Tools to check your SSL Installation

I have tried some tools to diagnose my SSL certificate installation.

Some related to correct certificate, and more on certificate chain issues.

SSL Certificates are trusted from its parent, or issued by its high lever certificate. It looks like a chain, one connect to other one and gos to the CA root.

Say, I have a SSL certificate for domain seo.g2soft.net.

  • Certificate of seo.g2osft.net is issued by Comodo RSA domain Validation Secure Server CA
  • Comodo RSA domain Validation Secure Server CA is issued by Comodo RSA certification Authority
  • Comodo Rsa Certification Authority is issued by AddTrust External CA Root.

The last one, AddTrust External CA Root is one of root CAs.  It is issued by itself. Root Certificates was installed in every computer or browsers already. It is trusted and in the trust store.

certificate-chain

The above is a corrected installation.

Tool One:

Geocerts SSL Checker

https://www.geocerts.com/ssl_checker

Tool Two:

DigiCert SSL Installation Diagnostics Tool

https://www.digicert.com/help/

Tool Three:

Symantec CryptoReport – Check SSL/TLS certificate installation

https://cryptoreport.websecurity.symantec.com/checker/

symantec-check-certs

Tool Four:

The most powerful tool, SSL Server Test from Qualys SSL LABs

https://www.ssllabs.com/ssltest/

It provides more details of your SSL implement.

Let me show you the SSL Report: seo.g2soft.net

seo-test-reslut

Server Key and Certificate #1
Common names seo.g2soft.net
Alternative names seo.g2soft.net www.seo.g2soft.net
Prefix handling Both (with and without WWW)
Valid from Sun, 05 Apr 2015 00:00:00 UTC
Valid until Wed, 04 Apr 2018 23:59:59 UTC (expires in 2 years and 6 months)
Key RSA 2048 bits (e 65537)
Weak key (Debian) No
Issuer COMODO RSA Domain Validation Secure Server CA
Signature algorithm SHA256withRSA
Extended Validation No
Certificate Transparency No
Revocation information CRL, OCSP
Revocation status Good (not revoked)
Trusted Yes
Additional Certificates (if supplied)
Certificates provided 3 (4310 bytes)
Chain issues None
#2
Subject COMODO RSA Domain Validation Secure Server CA 
Fingerprint: 339cdd57cfd5b141169b615ff31428782d1da639
Valid until Sun, 11 Feb 2029 23:59:59 UTC (expires in 13 years and 4 months)
Key RSA 2048 bits (e 65537)
Issuer COMODO RSA Certification Authority
Signature algorithm SHA384withRSA
#3
Subject COMODO RSA Certification Authority 
Fingerprint: f5ad0bcc1ad56cd150725b1c866c30ad92ef21b0
Valid until Sat, 30 May 2020 10:48:38 UTC (expires in 4 years and 8 months)
Key RSA 4096 bits (e 65537)
Issuer AddTrust External CA Root
Signature algorithm SHA384withRSA
Certification Paths
Path #1: Trusted
1 Sent by server seo.g2soft.net 
Fingerprint: 8546af1a5d3f71e8001434e08df90e5b412f59f0 
RSA 2048 bits (e 65537) / SHA256withRSA
2 Sent by server COMODO RSA Domain Validation Secure Server CA 
Fingerprint: 339cdd57cfd5b141169b615ff31428782d1da639 
RSA 2048 bits (e 65537) / SHA384withRSA
3 In trust store COMODO RSA Certification Authority   Self-signed
Fingerprint: afe5d244a8d1194230ff479fe2f897bbcd7a8cb4 
RSA 4096 bits (e 65537) / SHA384withRSA
Path #2: Trusted
1 Sent by server seo.g2soft.net 
Fingerprint: 8546af1a5d3f71e8001434e08df90e5b412f59f0 
RSA 2048 bits (e 65537) / SHA256withRSA
2 Sent by server COMODO RSA Domain Validation Secure Server CA 
Fingerprint: 339cdd57cfd5b141169b615ff31428782d1da639 
RSA 2048 bits (e 65537) / SHA384withRSA
3 Sent by server COMODO RSA Certification Authority 
Fingerprint: f5ad0bcc1ad56cd150725b1c866c30ad92ef21b0 
RSA 4096 bits (e 65537) / SHA384withRSA
4 In trust store AddTrust External CA Root   Self-signed
Fingerprint: 02faf3e291435468607857694df5e45b68851868 
RSA 2048 bits (e 65537) / SHA1withRSA 
Weak or insecure signature, but no impact on root certificate


Configuration

Protocols
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No
Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites at the end)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH 256 bits (eq. 3072 bits RSA)   FS 128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH 256 bits (eq. 3072 bits RSA)   FS 256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 2048 bits (p: 256, g: 1, Ys: 256)   FS 128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 2048 bits (p: 256, g: 1, Ys: 256)   FS 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH 256 bits (eq. 3072 bits RSA)   FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH 256 bits (eq. 3072 bits RSA)   FS 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH 256 bits (eq. 3072 bits RSA)   FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH 256 bits (eq. 3072 bits RSA)   FS 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 2048 bits (p: 256, g: 1, Ys: 256)   FS 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 2048 bits (p: 256, g: 1, Ys: 256)   FS 128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 2048 bits (p: 256, g: 1, Ys: 256)   FS 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 2048 bits (p: 256, g: 1, Ys: 256)   FS 256
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)   ECDH 256 bits (eq. 3072 bits RSA)   FS 112
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) 128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88)   DH 2048 bits (p: 256, g: 1, Ys: 256)   FS 256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) 256
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45)   DH 2048 bits (p: 256, g: 1, Ys: 256)   FS 128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112

 

Handshake Simulation
Android 2.3.7   No SNI 2 TLS 1.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   FS 128
Android 4.0.4 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS 128
Android 4.1.1 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS 128
Android 4.2.2 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS 128
Android 4.3 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS 128
Android 4.4.2 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 128
Android 5.0.0 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 128
Baidu Jan 2015 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS 128
BingPreview Jan 2015 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 128
Chrome 43 / OS X  R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 128
Firefox 31.3.0 ESR / Win 7 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 128
Firefox 39 / OS X  R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 128
Googlebot Feb 2015 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 128
IE 6 / XP   No FS 1   No SNI 2 Protocol or cipher suite mismatch Fail3
IE 7 / Vista TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS 128
IE 8 / XP   No FS 1   No SNI 2 TLS 1.0 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   No FS 112
IE 8-10 / Win 7  R TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS 128
IE 11 / Win 7  R TLS 1.2 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   FS 128
IE 11 / Win 8.1  R TLS 1.2 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   FS 128
IE 10 / Win Phone 8.0 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS 128
IE 11 / Win Phone 8.1  R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   FS 128
IE 11 / Win Phone 8.1 Update  R TLS 1.2 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   FS 128
Edge 12 / Win 10 (Build 10130) R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 128
Java 6u45   No SNI 2 Client does not support DH parameters > 1024 bits Fail3
Java 7u25 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS 128
Java 8u31 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 128
OpenSSL 0.9.8y TLS 1.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   FS 128
OpenSSL 1.0.1l  R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 128
OpenSSL 1.0.2  R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 128
Safari 5.1.9 / OS X 10.6.8 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS 128
Safari 6 / iOS 6.0.1  R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   FS 128
Safari 6.0.4 / OS X 10.8.4  R TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS 128
Safari 7 / iOS 7.1  R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   FS 128
Safari 7 / OS X 10.9  R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   FS 128
Safari 8 / iOS 8.4  R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   FS 128
Safari 8 / OS X 10.10  R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   FS 128
Yahoo Slurp Jan 2015 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 128
YandexBot Jan 2015 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 128
(1) Clients that do not support Forward Secrecy (FS) are excluded when determining support for it.
(2) No support for virtual SSL hosting (SNI). Connects to the default site if the server uses SNI.
(3) Only first connection attempt simulated. Browsers tend to retry with a lower protocol version.
(R) Denotes a reference browser or client, with which we expect better effective security.
(All) We use defaults, but some platforms do not use their best protocols and features (e.g., Java 6 & 7, older IE).
Protocol Details
Secure Renegotiation Supported
Secure Client-Initiated Renegotiation No
Insecure Client-Initiated Renegotiation No
BEAST attack Not mitigated server-side (more info)   TLS 1.0: 0xc013
POODLE (SSLv3) No, SSL 3 not supported (more info)
POODLE (TLS) No (more info)
Downgrade attack prevention Yes, TLS_FALLBACK_SCSV supported (more info)
SSL/TLS compression No
RC4 No
Heartbeat (extension) Yes

 

Heartbleed (vulnerability) No (more info)
OpenSSL CCS vuln. (CVE-2014-0224) No (more info)
Forward Secrecy Yes (with most browsers)   ROBUST (more info)
Next Protocol Negotiation (NPN) Yes   spdy/3.1 http/1.1
Session resumption (caching) Yes
Session resumption (tickets) Yes
OCSP stapling Yes
Strict Transport Security (HSTS) Yes   max-age=15768000
Public Key Pinning (HPKP) No
Long handshake intolerance No
TLS extension intolerance No
TLS version intolerance No
Incorrect SNI alerts No
Uses common DH primes No
DH public server param (Ys) reuse No
SSL 2 handshake compatibility Yes

 

Miscellaneous
Test date Sat, 19 Sep 2015 00:12:02 UTC
Test duration 110.111 seconds
HTTP status code 200
HTTP server signature nginx/1.8.0
Server hostname seo.g2soft.net

Above is the full report I made today.