
11 FREE SSL/TLS Troubleshooting Tools for Webmasters

Introduction
According to Venafi research, SSL certificate misissuances increased 200% over the past year. At the same time, F5 Labs reports that TLS 1.0 and TLS 1.1 are still enabled on 20% of domains, leaving gaps that attackers can exploit.

As an IT security analyst at a cloud MSP, I see scenarios like these from clients daily: outdated ciphers that security scans somehow missed, or compromised wildcard certs that were never revoked and are now being abused. To combat these threats effectively, you need the right SSL/TLS troubleshooting tools.

Across my 12 years in cybersecurity, I've collected the best-of-breed utilities for unraveling SSL/TLS issues quickly and methodically. Consider this your starter kit for hardening the encryption that protects your websites and infrastructure against data breaches.

DeepViolet
DeepViolet is my go-to for scrutinizing the encryption configuration of internal systems. Unlike online scanning services, this open source Java tool runs inside your network, so it finds the missteps on systems behind the firewall perimeter that external tools never get to see.

For example, one manufacturing client had correctly deployed TLS 1.2 with modern ECDHE-RSA-AES cipher suites for their public website. Yet internally, back-office ERP traffic still rode on the obsolete 3DES and RC4 ciphers (RC4 has been prohibited in TLS by RFC 7465 since 2015). DeepViolet revealed these internal weaknesses that external free scanners could not reach.

We then used DeepViolet for routine scans of internal endpoints before major releases to confirm cipher policies and certificate hygiene. Within months, the client had eliminated the obsolete ciphers and adopted TLS 1.3 everywhere.

You too can leverage DeepViolet capabilities like:

  • Enumerating vulnerable cipher suites still lurking internally
  • Catching soon-to-expire certificates before outages occur
  • Graphing relationships in certificate chains to spot breaks
  • Automating checks through CLI and baked-in Java APIs

Find weaknesses before pen testers do by integrating DeepViolet scans into CI/CD. Protect your most sensitive environments by inspecting them directly rather than relying on external proxy checks.

Get DeepViolet: https://github.com/spoofzu/DeepViolet

SSL Diagnos
When you need a quick pulse-check on SSL/TLS health, SSL Diagnos delivers simple yet meaningful verdicts. Think of it as an open-source report card: a single letter grade, A+ through F, summarizing how well a server is configured.

One use case is measuring the effect of changes over time. For instance, after disabling TLS 1.0, use SSL Diagnos to confirm it no longer shows up as active across your infrastructure and that your grade has moved up to an "A".

Internally, this scanner mainly leverages OpenSSL. Consider it a user-friendly front end that distills the key details into an overall score measuring adherence to current best practices, such as PCI DSS 3.2's requirement to retire SSL and early TLS.

Additional perks include:

  • Multi-protocol testing including SMTP and FTP
  • Support for IPv6 environments
  • Traffic-light color coding that shows secure-configuration status at a glance

Keep your grade improving by running SSL Diagnos monthly. Think of it as an SSL/TLS report card that motivates you to maintain good security hygiene.

Get SSL Diagnos: https://sourceforge.net/projects/ssldiagnos/

SSLyze
SSLyze is the expert advisor you want inspecting your configured ciphers and protocols and examining endpoints for overlooked holes.

This open source Python scanner has helped me convince numerous reluctant clients to finally retire TLS 1.0 and weak CBC suites once they see clear evidence of the risk. Its detailed yet readable JSON output (older 2.x releases also produced XML) provides the indisputable proof to back informed recommendations.

Beyond surfacing issues, SSLyze enables automation and scaling of TLS management initiatives across fleets of servers and load balancers. For example, one cloud customer needed centralized visibility across their AWS ELB instances dispersed globally.

By containerizing SSLyze into their CI/CD pipeline, every build now runs checks for newly banned ciphers based on internal policies. They get consistent TLS hardening globally rather than relying on error-prone manual per-region configuration.

You too can operationalize SSLyze by:

  • Adding scans to your CI/CD framework, such as Jenkins, for consistent standards enforcement
  • Using its StartTLS support (SMTP, XMPP, LDAP, FTP, IMAP, POP3 and others) to probe the internal east-west traffic that is often ignored
  • Generating machine-readable JSON output to feed into analytics stacks

Download SSLyze to take advantage of its robust feature set and act on its actionable findings.
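The CI/CD gate and SIEM feed described in this section are easy to build once you have SSLyze's JSON report. The following is an added example written for this article, not code from the SSLyze project: it walks a scan report, tags every accepted cipher suite (64-bit block ciphers, CBC mode, broken algorithms, lack of forward secrecy), flags deprecated protocol versions and soon-to-expire certificates, emits one JSON line per finding for Splunk or Elastic, and returns a non-zero exit status when anything high-severity is present. The embedded report is a constructed sample modelled on the shape of sslyze's --json_out file; the exact field names are assumptions and should be checked against the sslyze version you run.

```python
"""CI gate over SSLyze-style JSON scan output (added example, not sslyze code)."""
import json
import sys
from datetime import datetime, timezone

# Token matches against IANA suite names. DES/3DES/IDEA use 64-bit blocks
# (the SWEET32 targets); RC4, NULL, EXPORT and anonymous suites are broken.
BLOCK_64 = ("3DES", "_DES_", "IDEA")
BROKEN = ("RC4", "_NULL_", "EXPORT", "_anon_")
DEPRECATED_PROTOCOLS = ("ssl_2_0", "ssl_3_0", "tls_1_0", "tls_1_1")
MODERN_PROTOCOLS = ("tls_1_2", "tls_1_3")
EXPIRY_WARN_DAYS = 30
FIXED_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # pinned so the sample is reproducible


def _suites(*names):  # builds the assumed sslyze-like per-protocol result shape
    return {"result": {"accepted_cipher_suites": [{"cipher_suite": {"name": n}} for n in names]}}


def _cert(not_after):  # builds the assumed sslyze-like certificate_info shape
    return {"result": {"certificate_deployments": [
        {"received_certificate_chain": [{"not_valid_after": not_after}]}]}}


# Constructed sample: a clean public portal and a legacy internal ERP host.
SAMPLE_REPORT = {"server_scan_results": [
    {"server_location": {"hostname": "portal.example.test", "port": 443},
     "scan_result": {"tls_1_0_cipher_suites": _suites(),
                     "tls_1_2_cipher_suites": _suites("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
                     "tls_1_3_cipher_suites": _suites("TLS_AES_256_GCM_SHA384"),
                     "certificate_info": _cert("2024-12-18T00:00:00+00:00")}},
    {"server_location": {"hostname": "erp.internal.test", "port": 8443},
     "scan_result": {"tls_1_0_cipher_suites": _suites("TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
                     "tls_1_2_cipher_suites": _suites("TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                                                      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"),
                     "certificate_info": _cert("2024-06-11T00:00:00+00:00")}},
]}


def classify_suite(name):
    """Map one IANA cipher-suite name to the set of policy tags it violates."""
    tags = set()
    if any(tok in name for tok in BLOCK_64):
        tags.add("64bit-block")
    if any(tok in name for tok in BROKEN):
        tags.add("broken")
    if "_CBC_" in name:
        tags.add("cbc")
    # TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) always use ephemeral key exchange.
    forward_secret = ("_ECDHE_" in name or "_DHE_" in name
                      or name.startswith(("TLS_AES_", "TLS_CHACHA20_")))
    if not forward_secret:
        tags.add("no-forward-secrecy")
    return tags


def evaluate(report, now=FIXED_NOW):
    """Return a flat list of findings; each dict is one JSON line for the SIEM."""
    findings = []
    for entry in report["server_scan_results"]:
        loc = entry["server_location"]
        host = f'{loc["hostname"]}:{loc["port"]}'
        scan = entry["scan_result"]
        for proto in DEPRECATED_PROTOCOLS + MODERN_PROTOCOLS:
            block = scan.get(f"{proto}_cipher_suites")
            if not block:
                continue
            accepted = [s["cipher_suite"]["name"] for s in block["result"]["accepted_cipher_suites"]]
            if accepted and proto in DEPRECATED_PROTOCOLS:
                findings.append(dict(host=host, severity="high", rule="deprecated-protocol", detail=proto))
            for suite in accepted:
                for tag in sorted(classify_suite(suite)):
                    sev = "high" if tag in ("64bit-block", "broken") else "medium"
                    findings.append(dict(host=host, severity=sev, rule=tag, detail=f"{proto}:{suite}"))
        chain = scan["certificate_info"]["result"]["certificate_deployments"][0]["received_certificate_chain"]
        days_left = (datetime.fromisoformat(chain[0]["not_valid_after"]) - now).days
        if days_left < 0:
            findings.append(dict(host=host, severity="high", rule="certificate-expired", detail=f"{days_left}d"))
        elif days_left < EXPIRY_WARN_DAYS:
            findings.append(dict(host=host, severity="medium", rule="certificate-expiring", detail=f"{days_left}d"))
    return findings


def gate(report, now=FIXED_NOW):
    """CI exit status: 1 if any high-severity finding exists, else 0."""
    return 1 if any(f["severity"] == "high" for f in evaluate(report, now)) else 0


if __name__ == "__main__":
    # Usage: python tls_gate.py [sslyze_report.json]; without an argument the sample runs.
    use_file = len(sys.argv) > 1
    report = json.load(open(sys.argv[1])) if use_file else SAMPLE_REPORT
    now = datetime.now(timezone.utc) if use_file else FIXED_NOW
    for finding in evaluate(report, now):
        print(json.dumps(finding))
    sys.exit(gate(report, now))
```

In the sample the public portal produces no findings while the internal ERP host produces nine, including two 64-bit-block hits and an expiring certificate, and the gate exits 1, which is exactly the "external scan says A, internal host is still broken" situation the rest of this article describes. The findings are flat key/value records so that a Splunk or Elastic dashboard can pivot on host, rule and severity without further parsing.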

Get SSLyze: https://github.com/nabla-c0d3/sslyze

Comparison of Tools
With so many utilities available, it helps to contrast their capabilities: platform compatibility, integrations, output formats, protocols covered and more.

Here's a high-level overview of the key decision points:

| Tool | Platforms Supported | Integrations | Output Formats | Protocols Tested | Best For |
|---|---|---|---|---|---|
| DeepViolet | Windows, Linux, macOS | Jenkins, CI/CD | Text, JSON | HTTPS, LDAP | Internal testing |
| SSL Diagnos | Windows, Linux, macOS | None | Text | HTTPS, FTPS, SMTPS, etc. | Quick overall rating |
| SSLyze | Windows, Linux, macOS | Jenkins, Docker | Text, JSON | HTTPS, plus StartTLS for SMTP, XMPP, LDAP, FTP, IMAP, POP3 | Centralized/automated scanning |
| OpenSSL | Windows, Linux, macOS | Shell scripts | Text | HTTPS and many others | General cryptography troubleshooting |
| ssllabs-scan | Windows, Linux, macOS | None | Text, JSON | HTTPS | Command-line client for the SSL Labs API (requires Internet access; it is not an offline simulation) |

Complementary Tools
These SSL/TLS scanners find encryption-specific configuration issues and vulnerabilities. For comprehensive coverage, more general IT security scanners should run alongside them.

Network vulnerability scanners like OpenVAS and Nessus detect adjacent weaknesses, such as outdated web server versions with bugs of their own.

Combining network scans that probe open ports and services with TLS-aware tools that inspect cipher configurations gives layered insight and reduces blind spots.

Log aggregation platforms like Splunk and Elastic offer a further way to scale oversight by centralizing the outputs of these TLS scanners.

Funnel scanner findings into Splunk or another security information and event management (SIEM) solution to build dashboards and historical tracking across on-premises and cloud infrastructure.

Kicking the Tires
These SSL/TLS tools generate a lot of useful data. But what does it look like in practice when trouble strikes?

Recently one financial services customer received an ominous penetration test finding: they were vulnerable to SWEET32, a birthday attack on ciphers with 64-bit blocks (3DES in TLS). After roughly 2^32 blocks, about 32 GB within a single long-lived session, repeated ciphertext blocks leak plaintext, enough to recover a session cookie.

Armed with SSLyze already integrated into their Jenkins pipelines and dashboarding via Splunk, they quickly identified the outdated 3DES and Blowfish symmetric ciphers supported on their main banking portal and three payment processors. (Note that no standard TLS cipher suite uses Blowfish; on a TLS endpoint the 64-bit block cipher you will actually see negotiated is 3DES, or occasionally IDEA. Blowfish shows up in other channels such as legacy VPN configurations.)

Using testssl.sh they also confirmed the presence of vulnerable block ciphers:

 Testing vulnerabilities

 SWEET32 (CVE-2016-2183, CVE-2016-6329)  VULNERABLE:
   64 bit block cipher 3DES vulnerable to SWEET32 attack
   Known vulnerable:
     3DES       168 bits
   Susceptible to SWEET32 attack:
     Blowfish   160 bits
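The SWEET32 finding above rests on the birthday bound for 64-bit blocks, and the following added example (written for this article, not output from testssl.sh or any of the tools discussed) shows why the tool treats 3DES as vulnerable while AES, with 128-bit blocks, is not. It computes how much data a single session can carry before two identical ciphertext blocks are likely, and answers whether a session of a given size is already at risk.

```python
"""Birthday bound behind SWEET32 (added example, not code from any tool on this page)."""
import math

BLOCK_SIZES = {"3DES": 64, "IDEA": 64, "Blowfish": 64, "AES": 128}


def blocks_for_collision(block_bits, probability=0.5):
    """Blocks after which a repeated ciphertext block occurs with the given
    probability: n ~ sqrt(2 * 2^b * ln(1 / (1 - p)))  (birthday bound)."""
    space = 2.0 ** block_bits
    return math.sqrt(2.0 * space * math.log(1.0 / (1.0 - probability)))


def bytes_for_collision(block_bits, probability=0.5):
    """Same bound expressed in bytes of ciphertext on the wire."""
    return blocks_for_collision(block_bits, probability) * (block_bits // 8)


def session_at_risk(cipher, bytes_sent, probability=0.01):
    """True if one session has already carried enough data that a collision,
    and therefore a plaintext leak, is likely at the given probability."""
    return bytes_sent >= bytes_for_collision(BLOCK_SIZES[cipher], probability)


def summary(probability=0.5):
    """Human-readable bound per cipher, in GiB; AES comes out in the exabyte range."""
    gib = 2.0 ** 30
    return {name: round(bytes_for_collision(bits, probability) / gib, 1)
            for name, bits in BLOCK_SIZES.items()}


if __name__ == "__main__":
    for name, limit in summary().items():
        print(f"{name:9s} 50% collision after ~{limit:,} GiB in one session")
    # A 64 GiB backup transfer over a 3DES session is well past the bound.
    print("3DES 64 GiB session at risk:", session_at_risk("3DES", 64 * 2 ** 30))
    print("AES  64 GiB session at risk:", session_at_risk("AES", 64 * 2 ** 30))
```

The 50% bound for a 64-bit block cipher lands a little above 2^32 blocks, the ~32 GB figure usually quoted for SWEET32, and it is a per-session figure: the attack needs one long-lived connection, which is why keep-alive HTTPS sessions and VPN tunnels are the realistic targets. For AES the same bound is hundreds of exabytes, which is why removing 64-bit block ciphers, rather than shortening sessions, is the fix.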

Since an external scan had given these systems A ratings just months earlier, at first this looked like a false positive.

However, by using Geekflare's TLS scanning API, they verified that these backend systems still accepted deprecated symmetric ciphers with 64-bit blocks, even though the front-end portal itself negotiated modern ciphers:

{
  "protocols": [
    "TLSv1.2"
  ],
  "key_algorithms": [
    "RSA" 
  ],
  "cipher_algorithms": [
    "3DES", 
    "Blowfish"
  ],
  "grade": "F"
}

This clear evidence validated the pen test report. More powerfully, the executive dashboard visibility into the risk let them drive remediation across all 22 affected systems in just two weeks.

They discussed the cuts and bruises along the way at the recent SecureWorld Expo. Had they relied solely on external scans, or not built unified visibility with tools like SSLyze and Mozilla's Cipherscan, this serious vulnerability could have gone undiscovered.

Conclusion
I hope this breakdown gives you a launching pad toward robust SSL/TLS management, as it has for so many peers and customers I've advised.

Please reach out on Twitter @jpwu101 with any other tools you rely on that deserve a mention. I'm always looking to improve coverage through crowd wisdom! Chime in with your war stories and use cases as well.


Written by Alexis Kestler

A female web designer and programmer, now a 36-year-old IT professional with over 15 years of experience, living in NorCal. I enjoy keeping my feet wet in the world of technology through reading, working, and researching topics that pique my interest.