No two websites have exactly the same SSL configuration. Everybody now wants HTTPS, and nobody wants their website served over plain HTTP, so the installation of SSL certificates on websites is increasing tremendously. With the growing number of websites, there is also a huge demand to check and quantify what is behind the padlock in the browser. There are many methods available to check an SSL certificate, but testing via an online tool will give you more insights.
Let’s have a quick look at some of the SSL testing methods, so stick with me.
1. SSL Shopper
If you are looking for very fast results, maybe around 4 seconds, then SSL Shopper is the best choice for you. SSL Shopper reports the items a user normally cares about and the ones that are relevant to share with your client. Best of all, it is unequivocally easy to use. You simply enter the public hostname of your server in the box provided and click the Check SSL button. Do not enter internal hostnames, as the tool will not accept them. It gives you the information you need to understand the SSL certificate better.
Some of the listings are as follows:
- The website’s IP address
- The type of the server
- Verifies if the chain is correctly installed
- Who has installed the certificate?
- The time remaining until the certificate expires
- The certificate’s serial number and the algorithm used.
One thing to watch out for with this test is that they cache data, often for a few days. If you need a fresh, uncached check, look at the top of the SSL results, where they offer that option.
2. GoDaddy SSL Certificate Checker
GoDaddy SSL Certificate Checker is very similar to SSL Shopper but a bit slower. It offers a cleaner, simple-to-read report. It also provides uncached results, a bonus while troubleshooting an issue.
3. Qualys SSL Lab
If you are looking for a more detailed result, Qualys SSL Lab is the best choice for you. It provides a simple rating ranging from A+ through F (A+ if HSTS is enabled). Some of the additional details of interest are:
- Whether it is an Extended Validation certificate
- If OCSP Stapling is used
- If the certificate is revoked or not
- Which browsers trust this SSL configuration
- Which protocols are enabled and disabled.
Enabled cipher suites that meet best practice are shown in green. Take care when considering the results that are shown in orange and labeled as “weak”. Ideally these ciphers would be disabled, but that is often not practical because many older and insecure browsers would be affected. A good way to decide where the line should be drawn is to rely on what is considered PCI compliant.
A comprehensive list of browsers is provided, showing whether this SSL configuration is going to work for each of them. This is accompanied by a very detailed list of known vulnerabilities affecting SSL and the status of your site in relation to these.
To help interpret these results, Qualys also provides some excellent documents and guides. A test takes a little longer to run, usually about one or two minutes, and the results can also be served from the cache.
4. Immuniweb
Immuniweb includes all the details of the other testers along with a simple score. It also includes the details of your website’s SSL configuration and states whether it is PCI compliant. Not only this, but it also provides a unique link for each report, which makes it easy to compare your results with previous reports.
One thing that aggravates me is that they flag and highlight in orange the excellent Cipher CHACHA20. The only reason it is not accepted by NIST guidelines is they have not got around to testing it, but it is commonly used.
5. OpenSSL
OpenSSL, described as the SSL multitool, is installed differently in each operating system/environment and can require some knowledge to sort out what may or may not be important. Some examples include a simple test, such as this one, which shows the expiry date:
echo | openssl s_client -servername www.domain.com -connect www.domain.com:443 2>/dev/null | openssl x509 -noout -dates
This will provide the issuer of the certificate:
echo | openssl s_client -servername domain.com -connect domain.com:443 2>/dev/null | openssl x509 -noout -issuer
This will provide the Subject names, expiry date, and issuer of the certificate:
echo | openssl s_client -servername domain.com -connect domain.com:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates
For testing purposes, these commands are perfect because we can set a different target (the second instance of domain.com, the -connect value, can be a hosting server IP address) and circumvent the WAF by testing the certificate on the hosting server itself, which is not easily seen from the public internet. Conversely, by pointing OpenSSL to the WAF IP, we can confirm that the certificates are in place on the WAF and check a certificate on the WAF when it is disabled or not yet enabled.
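As an added example (not part of the original article), the script below automates that comparison: it asks two endpoints, such as the WAF IP and the hosting server IP, for the same hostname and reports whether they serve the same certificate. The function names and the sample outputs are constructed for illustration; the 30-day window passed to `-checkend` is an assumption.

```shell
#!/bin/sh
# Added example: compare the certificate two endpoints serve for one hostname,
# e.g. the WAF IP and the hosting server IP. All sample values are constructed.

# Print expiry, SHA-256 fingerprint and a 30-day expiry check for the
# certificate that <ip>:443 serves when <name> is sent as SNI.
cert_info() {  # usage: cert_info <ip> <name>
  echo | openssl s_client -servername "$2" -connect "$1:443" 2>/dev/null |
    openssl x509 -noout -enddate -fingerprint -sha256 -checkend 2592000 2>/dev/null
}

# Extract one "key=value" field from cert_info output.
field() {  # usage: field <key> <text>
  printf '%s\n' "$2" | sed -n "s/^.*$1=//p" | head -n 1
}

# Classify two cert_info outputs.
compare_certs() {  # usage: compare_certs <text-a> <text-b>
  fp_a=$(field Fingerprint "$1")
  fp_b=$(field Fingerprint "$2")
  if [ -z "$fp_a" ] || [ -z "$fp_b" ]; then
    echo NO_CERT          # one side returned no certificate at all
  elif [ "$fp_a" != "$fp_b" ]; then
    echo MISMATCH         # e.g. renewed on the WAF but not on the origin
  elif printf '%s\n' "$1" | grep -q 'Certificate will expire'; then
    echo MATCH_EXPIRING   # same certificate, inside the 30-day window
  else
    echo MATCH
  fi
}

# Constructed sample outputs (fingerprints shortened), for offline checks.
SAMPLE_WAF='notAfter=Jan  1 00:00:00 2031 GMT
sha256 Fingerprint=AA:BB:CC:01
Certificate will not expire'
SAMPLE_ORIGIN='notAfter=Feb  1 00:00:00 2030 GMT
sha256 Fingerprint=AA:BB:CC:02
Certificate will expire'

# Live use: script <name> <ip-a> <ip-b>
if [ "$#" -eq 3 ]; then
  a=$(cert_info "$2" "$1"); b=$(cert_info "$3" "$1")
  echo "A expires: $(field notAfter "$a")"
  echo "B expires: $(field notAfter "$b")"
  compare_certs "$a" "$b"
fi
```

A `MISMATCH` result is the case worth investigating: it usually means a renewal reached one endpoint but not the other.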
6. SSLyze
SSLyze is an open-source script that provides as much information and as good a report as any of the online testers. It gives its advice in simple, easy-to-read language that can be pulled into a report. Once installed using one of the many methods suggested, it is very easy to run and makes it simple to add tests for multiple domains.
docker run --rm -it nablac0d3/sslyze --regular sucuri.net:443 google.com
It can easily be set up to run on a Linux server. For an organization or corporation that needs to track multiple assets and wants more thorough reporting, it’s the ideal solution.
7. Sucuri Monitoring Service
The Sucuri monitoring service is very different in that it tracks the SSL status proactively, sending an email when there is an error. It generally does not provide much information, but the warnings are very clear. SSL health, server uptime, and any presence on blacklists are also tracked. Finally, it scans the site for malware.
8. Wormly
Wormly allows you to check 65 metrics and provides a status for each. Isn’t it amazing? You can see the expiration status, trust chain data, encryption details, and error messages.
9. SSL Checker
The SSL Checker helps you easily identify whether a chain certificate is correctly applied. It is a good idea to proactively verify that the chain certificate is not broken after the SSL certificate has been installed. It is another great tool for testing the security of your site. It will check that your SSL certificate is properly set up and will run diagnostic tests to check whether browsers/programs trust it.
Simply enter the IP address or domain name to run the tool; when the tests are run, it will also tell you when your site certificate is due to expire.
10. HowsMySSL
HowsMySSL scans the browser and provides you with its status, such as the supported protocol version, compression, which ciphers are supported, etc. If you want to test the client, you can access HowsMySSL from a browser.
This SSL analyzer further analyses your site’s internal components and produces a full report of your server details so you understand what you need to do, if possible, to improve your secondary passage code. If you want to boost the security status of your site in your clients’ minds, this is an important tool to have.
No one form of SSL testing is better than another. Different tools offer fast and reasonably thorough tests, PCI compliance details, large batch testing, or proactive reporting.
I hope this article has helped you to understand the various SSL Testing methods. Choose the best testing method that fits your need and post your valuable comments in the comment section.