About SSL/TLS security



Tiempo de lectura ~ 2 minutos

When we transmit sensitive data through the network, we want to feel secure doing it. For that, we use HTTPS traffic, which is HTTP protocol secured via an SSL/TLS. It checks confidentiality and authentication, this last one is done through digital certificates. Let’s explore how to test vulnerabilities surrounding HTTP protocol transmission. What are we going to use?


As explained in the official site, openssl is a software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end. It’s usually included in linux systems, but -in debian based systems- can be installed using sudo apt install openssl.


nmap is a security scanner used to discover hosts and services on a computer network. In debian you can install it using sudo apt install nmap. This is a widely used tool for security, so if you don’t have it and you are into cybersec, it’s a must-install.

Okay let’s do this. What are we going to look for when testing SSL/TLS security? First of all we are going to check if there are weak ciphers or protocols. As explained in OWASP wiki about this topic, anonymous Diffie-Hellmann is a good example of authentication vulnerability, or SSLv2 protocol. With nmap we can scan a host using, for example nmap [target]; a ping only scan usign nmap -sn [target]; TCP SYN ping using nmap -PS [target]. We are foing to use -sV wich is the standard service scan.

nmap -sV www.example.com

We can use other custom options such as -PN, --top-ports and others. Anyway, with this last command we are able to identify the SSL service. Now we can check the certificate information, weak ciphers and SSLv2 each port. We are checking 443,465,993,995 in the example, but this should be customized in each case.

nmap --script ssl-cert,ssl-enum-ciphers -p 443,465,993,995 www.example.com

Finally, openssl is used for testing manually SSL/TLS trying to initiate a renegotiation by client connecting to server with openssl.

openssl s_client -connect www.example.com:443

I created a simple gist for automating all of this using default configuration and customized host. It saves the output in three different files for analysis. Here’s the code:


NC='\033[0m' # No Color

#based in OWASP wiki

if [[ -z "$1" || -z "$2" ]]; then
   echo "./tls.sh host directory"


    mkdir $2
    cd $2

    echo -e "${BLUE}Checking for Client-initiated Renegotiation and Secure Renegotiation via openssl...${NC}"
    openssl s_client -connect $1:443  > negotiations

    if grep -q 'Secure Renegotiation IS NOT supported' "negotiations"; then
      echo -e "${RED}Secure Renegotiation IS NOT supported.${NC}"
      echo -e "${BLUE}Certificate validity ensured.${NC}"

    echo -e "${BLUE}Checking for Certificate information, Weak Ciphers and SSLv2 via nmap...${NC}"
    nmap --script ssl-cert,ssl-enum-ciphers -p 443,465,993,995 $1 > ciphernmap

    if grep -q SSLv2 "ciphernmap"; then
      echo -e "${RED}Weak protocol found (SSLv2).${NC}"
      echo -e "${BLUE}No weak protocol found.${NC}"

    echo -e "${BLUE}SSL service recognition via nmap...${NC}"
    nmap -sV --reason -PN -n --top-ports 100 $1 > nmapsslservice

    echo -e "${BLUE}Done.${NC}"

    echo -e "${RED}Don't forget to manually check the files created in case of doubt. Check OWASP wiki for more information.${NC}"


For more information please heck the amazing wiki of OWASP.

Also written in: https://dev.to/terceranexus6/about-ssltls-security-48fj