Having generated certificates, we must now learn how to audit them. In this lab, you will use professional tools to identify weak ciphers, deprecated protocols, and configuration errors on a live server.
testssl.sh is a free command-line tool that checks a server for a vast array of TLS vulnerabilities, including Heartbleed, POODLE, and weak cipher suites.
💡 Pay close attention to the colors. Green [+] means secure, Yellow [!] means warning, and Red [-] means critical vulnerability.
A server might support TLS 1.3 but still allow 'Export-grade' ciphers from the 90s. We must identify if the server prefers 'Strong' (AEAD) ciphers over 'Weak' (CBC) ciphers.
```bash
# Checking for specific weak ciphers using nmap
nmap --script ssl-enum-ciphers -p 443 target.com
```

| Cipher Type | Vulnerability | Status | Recommendation |
|---|---|---|---|
| CBC Mode | Lucky13 / POODLE | Deprecated | Use GCM |
| RSA Key Exchange | No Forward Secrecy | Weak | Use ECDHE |
| DES / RC4 | Factored in minutes | Broken | Disable |
| AES-GCM | High Performance/Secure | Modern | Prefer |
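
An added example (not part of the original lab): a Python sketch that parses `ssl-enum-ciphers` output, labels each suite using the table above, and checks whether the server's first choice is an AEAD suite. The sample output is constructed, the names `classify`, `audit` and `prefers_aead` are hypothetical, and it assumes nmap lists suites in server preference order when it reports `cipher preference: server`.

```python
import re

# Constructed sample of `nmap --script ssl-enum-ciphers` output, not a real scan.
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|     cipher preference: server
|_  least strength: C
"""

# Labels follow the lab's table; one suite can collect several findings.
RULES = [
    ("Broken: DES/RC4, disable", re.compile(r"_(DES|DES40|RC4)_")),
    ("Deprecated: CBC mode, use GCM", re.compile(r"_CBC_")),
    ("Weak: RSA key exchange, use ECDHE", re.compile(r"^TLS_RSA_")),
]
AEAD = re.compile(r"_(GCM|CCM|CHACHA20_POLY1305)")  # assumption: what counts as AEAD

def classify(suite):
    # A suite is "Modern" only if it is AES-GCM and no rule flagged it.
    findings = [label for label, rx in RULES if rx.search(suite)]
    if not findings and "_GCM_" in suite:
        findings.append("Modern: AES-GCM, prefer")
    return findings

def audit(nmap_output):
    """Return {protocol: {"preference": str, "suites": [(name, findings)]}}."""
    report, proto = {}, None
    for raw in nmap_output.splitlines():
        line = raw.lstrip("|_ ").rstrip()  # drop nmap's tree prefix
        if m := re.fullmatch(r"((?:SSL|TLS)v[\d.]+):", line):
            proto = m.group(1)
            report[proto] = {"preference": "unknown", "suites": []}
        elif proto and (m := re.match(r"((?:TLS|SSL)_\w+) ", line)):
            report[proto]["suites"].append((m.group(1), classify(m.group(1))))
        elif proto and line.startswith("cipher preference:"):
            report[proto]["preference"] = line.split(":", 1)[1].strip()
    return report

def prefers_aead(entry):
    """True only if the server enforces its order and its first suite is AEAD."""
    s = entry["suites"]
    return entry["preference"] == "server" and bool(s) and bool(AEAD.search(s[0][0]))
```

Pass it the text printed by the nmap command above and review every protocol for which `prefers_aead` returns false or any suite carries a "Broken" finding.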
For public-facing servers, SSL Labs provides a comprehensive web-based audit. It tests the server from multiple global locations to ensure consistency.
A 'Grade B' is often caused by the lack of HSTS (HTTP Strict Transport Security). This is a critical miss for any production site.