🔏Testing SSL/TLS

How to review TLS configurations.

Personally, I find the best tool for reviewing TLS protocols and ciphers is TestSSL

However, you could also use this public web application to do it: ssllabs

TestSSL is very easy, you simply use the following command with the hostname you're testing:

testssl google.com

TestSSL will first show you any SSL/TLS protocols that are enabled on the server. These protocols are what set up and drive the encryption mechanisms.

These days, all SSL protocols and TLS 1.0 should NEVER be enabled as they are very weak.

TLS 1.1 is not recommended either but is normally enabled to support legacy systems. If this is not a worry for you, then disable TLS 1.1 and use TLS 1.2. Better yet, use TLS 1.3.

The next thing TestSSL presents is the enabled cipher suites per SSL/TLS protocol. Cipher suites determine how the data in transit is encrypted, and some configurations are weak.

Ciphers can be weak because they use components that have known vulnerabilities. For example, any cipher that uses 3DES as the encryption algorithm (shown above) is weak due to a known timing attack against the algorithm, which can lead to data decryption. There are many reasons a cipher may be vulnerable, so the best way to check is by using ciphersuite.info
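To make the two review steps above concrete (the protocol list first, then the cipher suites per protocol), here is an added Python example; it is not part of the original page and not code from the testssl.sh project. It triages a constructed scan result written in the IANA cipher-suite naming that both testssl.sh and ciphersuite.info display, walks each suite's key-exchange, encryption and MAC components to explain why it is rated as it is, and ends with the matching server-side fix using the standard-library ssl module. The insecure/weak/recommended scale and the sample scan are my own assumptions, not ciphersuite.info's official ratings or a real host.

```python
"""Triage a TLS scan against the protocol/cipher advice, then show the fix.

Added example (not from the original page or from testssl.sh). The
severity scale below approximates ciphersuite.info's labels; it is an
assumption, not the site's own rating logic.
"""
import re
import ssl

# Protocol advice from the text: SSL and TLS 1.0 off, TLS 1.1 only for
# legacy clients, TLS 1.2 acceptable, TLS 1.3 preferred.
PROTOCOL_VERDICT = {
    "SSLv2": "disable",
    "SSLv3": "disable",
    "TLS 1.0": "disable",
    "TLS 1.1": "legacy only: disable unless old clients need it",
    "TLS 1.2": "ok",
    "TLS 1.3": "preferred",
}

# Constructed scan result (not a real host): what a server that still
# serves legacy clients might show as enabled.
SAMPLE_SCAN = {
    "protocols": ["TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3"],
    "ciphers": [
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_RSA_WITH_RC4_128_MD5",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_AES_256_GCM_SHA384",
    ],
}


def check_protocols(enabled):
    """Map each enabled protocol name to the verdict for it."""
    return {proto: PROTOCOL_VERDICT.get(proto, "unknown") for proto in enabled}


def analyse_cipher_suite(name):
    """Return (rating, reasons) for an IANA-style suite name.

    Splits TLS_<kx>_WITH_<enc>_<mac>: key exchange decides authentication
    and forward secrecy, the bulk cipher and mode decide confidentiality,
    the trailing hash names the MAC.
    """
    reasons = []
    insecure = False
    weak = False

    # TLS 1.3 suites (TLS_AES_128_GCM_SHA256, ...) have no key-exchange
    # part: ephemeral (EC)DH and AEAD are fixed by the protocol itself.
    m = re.fullmatch(r"TLS_(?P<kx>.+?)_WITH_(?P<enc>.+)", name)
    if m is None:
        return "recommended", reasons
    kx, enc = m.group("kx"), m.group("enc")

    if kx == "NULL" or "anon" in kx:
        insecure = True
        reasons.append("no server authentication")
    elif not kx.startswith(("DHE", "ECDHE")):
        weak = True
        reasons.append(f"{kx} key exchange provides no forward secrecy")

    if "EXPORT" in name:
        insecure = True
        reasons.append("export-grade key sizes")
    if enc.startswith("NULL"):
        insecure = True
        reasons.append("no encryption")
    if "RC4" in enc:
        insecure = True
        reasons.append("RC4 stream cipher is broken")
    if re.search(r"(^|_)DES_", enc):
        insecure = True
        reasons.append("single DES (56-bit key)")
    if "3DES" in enc:
        weak = True
        reasons.append("3DES has a 64-bit block size (Sweet32 birthday attack)")
    if "_CBC_" in enc:
        weak = True
        reasons.append("CBC mode is not AEAD (padding-oracle class of attacks)")

    if enc.endswith("_MD5"):
        insecure = True
        reasons.append("MD5-based MAC")
    elif enc.endswith("_SHA"):
        weak = True
        reasons.append("HMAC-SHA1 MAC")

    if insecure:
        return "insecure", reasons
    if weak:
        return "weak", reasons
    return "recommended", reasons


def triage(scan):
    """Combine both checks into the two lists an operator has to act on."""
    protocols = check_protocols(scan["protocols"])
    ciphers = {c: analyse_cipher_suite(c) for c in scan["ciphers"]}
    return {
        "protocols": protocols,
        "ciphers": ciphers,
        "disable_protocols": [p for p, v in protocols.items() if v == "disable"],
        "review_ciphers": [c for c, (r, _) in ciphers.items() if r != "recommended"],
    }


def hardened_server_context():
    """Server-side fix: TLS 1.2 minimum, forward-secret AEAD suites only.

    Stdlib ssl module; the cipher string is OpenSSL syntax. The positive
    selectors admit only ECDHE/DHE with AES-GCM or ChaCha20, so 3DES, RC4
    and MD5 suites can never be chosen.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5")
    return ctx


def hardened_context_summary():
    """Expose the hardened context's settings as plain values for checking."""
    ctx = hardened_server_context()
    return {
        "minimum_version": ctx.minimum_version.name,
        "cipher_names": [c["name"] for c in ctx.get_ciphers()],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_SCAN)
    for proto, verdict in report["protocols"].items():
        print(f"{proto:8} {verdict}")
    for suite, (rating, reasons) in report["ciphers"].items():
        print(f"{rating:12} {suite}  {'; '.join(reasons)}")
    print("hardened minimum version:", hardened_context_summary()["minimum_version"])
```

Run it directly to see the per-suite reasons for the sample scan; feeding it the suite names from a real testssl run is a matter of replacing SAMPLE_SCAN. The per-component reasons are the useful part: when a suite is only "weak" because of the RSA key exchange or CBC mode, you know which server-side change (prefer ECDHE, prefer GCM/ChaCha20) removes the finding, which a single red/green label does not tell you.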

An example weak 3DES cipher can be viewed via the URL below:

https://ciphersuite.info/cs/TLS_RSA_WITH_3DES_EDE_CBC_SHA/

This page shows all the reasons why this cipher should not be used.

This website also presents the currently recommended ciphers that should be enabled.

If you would like to see this in action, take a look at the video below:
