Ways to test your server for SSL vulnerabilities


Self-testing for SSL vulnerabilities can be performed via several methods. Each of the methods below gives visibility into slightly different facets of the SSL configuration and posture of the server.


For internet-facing SSL Web servers on TCP port 443

1) Qualys' SSL Tester: https://www.ssllabs.com/ssltest/index.html   
Note: Remember to check the "Do not show the results on the boards" box

Results in orange or red should be remediated

2) Mozilla's SSL Observatory: https://observatory.mozilla.org/

Results with a red X should be evaluated for remediation


For internal-only servers or servers on non-standard ports

1) Testssl.sh bash script: https://github.com/drwetter/testssl.sh

Note: This script may require a recent [less than 3 years old] *nix installation to work

Results in orange or red should be remediated

Results in yellow should be evaluated for relevance and security impact
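
Added example (not part of the original article or of testssl.sh): a small Python triage of a testssl.sh JSON report that applies the rule above to each finding. The colour-to-severity mapping, the treatment of WARN as an incomplete test, and the host, port and findings in the sample are assumptions made for illustration.

```python
import json

# Assumption: testssl.sh terminal colours correspond to JSON "severity" values
# as yellow = LOW, orange = MEDIUM, red = HIGH or CRITICAL.
REMEDIATE = {"MEDIUM", "HIGH", "CRITICAL"}
EVALUATE = {"LOW"}

# Constructed sample in the flat JSON layout written by --jsonfile, e.g.
#   ./testssl.sh --quiet --jsonfile report.json internal-host.example:8443
# Hostname, address, port and findings are placeholders, not real scan output.
SAMPLE_REPORT = """
[
 {"id": "SSLv3", "ip": "internal-host.example/192.0.2.10", "port": "8443",
  "severity": "HIGH", "finding": "offered"},
 {"id": "TLS1", "ip": "internal-host.example/192.0.2.10", "port": "8443",
  "severity": "LOW", "finding": "offered (deprecated)"},
 {"id": "TLS1_2", "ip": "internal-host.example/192.0.2.10", "port": "8443",
  "severity": "OK", "finding": "offered"},
 {"id": "cipherlist_3DES_IDEA", "ip": "internal-host.example/192.0.2.10",
  "port": "8443", "severity": "MEDIUM", "finding": "offered"},
 {"id": "BREACH", "ip": "internal-host.example/192.0.2.10", "port": "8443",
  "severity": "WARN", "finding": "test could not be completed"}
]
"""

def triage(report_text):
    """Sort findings into remediate / evaluate / incomplete buckets."""
    buckets = {"remediate": [], "evaluate": [], "incomplete": []}
    for entry in json.loads(report_text):
        severity = str(entry.get("severity", "")).upper()
        item = (entry.get("id", "?"), severity, entry.get("finding", ""))
        if severity in REMEDIATE:
            buckets["remediate"].append(item)
        elif severity in EVALUATE:
            buckets["evaluate"].append(item)
        elif severity == "WARN":
            # A check that did not finish is unknown, not clean: re-run it.
            buckets["incomplete"].append(item)
    return buckets

def exit_status(buckets):
    """2 = must remediate, 1 = needs review or re-test, 0 = nothing flagged."""
    if buckets["remediate"]:
        return 2
    return 1 if buckets["evaluate"] or buckets["incomplete"] else 0

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for bucket, items in result.items():
        for check_id, severity, finding in items:
            print(f"{bucket:10} {severity:8} {check_id}: {finding}")
    raise SystemExit(exit_status(result))
```

The non-zero exit status lets a scheduled job or deployment check fail when a server drifts into a configuration that needs remediation.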


For advanced testing

Please use the Information Security Consulting ticket form: https://service.uoregon.edu/TDClient/Requests/TicketRequests/NewForm?ID=cz%7eg%7ezsiMvc_


Article ID: 70780
Thu 1/24/19 10:21 AM
Fri 1/25/19 8:21 AM