SSL/TLS Check for Clients/Server
The A-SIT SSL/TLS tool tests the security properties of web browsers and web servers.
The A-SIT SSL/TLS tool consists of two parts. The “Browser test” is capable of reviewing and evaluating the SSL/TLS capabilities of web browsers, while the “Server test” performs investigative actions on web servers. A classification is performed on the tested components, indicating whether the tested components are qualified for use in security-critical environments.
Status
The SSL tool is available as a download (see the end of this page) as well as an online version at http://demoapps.a-sit.at/ssl-tool/.
Documents
Alongside the SSL tool, A-SIT has prepared a strategy paper on SSL/TLS communication security for online E-Government procedures (see the download section below). The paper also gives recommendations on transfer formats suited to the exchange of certificates.
Instructions
- General
  This tool tests servers and browsers and sorts the results into corresponding security classes.
- Requirements
  The SSL tool has the following prerequisites:
  - Java Runtime Environment (or SDK) version >= 1.7
  - Apache Tomcat >= 7 (optional)
  The Tomcat container is only required if the tool is used as a servlet. It can also be used as a standalone application. To invoke the test programs, an SSL-capable web browser (in a current version) is required.
- Execution
  - Execution as standalone program:
    - using UNIX:
      - Client SSL tool: ./startup-client.sh
      - Server SSL tool: ./startup-server.sh
    - using Windows:
      - Client SSL tool: ./startup-client.bat
      - Server SSL tool: ./startup-server.bat
    Before executing, the JAVA_HOME variable needs to be set. If it is already configured, this step can be omitted.
  - Execution as servlet:
    Prior to the first start, the servlet (ssl-tool.war) needs to be copied to the webapps folder of Tomcat. The servlets are automatically initialized when Tomcat starts.
- Working with the tool
  - Client SSL tool:
    The capabilities of an Internet browser can be tested by opening one of the following URLs with the browser to be tested:
    - https://localhost:4443 (standalone installation), or
    - http://localhost:8080/ssl-tool/sslclientinfo (Tomcat installation)
    If the SSL tool is not running on the same machine, localhost needs to be replaced with the IP address of the machine. After a short time, the tool reports which SSL versions, cipher suites, ciphers and key exchange algorithms are supported. If available, the tool also shows client certificates.
  - Server SSL tool:
    The capabilities of an Internet server can be tested by using the server check:
    - https://localhost:4443/ (standalone installation), or
    - http://localhost:8080/ssl-tool/ (Tomcat installation)
    If the SSL tool is not running on the same machine, localhost needs to be replaced with the IP address of the corresponding machine. The page lets you enter the address of the server to be tested. After entering the name of the server and starting the test, the tool reports which SSL versions, cipher suites, ciphers and key exchange algorithms are supported. Additionally, the tool shows the available server certificate and the certificate chain.
Links
- A-SIT SSL/TLS service
- Post on SSL/TLS recommendations for the public sector