There are plenty of online tools for SSL certificate, Testing SSL/TLS vulnerabilities, but when it comes to testing intranet-based URL, VIP, IP, then they won’t be helpful. To troubleshoot intranet resources, you need a standalone software/tools which you can install in your network and perform a necessary test. There could be various scenarios, like:
Having issues during SSL certificate implementation with webserverWant to ensure latest/particular cipher, protocol is being usedPost-implementation, wish to verify the configurationSecurity risk found in a penetration test result
The following tools will be handy to troubleshoot such issues.
DeepViolet
DeepViolet is a java based SSL/TLS scanning tool available in binary, or you can compile with source code. If you are looking for an alternative of SSL Labs to be used on an internal network, then DeepViolet would be a good pick. It scans for the following.
Weak cipher exposedWeak signing algorithmCertification revocation statusCertificate expiry statusVisualize trust-chain, a self-signed root
SSL Diagnos
Quickly evaluate the SSL strength of your web site. SSL Diagnos extract SSL protocol, cipher suites, heartbleed, BEAST. Not just HTTPS, but you can test SSL strength for SMTP, SIP, POP3, and FTPS.
SSLyze
SSLyze is a Python library and command-line tool which connects to SSL endpoint and performs a scan to identify any SSL/TLS miss-configuration. Scan through SSLyze is fast as a test is distributed through multiple processes. If you are a developer or you would like to integrate with your existing application, then you have an option to write the result in XML or JSON format. SSLyze is also available in Kali Linux. If you are new to Kali then check out how to install Kali Linux on VMWare Fusion.
OpenSSL
Don’t underestimate OpenSSL, one of the powerful standalone tools available for Windows or Linux to perform various SSL related tasks like verification, CSR generation, certification conversion, etc.
SSL Labs Scan
Love Qualys SSL Labs? You are not alone; I love it too. If you are looking for a command-line tool for SSL Labs for automated or bulk testing, then SSL Labs Scan would be useful.
SSL Scan
SSL Scan is compatible with Windows, Linux, and MAC. SSL Scan quickly helps to identify the following metrics.
Highlight SSLv2/SSLv3/CBC/3DES/RC4/ ciphersReport weak (<40bit), null/anonymous ciphersVerify TLS compression, heartbleed vulnerabilityand much more…
If you are working on cipher related issues, then an SSL scan would be a helpful tool to fast-track the troubleshooting.
Geekflare TLS Scanner API
Another nifty solution for webmasters can be the Geekflare TLS Scanner API. This is a robust method to check the TLS protocol, CN, SAN, and other certificate details in a split second. And you can try this risk-free with a no-cost subscription for up to 3000 requests per month. However, the base premium tier adds a greater request rate and 10K API calls for just $5 a month.
TestSSL
As the name indicates, TestSSL is a command-line tool compatible with Linux or OS. It tests all the essential metrics and gives status, whether good or bad. Ex: As you can see, it covers a large number of vulnerabilities, cipher preferences, protocols, etc. TestSSL.sh is also available in a docker image. If you need to do a remote scan using testssl.sh then you can try Geekflare TLS Scanner.
TLS Scan
You can either build TLS-Scan from source or download binary for Linux/OSX. It extracts certificate information from the server and prints the following metrics in JSON format.
Hostname verification checksTLS compression checksCipher and TLS version enumeration checksSession reuse checks
It supports TLS, SMTP, STARTTLS, and MySQL protocols. You may also integrate the resulting output in a logs analyzer like Splunk, ELK.
Cipher Scan
A quick tool to analyze what the HTTPS website supports all ciphers. Cipher Scan also has an option to show output in JSON format. It’s wrapper and internally using OpenSSL command.
SSL Audit
SSL audit is an open-source tool to verify the certificate and support the protocol, ciphers, and grade based on SSL Labs. I hope the above, open-source tools help you to integrate the continuous scanning with your existing log analyzer and ease the troubleshooting.
