SSL Configuration Testing

Any security analysis (manual or automated) starts by checking the strength of the SSL/TLS configuration. There are five protocols in the SSL/TLS family: SSL v2, SSL v3, TLS v1.0, TLS v1.1, and TLS v1.2:

  • SSL v2 is insecure, obsolete and must not be used. See the DROWN attack on this protocol.
  • SSL v3 is insecure and obsolete. See the POODLE attack.
  • TLS v1.0 is also a legacy protocol that shouldn't be used, but it is typically still necessary in practice. Its major weakness (BEAST) has been mitigated in modern browsers.
  • TLS v1.1 and TLS v1.2 both have no known security issues, but only v1.2 provides modern cryptographic algorithms.

SSL 2.0, SSL 3.0 and TLS 1.0 are no longer permitted under the PCI DSS 3.1 security standard.

SSL Configuration Analysis

Just use the SSLLabs Test Tool to check the grade of your configuration.

An A+ or A grade means the SSL configuration is good; F is the worst grade. Read the recommendations that the tool produces.

Example of Dhound SSL Test

Below is another example of how to quickly check SSL configuration strength using the nmap tool:

 nmap --script ssl-enum-ciphers -p 443 dhound.io
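The nmap script prints each offered protocol version with its cipher suites, a grade per suite (A best, F worst), any warnings, and a closing "least strength" line. Reading that by eye works for one host, but for a fleet it helps to parse it and apply the rules from the section above automatically. The following Python script is an added example, not Dhound's own tooling: it parses ssl-enum-ciphers output and reports every finding that the rules above would object to (a legacy protocol offered, a weak or low-graded suite, an nmap warning, TLS v1.2 missing, or a least-strength grade below B). The two pieces of nmap output embedded in it are constructed to match the script's format; in practice you would pipe in the real output of the command shown above for your own host. Treating TLSv1.3 as a modern protocol is an addition beyond the article, which predates it.

```python
"""Parse nmap ssl-enum-ciphers output and flag TLS configuration weaknesses.

Added example (not Dhound's tooling). The sample outputs below are constructed
to resemble the script's real format; feed `audit_nmap_output` the text you get
from `nmap --script ssl-enum-ciphers -p 443 <your host>` for a live check.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Protocol versions the article says must not be offered: SSL v2/v3 are broken
# (DROWN, POODLE) and TLS v1.0 is legacy and disallowed by PCI DSS 3.1.
FORBIDDEN_PROTOCOLS = frozenset({"SSLv2", "SSLv3", "TLSv1.0"})
# TLSv1.3 did not exist when the article was written; it is added here as a fact.
MODERN_PROTOCOLS = frozenset({"TLSv1.2", "TLSv1.3"})
# Substrings of an IANA cipher-suite name that indicate a legacy or weak suite.
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "3DES", "DES_CBC", "MD5", "anon")
# nmap grades suites A (best) to F; anything worse than B is flagged.
WEAKEST_ACCEPTABLE_GRADE = "B"

PREFIX_RE = re.compile(r"^\|_?")  # the "| " / "|_" gutter nmap puts on script output
PROTO_RE = re.compile(r"^(SSLv2|SSLv3|TLSv1\.\d):$")
CIPHER_RE = re.compile(r"^((?:TLS|SSL)_[A-Z0-9_]+)(?:\s+\([^)]*\))?\s+-\s+([A-F])$")
LEAST_RE = re.compile(r"^least strength:\s*([A-F])$")


@dataclass
class ProtocolReport:
    ciphers: List[Tuple[str, str]] = field(default_factory=list)  # (suite, grade)
    warnings: List[str] = field(default_factory=list)


def parse_ssl_enum_ciphers(text: str) -> Tuple[Dict[str, ProtocolReport], Optional[str]]:
    """Return {protocol: ProtocolReport} plus the 'least strength' grade, if present."""
    protocols: Dict[str, ProtocolReport] = {}
    least: Optional[str] = None
    current: Optional[ProtocolReport] = None
    section: Optional[str] = None  # "ciphers", "warnings" or None
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw).strip()
        if not line:
            continue
        m = PROTO_RE.match(line)
        if m:  # e.g. "TLSv1.0:" opens a new protocol section
            current = protocols.setdefault(m.group(1), ProtocolReport())
            section = None
            continue
        m = LEAST_RE.match(line)
        if m:
            least = m.group(1)
            continue
        if line in ("ciphers:", "warnings:"):
            section = line[:-1]
            continue
        if line.endswith(":") or line.startswith("cipher preference"):
            section = None  # "compressors:", "cipher preference: server", ...
            continue
        if current is None:
            continue  # port table and other non-script lines
        if section == "ciphers":
            m = CIPHER_RE.match(line)
            if m:
                current.ciphers.append((m.group(1), m.group(2)))
        elif section == "warnings":
            current.warnings.append(line)
    return protocols, least


def audit(protocols: Dict[str, ProtocolReport], least: Optional[str]) -> List[str]:
    """Apply the article's rules; an empty list means nothing to fix."""
    issues: List[str] = []
    for proto in sorted(protocols):
        if proto in FORBIDDEN_PROTOCOLS:
            issues.append(f"legacy protocol offered: {proto}")
        for suite, grade in protocols[proto].ciphers:
            weak_name = any(marker in suite for marker in WEAK_CIPHER_MARKERS)
            if weak_name or grade > WEAKEST_ACCEPTABLE_GRADE:
                issues.append(f"{proto}: weak suite {suite} (grade {grade})")
        for warning in protocols[proto].warnings:
            issues.append(f"{proto}: nmap warning: {warning}")
    if not MODERN_PROTOCOLS & set(protocols):
        issues.append("TLSv1.2 not offered; only v1.2 provides modern algorithms")
    if least is not None and least > WEAKEST_ACCEPTABLE_GRADE:
        issues.append(f"least strength {least} is below {WEAKEST_ACCEPTABLE_GRADE}")
    return issues


def audit_nmap_output(text: str) -> List[str]:
    protocols, least = parse_ssl_enum_ciphers(text)
    return audit(protocols, least)


# Constructed sample: a server still offering TLS 1.0 with a 3DES suite.
SAMPLE_WEAK = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C
"""

# Constructed sample: TLS 1.2 only with AEAD suites.
SAMPLE_CLEAN = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
"""

if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("clean", SAMPLE_CLEAN)):
        print(f"[{label}]")
        for issue in audit_nmap_output(sample) or ["no issues"]:
            print("  -", issue)
```

The weak sample yields four findings (the TLS v1.0 listener, the 3DES suite, the SWEET32 warning, and the C least-strength grade); the clean sample yields none. Because the rules live in three small constants at the top, tightening them later (for example requiring grade A, or adding a marker) is a one-line change.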

Strong Ciphers

A low SSL configuration grade is, in most cases, caused by the use of legacy, weak encryption algorithms.

The following resource, https://cipherli.st/, provides information on how to configure strong SSL algorithms on Apache, nginx, HAProxy, etc.
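On the server side the same rules translate into two nginx directives: ssl_protocols (which versions to offer) and ssl_ciphers (an OpenSSL cipher string). The following Python script is an added example, not taken from cipherli.st or from Dhound: it shows a weak nginx TLS block beside a hardened one and a small static audit that flags legacy protocol names, positively selected weak cipher tokens, and a missing ssl_prefer_server_ciphers. Both configuration snippets are constructed; the hardened one follows the shape cipherli.st publishes (an explicit protocol list plus an ECDHE/AEAD-only cipher string) but is not copied from it. Note that nginx spells TLS 1.0 as "TLSv1".

```python
"""Static audit of nginx ssl_protocols / ssl_ciphers directives.

Added example, not cipherli.st's or Dhound's code. Both configs below are
constructed; point `audit_nginx_tls` at the text of a real server block.
"""
import re
from typing import Dict, List

# "name value;" directives, one per line; re.M makes ^ match at each line start.
DIRECTIVE_RE = re.compile(
    r"^\s*(ssl_protocols|ssl_ciphers|ssl_prefer_server_ciphers)\s+(.+?)\s*;", re.M
)
# nginx names: "TLSv1" is TLS 1.0, which the article says must not be offered.
FORBIDDEN_PROTOCOLS = frozenset({"SSLv2", "SSLv3", "TLSv1"})
# OpenSSL cipher-string components that select legacy or unauthenticated suites.
WEAK_TOKENS = frozenset(
    {"RC4", "3DES", "DES", "MD5", "NULL", "aNULL", "eNULL", "EXP", "EXPORT", "LOW", "ADH", "AECDH"}
)


def parse_ssl_directives(config: str) -> Dict[str, str]:
    """Map each recognised ssl_* directive to its (unquoted) value."""
    return {name: value.strip("\"'") for name, value in DIRECTIVE_RE.findall(config)}


def weak_cipher_tokens(cipher_string: str) -> List[str]:
    """Return the positively selected tokens that pull in a weak component."""
    weak: List[str] = []
    for token in cipher_string.split(":"):
        if not token or token[0] in "!-":
            continue  # "!RC4" / "-MD5" are exclusions, which is what we want
        parts = re.split(r"[-+]", token.lstrip("+"))
        if any(part in WEAK_TOKENS for part in parts):
            weak.append(token)
    return weak


def audit_nginx_tls(config: str) -> List[str]:
    """Apply the article's rules to one server block; empty list means clean."""
    issues: List[str] = []
    directives = parse_ssl_directives(config)
    protocols = directives.get("ssl_protocols", "").split()
    if not protocols:
        issues.append("ssl_protocols not set explicitly; relying on the build default")
    for proto in protocols:
        if proto in FORBIDDEN_PROTOCOLS:
            issues.append(f"ssl_protocols offers legacy {proto}")
    if protocols and "TLSv1.2" not in protocols:
        issues.append("ssl_protocols does not offer TLSv1.2")
    ciphers = directives.get("ssl_ciphers", "")
    if not ciphers:
        issues.append("ssl_ciphers not set explicitly")
    for token in weak_cipher_tokens(ciphers):
        issues.append(f"ssl_ciphers includes legacy token {token}")
    if directives.get("ssl_prefer_server_ciphers") != "on":
        issues.append("ssl_prefer_server_ciphers is not on")
    return issues


# Constructed: the kind of block that earns a low grade.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:RC4-SHA:DES-CBC3-SHA;
}
"""

# Constructed: TLS 1.2 only, forward-secret AEAD suites, server preference.
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5";
    ssl_prefer_server_ciphers on;
}
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for issue in audit_nginx_tls(cfg) or ["no issues"]:
            print("  -", issue)
```

The weak block produces five findings; the hardened block produces none. The audit is deliberately textual: it does not expand the cipher string through OpenSSL, so an overly broad keyword such as ALL is only caught when a weak suite is named explicitly. After changing the config, rerun the nmap command or the SSLLabs test to confirm what the server actually negotiates.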

Published on Apr 11, 2017