S E C U R I T Y

Loading

Details
Stay Up To Date
Parent Checks

  • SSL Vulnerabilities

Need Membership

No

Need Proof Of Ownership

No

Estimate Time (Second)

10

SSL/TLS Supported Cipher Detail

Check your SSL/TLS configuration for supported ciphers. Do not use weak ciphers. Also learning supported SSL cipher and making cross check with supported ones by security devices can be very important.

What SSL/TLS Supported Ciphers

Using SSL (Secure Sockets Layer) / TLS (Transport Layer Security) add another layer to protocol for encryption. You can use SSL/TLS with HTTP, SMTP or FTP. When SSL / TLS is used, an 'S' is usually appended to the end of the protocol such as HTTPS and FTPS. When using SSL / TLS, client and server must agree about some encryption stuff and cipher is one of them.

There are lots of ciphers with different name in different standards. Check this if you want.


What Does Supported SSL Matters?

What Does Supported SSL Matters? Because of three things:

  1. If you use weak cipher, your encrypted communication can be decrypted by attackers.
  2. Using some ciphers can cause other vulnerabilities
  3. Generally, security devices like IPS or WAF does not support all ciphers. Their supported ciphers can be different from the main server. If security devices are not configured correctly, attacker can use cipher which is supported by server but not supported by security devices to bypass security controls.
You can use these ciphers (taken from here):
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-SHA256


How Can You Learn Supported SSL/TLS Ciphers?

You can use our free and online SSL/TLS Supported Cipher tool. To do this, you can start by typing your domain name or IP address in the form on top of the page without any http or https and start scanning.

Or you can use sslscan

If you are using a linux disto, use your package manager to install sslscan For example, to install ubuntu type 'sudo apt-get install sslscan'

Sslscan simple but powerful tool to gather information about TLS/SSL certification including supported ciphers suites on the server side. Sample usage is like this:

sslscan securityforeveryone.com
Version: 2.0.0-beta1-9-g2bebcbf-static
OpenSSL 1.1.1h-dev  xx XXX xxxx

Connected to 2606:4700:3031::681b:89d0

Testing SSL server securityforeveryone.com on port 443 using SNI name securityforeveryone.com

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   enabled
TLSv1.3   enabled

  TLS Fallback SCSV:
Server supports TLS Fallback SCSV

  TLS renegotiation:
Secure session renegotiation supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLSv1.3 not vulnerable to heartbleed
TLSv1.2 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.3  128 bits  TLS_AES_128_GCM_SHA256        Curve 25519 DHE 253
Accepted  TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384        Curve 25519 DHE 253
Accepted  TLSv1.3  256 bits  TLS_CHACHA20_POLY1305_SHA256  Curve 25519 DHE 253
Preferred TLSv1.2  256 bits  ECDHE-ECDSA-CHACHA20-POLY1305 Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256 Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  ECDHE-ECDSA-AES128-SHA        Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  ECDHE-ECDSA-AES128-SHA256     Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384 Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  ECDHE-ECDSA-AES256-SHA        Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  ECDHE-ECDSA-AES256-SHA384     Curve 25519 DHE 253

  Server Key Exchange Group(s):
TLSv1.3  128 bits  secp256r1 (NIST P-256)
TLSv1.3  192 bits  secp384r1 (NIST P-384)
TLSv1.3  260 bits  secp521r1 (NIST P-521)
TLSv1.3  128 bits  x25519
TLSv1.2  128 bits  secp256r1 (NIST P-256)
TLSv1.2  192 bits  secp384r1 (NIST P-384)
TLSv1.2  260 bits  secp521r1 (NIST P-521)
TLSv1.2  128 bits  x25519

  Server Signature Algorithm(s):
TLSv1.3  Server accepts all signature algorithms.

  SSL Certificate:
Signature Algorithm: ecdsa-with-SHA256
ECC Curve Name:      prime256v1
ECC Key Strength:    128

Subject:  *
Altnames: DNS:*.securityforeveryone.com, DNS:securityforeveryone.com, DNS:sni.cloudflaressl.com
Issuer:   CloudFlare Inc ECC CA-2

Not valid before: Mar 24 00:00:00 2020 GMT
Not valid after:  Oct  9 12:00:00 2020 GMT
            

Some Advice for Common Problems

You should declare supported SSL/TLS ciphers generally in the your service configuration. For example if you use apache2 with HTTPs change add strong cipher to end of the line starting with SSLCipherSuite You can use these ciphers (taken from here):
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-SHA256