10 free SSL/TLS diagnostic tools for the
If you are a web engineer, webmaster or system administrator, you often have to solve problems related to SSL/TLS.
There are many online tools for working with SSL certificates and testing for weak points in the SSL/TLS protocols, but they are unlikely to be useful when you need to test an internal network resource by URL, VIP or IP.
To diagnose internal network resources, you need separate software or tools that you can install on your network and use to run the necessary checks.
Various scenarios are possible, for example:
there are problems installing the SSL certificate on the web server;
you need to make sure the latest or a specific cipher or protocol is in use;
you want to check the configuration after commissioning;
a security threat has been identified during vulnerability testing.
The following tools will be helpful in eliminating these problems.
SSL Labs Scan
DeepViolet is an SSL/TLS analysis tool written in Java. It is available as a binary, and you can also compile it from source.
If you are looking for an alternative to SSL Labs for use on the internal network, DeepViolet is a good choice. It scans for the following:
use of weak encryption;
weak signature algorithm;
certificate revocation status;
certificate validity period status;
visualization of the chain of trust, self-signed root certificate.
SSL Diagnos analyzes the SSL protocol and encryption algorithms, and checks for the Heartbleed and BEAST vulnerabilities.
It is not limited to HTTPS: it can also check the SSL strength of SMTP, SIP, POP3 and FTPS.
SSLyze is a Python library and command-line tool that connects to an SSL endpoint and scans it to detect SSL/TLS misconfigurations.
Scanning with SSLyze is fast because the tests are distributed among several processes. If you are a developer, or want to integrate it into an existing application, you have the option to write the results in XML or JSON format.
SSLyze is also available in Kali Linux.
OpenSSL is one of the most powerful offline tools, available for Windows or Linux, for performing various SSL-related tasks such as verification, CSR generation, certificate format conversion and others.
SSL Labs Scan will undoubtedly be useful.
TestSSL is a command-line tool that is compatible with Linux and other operating systems. It checks all the most important indicators and shows what is in order and what is not.
For example:
Testing protocols via sockets except SPDY + HTTP2
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 offered
TLS 1.1 offered
TLS 1.2 offered (OK)
SPDY /NPN h? spdy /3.? http /1.1 (advertised)
HTTP2 /ALPN h? spdy /3.? http /1.1 (offered)
Testing ~ standard cipher categories
NULL ciphers (no encryption) not offered (OK)
Anonymous NULL Ciphers (no authentication) not offered (OK)
Export ciphers (w /o ADH + NULL) not offered (OK)
LOW: 64 Bit + DES encryption (w /o export) not offered (OK)
Weak 128 Bit ciphers (SEED, IDEA, RC[2,4]) Not offered (OK)
Triple DES Ciphers (Medium) not offered (OK)
High encryption (AES + Camellia, no AEAD) offered (OK)
Strong encryption (AEAD ciphers) offered (OK)
Testing server preferences
Has server cipher order? yes (OK)
Negotiated protocol TLSv???r3r3481.
Negotiated cipher ECDHE-ECDSA-CHACHA20-POLY1305-OLD, 256 bit ECDH (P-256)
TLSv1: ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA AES256-SHA DES-CBC3-SHA
TLSv1.1: ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA AES256-SHA
TLSv1.2: ECDHE-ECDSA-CHACHA20-POLY1305-OLD ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-CHACHA20-POLY1305-OLD
ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES128-SHA256 AES128-GCM-SHA256 AES128-SHA AES128-SHA256
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES256-SHA384 AES256-GCM-SHA384
Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension
CCS (CVE-2014-0224) not vulnerable (OK)
Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK)
Secure Renegotiation (CVE-2009-3555) not vulnerable (OK)
Secure Client-Initiated Renegotiation not vulnerable (OK)
CRIME, TLS (CVE-2012-4929) not vulnerable (OK)
BREACH (CVE-2013-3587). Most NOT, uses gzip HTTP compression. - only supplied "/" tested
Can be ignored for static pages or if no secrets in the page
POODLE, SSL (CVE-2014-3566) not vulnerable (OK)
TLS_FALLBACK_SCSV (RFC 7507) Downgrade attack prevention supported (OK)
SWEET32 (CVE-2016-218? CVE-2016-6329) not vulnerable (OK)
FREAK (CVE-2015-0204) not vulnerable (OK)
DROWN (CVE-2016-080? CVE-2016-0703) is not vulnerable on this host and port (OK)
make sure you do not use this certificate.
https://censys.io/ipv4?q=EDF8A1A3D0FFCBE0D6EA4C44DB5F4BE1A7C2314D1458ADC925A30AA6235B9820 could help you to find out
LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected
BEAST (CVE-2011-3389) TLS1: ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA
VULNERABLE - but also supports higher protocols (possible mitigation): TLSv1.1 TLSv???r3r3481.
LUCKY13 (CVE-2013-0169) VULNERABLE, uses cipher block chaining (CBC) ciphers
RC4 (CVE-2013-256? CVE-2015-2808) no RC4 ciphers detected (OK)
As you can see, it covers a large number of vulnerabilities, encryption preferences, protocols, etc.
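A report like the one above is easier to act on once it is reduced to the lines that need attention. The following is an added example, not part of testssl.sh or the original article: it parses a few lines copied from the sample output and emits one JSON event per finding that is not marked (OK). The function names and the host name are assumptions made for the illustration.

```python
import json
import re

# A few lines copied from the sample report above (spacing normalised).
SAMPLE_REPORT = """\
SSLv3 not offered (OK)
TLS 1 offered
TLS 1.1 offered
TLS 1.2 offered (OK)
Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension
POODLE, SSL (CVE-2014-3566) not vulnerable (OK)
LUCKY13 (CVE-2013-0169) VULNERABLE, uses cipher block chaining (CBC) ciphers
"""

# "<check> <status> <detail>"; case-sensitive, so "not vulnerable" != "VULNERABLE".
LINE_RE = re.compile(
    r"^(?P<check>.+?)\s+"
    r"(?P<status>not offered|not vulnerable|offered|VULNERABLE)\b(?P<detail>.*)$"
)

def parse_report(text):
    """Turn report lines into dicts with a severity of ok, warn or fail."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section headers, cipher lists, wrapped lines
        if m["status"] == "VULNERABLE":
            severity = "fail"
        elif "(OK)" in m["detail"]:
            severity = "ok"
        else:
            severity = "warn"  # reported without the tool's (OK) marker
        findings.append({"check": m["check"], "status": m["status"], "severity": severity,
                         "cves": re.findall(r"CVE-\d{4}-\d+", m["check"])})
    return findings

def to_log_events(findings, host):
    """One JSON line per non-ok finding, ready for a log pipeline."""
    return [json.dumps({"host": host, **f}, sort_keys=True)
            for f in findings if f["severity"] != "ok"]

if __name__ == "__main__":
    for event in to_log_events(parse_report(SAMPLE_REPORT), "intranet.example.internal"):
        print(event)  # host name above is a constructed placeholder
```

On the sample lines this yields three events: TLS 1 and TLS 1.1 as warnings, because the report lists them as offered without an (OK) marker, and LUCKY13 as a failure.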
TestSSL.sh is also available as a Docker image.
TLS-Scan can be compiled from source, or you can download a binary for Linux/OSX. It extracts certificate information from the server and outputs the following metrics in JSON format:
host name verification;
TLS compression check;
enumeration of ciphers and TLS versions;
session reuse check.
It supports the protocols TLS, SMTP, STARTTLS and MySQL. You can also integrate the results into a log analyzer such as Splunk or ELK.
Cipher Scan also lets you output the results in JSON format. It is a wrapper that uses OpenSSL commands.
SSL Audit is an open source tool for verifying the certificate and the supported protocols, encryption and standards, based on SSL Labs.
I hope that these open source tools will help you integrate continuous scanning into your current log analyzers and make troubleshooting easier.