Not only when working on IT security but also for daily sysadmin work, it’s essential to have the right tool for the job. Below are the three tools I reach for most when configuring, debugging and researching SSL/TLS. Let’s face it: with all the recent issues, you have to deal with SSL quite often. To make it less of a hassle, you should know these tools!
OpenSSL is my favorite tool for researching things without downloading and installing extra software; you’ll find it installed on practically every Linux server you work on. For research I usually use a dedicated virtual machine with OpenSSL and SSLyze installed. Here are some commands you need to know:
Remote: Checking the SSL certificate chain a server presents
openssl s_client -connect www.infected.io:443 -servername www.infected.io -showcerts
The -servername option sends the host name via SNI, so a server hosting several sites returns the certificate a browser would get; without it you may be looking at the wrong chain. Keep in mind that -showcerts prints what the server sends, not what a client would accept as trusted: the “Verify return code” line at the end of the output tells you whether OpenSSL could build a trusted chain from it.
Local: Get certificate information from a PEM file
openssl x509 -in worldofmultiplayer.com.crt -text -noout
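As an added example (not part of the original post), the following shell script strings those two commands together: it fetches the chain a server sends, splits the s_client output into one PEM file per certificate, and prints subject, issuer and expiry for each, warning when a certificate expires within 30 days. The host name www.infected.io in the usage comment is just the example from above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): fetch a server's certificate
# chain with s_client, split it into one PEM file per certificate, and
# print the interesting fields of each with openssl x509.

# Fetch the chain that the server sends for $1 (host) on $2 (port, default
# 443). -servername sets the TLS SNI extension; without it a server hosting
# several names may hand back a different certificate than a browser sees.
# </dev/null closes the connection once the handshake is done.
fetch_chain() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null
}

# Read PEM data on stdin and write every certificate block to $1/cert-N.pem.
# Anything outside the BEGIN/END CERTIFICATE markers (the s_client chatter)
# is dropped. Prints the number of certificates written.
split_chain() {
    outdir=$1
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; file = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > file }
        /-----END CERTIFICATE-----/   { inside = 0; close(file) }
        END { print n + 0 }
    '
}

# Print subject, issuer and expiry for each certificate in $1, and warn if
# one expires within 30 days (2592000 seconds) using x509 -checkend.
describe_chain() {
    dir=$1
    for f in "$dir"/cert-*.pem; do
        echo "== $f"
        openssl x509 -in "$f" -noout -subject -issuer -enddate
        if ! openssl x509 -in "$f" -noout -checkend 2592000 >/dev/null; then
            echo "WARNING: $f expires within 30 days"
        fi
    done
}

# Usage: check_chain www.infected.io [port]
check_chain() {
    tmp=$(mktemp -d)
    count=$(fetch_chain "$1" "${2:-443}" | split_chain "$tmp")
    echo "server sent $count certificate(s)"
    describe_chain "$tmp"
    rm -rf "$tmp"
}
```

The first file (cert-1.pem) is the server certificate, the rest are the intermediates the server chose to send; a missing intermediate shows up here as a short chain and as a non-zero “Verify return code” in the raw s_client output.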
There is a lot more OpenSSL can do. When I’m searching for something specific, I usually either google it or use the somewhat useful openssl help output.
Working with SSL is much more than checking certificates. Where you’re not allowed to, or simply can’t, use external services like Qualys SSL Labs, SSLyze is a real alternative. It checks not only HTTPS but also STARTTLS for SMTP, XMPP, POP3, FTP, IMAP, LDAP and RDP. To get started, download the current files from the repo; after extracting them you can run the ./sslyze.py command. SSLyze depends on OpenSSL.
Getting useful information about a host
./sslyze.py --regular infected.io
This command outputs the most interesting information: session renegotiation, Deflate compression, the OpenSSL Heartbleed vulnerability, session resumption, certificate content, certificate trust (chain validation against several trust stores), OCSP stapling and the cipher suites accepted for each protocol version.
It’s important to know that this tool will not give you any recommendations. You need to know what you’re looking for and what you have to change to make your SSL setup a strong one. If you’re looking for good configurations, check out the “Not a tool: cipherli.st” section below.
Qualys SSL Labs
Qualys is a well-known cloud security provider for network security scans and vulnerability management. Qualys SSL Labs is a free service that checks the details of HTTPS-secured websites. Of course, keep in mind that you’re allowing another company to scan your SSL settings. Those are “public” anyway, but it’s still something to be aware of. In all cases, tick “Do not show the results on the boards”, as we don’t know who is recording all the bad results out there…
I like Qualys because the results are easy to compare between sites, with grades ranging from F to A+ and colors showing what’s good and what isn’t. (Also, try a competition with a colleague over who configures nginx better.) You’re welcome to check out the infected.io SSL Labs results!
Not a tool: cipherli.st
Cipherli.st isn’t really a tool. If you’re lost and don’t know much about SSL setups and cipher suites, it’s the website you’re looking for. Cipherli.st doesn’t only have a memorable name; it also features really good configurations for most Linux server software with SSL settings: Apache, Nginx, Lighttpd, HAProxy, Postfix, Exim, Dovecot, ProFTPd, MySQL, DirectAdmin, PostgreSQL and OpenSSH.
I’m sure there are plenty more tools out there that help when working with SSL/TLS! Let me know what I missed in the comments below.