SSL / TLS Certificate Validation / Checker Tools :
Http clear-text protocol is normally secured via an SSL or TLS tunnel, resulting in https traffic. In addition to providing encryption of data in transit, https allows the identification of servers (and, optionally, of clients) by means of digital certificates.
SSL Testing Criteria :Large number of available cipher suites and quick progress in cryptoanalysis makes judging a SSL server a non-trivial task. These criteria are widely recognised as minimum checklist:
- SSLv2, due to known weaknesses in protocol design
- SSLv3, due to known weaknesses in protocol design
- Compression, due to known weaknesses in protocol design
- Cipher suites with symmetric encryption algorithm smaller than 112 bits
- X.509 certificates with RSA key smaller than 2048 bits
- X.509 certificates with DSA key smaller than 2048 bits
- X.509 certificates signed using MD5 hash, due to known collision attacks on this hash
- TLS Renegotiation vulnerability
- NIST SP 800-52 recommends U.S. federal systems to use at least TLS 1.0 with ciphersuites based on RSA or DSA key agreement with ephemeral Diffie-Hellman, 3DES or AES for confidentality and SHA1 for integrity protection. NIST SP 800-52 specifically disallows non-FIPS compliant algorithms like RC4 and MD5. An exception is U.S. federal systems making connections to outside servers, where these algorithms can be used in SSL client mode.
- PCI-DSS v1.2 in point 4.1 requires compliant parties to use "strong cryptography" without precisely defining key lengths and algorithms. Common interpretation, partially based on previous versions of the standard, is that at least 128 bit key cipher, no export strength algorithms and no SSLv2 should be used.
- SSL Server Rating Guide has been proposed to standardize SSL server assessment and currently is in draft version.
SSLDigger v1.02 :
is a tool to assess the strength of SSL servers by testing the ciphers supported. Some of these ciphers are known to be insecure
Download Link :
Windows .NET Framework (can be installed using Windows Update)