SSL TLS cipher suites testing - PSJoshi/Notes GitHub Wiki
- Testing TLS/SSL encryption anywhere on any port - https://github.com/drwetter/testssl.sh
- Fast and powerful SSL/TLS scanning library - https://github.com/nabla-c0d3/sslyze
- Find out which SSL cipher suites are supported by a target - https://github.com/jvehent/cipherscan
- C-based sslscan tests SSL/TLS enabled services to discover supported cipher suites - https://github.com/rbsec/sslscan
- Online tool on SSL Labs' website to query the Public SSL Server Database - https://www.ssllabs.com/ssltest/index.html
- SSLMap - TLS/SSL cipher suite scanner - https://github.com/iphelix/sslmap
- Blazing fast SSL/TLS scanner (non-blocking, event-driven) and X.509 certificate scanner - https://github.com/prbinu/tls-scan
- Cipher suite hardening - https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/
Ranking ciphers criterion
Rank goes from "A+" (perfect) to "F" (very weak). "M" means your certificate and your hostname mismatch. "T" means your certificate is not issued by a valid root certificate authority.
Only a perfect setup gets a perfect score and an "A" rank :). The "A" score is based on the RFC 7525 recommendations.
Protocol
- SSL (v2 and v3) are totally deprecated now because of very serious known vulnerabilities (POODLE…). Supporting either of them caps your rank at "F".
- TLSv1 and TLSv1.1 suffer from the POODLE TLS vulnerability.
- TLSv1.2 is the only remaining protocol with no known vulnerabilities, so if you don't support it, your rank is capped at "B".
Key size
- If you use a certificate key shorter than 2048 bits, your rank is capped at "B".
Ciphers
- Very weak ciphers, including MD5 hashes, anonymous DH parameters, NULL ciphers (yes, they exist…), export ciphers (FREAK) or weak ciphers (RC4, DES…) cap your rank at "F".
- 3DES is considered weak and must be avoided; using it caps your score at "C".
Score
- Protocol score is based on the weakest protocol you support: SSLv2 = 0, SSLv3 = 20, TLSv1 = 60, TLSv1.1 = 80, TLSv1.2 = 100.
- Key score is based on your certificate key size: <512 = 10, <1024 = 20, <2048 = 50, <4096 = 90, ≥4096 = 100.
- Cipher score is based on the weakest cipher you support: 0 = 0, <112 = 10, <128 = 50, <256 = 90, ≥256 = 100.
- Overall score is based on the other scores: overall = 0.3 * protocol + 0.3 * key + 0.4 * cipher
Best practices
- PFS: you gain this flag when you support only perfect forward secrecy ciphers (DHE or ECDHE).
- HSTS: you gain this flag when you protect yourself with HTTP Strict Transport Security.
- Long HSTS: you gain this flag when you support HSTS with a duration of at least 6 months.
Rank
- Rank is based on your overall score and the caps above: <20 = F, <35 = E, <50 = D, <65 = C, <80 = B, ≥80 = A.
- If you get an "A" and you have all the best practices above, you get "A+".
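The score, cap and best-practice rules above carried through as an added worked example (not code from the wiki or from any scanner project). It assumes a configuration is described by its accepted protocol versions, certificate key size and the key lengths of its offered cipher suites, with weak_ciphers and triple_des as assumed flags for the two cipher caps.

```python
# Added example, not code from the wiki or from any scanner project: applies the
# score, cap and best-practice rules above to a described TLS configuration.
# Inputs are constructed; weak_ciphers and triple_des are assumed boolean flags.

PROTOCOL_SCORE = {"SSLv2": 0, "SSLv3": 20, "TLSv1": 60, "TLSv1.1": 80, "TLSv1.2": 100}
RANKS = ["F", "E", "D", "C", "B", "A"]  # weakest to strongest

def lookup(value, table, default):
    """Score from the first (limit, score) row whose limit exceeds value."""
    for limit, score in table:
        if value < limit:
            return score
    return default

def key_score(bits):
    return lookup(bits, [(512, 10), (1024, 20), (2048, 50), (4096, 90)], 100)

def cipher_score(bits):
    return 0 if bits == 0 else lookup(bits, [(112, 10), (128, 50), (256, 90)], 100)

def rank_from_score(overall):
    return lookup(overall, [(20, "F"), (35, "E"), (50, "D"), (65, "C"), (80, "B")], "A")

def grade(protocols, key_bits, cipher_bits, weak_ciphers=False,
          triple_des=False, pfs=False, hsts=False, long_hsts=False):
    """Return (overall score, rank) from the accepted protocol versions, the
    certificate key size and the key lengths of the offered cipher suites."""
    protocol = min(PROTOCOL_SCORE[p] for p in protocols)  # weakest protocol
    key = key_score(key_bits)
    cipher = cipher_score(min(cipher_bits))               # weakest cipher
    # overall = 0.3*protocol + 0.3*key + 0.4*cipher, kept in exact integer arithmetic
    overall = (3 * protocol + 3 * key + 4 * cipher) / 10
    rank = rank_from_score(overall)
    caps = []
    if "SSLv2" in protocols or "SSLv3" in protocols or weak_ciphers:
        caps.append("F")
    if triple_des:
        caps.append("C")
    if "TLSv1.2" not in protocols or key_bits < 2048:
        caps.append("B")
    for cap in caps:  # the lowest applicable cap wins
        if RANKS.index(cap) < RANKS.index(rank):
            rank = cap
    if rank == "A" and pfs and hsts and long_hsts:
        rank = "A+"
    return overall, rank

if __name__ == "__main__":
    print(grade(["TLSv1.2"], 2048, [128, 256], pfs=True, hsts=True, long_hsts=True))
```

Note that a cap never raises a rank: a configuration whose raw score lands in "B" but also offers SSLv3 still ends at "F".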