Exercise 28: Testing SSL/TLS Configurations

Objective

Analyze SSL/TLS configurations for weaknesses and recommend improvements to enhance security.

Scenario

As a security analyst, you’re responsible for ensuring that web servers in your organization use secure SSL/TLS configurations. Weak ciphers, expired certificates, and outdated protocols like SSLv2/SSLv3 can make servers vulnerable to attacks. In this exercise, you’ll use tools like sslscan and testssl.sh to assess a server’s SSL/TLS setup, identify weaknesses, and recommend fixes.

⚠️ Important: Perform this exercise in a legal and controlled environment. Unauthorized scanning of external servers is illegal and unethical.

Lab Instructions

Step 1: Install SSL/TLS Testing Tools

a. Install sslscan

sudo apt update
sudo apt install sslscan -y

b. Install testssl.sh

sudo apt install git -y
git clone https://github.com/drwetter/testssl.sh.git
cd testssl.sh
chmod +x testssl.sh

Step 2: Scan a Web Server for SSL/TLS Vulnerabilities

a. Using sslscan

Scan the target server (e.g., example.com):

sslscan example.com

• Look for:
  • Supported SSL/TLS versions
  • Weak or deprecated ciphers (e.g., RC4, DES)
  • Null or anonymous ciphers
  • Self-signed or expired certificates

b. Using testssl.sh

Perform a detailed SSL/TLS assessment:

./testssl.sh example.com

• Look for:
  • Protocol support (SSLv2/SSLv3, TLS 1.0/1.1)
  • Certificate validity and chain issues
  • Cipher strength and vulnerabilities (e.g., BEAST, POODLE, Heartbleed)

Step 3: Analyze Findings

Example Findings:

• Weak Protocols Enabled: SSLv2, SSLv3, TLS 1.0
• Weak Ciphers: RC4, DES, 3DES
• Expired Certificate: Certificate expired on 2024-01-01
• Missing HSTS Header: No HTTP Strict Transport Security header

Step 4: Recommend Fixes

Disable Outdated Protocols:

Edit the server’s SSL configuration (e.g., for Apache):

sudo nano /etc/apache2/mods-available/ssl.conf

Add/modify:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4 
SSLHonorCipherOrder on

Restart Apache:

sudo systemctl restart apache2

Renew Expired Certificates:

Generate a new certificate or renew via a Certificate Authority (CA).

Install the renewed certificate.

Enable Strong Ciphers:

Prioritize strong ciphers like AES-GCM and ChaCha20-Poly1305.

Implement HSTS:

Add to the web server configuration: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Step 5: Re-Test the Server

• Run sslscan and testssl.sh again: sslscan example.com ./testssl.sh example.com
• Expected Results:
  • No weak protocols (SSLv2/SSLv3/TLS 1.0/1.1) are enabled.
  • Only strong ciphers are accepted.
  • Valid and trusted certificate in use.
  • HSTS header properly configured.

Solution & Explanation

Why SSL/TLS Security Matters

• Weak Protocols and Ciphers expose servers to attacks like BEAST, POODLE, and Heartbleed.
• Expired Certificates can cause trust issues and make man-in-the-middle attacks easier.
• HSTS prevents protocol downgrade attacks by forcing browsers to use HTTPS.

Recommended Best Practices

1. Disable Insecure Protocols: Avoid using SSLv2, SSLv3, TLS 1.0, and TLS 1.1.
2. Use Strong Ciphers: Prefer AES-GCM, ChaCha20-Poly1305, and ECDHE key exchanges.
3. Renew Certificates Promptly: Set up monitoring for certificate expiry.
4. Implement HSTS: Forces HTTPS communication, preventing downgrade attacks.
5. Regularly Test Configurations: Use tools like sslscan and testssl.sh to stay secure.

Testing & Verification

• Confirm that weak protocols and ciphers are disabled.
• Validate that the certificate is valid and trusted.
• Ensure HSTS is properly enforced.

Check SSL Configuration (Apache Example):

sudo apachectl -S
sudo apachectl configtest

Review Logs:

sudo tail -f /var/log/apache2/error.log

Additional Script (Optional)

Automate SSL hardening for Apache:

#!/bin/bash
# SSL/TLS Hardening Script for Apache
sudo apt update
sudo apt install apache2 -y
sudo a2enmod ssl headers

# Configure SSL
sudo bash -c 'cat <<EOF >> /etc/apache2/mods-available/ssl.conf
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
SSLHonorCipherOrder on
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
EOF'

# Restart Apache
sudo systemctl restart apache2

echo "SSL/TLS hardening applied."

Run the script:

chmod +x ssl_hardening.sh
sudo ./ssl_hardening.sh

Conclusion

In this exercise, you used sslscan and testssl.sh to identify SSL/TLS configuration weaknesses. You then implemented security improvements by disabling outdated protocols, enabling strong ciphers, and enforcing HSTS. Regular SSL/TLS assessments are essential to maintaining secure and trustworthy web services.