SSL Penetration Test Checklist
This tool does a good job: https://testssl.sh/
SSL Checklist for Pentesters - the Manual Cheatsheet
This table accompanies the presentation referenced here. It lists various SSL/TLS checks that can be performed manually with OpenSSL or a browser. Sometimes the column "insecure result" doesn't actually refer to an insecure configuration (for example, it may be a nice-to-have) but this should be clear from the context of the issue or the comments.
| Issue | Manual check | Insecure result | Secure result | Comments |
|---|---|---|---|---|
| SSLv2 | openssl s_client -ssl2 -connect host:port | It connects! | It doesn't connect! | OpenSSL <1.0.0 |
| SSLv3 | openssl s_client -ssl3 -connect host:port | It connects! | It doesn't connect! | Disable to prevent POODLE attack - and it's generally old and creaky anyway - but doing so will stop default instances of IE6 connecting |
| TLS > v1.0 | openssl s_client -tls1_1 -connect host:port | It doesn't connect! | It connects! | OpenSSL >1.0.0 Not insecure if missing but see presentation |
| Secure renegotiationsupported | openssl s_client -connect host:port | OpenSSL output reports "Secure Renegotiation IS NOT supported" | OpenSSL output reports "Secure Renegotiation IS supported" | OpenSSL >0.9.8l (BackTrack 5 R3 had a patched v0.9.8k that worked) If it's not supported but client-initiated renegotiation is disabled then it's not an issue |
| Client-initiated securerenegotiation enabled | openssl s_client -connect host:port | Renegotation succeeds at R HTTP response returned | Renegotiation fails at R | OpenSSL >0.9.8l Add -crlf if HTTP response not returnedDoS attack |
| Client-initiated insecurerenegotiation | openssl s_client -connect host:port | Renegotation succeeds at R HTTP response returned | Renegotiation fails at R | OpenSSL <0.9.8l (BackTrack 5 R3 had a patched v0.9.8k that worked) Add -crlf if HTTP response not returnedCVE-2009-3555 and DoS |
| Public key size <= 1024-bit | openssl s_client -connect host:port | OpenSSL output reports "Server public key is " <=1024 " bit" | OpenSSL output reports "Server public key is " >1024 " bit" | |
| Invalid certificate chain | Use browser (not through proxy) | Certificate error | No certificate error | Is your browser checking for revocation (up the entire chain)? - see presentation |
| Certificate expired | Use browser (not through proxy) | Certificate error | No certificate error | Is your date/time correct? |
| Certificate with imminent expiry | Use browser (not through proxy) Examine certificate field expiry date | Less than a month to go | More than a month to go | Obviously not insecure (yet): just for client's information |
| EV certificate | Use browser (not through proxy) Examine address bar | Address bar not green | Address bar green | Exactly where the address bar is green depends on the browser Not insecure if missing |
| Certificate signed using MD5 or SHA-1 | Use browser (not through proxy) Examine certificate's signature [hash] algorithm field | MD5 or SHA-1 | One of the SHA-2 family | |
| Certificate revocation mechanisms | Use browser (not through proxy) Examine certificate CRL and AIA fields | Field missing | Both fields populated | If AIA field missing, browser may not check CRL |
| Certificate revoked including upstream chain | Use Internet Explorer (not through proxy) with registry change:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WARN_ON_SEC_CERT_REV_FAILED | Certificate error | No certificate error with no warning about inability to check revocation | Opera apparently also does OCSP with CRL fallback for whole chain |
| OCSP Stapling | openssl s_client -status -tlsextdebug -connect site:port | Cert status: revoked or unknown (invalid test) | Cert status: good | RFC2560: good means "the certificate is not revoked, but does not necessarily mean that the certificate was ever issued or that the time at which the response was produced is within the certificate's validity interval" |
| Certificate subject | Use browser (not through proxy) Examine certificate subject and subject alternative names fields | Mismatch between subject and hostname Wildcard certificate | Certificate valid for target hostname (with or without www prefix) No wildcard | |
| Invalid certificate when Server Name Indication (SNI) missing | Compare certificate returned from openssl s_client -connect site:port with and without -servername option | Invalid certificate returned without -servername option | Valid certificate returned without -servername option | -ssl3 should show same result as test without -servername |
| Weak cipher suites | openssl s_client -cipher NULL,EXPORT,LOW,3DES -connect site:port | Connection succeeds with <128-bit or Triple DES cipher | Connection fails | If successful, this will only prove that one of possibly many such ciphers is supported: tools are more comprehensive Use just EXPORT to check for exposure to FREAK |
| Anonymous cipher suites | openssl s_client -cipher aNULL -connect site:port | Connection succeeds | Connection fails | If successful, this will only prove that one of possibly many such ciphers is supported: tools are more comprehensive |
| Server preference | openssl s_client [-ssl2|-ssl3|tls1|tls1_1|tls1_2] -cipher Change the order of CIPHERS to change client preference e.g. DEFAULT:+RC4 will make RC4 ciphers in the default set the leastpreferred | A preferred cipher will be selected irrespective of client's preference | For valid CIPHERS values refer to man ciphers or here or hereDifferent cipher suites may be supported per protocol Only insecure if preferred cipher is weak Cipher suite order recommendations from Mozilla I wrote a post on this topic here. | |
| Forward Secrecy | openssl s_client -cipher EDH,EECDH -connect site:port | Unsupported Supported but not preferred | Supported and preferred | OpenSSL >=1.0.0 (later versions will tend to support more ephemeral ciphers) |
| RC4 | openssl s_client -cipher RC4 -connect site:port | Connection succeeds | Connection fails | If successful, this will only prove that one of possibly many such ciphers is supported: tools are more comprehensive Also check server preference |
| CRIME | openssl s_client -connect site:port | OpenSSL output "Compression:" line is not "NONE", e.g. "zlib compression" | OpenSSL output "Compression: NONE" | Ensure the OpenSSL version in use supports compression: check Client Hello in Wireshark for a list of Compression Methods |
| CRIME (SPDY) | openssl s_client -nextprotoneg NULL -connect site:portExamine OpenSSL output "Protocols advertised by server" | Protocol list includes SPDY version <4 | No "Protocols advertised by server" or line does not include SPDY version <4 | SPDY version 4 said to address the problem but not yet released |
| Heartbeat enabled | openssl s_client -tlsextdebug -connect site:port | OpenSSL reports "TLS server extension heartbeat" | Heartbeat disabled | OpenSSL >=1.0.1 |
| Heartbleed | Tools only | Be wary of buggy tools that report false negatives [thanks to @anantshri] Some tools are more aggressive than others If tool relies on OpenSSL then 1.0.1-1.0.1f | ||
| Change Cipher Spec (CCS) flaw | Tools only | If tool relies on OpenSSL then <1.0.1h, <1.0.0m, <0.9.8za | ||
| POODLE | For SSL, check for SSLv3 (above) For TLS, refer to this posting | |||
| TLS_FALLBACK_SCSV support | openssl s_client -ssl3 -fallback_scsv -connect site:port-ssl3 specifically with POODLE in mind but it's bigger than that | It connects | It fails with "inappropriate fallback" alert | OpenSSL >=1.0.1j See my other posts for more info. |
Source: http://www.exploresecurity.com/wp-content/uploads/custom/SSL_manual_cheatsheet.html