When running web application security assessments it is mandatory to evaluate the security stance of the SSL\/TLS (HTTPS) implementation and configuration. OWASP has a couple of references the author strongly recommends taking a look at, the “OWASP-CM-001: Testing for SSL-TLS” checks, part of the OWASP Testing Guide v3, and the Transport Layer Protection Cheat Sheet.<\/p>\n
There have been several tools to test for SSL and TLS security misconfiguration along the years, but still today, lots of people get the output from all these tools and are not very sure what they need to look at. Apart from the SSL\/TLS web application best practices, it is important to also check the security of SSL\/TLS at the web platform layer. One such tool is:<\/p>\n
SSLyze v0.4 Released \u2013 Scan & Analyze SSL Server Configuration<\/a><\/p>\n The purpose of the TLSSLed tool (named from the idea of your website being TLS\/SSL-ed, that is, using “https;\/\/”) is to simplify the output of a couple of commonly used tools, and highlight the most relevant security findings of any target SSL\/TLS implementation. It is based on sslscan, a thorough SSL\/TLS scanner that is based on the openssl library, and on the “openssl s_client” command line tool.<\/p>\n TLSSLed is a Linux shell script inspired on ssl_test.sh by Aung Khant, where a few optimizations have been made to reduce the stress on the target web server (sslscan is run only once and the results are stored on a local file), and some tests have been added and tuned.<\/p>\n The current tests include checking if the target supports the SSLv2 protocol, the NULL cipher, weak ciphers based on their key length (40 or 56 bits), the availability of strong ciphers (like AES), if the digital certificate is MD5 signed, and the current SSL\/TLS renegotiation capabilities.<\/p>\n New in version 1.2:<\/strong> Mac OS X support, an initial check to verify if the target service speaks SSL\/TLS, a few optimizations, and new tests for TLS v1.1 & v1.2 (CVE-2011-3389 aka BEAST).<\/p>\n New in version 1.1:<\/strong> Certificate public key length, the certificate subject and issuer (CA), as well as the validity period. It also checks the existence of HTTP secure headers, such as Strict-Transport-Security and cookies with and without the “secure” flag set.<\/p>\n You can download TLSSLed v1.2 here:<\/p>\n