SSL Validation and Troubleshooting

There may be times when we have a problem with an SSL certificate because of issues such as a missing intermediate certificate, a self-signed certificate and so on. It can be exhausting to figure out what exactly the problem is. Even though web browsers give some details about the problem, that is sometimes not enough to solve it. Several tools exist for battling this problem. In this post I will give you some information about those tools. I hope it will be fruitful.

1- SSL Labs: This web site is very helpful. It shows all the TLS versions and cipher suites that your website supports. It also lists the Java versions and web browsers supported by your website. If you do not like working on the command prompt, it is for you!

2- Calomel: An add-on SSL validation toolbar for Mozilla Firefox. It grades the strength of your SSL website in terms of parameters such as PFS, cipher suites, key exchange, signature, etc. You can see a sample validation for manintheit.org below.

[Image: Calomel validation result for manintheit.org (/natro/calomel1.png)]

3- Nmap: Nmap (Network Mapper) is an open source tool. It was designed for network exploration and scanning large networks. It is so versatile that it is also used for OS detection, host discovery and SSL validation. You can see an example for the website manintheit.org below.

Install Nmap:

#yum install nmap
[root@rhce ~]# nmap -sV --script ssl-enum-ciphers -p 443 manintheit.org

Starting Nmap 6.40 ( http://nmap.org ) at 2017-06-06 18:17 +03
Nmap scan report for manintheit.org (94.73.150.177)
Host is up (0.0086s latency).
rDNS record for 94.73.150.177: 94-73-150-177.cizgibilgisayar.com
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Apache httpd
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: weak
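The cipher list above comes from Nmap 6.40, which still rates the RC4 and 3DES suites as "strong", so a practitioner normally re-grades such output against a current policy. The following Python script is an added example (not part of the original post and not Nmap's own code): it parses a constructed, abbreviated ssl-enum-ciphers block in the format shown above and flags deprecated protocol versions, legacy algorithms and suites without forward secrecy. The policy lists and the sample block are assumptions chosen for the example.

```python
import re

# Constructed sample, abbreviated from the ssl-enum-ciphers format nmap prints.
SAMPLE = """\
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|_  least strength: weak
"""

PROTO_RE = re.compile(r"^\|\s{3}(SSLv[23]|TLSv1\.[0-3]):")      # "|   TLSv1.0:"
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+-\s+(\w+)")   # "|       TLS_... - strong"

# Local policy (an assumption of this example, not nmap's grading): these algorithm
# tokens and protocol versions are findings whatever grade nmap printed next to them.
LEGACY_ALGO = ("RC4", "3DES", "IDEA", "SEED", "_MD5", "NULL", "EXPORT")
LEGACY_PROTO = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

def parse_ciphers(output):
    """Return {protocol: [(suite, nmap_grade), ...]} from ssl-enum-ciphers output."""
    result, proto = {}, None
    for line in output.splitlines():
        if m := PROTO_RE.match(line):
            proto = m.group(1)
            result.setdefault(proto, [])   # "No supported ciphers" leaves an empty list
        elif (m := CIPHER_RE.match(line)) and proto:
            result[proto].append((m.group(1), m.group(2)))
    return result

def findings(parsed):
    """List (protocol, suite, reason) tuples to act on; suite '*' means the whole version."""
    out = []
    for proto, suites in parsed.items():
        if proto in LEGACY_PROTO and suites:
            out.append((proto, "*", "deprecated protocol version offered"))
        for suite, _grade in suites:
            algos = [a for a in LEGACY_ALGO if a in suite]
            if algos:
                out.append((proto, suite, "legacy algorithm " + "/".join(algos)))
            elif not suite.startswith(("TLS_ECDHE_", "TLS_DHE_")):
                out.append((proto, suite, "no forward secrecy (static RSA key exchange)"))
    return out
```

To use it on a real scan, pipe the nmap output into the script in place of SAMPLE; the regexes match the line layout of the Nmap 6.40 output shown above.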

4- OpenSSL: OpenSSL is an open source implementation of the SSL and TLS protocols; its libraries are written in the C language. It can be used for creating random keys, signing certificates, creating self-signed certificates and debugging SSL websites. Personally I prefer using OpenSSL because it is very fast and there is no need to install extra dependencies. It saved my life all the time :) . In debug mode it prints everything: client hello, server hello, cipher suites, TLS version, SSL certificates, etc. Almost everything.

[demo@rhce ~]$ openssl s_client -connect manintheit.org:443 -debug