SSL/TLS Certificate Strength: How to Evaluate and Ensure Your Website's Security





SSL certificate's strength can be determined in several ways. In this post, I'll go through some of the ways of determining a certificate's strength.

Scan using Nmap script

Before we begin, we need to make sure that Nmap is installed on your system. You can install nmap by using the following command in your Linux-based operating system's terminal.
sudo apt install nmap
The terminal will prompt you for confirmation while executing this command. You can confirm by pressing 'Y.' After installing nmap, you may verify its success by entering "nmap" into your terminal. If there are no errors, nmap has been successfully installed.

If you're running Windows, nmap might not be available. Consider using zenmap, the graphical user interface version of the same. Zenmap can be downloaded from the nmap's website.

Use the following command to execute the script to check ciphers' strength
nmap --script ssl-cert,ssl-enum-ciphers -p 443 demo.testfire.netcode-box
After executing the script, you will get a list of all the supported ciphers and their strength. For example, on executing the same command on demo.testfire.net, we got the following output.
nmap --script ssl-cert,ssl-enum-ciphers -p 443 demo.testfire.net
Starting Nmap 7.70 ( https://nmap.org ) at 2021-09-25 09:46 UTC
Stats: 0:00:29 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 83.33% done; ETC: 09:46 (0:00:06 remaining)
Nmap scan report for demo.testfire.net (65.61.137.117)
Host is up (0.028s latency).


PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| Key exchange (dh 1024) of lower strength than certificate key
| TLSv1.1:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| Key exchange (dh 1024) of lower strength than certificate key
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| Key exchange (dh 1024) of lower strength than certificate key
|_ least strength: A

Using SSL Labs

SSL Labs is one of the most widely used tools for evaluating the security of TLS certificates. Scanning with SSL labs is a simple and straightforward process. If you wish to test the certificate of demo.testfire.net, for example, you can do the following steps: -

  1. Go to https://www.ssllabs.com/ssltest/
  2. Enter the URL of the website as Hostname.
  3. Enjoy!



After finishing the test, you will receive the following result.





Using Burp Suite

To run an SSL scan using the burp suite, first, install the "SSL scanner" extension from the BApp store. You may do that from the burp suite's extender tab.






After installing the extension, you will see an additional tab in the burp suite, as seen in the image above. Change to that tab and input the host as the target to begin the scan.





Please note that this extension does not support TLS1.3 and was last updated in 2018. As a result, the scan findings may not be accurate.

That concludes this post. Please leave your thoughts and questions in the comments area.
I am a Software Engineer/ Penetration Tester, with specialization in web applications and APIs. I love reading cyber security articles to keep me up to date. I also know python, C# and few other popular languages. linkedin