The most common issues with TLS/SSL certificates and their configurations stem from:
- A lack of appropriate signatures (no root or leaf certificate in chain, self-signed certificate, expired certificate).
- The enablement of insecure ciphers.
Available commands:
- Full Certificate View
- Testing for TLS/SSL Configurations (Ciphers)
- Diffie-Hellman Prime Key (Cipher) Size Check
Full Certificate View
See a certificate’s details and its configurations, including:
- Expiration date
- Certificate signers/providers
- The certificate chain
openssl s_client -connect IP Address:port -servername domain.com < /dev/null | openssl x509 -in /dev/stdin -text -noout
-servername domain.com is optional depending on the testing being performed.
Testing for TLS/SSL Configurations (Ciphers)
This command outputs all ciphers enabled on the server, which gives you a general overview.
sslscan --tlsall IP Address:port
You can test by version instead of testing all ciphers at once by specifying a version; replace --tlsall with the appropriate version:
- --ssl2 (for SSLv2)
- --ssl3 (for SSLv3)
- --tls10 (for TLSv1.0)
- --tls11 (for TLSv1.1)
- --tls12 (for TLSv1.2)
If a result is not returned, either the server doesn’t support that version or the cipher is not enabled.
Diffie-Hellman Prime Key (Cipher) Size Check
Get key size details of any configured DHE keys on the listed asset, including the bit size of the public key.
Though DH is the most common instance, you can use different key values as needed; replace DH with EDH or ECDH depending on the type of Diffie-Hellman configuration.
openssl s_client -connect IP address:port -cipher "DH" < /dev/null | grep "Server Temp Key"
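The following is an added example, not part of the original page: it classifies the "Server Temp Key" line that the command above produces (finite-field DH below 2048 bits and elliptic-curve keys below 224 bits are flagged as weak, i.e. below the 112-bit security level), and wraps the page's DH check and an expiry check so they exit cleanly instead of waiting on stdin. The host, servername and day-count arguments are hypothetical; only the parser is exercised offline. With OpenSSL 1.1.1 and later, -cipher only restricts TLS 1.2 and earlier, so add -tls1_2 to the wrapper if you need to force a TLS 1.2 negotiation.

```shell
#!/bin/sh
# Added example (not from the original page). Thresholds at the 112-bit
# security level: finite-field DH < 2048 bits and EC keys < 224 bits are weak.

# classify_temp_key LINE -> prints "ok", "weak" or "unknown" (always exits 0)
classify_temp_key() {
    line="$1"
    case "$line" in
        *"Server Temp Key:"*) ;;
        *) echo unknown; return 0 ;;
    esac
    # Key type is the first token after the colon, e.g. DH, ECDH, X25519
    kind=$(printf '%s\n' "$line" | sed -n 's/.*Server Temp Key: *\([A-Za-z0-9]*\).*/\1/p')
    # Bit size is the number before " bits", e.g. "DH, 1024 bits" -> 1024
    bits=$(printf '%s\n' "$line" | sed -n 's/.*, *\([0-9][0-9]*\) bits.*/\1/p')
    if [ -z "$bits" ]; then echo unknown; return 0; fi
    case "$kind" in
        DH)               if [ "$bits" -ge 2048 ]; then echo ok; else echo weak; fi ;;
        ECDH|X25519|X448) if [ "$bits" -ge 224 ];  then echo ok; else echo weak; fi ;;
        *)                echo unknown ;;
    esac
}

# check_dh_host HOST:PORT [CIPHER] -> runs the page's DH check against a live
# server (hypothetical host argument; not exercised offline). </dev/null closes
# stdin so s_client exits as soon as the handshake finishes.
check_dh_host() {
    openssl s_client -connect "$1" -cipher "${2:-DH}" </dev/null 2>/dev/null \
        | grep "Server Temp Key" \
        | while IFS= read -r l; do classify_temp_key "$l"; done
}

# cert_valid_for HOST:PORT SERVERNAME DAYS -> exit 0 if the leaf certificate
# will still be valid DAYS days from now (-checkend takes seconds)
cert_valid_for() {
    openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -checkend "$(( $3 * 86400 ))" >/dev/null
}
```

Constructed sample lines such as "Server Temp Key: DH, 1024 bits" (weak) and "Server Temp Key: X25519, 253 bits" (ok) can be fed to classify_temp_key directly to check the classification before pointing check_dh_host at a real host.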