• Get application security done the right way! Detect, Protect, Monitor, Accelerate, and more…
  • You often need to debug SSL/TLS related issues while working as a web engineer, webmaster, or system administrator.

    There are plenty of online tools for SSL certificate, Testing SSL/TLS vulnerabilities, but when it comes to testing intranet-based URL, VIP, IP, then they won’t be helpful.

    To troubleshoot intranet resources, you need a standalone software/tools which you can install in your network and perform a necessary test.

    There could be various scenarios, like:

    • Having issues during SSL certificate implementation with webserver
    • Want to ensure latest/particular cipher, protocol is being used
    • Post-implementation, wish to verify the configuration
    • Security risk found in a penetration test result

    The following tools will be handy to troubleshoot such issues.

    DeepViolet

    DeepViolet is a java based SSL/TLS scanning tool available in binary, or you can compile with source code.

    If you are looking for an alternative of SSL Labs to be used on an internal network, then DeepViolet would be a good pick. It scans for the following.

    • Weak cipher exposed
    • Weak signing algorithm
    • Certification revocation status
    • Certificate expiry status
    • Visualize trust-chain, a self-signed root

    SSL Diagnos

    Quickly evaluate the SSL strength of your web site. SSL Diagnos extract SSL protocol, cipher suites, heartbleed, BEAST.

    Not just HTTPS, but you can test SSL strength for SMTP, SIP, POP3, and FTPS.

    SSLyze

    SSLyze is a Python library and command-line tool which connects to SSL endpoint and performs a scan to identify any SSL/TLS miss-configuration.

    Scan through SSLyze is fast as a test is distributed through multiple processes. If you are a developer or you would like to integrate with your existing application, then you have an option to write the result in XML or JSON format.

    SSLyze is also available in Kali Linux.

    OpenSSL

    Don’t underestimate OpenSSL, one of the powerful standalone tools available for Windows or Linux to perform various SSL related tasks like verification, CSR generation, certification conversion, etc.

    SSL Labs Scan

    Love Qualys SSL Labs? You are not alone; I love it too.

    If you are looking for a command-line tool for SSL Labs for automated or bulk testing, then SSL Labs Scan would be useful.

    SSL Scan

    SSL Scan is compatible with Windows, Linux, and MAC. SSL Scan quickly helps to identify the following metrics.

    • Highlight SSLv2/SSLv3/CBC/3DES/RC4/ ciphers
    • Report weak (<40bit), null/anonymous ciphers
    • Verify TLS compression, heartbleed vulnerability
    • and much more…

    If you are working on cipher related issues, then an SSL scan would be a helpful tool to fast-track the troubleshooting.

    TestSSL

    As the name indicates, TestSSL is a command-line tool compatible with Linux or OS. It tests all the essential metrics and gives status, whether good or bad.

    Ex:

    Testing protocols via sockets except SPDY+HTTP2
    
    SSLv2 not offered (OK)
    SSLv3 not offered (OK)
    TLS 1 offered
    TLS 1.1 offered
    TLS 1.2 offered (OK)
    SPDY/NPN h2, spdy/3.1, http/1.1 (advertised)
    HTTP2/ALPN h2, spdy/3.1, http/1.1 (offered)
    
    Testing ~standard cipher categories
    
    NULL ciphers (no encryption) not offered (OK)
    Anonymous NULL Ciphers (no authentication) not offered (OK)
    Export ciphers (w/o ADH+NULL) not offered (OK)
    LOW: 64 Bit + DES encryption (w/o export) not offered (OK)
    Weak 128 Bit ciphers (SEED, IDEA, RC[2,4]) not offered (OK)
    Triple DES Ciphers (Medium) not offered (OK)
    High encryption (AES+Camellia, no AEAD) offered (OK)
    Strong encryption (AEAD ciphers) offered (OK)
    
    Testing server preferences
    
    Has server cipher order? yes (OK)
    Negotiated protocol TLSv1.2
    Negotiated cipher ECDHE-ECDSA-CHACHA20-POLY1305-OLD, 256 bit ECDH (P-256)
    Cipher order
    TLSv1: ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA AES256-SHA DES-CBC3-SHA 
    TLSv1.1: ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA AES256-SHA 
    TLSv1.2: ECDHE-ECDSA-CHACHA20-POLY1305-OLD ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256
    ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384
    ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-CHACHA20-POLY1305-OLD
    ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA
    ECDHE-RSA-AES128-SHA256 AES128-GCM-SHA256 AES128-SHA AES128-SHA256
    ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES256-SHA384 AES256-GCM-SHA384
    AES256-SHA AES256-SHA256
    
    Testing vulnerabilities
    
    Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension
    CCS (CVE-2014-0224) not vulnerable (OK)
    Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK)
    Secure Renegotiation (CVE-2009-3555) not vulnerable (OK)
    Secure Client-Initiated Renegotiation not vulnerable (OK)
    CRIME, TLS (CVE-2012-4929) not vulnerable (OK)
    BREACH (CVE-2013-3587) potentially NOT ok, uses gzip HTTP compression. - only supplied "/" tested
    Can be ignored for static pages or if no secrets in the page
    POODLE, SSL (CVE-2014-3566) not vulnerable (OK)
    TLS_FALLBACK_SCSV (RFC 7507) Downgrade attack prevention supported (OK)
    SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK)
    FREAK (CVE-2015-0204) not vulnerable (OK)
    DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK)
    make sure you don't use this certificate elsewhere with SSLv2 enabled services
    https://censys.io/ipv4?q=EDF8A1A3D0FFCBE0D6EA4C44DB5F4BE1A7C2314D1458ADC925A30AA6235B9820 could help you to find out
    LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected
    BEAST (CVE-2011-3389) TLS1: ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA
    AES256-SHA DES-CBC3-SHA 
    VULNERABLE -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2
    LUCKY13 (CVE-2013-0169) VULNERABLE, uses cipher block chaining (CBC) ciphers
    RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK)

    As you can see, it covers a large number of vulnerabilities, cipher preferences, protocols, etc. TestSSL.sh is also available in a docker image.

    If you need to do a remote scan using testssl.sh then you can try Geekflare TLS Scanner.

    TLS Scan

    You can either build TLS-Scan from source or download binary for Linux/OSX. It extracts certificate information from the server and prints the following metrics in JSON format.

    • Hostname verification checks
    • TLS compression checks
    • Cipher and TLS version enumeration checks
    • Session reuse checks

    It supports TLS, SMTP, STARTTLS, and MySQL protocols. You may also integrate the resulting output in a logs analyzer like Splunk, ELK.

    Cipher Scan

    A quick tool to analyze what the HTTPS website supports all ciphers. Cipher Scan also has an option to show output in JSON format. It’s wrapper and internally using OpenSSL command.

    SSL Audit

    SSL audit is an open-source tool to verify the certificate and support the protocol, ciphers, and grade based on SSL Labs.

    I hope the above, open-source tools help you to integrate the continuous scanning with your existing log analyzer and ease the troubleshooting.