Monday, November 18, 2013

SSL / TLS Certificate Validation / Checker Tools

 SSL / TLS Certificate Validation / Checker Tools :

                                                    Http clear-text protocol is normally secured via an SSL or TLS tunnel, resulting in https traffic. In addition to providing encryption of data in transit, https allows the identification of servers (and, optionally, of clients) by means of digital certificates.



SSL Testing Criteria :

Large number of available cipher suites and quick progress in cryptoanalysis makes judging a SSL server a non-trivial task. These criteria are widely recognised as minimum checklist:
  • SSLv2, due to known weaknesses in protocol design 
  • SSLv3, due to known weaknesses in protocol design 
  • Compression, due to known weaknesses in protocol design 
  • Cipher suites with symmetric encryption algorithm smaller than 112 bits
  • X.509 certificates with RSA key smaller than 2048 bits
  • X.509 certificates with DSA key smaller than 2048 bits
  • X.509 certificates signed using MD5 hash, due to known collision attacks on this hash
  • TLS Renegotiation vulnerability 
The following standards can be used as reference while assessing SSL servers:
  • NIST SP 800-52 recommends U.S. federal systems to use at least TLS 1.0 with ciphersuites based on RSA or DSA key agreement with ephemeral Diffie-Hellman, 3DES or AES for confidentality and SHA1 for integrity protection. NIST SP 800-52 specifically disallows non-FIPS compliant algorithms like RC4 and MD5. An exception is U.S. federal systems making connections to outside servers, where these algorithms can be used in SSL client mode.
  • PCI-DSS v1.2 in point 4.1 requires compliant parties to use "strong cryptography" without precisely defining key lengths and algorithms. Common interpretation, partially based on previous versions of the standard, is that at least 128 bit key cipher, no export strength algorithms and no SSLv2 should be used.
  • SSL Server Rating Guide has been proposed to standardize SSL server assessment and currently is in draft version.
SSL Server Database can be used to assess configuration of publicly available SSL servers based on SSL Rating Guide.

SSLDigger v1.02 :

                       is a tool to assess the strength of SSL servers by testing the ciphers supported. Some of these ciphers are known to be insecure

System Requirements:

Windows .NET Framework (can be installed using Windows Update)

 Download Link :

SSLAudit :

             is a tool that verifies SSL certificate and supported protocols/ciphers of a SSL-enabled webserver.


            It is open source and is easily modified to support new protocols and ciphers as they become available, the result is graded and it runs both on Linux and Windows. 

Download Link :

 Online Tools :

Qualys SSL Lab :

                      Free online service performs a deep analysis of the configuration of any SSL web server on the public Internet.




Symantec SSL Tool :

GeoCerts SSL Checker :

SSL Shopper :

             will help you diagnose problems with your SSL certificate installation. You can verify the SSL certificate on your web server to make sure it  is correctly installed, valid, trusted and doesn't give any errors to any of your users. To use the SSL Checker, simply enter your server's hostname (must be public) in the box below and click the Check SSL button.