Admin... by accident!

You may have chosen to be an admin. I didn't!

  • Home
  • FreeBSD
  • GNU/Linux
  • Security
  • Network
  • Virtualization
  • Politics
  • Github
  • Donate
  • Me

How to test SSL/TLS configurations

April 18, 2021 by Albert Valbuena

If you are in charge of any site with SSL/TLS conenctions enabled you are always in the chase to get the best possible and most secure configuration. This isn’t always the case and the lack of time does take its toll on many administrators. Those individuals are always asked to do more with less and sometimes what they are asked to do is simply ridiculous. Automation can help but first one needs to find the right tools.

To test SSL/TLS configurations there are a few tools in the market. There are also sites that will examine your configuration for free. One of these sites is hosted at SSLLabs.com, a site property of Qualys, a cyber security company.

If you find the articles in Adminbyaccident.com useful to you, please consider making a donation.

By placing your domain name you get a free examination for your SSL/TLS configuration.

You should always aim to the highest result possible.

If you need to do this en mass, Qualys does also have a program to access their API and for a fee you can test as many sites as you need. However, that is a paid service.

There’s an alternative you may want to use before using any third party verification software. Enter testssl.sh.

This wonderful program helps anyone to test SSL/TLS configurations at no cost, straight from the command line and with a clear view of what is OK, what is a warning and what bits of the configuration are wrong. It is available on every GNU/Linux distro and on the BSDs as well. You can also get its latest iteration from the project’s github repostory. Donations to the project are welcome, so you can help them out on improving the tools for our security.

This is an example of how to install testssl.sh on FreeBSD.

albert@BSDVM:~ % uname -a
FreeBSD BSDVM 12.2-RELEASE-p4 FreeBSD 12.2-RELEASE-p4 GENERIC amd64
albert@BSDVM:~ % pkg search testssl.sh
testssl.sh-3.0.4 Analyze and report TLS/SSL configuration/misconfiguration
albert@BSDVM:~ % sudo pkg install -y testssl.sh
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 3 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
bash: 5.1.4_1
openssl-unsafe: 1.0.2.20170706
testssl.sh: 3.0.4

Number of packages to be installed: 3

The process will require 23 MiB more space.
4 MiB to be downloaded.
[1/3] Fetching testssl.sh-3.0.4.txz: 100% 677 KiB 693.1kB/s 00:01
[2/3] Fetching bash-5.1.4_1.txz: 100% 1 MiB 1.5MB/s 00:01
[3/3] Fetching openssl-unsafe-1.0.2.20170706.txz: 100% 2 MiB 2.1MB/s 00:01
Checking integrity... done (0 conflicting)
[1/3] Installing bash-5.1.4_1...
[1/3] Extracting bash-5.1.4_1: 100%
[2/3] Installing openssl-unsafe-1.0.2.20170706...
[2/3] Extracting openssl-unsafe-1.0.2.20170706: 100%
[3/3] Installing testssl.sh-3.0.4...
[3/3] Extracting testssl.sh-3.0.4: 100%
=====
Message from openssl-unsafe-1.0.2.20170706:

--
/!\ ================================ /!\ ============================== /!\
/!\ /!\
/!\ This openssl version is for security testing/scanning purposes only /!\
/!\ /!\
/!\ DO NOT USE FOR PRODUCTION PURPOSES /!\
/!\ /!\
/!\ ================================ /!\ ============================== /!\
albert@BSDVM:~ %

Once installed let’s test SSL/TLS configurations from some site.

To use testssl.sh one just needs to invoke it and point to a domain or IP and wait for results. Since the output is a bit long I’ll leave the full result view for the tinkerer among the Adminbyaccident.com readers. However, I’d like to comment on a few places.

This next site is not very well configured so it’s got a few places where testssl.sh will complain. Furthermore, the certificate in use is self signed which will be also pointed out by the tool.

An interesting bit is where testssl.sh looks for vulnerabilities.

This particular box is vulnerable to the SWEET attack. And the tool has found it.

But there are other interesting bits, such as how headers have been configured. This is an important bit so connection downgrade attacks (from HTTPS to HTTP) can’t be performed, or cross-site ones are also blocked.

No security headers is a bad sign. To test SSL/TLS configurations and find no results on the ‘Strict Transport Security’’ find a full ‘Server banner’ and no ‘Security headers’ gives a very bad impression.

The testssl.sh tool does also look for other misconfigurations such as offering older versions of the SSL/TLS protocols like SSLv2, SSLv3 or the already deprecated too, TLSv1.0 and TLSv1.1. Mind the only current ones are TLSv1.2 and TLSv1.3 at the time of writing this piece.

To find this old protocol versions being offered is also important. Many corporations are still offering old versions of the protocols. They why is unimportant. They need to fix this ASAP.

Another important bit is if the SSL/TLS configuration is supported on the clients that will use the server.

Testssl.sh does more things, like checking perfect forward secrecy, checks the supported cipher suites, checks the certificate in and out and a few more bits.

A very nice tool to test SSL/TLS configurations everywhere. With a bit of time and a small script this can be used to automate findings in large environments. Some may be surprised of the results.

If you are one of those do not hesitate to help the project and donate some needed money, or even some of your skills!

To conclude if you need some help on how to configure some of the security bits on your Apache HTTP you can read a couple of guides I’ve written on this topic.

https://www.adminbyaccident.com/security/how-to-harden-apache-http/

https://www.digitalocean.com/community/tutorials/recommended-steps-to-harden-apache-http-on-freebsd-12-0

If you find the articles in Adminbyaccident.com useful to you, please consider making a donation.

Filed Under: How To's, How To's, Security

Recent Posts

  • How to install Mate on FreeBSD 12/13
  • How to install Nessus 10 on FreeBSD 12
  • How to enable TLS traffic from the origin server on Cloudflare Argo Tunnel
  • How to use Cloudflare’s Argo Tunnel service to publish a website on FreeBSD 12/13
  • How to setup MariaDB master-slave replication on FreeBSD
  • How to upload a FreeBSD custom image on DigitalOcean
  • How to install Drupal 9 on FreeBSD 13.0
  • How to manage site visitors based on IP Geolocation
  • How to enable Geolocation in AWStats on FreeBSD 13.0
  • How to install AWStats on FreeBSD 13.0
  • How to configure Modsecurity 3 for WordPress on FreeBSD
  • How to configure Apache HTTP with a TLS reverse proxy backend on FreeBSD
  • How to detect a WAF – Web Application Firewall
  • How to install Matomo 4 on FreeBSD
  • How to test SSL/TLS configurations
  • How to configure Apache HTTP as a reverse proxy on FreeBSD
  • How to install Nextcloud on FreeBSD 12
  • How to install ModSecurity 3 on FreeBSD
  • How to replace a disk on a ZFS mirror pool
  • How to install Webmin on FreeBSD 12

Archives

  • February 2023
  • January 2023
  • December 2022
  • April 2022
  • March 2022
  • October 2021
  • September 2021
  • June 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • January 2021
  • December 2020
  • July 2020
  • June 2020
  • May 2020
  • April 2020
  • March 2020
  • February 2020
  • January 2020
  • December 2019
  • November 2019
  • October 2019
  • August 2019
  • July 2019
  • June 2019
  • May 2019
  • April 2019
  • March 2019
  • February 2019
  • January 2019
  • September 2018
  • June 2018
  • May 2018
  • April 2018
  • February 2018
  • January 2018
  • November 2017
  • April 2017

RSS Admin… by accident!

  • How to install Mate on FreeBSD 12/13
  • How to install Nessus 10 on FreeBSD 12
  • How to enable TLS traffic from the origin server on Cloudflare Argo Tunnel
  • How to use Cloudflare’s Argo Tunnel service to publish a website on FreeBSD 12/13
  • How to setup MariaDB master-slave replication on FreeBSD
  • How to upload a FreeBSD custom image on DigitalOcean
  • How to install Drupal 9 on FreeBSD 13.0
  • How to manage site visitors based on IP Geolocation
  • How to enable Geolocation in AWStats on FreeBSD 13.0
  • How to install AWStats on FreeBSD 13.0

Copyright © 2023 · Magazine Pro Theme on Genesis Framework · WordPress · Log in