Qualys SSL Labs - SSL Server Tester


cwade12c

A tool that I have long admired is Qualys SSL Labs. They have a quick web tool that conducts an analysis of a target's SSL/TLS configuration. Simply give it a target URL and wait for the results.

It lists lots of descriptive information, including:

  • Key
  • Issuer
  • Certificate Transparency
  • OCSP Stapling
  • Revocation status
  • DNS CAA
  • Trusted
  • Supported Protocols
  • Cipher Suites
  • Handshake Simulation
  • Specific Security Tests
  • Forward Secrecy
  • 0-RTT
  • SNI alerts
  • HSTS
  • ALPN
  • NPN

and more. Some of the security tests it looks at are BEAST, POODLE (SSLv3, TLS), Zombie POODLE, GOLDENDOODLE, OpenSSL 0-Length, Sleeping POODLE, Secure Renegotiation, Downgrade Attack Prevention, RC4, Heartbeat, Heartbleed, Ticketbleed, CVE-2014-0224, CVE-2016-2107, ROBOT.

It's a great tool. The best part to me is that if there are ways in which you can improve your configuration, it highlights the suggestions and offers you links to configuration guides.


With this, I will be exploring limiting support for older TLS versions (anything less than TLS 1.2).

Link to website: https://www.ssllabs.com/ssltest

Edit:

I have disabled TLS 1.0 and TLS 1.1.

To do this in apache2, find your appropriate virtual hosts and use the SSLProtocol directive.

In our case:

SSLProtocol +TLSv1.2 +TLSv1.3

Edited by cwade12c
Applied apache2 configuration change and added the info to the topic
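As an added example (not part of the post above, and not Apache's or Qualys's own code), the small Python model below evaluates an Apache SSLProtocol directive the way mod_ssl's documented +/-/all/bare-token rules do and reports which legacy versions (below TLS 1.2) it still leaves enabled. It assumes the protocol names mod_ssl accepts for SSLv3 through TLSv1.3 and ignores SSLv2; the sample directives are constructed.

```python
"""Evaluate an Apache SSLProtocol directive and flag legacy TLS/SSL versions.

Rules modelled (from mod_ssl's documented directive syntax, simplified):
  - "+name" adds a version, "-name" removes it,
  - a bare "name" replaces everything set so far (mod_ssl warns when that
    overrides earlier tokens), "all" expands to every version below,
  - names are matched case-insensitively.
"""
from typing import List, Set

# Order matters: index position is used to compare versions (constructed list,
# SSLv2 omitted on purpose).
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
MIN_ACCEPTABLE = "TLSv1.2"   # the floor the post above settles on


def parse_sslprotocol(directive: str) -> Set[str]:
    """Return the set of versions a directive line enables."""
    tokens = directive.split()
    if tokens and tokens[0].lower() == "sslprotocol":
        tokens = tokens[1:]            # accept the full config line or just its arguments
    enabled: Set[str] = set()
    for tok in tokens:
        action = ""
        if tok[0] in "+-":
            action, tok = tok[0], tok[1:]
        if tok.lower() == "all":
            names = set(ALL_PROTOCOLS)
        else:
            names = {p for p in ALL_PROTOCOLS if p.lower() == tok.lower()}
            if not names:
                raise ValueError(f"unknown protocol token {tok!r}")
        if action == "-":
            enabled -= names
        elif action == "+":
            enabled |= names
        else:
            enabled = names            # bare token overrides earlier settings
    return enabled


def legacy_protocols(directive: str) -> List[str]:
    """Versions older than MIN_ACCEPTABLE that the directive still allows."""
    cutoff = ALL_PROTOCOLS.index(MIN_ACCEPTABLE)
    return sorted((p for p in parse_sslprotocol(directive)
                   if ALL_PROTOCOLS.index(p) < cutoff),
                  key=ALL_PROTOCOLS.index)


if __name__ == "__main__":
    for line in ("SSLProtocol all -SSLv3",                 # constructed: still allows TLS 1.0/1.1
                 "SSLProtocol +TLSv1.2 +TLSv1.3"):         # the post's own setting
        print(line, "->", legacy_protocols(line) or "no legacy versions")
```

Note that serving TLSv1.3 with this directive requires Apache 2.4.36 or later built against OpenSSL 1.1.1 or later; on older builds the token is rejected.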