above, you get \"A+\".\n","funding_links":[],"categories":["Ruby"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faeris%2Fcryptcheck","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faeris%2Fcryptcheck","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faeris%2Fcryptcheck/lists"}