The OpenSSL package in Ubuntu supports SHA224, SHA256, SHA384, and SHA512, even though it's not actually shown in the help, with the command line options being -sha224, -sha256, -sha384 and -sha512.
I've been happily using SHA512 with a personal CA for the last year.
It's possible that other distributions have also compiled in support for these hash functions in their OpenSSL packages.
I just tried with a 2GB file from
I then however tried with a file that was 2GB + 1 byte, and it was still seen as headless encryption. Based on the time taken for the program to think it's headless encryption probably means it's only scanning the first X bytes, so it's possible it's just an entropy test on the header area.
This is a bit like TCHunt, except TCHunt actually does do the mod 512 test.
What an incredibly useful option, thanks!
It is worth noting that sites that use client certificates are not affected by this, as SSLStrip cannot sign the CertificateVerify TLS message due to it not having a client certificate that would be accepted (you hope), therefore the exchange between SSLStrip and the real site would fail.
Granted you can still downgrade the session to HTTP (if you start from a HTTP site), present a fake site, and possibly obtain a password or other form of authentication token, but a valid client certificate would still be required for the authentication tokens to be of any use (assuming this is the only site where said authentication tokens get used).
Faking the real site would be difficult though, as you wouldn't be able to see it as the web server would never serve it to you as you don't have a valid client certificate to view the page.
It's a simple entropy scanner, nothing more. You can prove this by doing the following like I have done. Generate a 75MB file from
The first sign of maturity is the discovery that the volume knob also turns to the left.
