SSL Labs is an efficient way to find which SSL/TLS protocols are enabled on your web server.
Enter your website URL and click Submit:
https://www.ssllabs.com/ssltest/
It generates an SSL scan report for your web application, where you can check which TLS protocols are enabled or disabled.
If you want to scan TLS protocol versions from your local machine, run the following commands, one for each TLS version.
TLS 1.0 and TLS 1.1 are vulnerable versions.
openssl s_client -connect app.localhost:443 -tls1
openssl s_client -connect app.localhost:443 -tls1_1
openssl s_client -connect app.localhost:443 -tls1_2
openssl s_client -connect app.localhost:443 -tls1_3
If TLS 1.0 or TLS 1.1 is enabled on your web server but you are not getting results on the command line, you need to make configuration changes in your openssl.cnf file.
Take a backup of your /etc/ssl/openssl.cnf:
sudo cp /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.bkup
Add this to the beginning of your config file /etc/ssl/openssl.cnf:
openssl_conf = default_conf
And then this to the end:
[ default_conf ]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=1
Now export the path to the config file:
export OPENSSL_CONF=/etc/ssl/openssl.cnf
Now check again:
openssl s_client -connect app.localhost:443 -tls1
openssl s_client -connect app.localhost:443 -tls1_1
Now it should show the enabled TLS protocols on the command line.
You can disable these protocols in your web server config.
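The checks above can be wrapped in a small script that also tells apart a server that rejects a version from a local OpenSSL that refuses to offer it (the openssl.cnf case). This is an added example, not part of the original post; the function names and the sample outputs are constructed for illustration, and the match on "no protocols available" assumes that is the error your OpenSSL build prints when the client blocks a version.

```sh
#!/bin/sh
# Added example, not from the original post. Sample outputs below are
# constructed and abbreviated, not captured from a real server.

# classify_handshake: read `openssl s_client` output on stdin and print
#   client-blocked  local OpenSSL refused to offer the version (openssl.cnf case)
#   enabled         handshake completed, so the server accepts the version
#   disabled        server rejected the version or no handshake completed
classify_handshake() {
    out=$(cat)
    case $out in
        *"no protocols available"*) echo client-blocked; return 0 ;;
    esac
    # A completed handshake names a cipher; a failed one prints "(NONE)".
    if printf '%s\n' "$out" | grep '^New, .*Cipher is ' | grep -qv '(NONE)'; then
        echo enabled
    else
        echo disabled
    fi
}

# scan_tls HOST:PORT: run the four checks from the post against one server.
scan_tls() {
    for flag in tls1 tls1_1 tls1_2 tls1_3; do
        result=$(openssl s_client -connect "$1" "-$flag" </dev/null 2>&1 |
                 classify_handshake)
        printf '%-7s %s\n' "$flag" "$result"
    done
}

SAMPLE_ENABLED='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
---'

SAMPLE_DISABLED='CONNECTED(00000003)
error: ... tlsv1 alert protocol version ...
---
New, (NONE), Cipher is (NONE)
---'

SAMPLE_CLIENT_BLOCKED='CONNECTED(00000003)
error: ... tls_construct_client_hello:no protocols available ...
---
New, (NONE), Cipher is (NONE)
---'

# Usage: scan_tls app.localhost:443
```

A "client-blocked" result for tls1 or tls1_1 means the openssl.cnf change described above is needed before the check says anything about the server.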