Tools to check your SSL Installation

I have tried some tools to diagnose my SSL certificate installation.

Some related to correct certificate, and more on certificate chain issues.

SSL Certificates are trusted from its parent, or issued by its high lever certificate. It looks like a chain, one connect to other one and gos to the CA root.

Say, I have a SSL certificate for domain seo.g2soft.net.

  • Certificate of seo.g2osft.net is issued by Comodo RSA domain Validation Secure Server CA
  • Comodo RSA domain Validation Secure Server CA is issued by Comodo RSA certification Authority
  • Comodo Rsa Certification Authority is issued by AddTrust External CA Root.

The last one, AddTrust External CA Root is one of root CAs.  It is issued by itself. Root Certificates was installed in every computer or browsers already. It is trusted and in the trust store.

certificate-chain

The above is a corrected installation.

Tool One:

Geocerts SSL Checker

https://www.geocerts.com/ssl_checker

Tool Two:

DigiCert SSL Installation Diagnostics Tool

https://www.digicert.com/help/

Tool Three:

Symantec CryptoReport – Check SSL/TLS certificate installation

https://cryptoreport.websecurity.symantec.com/checker/

symantec-check-certs

Tool Four:

The most powerful tool, SSL Server Test from Qualys SSL LABs

https://www.ssllabs.com/ssltest/

It provides more details of your SSL implement.

Let me show you the SSL Report: seo.g2soft.net

seo-test-reslut

Server Key and Certificate #1
Common namesseo.g2soft.net
Alternative namesseo.g2soft.net www.seo.g2soft.net
Prefix handlingBoth (with and without WWW)
Valid fromSun, 05 Apr 2015 00:00:00 UTC
Valid untilWed, 04 Apr 2018 23:59:59 UTC (expires in 2 years and 6 months)
KeyRSA 2048 bits (e 65537)
Weak key (Debian)No
IssuerCOMODO RSA Domain Validation Secure Server CA
Signature algorithmSHA256withRSA
Extended ValidationNo
Certificate TransparencyNo
Revocation informationCRL, OCSP
Revocation statusGood (not revoked)
TrustedYes
Additional Certificates (if supplied)
Certificates provided3 (4310 bytes)
Chain issuesNone
#2
SubjectCOMODO RSA Domain Validation Secure Server CA 
Fingerprint: 339cdd57cfd5b141169b615ff31428782d1da639
Valid untilSun, 11 Feb 2029 23:59:59 UTC (expires in 13 years and 4 months)
KeyRSA 2048 bits (e 65537)
IssuerCOMODO RSA Certification Authority
Signature algorithmSHA384withRSA
#3
SubjectCOMODO RSA Certification Authority 
Fingerprint: f5ad0bcc1ad56cd150725b1c866c30ad92ef21b0
Valid untilSat, 30 May 2020 10:48:38 UTC (expires in 4 years and 8 months)
KeyRSA 4096 bits (e 65537)
IssuerAddTrust External CA Root
Signature algorithmSHA384withRSA
Certification Paths
Path #1: Trusted
1Sent by serverseo.g2soft.net 
Fingerprint: 8546af1a5d3f71e8001434e08df90e5b412f59f0 
RSA 2048 bits (e 65537) / SHA256withRSA
2Sent by serverCOMODO RSA Domain Validation Secure Server CA 
Fingerprint: 339cdd57cfd5b141169b615ff31428782d1da639 
RSA 2048 bits (e 65537) / SHA384withRSA
3In trust storeCOMODO RSA Certification Authority   Self-signed
Fingerprint: afe5d244a8d1194230ff479fe2f897bbcd7a8cb4 
RSA 4096 bits (e 65537) / SHA384withRSA
Path #2: Trusted
1Sent by serverseo.g2soft.net 
Fingerprint: 8546af1a5d3f71e8001434e08df90e5b412f59f0 
RSA 2048 bits (e 65537) / SHA256withRSA
2Sent by serverCOMODO RSA Domain Validation Secure Server CA 
Fingerprint: 339cdd57cfd5b141169b615ff31428782d1da639 
RSA 2048 bits (e 65537) / SHA384withRSA
3Sent by serverCOMODO RSA Certification Authority 
Fingerprint: f5ad0bcc1ad56cd150725b1c866c30ad92ef21b0 
RSA 4096 bits (e 65537) / SHA384withRSA
4In trust storeAddTrust External CA Root   Self-signed
Fingerprint: 02faf3e291435468607857694df5e45b68851868 
RSA 2048 bits (e 65537) / SHA1withRSA 
Weak or insecure signature, but no impact on root certificate


Configuration

Protocols
TLS 1.2Yes
TLS 1.1Yes
TLS 1.0Yes
SSL 3No
SSL 2No
Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites at the end)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH 256 bits (eq. 3072 bits RSA)   FS128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH 256 bits (eq. 3072 bits RSA)   FS256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 2048 bits (p: 256, g: 1, Ys: 256)   FS128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 2048 bits (p: 256, g: 1, Ys: 256)   FS256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH 256 bits (eq. 3072 bits RSA)   FS128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH 256 bits (eq. 3072 bits RSA)   FS128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH 256 bits (eq. 3072 bits RSA)   FS256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH 256 bits (eq. 3072 bits RSA)   FS256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 2048 bits (p: 256, g: 1, Ys: 256)   FS128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 2048 bits (p: 256, g: 1, Ys: 256)   FS128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 2048 bits (p: 256, g: 1, Ys: 256)   FS256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 2048 bits (p: 256, g: 1, Ys: 256)   FS256
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)   ECDH 256 bits (eq. 3072 bits RSA)   FS112
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)256
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88)   DH 2048 bits (p: 256, g: 1, Ys: 256)   FS256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)256
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45)   DH 2048 bits (p: 256, g: 1, Ys: 256)   FS128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)112

 

Handshake Simulation
Android 2.3.7   No SNI 2TLS 1.0TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   FS128
Android 4.0.4TLS 1.0TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS128
Android 4.1.1TLS 1.0TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS128
Android 4.2.2TLS 1.0TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS128
Android 4.3TLS 1.0TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS128
Android 4.4.2TLS 1.2TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS128
Android 5.0.0TLS 1.2TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS128
Baidu Jan 2015TLS 1.0TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS128
BingPreview Jan 2015TLS 1.2TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS128
Chrome 43 / OS X  RTLS 1.2TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS128
Firefox 31.3.0 ESR / Win 7TLS 1.2TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS128
Firefox 39 / OS X  RTLS 1.2TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS128
Googlebot Feb 2015TLS 1.2TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS128
IE 6 / XP   No FS 1   No SNI 2Protocol or cipher suite mismatchFail3
IE 7 / VistaTLS 1.0TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS128
IE 8 / XP   No FS 1   No SNI 2TLS 1.0TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   No FS112
IE 8-10 / Win 7  RTLS 1.0TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS128
IE 11 / Win 7  RTLS 1.2TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   FS128
IE 11 / Win 8.1  RTLS 1.2TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   FS128
IE 10 / Win Phone 8.0TLS 1.0TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS128
IE 11 / Win Phone 8.1  RTLS 1.2TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   FS128
IE 11 / Win Phone 8.1 Update  RTLS 1.2TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   FS128
Edge 12 / Win 10 (Build 10130) RTLS 1.2TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS128
Java 6u45   No SNI 2Client does not support DH parameters > 1024 bitsFail3
Java 7u25TLS 1.0TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS128
Java 8u31TLS 1.2TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS128
OpenSSL 0.9.8yTLS 1.0TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   FS128
OpenSSL 1.0.1l  RTLS 1.2TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS128
OpenSSL 1.0.2  RTLS 1.2TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS128
Safari 5.1.9 / OS X 10.6.8TLS 1.0TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS128
Safari 6 / iOS 6.0.1  RTLS 1.2TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   FS128
Safari 6.0.4 / OS X 10.8.4  RTLS 1.0TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS128
Safari 7 / iOS 7.1  RTLS 1.2TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   FS128
Safari 7 / OS X 10.9  RTLS 1.2TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   FS128
Safari 8 / iOS 8.4  RTLS 1.2TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   FS128
Safari 8 / OS X 10.10  RTLS 1.2TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   FS128
Yahoo Slurp Jan 2015TLS 1.2TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS128
YandexBot Jan 2015TLS 1.2TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS128
(1) Clients that do not support Forward Secrecy (FS) are excluded when determining support for it.
(2) No support for virtual SSL hosting (SNI). Connects to the default site if the server uses SNI.
(3) Only first connection attempt simulated. Browsers tend to retry with a lower protocol version.
(R) Denotes a reference browser or client, with which we expect better effective security.
(All) We use defaults, but some platforms do not use their best protocols and features (e.g., Java 6 & 7, older IE).
Protocol Details
Secure RenegotiationSupported
Secure Client-Initiated RenegotiationNo
Insecure Client-Initiated RenegotiationNo
BEAST attackNot mitigated server-side (more info)   TLS 1.0: 0xc013
POODLE (SSLv3)No, SSL 3 not supported (more info)
POODLE (TLS)No (more info)
Downgrade attack preventionYes, TLS_FALLBACK_SCSV supported (more info)
SSL/TLS compressionNo
RC4No
Heartbeat (extension)Yes

 

Heartbleed (vulnerability)No (more info)
OpenSSL CCS vuln. (CVE-2014-0224)No (more info)
Forward SecrecyYes (with most browsers)   ROBUST (more info)
Next Protocol Negotiation (NPN)Yes   spdy/3.1 http/1.1
Session resumption (caching)Yes
Session resumption (tickets)Yes
OCSP staplingYes
Strict Transport Security (HSTS)Yes   max-age=15768000
Public Key Pinning (HPKP)No
Long handshake intoleranceNo
TLS extension intoleranceNo
TLS version intoleranceNo
Incorrect SNI alertsNo
Uses common DH primesNo
DH public server param (Ys) reuseNo
SSL 2 handshake compatibilityYes

 

Miscellaneous
Test dateSat, 19 Sep 2015 00:12:02 UTC
Test duration110.111 seconds
HTTP status code200
HTTP server signaturenginx/1.8.0
Server hostnameseo.g2soft.net

Above is the full report I made today.

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *