SSL/TLS Certificate Strength: How to Evaluate and Ensure Your Website's Security

SSL certificate's strength can be determined in several ways. In this post, I'll go through some of the ways of determining a certificate's strength.
Scan using Nmap script
Before we begin, we need to make sure that Nmap is installed on your system. You can install nmap by using the following command in your Linux-based operating system's terminal.sudo apt install nmapThe terminal will prompt you for confirmation while executing this command. You can confirm by pressing 'Y.' After installing nmap, you may verify its success by entering "nmap" into your terminal. If there are no errors, nmap has been successfully installed.
Use the following command to execute the script to check ciphers' strength
nmap --script ssl-cert,ssl-enum-ciphers -p 443 demo.testfire.netcode-boxAfter executing the script, you will get a list of all the supported ciphers and their strength. For example, on executing the same command on demo.testfire.net, we got the following output.
nmap --script ssl-cert,ssl-enum-ciphers -p 443 demo.testfire.net
Starting Nmap 7.70 ( https://nmap.org ) at 2021-09-25 09:46 UTC
Stats: 0:00:29 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 83.33% done; ETC: 09:46 (0:00:06 remaining)
Nmap scan report for demo.testfire.net (65.61.137.117)
Host is up (0.028s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| Key exchange (dh 1024) of lower strength than certificate key
| TLSv1.1:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| Key exchange (dh 1024) of lower strength than certificate key
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| Key exchange (dh 1024) of lower strength than certificate key
|_ least strength: A
Using SSL Labs
SSL Labs is one of the most widely used tools for evaluating the security of TLS certificates. Scanning with SSL labs is a simple and straightforward process. If you wish to test the certificate of demo.testfire.net, for example, you can do the following steps: -- Go to https://www.ssllabs.com/ssltest/
- Enter the URL of the website as Hostname.
- Enjoy!

After finishing the test, you will receive the following result.

Using Burp Suite
To run an SSL scan using the burp suite, first, install the "SSL scanner" extension from the BApp store. You may do that from the burp suite's extender tab.
After installing the extension, you will see an additional tab in the burp suite, as seen in the image above. Change to that tab and input the host as the target to begin the scan.

That concludes this post. Please leave your thoughts and questions in the comments area.
Join the conversation