Audit TLS/SSL configuration for security weaknesses. Check protocol versions (TLS 1.2/1.3 only), cipher suite strength, certificate chain validity, HSTS deployment, key sizes, and compliance with Mozilla, NIST, and PCI-DSS guidelines.
Use when: "check TLS config", "SSL audit", "is our TLS secure", "cipher suite review", "certificate check", "security headers audit", "PCI compliance scan", or before security assessments.
audit — Full TLS Audit# Get certificate details
echo | openssl s_client -connect $HOST:443 -servername $HOST 2>/dev/null | openssl x509 -noout \
-subject -issuer -dates -fingerprint -ext subjectAltName 2>&1
# Check full chain
echo | openssl s_client -connect $HOST:443 -servername $HOST -showcerts 2>/dev/null | \
awk '/BEGIN CERT/,/END CERT/{print}' | \
openssl x509 -noout -subject -issuer -dates 2>&1
# Days until expiry
echo | openssl s_client -connect $HOST:443 -servername $HOST 2>/dev/null | \
openssl x509 -noout -enddate 2>&1 | \
python3 -c "
import sys, datetime
line = sys.stdin.read().strip()
date_str = line.split('=')[1]
expiry = datetime.datetime.strptime(date_str, '%b %d %H:%M:%S %Y %Z')
days = (expiry - datetime.datetime.utcnow()).days
status = '🔴 CRITICAL' if days < 7 else '🟡 WARNING' if days < 30 else '🟢 OK'
print(f'{status}: Certificate expires in {days} days ({expiry.date()})')
"
# Test each TLS version
for proto in ssl3 tls1 tls1_1 tls1_2 tls1_3; do
result=$(echo | openssl s_client -connect $HOST:443 -$proto 2>&1)
if echo "$result" | grep -q "CONNECTED"; then
echo "$proto: ENABLED"
else
echo "$proto: DISABLED"
fi
done
Expected results:
# List supported ciphers
nmap --script ssl-enum-ciphers -p 443 $HOST 2>/dev/null || \
openssl s_client -connect $HOST:443 -cipher 'ALL' 2>&1 | grep "Cipher is"
# Check for weak ciphers
for cipher in RC4 DES 3DES NULL EXPORT ANON MD5; do
result=$(echo | openssl s_client -connect $HOST:443 -cipher "$cipher" 2>&1)
if echo "$result" | grep -q "CONNECTED"; then
echo "🔴 WEAK CIPHER SUPPORTED: $cipher"
fi
done
Flag as weak:
curl -sI "https://$HOST" | grep -iE "^(strict-transport|x-frame|x-content|content-security|referrer|permissions|x-xss)" 2>&1
Check for:
Strict-Transport-Security (HSTS) — should be present, max-age ≥ 31536000includeSubDomains — recommendedpreload — recommended for public sitesecho | openssl s_client -connect $HOST:443 2>/dev/null | openssl x509 -noout -text | \
grep -E "Public-Key:|Signature Algorithm:" 2>&1
# TLS Configuration Audit — $HOST
## Overall Grade: A / B / C / D / F
## Certificate
- Subject: *.example.com
- Issuer: Let's Encrypt R3
- Valid: 2026-01-15 to 2026-04-15
- Expiry: 🟢 47 days remaining
- Key: ECDSA P-256 ✅
- Signature: SHA-256 ✅
- Chain: Complete ✅
## Protocol Support
| Protocol | Status | Compliance |
|----------|--------|------------|
| TLS 1.3 | ✅ Enabled | Required (modern) |
| TLS 1.2 | ✅ Enabled | Required (intermediate) |
| TLS 1.1 | ✅ Disabled | PCI-DSS compliant |
| TLS 1.0 | ✅ Disabled | PCI-DSS compliant |
| SSLv3 | ✅ Disabled | POODLE-safe |
## Cipher Suites
- Strong ciphers only: ✅
- Forward secrecy (ECDHE/DHE): ✅
- No weak ciphers: ✅
## Security Headers
- HSTS: ✅ max-age=31536000; includeSubDomains; preload
- X-Frame-Options: ⚠️ Missing
- CSP: ❌ Not configured
## Recommendations
1. Add Content-Security-Policy header
2. Add X-Frame-Options: DENY
3. Consider ECDSA certificate for better performance
compare — Compare Against Mozilla PresetsCheck configuration against Mozilla's three recommended profiles:
monitor — Set Up Certificate Expiry AlertsGenerate a monitoring script or CI job that checks certificate expiry daily and alerts at 30/14/7/1 day thresholds.
共 1 个版本