Testing for SSL/TLS flaws

Ciphers can be weak because they use various components that have known flaws. In this blog we show how to determine if a protocol or cipher is weak.

Testing for SSL/TLS flaws
Photo by Towfiqu barbhuiya / Unsplash

Testing your SSL/TLS configurations can be confusing. Here we are going to try and unconfuse things. To do that, we find the best tool for reviewing SSL/TLS protocols and ciphers is TestSSL. However, you could also use this web application to do it: ssllabs

TestSSL is very easy to use, you simply execute the following command with the hostname (Domain) you're testing: testssl google.com

TestSSL will firstly show you any SSL/TLS protocols that are enabled on the server. These protocols are what you have setup to enable the encryption mechanisms to function.

Enabled SSL/TLS protocols

At present, all SSL protocols, TLS 1.0 and TLS 1.1 should not be enabled as they are deemed weak due to inherent flaws. It should be noted that in some cases, TLS 1.1 may be enabled to support legacy systems. But if this is not a worry for you, then disable TLS1.1 and use TLS1.2 or better yet, use TLS1.3.

The next list TestSSL shows you, is the enabled cipher sets per SSL/TLS protocol. Ciphers are the entities that determine how the data in transit is encrypted. Some configurations are weak and you will need to review each cipher for any weakness:

Testssl Ciphers Output

Ciphers can be weak because they use various components that have known flaws. For example, any cipher that uses 3DES as the encryption algorithm (shown above) is weak due to known timing attack against the algorithm and leads to data decryption. There are many reasons a cipher may be vulnerable, the best way to check is using ciphersuite.info

An example weak 3DES cipher can be viewed via the URL below:

https://ciphersuite.info/cs/TLS_RSA_WITH_3DES_EDE_CBC_SHA/

This page shows all the reasons why this cipher should not be used:

Weak cipher information.

This website also presents the current recommended ciphers that should be enabled:

Recommended ciphers.

To conclude this quick and easy blog, use TestSSL in uniform with ciphersuite.info to check your encryption settings. For an even easier solution, use ssllabs but be mindful that this uses 3rd party servers and you may not wish for them to scan your infrastructure.