SSL/TLS
Secure Sockets Layer/Transport Layer Security (SSL/TLS) testing is the process of evaluating the security and configuration of SSL/TLS protocols on a web server, making sure that data transmitted over the internet is encrypted and secure. It typically involves checking certificate validity (correctly installed and not expired), reviewing configuration (strong encryption algorithm and protocol usage), and vulnerability scanning (susceptibility against known attacks).
Tools
We can use tools such as Qualys' online test or Burp Suite's SSL Scanner extension to quickly check for SSL/TLS issues.
Check OWASP's best practices, and look up individual cipher suites on CipherSuite by copying their RFC name.
Enumerate the server certificate and the supported protocol versions and cipher suites with nmap's NSE scripts:
nmap --script ssl-cert,ssl-enum-ciphers -p 443 www.example.com
sslyze can analyze the SSL/TLS configuration of a server by connecting to it, in order to ensure that it uses strong encryption settings and that it is not vulnerable to known TLS attacks:
sslyze --regular example.com:443
testssl is a free CLI tool which checks a server's service on any port for the support of TLS/SSL ciphers and protocols, as well as some cryptographic flaws:
testssl owasp.org
o-saft lists information about the remote target's SSL certificate and tests the remote target according to a given list of ciphers:
o-saft.pl +check +vulns example.tld
sslscan2 is a TLS/SSL scanner that checks supported protocols, cipher suites, and configurations, including TLS 1.3, to identify security weaknesses in SSL-enabled services:
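The scanners above produce lists of accepted protocol versions and cipher-suite RFC names plus the certificate's validity dates; the two checks named at the top of the page (configuration review and certificate validity) are then a matter of triaging that output against a policy. The following script is an added example, not code from the page or from any of the tools it lists: it classifies protocol versions and cipher suites by their RFC names, checks a certificate's validity window in the date format `ssl.getpeercert()` returns, and includes a minimal live probe. The scan results, certificate dates and the frozen clock are constructed sample data that resembles nmap ssl-enum-ciphers/sslyze output, not real scanner output.

```python
"""Offline triage of SSL/TLS scan findings (added example; sample data is constructed)."""
import socket
import ssl
import time

# Protocol versions that are formally deprecated (SSLv3: RFC 7568; TLS 1.0/1.1: RFC 8996).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# Substrings of RFC cipher-suite names that signal a weakness, with the reason.
WEAK_MARKERS = {
    "NULL": "NULL cipher or MAC (no confidentiality or no integrity)",
    "EXPORT": "export-grade key length",
    "anon": "anonymous key exchange (server is not authenticated)",
    "RC4": "RC4 stream cipher (prohibited by RFC 7465)",
    "3DES": "64-bit block cipher (Sweet32)",
    "DES_CBC": "single DES",
    "MD5": "MD5-based MAC",
}


def assess_cipher(name):
    """Return the list of issues for one cipher suite RFC name; empty means acceptable."""
    issues = [reason for marker, reason in WEAK_MARKERS.items() if marker in name]
    if "_WITH_" in name:
        # TLS 1.2-style name: key exchange precedes _WITH_; only (EC)DHE gives forward secrecy.
        kex = name.split("_WITH_", 1)[0]
        if "DHE" not in kex:
            issues.append("no forward secrecy (static key exchange)")
        if "_CBC_" in name:
            issues.append("CBC mode (flagged as weak by scanners such as SSL Labs)")
    # TLS 1.3 suites (e.g. TLS_AES_256_GCM_SHA384) have no _WITH_ part: always AEAD with (EC)DHE.
    return issues


def assess_scan(protocols, ciphers):
    """Map each deprecated protocol and each weak cipher suite to its list of issues."""
    findings = {}
    for proto in protocols:
        if proto in DEPRECATED_PROTOCOLS:
            findings[proto] = ["deprecated protocol version"]
    for suite in ciphers:
        issues = assess_cipher(suite)
        if issues:
            findings[suite] = issues
    return findings


def cert_status(not_before, not_after, now=None):
    """Classify a validity window given in ssl.getpeercert() format, e.g. 'Jan  1 00:00:00 2024 GMT'."""
    now = time.time() if now is None else now
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    if now < start:
        return "not-yet-valid"
    if now > end:
        return "expired"
    return "valid"


def live_probe(host, port=443, timeout=5):
    """Negotiate one TLS session with a real server (network required; not used by the sample).
    Reports only the single best session the client negotiates; the page's scanners enumerate everything."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"version": tls.version(), "cipher": tls.cipher()[0],
                    "cert_status": cert_status(cert["notBefore"], cert["notAfter"])}


# Constructed sample: a legacy server that still offers TLS 1.0 and some weak suites.
SAMPLE_PROTOCOLS = ["TLSv1.0", "TLSv1.2", "TLSv1.3"]
SAMPLE_CIPHERS = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_AES_256_GCM_SHA384",
]
SAMPLE_NOT_BEFORE = "Mar  1 00:00:00 2024 GMT"
SAMPLE_NOT_AFTER = "Mar  1 00:00:00 2025 GMT"
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2024 GMT")  # frozen clock for the sample


def sample_report():
    """Run the offline checks over the constructed sample and return the combined result."""
    return {"findings": assess_scan(SAMPLE_PROTOCOLS, SAMPLE_CIPHERS),
            "cert": cert_status(SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER, SAMPLE_NOW)}


if __name__ == "__main__":
    for item, issues in sample_report()["findings"].items():
        print(f"{item}: {'; '.join(issues)}")
    print("certificate:", sample_report()["cert"])
```

On the sample, TLSv1.0 and four of the six suites are flagged (RC4, 3DES, the static-RSA GCM suite for lacking forward secrecy, and the ECDHE CBC suite), while the ECDHE GCM and TLS 1.3 suites pass; the certificate is reported as valid against the frozen clock. The marker table is deliberately a small policy, not a complete weakness catalogue; extend it to match the baseline (for example OWASP's) you are testing against.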
Resources
A great video showcasing how to test for SSL/TLS misconfigurations with testssl (video).