SSL Configuration Testing

Any security analysis (manual or automatic) is always starting against checking SSL configuration strength. There are five protocols in the SSL/TLS family: SSL v2, SSL v3, TLS v1.0, TLS v1.1, and TLS v1.2:

SSL v2 is insecure, obsolete and must not be used. See the DROWN attack on this protocol.

is insecure, obsolete and must not be used. See the DROWN attack on this protocol. SSL v3 is insecure and obsolete tool. See the POODLE attack.

is insecure and obsolete tool. See the POODLE attack. TLS v1.0 is also a legacy protocol that shouldn’t be used, but it’s typically still necessary in practice. Its major weakness (BEAST) has been mitigated in modern browsers.

is also a legacy protocol that shouldn’t be used, but it’s typically still necessary in practice. Its major weakness (BEAST) has been mitigated in modern browsers. TLS v1.1 and TLS v1.2 are both without known security issues, but only v1.2 provides modern cryptographic algorithms.

SSL 2.0, SSL 3.0 and TLS 1.0 are not supported in PCI DSS 3.1 security standards.

SSL Configuration Analysis

Just use SSLLabs Test Tool to check the level of you configuration.

A+ and A level of SSL Configuration is good. F is the worst level. Read recommendations that the SSL Tool will produce.

Example of Dhound SSL Test

Below is another example how to quickly check SSL Configuration strength using nmap tool:

nmap --script ssl-enum-ciphers -p 443 dhound.io

Strong Ciphers

Low level of SSL Configuration is connected with using legacy weak encryption algoritms in mostly cases.

The following resource https://cipherli.st/ provides information how to configure strong SSL algoritms on Apache, nginx, HAProxy, etc.

Nginx Configuration

The following resource https://cipherli.st/ provides nginx configuration for strong SSL Configuration.

Below is an example of Dhound nginx web servers configuration that raised SSL configuration from B level to A+ and increased protection of a web site (for example, against Clickjacking attacks):

/etc/nginx/nginx.conf http {

...

##

# SSL Settings

##

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_prefer_server_ciphers on;

ssl_ciphers "HIGH:!RC4:!aNULL:!MD5:!kEDH";

ssl_ecdh_curve secp384r1;

ssl_session_cache shared:SSL:10m;

ssl_session_tickets off;

ssl_stapling on;

ssl_stapling_verify on;

...

} /etc/nginx/sites-enabled/<configfile> server {

...

listen 443;

...

ssl on;

ssl_certificate /etc/ssl/<SSL Certificate>.crt;

ssl_certificate_key /etc/ssl/private/<SSL Private key>.key;

add_header Strict-Transport-Security "max-age=63072000; preload"; # force browser to use HTTP always for this resource

add_header X-Frame-Options DENY; # protect against Clickjacking attack

add_header X-Content-Type-Options nosniff;

...

}

Windows Configuration

Windows Server 2016 and higher already has SSL configuration that satisfies current security regulations (for example, SSL v2 and SSL v3 are disabled).

In earlier versions of Windows Servers (2008, 2012) SSL v3 is still enabled, i.e. you manually need to disable legacy protocols. Please, see Microsoft recommendations: How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services

We are usually using the IIS Crypto tool that provides GUI to disable weak ciphers and legacy protocols. It allows us to avoid dangerous manual work with windows registry.

Using SSLLabs Test Tool tips and functionality of this tool allows quickly secure SSL/TLS in Windows.

Real example of Windows Server 2012 R2 SSL Configuration

Author: Denis Koloshko CEO at https://dhound.io/