Sep 2, 2010

SSL/TLS configuration, figure it out!

There are several ways to figure out the SSL/TLS configuration of a webserver. If you're dealing with an Internet-facing server, the quickest solution is to use a webpage like www.ssllabs.com or www.serversniff.net (Webserver -> SSL Info). SSLLabs will give a "management friendly" presentation of a server's SSL/TLS configuration, underlining that you need not be all l33t H4x0r to uncover a lax security config.

Another option is to use a standalone tool, such as ssldigger — or Mozilla Firefox! SSL ciphers can easily be enabled and disabled through the Firefox advanced configuration. Simply enter "about:config" in the address bar to access all Firefox configuration options. To filter the options for SSL/TLS, input "security" in the filter bar.
[Screenshot: Firefox SSL/TLS configuration]

All supported SSL/TLS cipher suites are listed and can be enabled or disabled at will.

SSL/TLS negotiates a cipher suite based on the lists of cipher suites supported by the client and the server: the client sends its list of supported cipher suites, and the server selects its preferred suite from that list. If no common suite is found, the connection setup fails.
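
The negotiation described above, and the trick of disabling suites on the client to see what a server accepts, as an added Python example (not code from the original post). The suite lists are constructed samples using OpenSSL suite names, and all function names are hypothetical; `live_handshake` is the variant that talks to a real host.

```python
import socket
import ssl

# Constructed sample data (OpenSSL suite names), not taken from any real server.
SAMPLE_SERVER = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC3-SHA"]
SAMPLE_CLIENT = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA"]

def negotiate(client_offer, server_preference):
    """Selection step as the post describes it: the server picks the first
    suite in its own preference order that the client also offered."""
    offered = set(client_offer)
    for suite in server_preference:
        if suite in offered:
            return suite
    return None  # no common suite: connection setup fails

def enumerate_supported(candidates, handshake):
    """Offer one suite at a time, the scripted equivalent of toggling
    suites in about:config, and keep the ones the server accepts."""
    return [s for s in candidates if handshake([s]) is not None]

def live_handshake(host, port=443, timeout=5.0):
    """Build a handshake(offer) callable that talks to a real server."""
    def handshake(offer):
        ctx = ssl.create_default_context()
        # set_ciphers() only governs suites up to TLS 1.2, so cap the version.
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        try:
            ctx.set_ciphers(":".join(offer))
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    return tls.cipher()[0]  # name of the negotiated suite
        except ssl.SSLCertVerificationError:
            raise  # certificate problem, not a cipher mismatch
        except (ssl.SSLError, ConnectionResetError):
            return None  # suite unknown locally or rejected by the server
    return handshake

def simulated_handshake(offer):
    """Offline stand-in for live_handshake() backed by SAMPLE_SERVER."""
    return negotiate(offer, SAMPLE_SERVER)

if __name__ == "__main__":
    print("negotiated:", negotiate(SAMPLE_CLIENT, SAMPLE_SERVER))
    print("accepted:", enumerate_supported(SAMPLE_CLIENT + ["DES-CBC3-SHA"], simulated_handshake))
```

Passing `live_handshake("host.example")` instead of `simulated_handshake` runs the same enumeration against a live server; a `None` result can also mean the local OpenSSL build does not offer that suite.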

To figure out which encryption method has been selected for a particular site, check out "Security" under "Tools" -> "Page info". You can also double-click on the padlock, or the green name in the address bar, while visiting a site using HTTPS.
Easy, huh? :)

Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2015. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.