Skip to content

Instantly share code, notes, and snippets.

@gwarf
Last active January 31, 2023 09:05
Show Gist options
  • Save gwarf/850654de8049831b490d25c4c8afe3bb to your computer and use it in GitHub Desktop.
Save gwarf/850654de8049831b490d25c4c8afe3bb to your computer and use it in GitHub Desktop.
Checking TLS/SSL/certificate configuration

TLS configuration checking

Using online tools

SSL Labs is great, but only support port 443. `htbridge and digicert allows to use a custom port.

Using command line tools

OpenSSL

OpenSSL s_client can make TLS connections to any endpoint. It's the underlying tool for lots of other tools.

echo 0 | openssl s_client -ign_eof -prexit -connect $HOST:$PORT
# Enabling TLSv1.0 (disabled by default as unsecure)
echo 0 | openssl s_client -ign_eof -prexit -connect $HOST:$PORT -tls1

Testssl.sh

testssl.sh is a great and complete SSL test tool.

# Testing with standard CAs
testssl.sh $HOST:$PORT
# Testing with IGTF CAs
export CA_BUNDLES_PATH=/etc/grid-security/certificates
testssl.sh $HOST:$PORT

check_ssl_cert

check_ssl_cert is a nagios probes used by EGI Monitoring.

git clone https://github.com/matteocorti/check_ssl_cert
cd check_ssl_cert
# Testing with standard CAs
./check_ssl_cert -p $PORT -H $HOSTNAME
# Testing with IGTF CAs
./check_ssl_cert -p $PORT -H $HOSTNAME -r /etc/grid-security/certificates
# Testing (broken!!) TLSv1.0 support with IGTF CAs
./check_ssl_cert -p $PORT -H $HOSTNAME -r /etc/grid-security/certificates --tls1
# Debugging
./check_ssl_cert -p $PORT -H $HOSTNAME -d
sh -x ./check_ssl_cert -p $PORT -H $HOSTNAME -d

Testing using curl

curl -tls1_0 https://tlstest.paypal.com
curl -tls1_1 https://tlstest.paypal.com
curl -tls1_2 https://tlstest.paypal.com
curl -tls1_3 https://tlstest.paypal.com

TLS versions

TLS vulnerabilities

TLS Deprecation

TLSv1.0 and TLSv1.1 support is expected to be dropped by major browsers in March 2020.

To be avoided

To be used

  • TLSv1.2
  • TLSv1.3 (when available)

TLS Config generator

Checking client certificates

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment