TLS Configuration Auditor
Audit SSL/TLS configuration for security vulnerabilities. Get graded A-F with specific recommendations.
What It Audits
- Protocol Versions: TLS 1.3, 1.2 (secure) vs TLS 1.0, SSL 3.0 (insecure)
- Cipher Suites: Which encryption algorithms are enabled
- Certificate Chain: Validity + intermediate cert presence
- Known Vulnerabilities: POODLE, BEAST, Heartbleed, CRIME
- HSTS: HTTP Strict Transport Security header
- OCSP Stapling: Certificate revocation checking
Quick Audit
- Go to TLS Configuration Auditor
- Enter hostname (e.g., example.com)
- Click "Audit" — scan takes 30-60 seconds
- Review security grade (A+ to F)
- Follow recommendations to improve score
Grading Criteria
| Grade | Requirements |
|---|---|
| A+ | TLS 1.3 + modern ciphers + HSTS preload |
| A | TLS 1.2+ only + no weak ciphers |
| B | TLS 1.2+ but some weak ciphers enabled |
| C | TLS 1.0/1.1 enabled (deprecated) |
| F | SSL 3.0 enabled or certificate invalid |
Common Issues & Fixes
1. TLS 1.0/1.1 Enabled
Risk: Deprecated protocols with known vulnerabilities.
Fix (Nginx):
ssl_protocols TLSv1.2 TLSv1.3;
# Remove: SSLv3 TLSv1 TLSv1.12. Weak Cipher Suites
Bad Examples: RC4, 3DES, export ciphers, NULL ciphers
Recommended Cipher List (Nginx):
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;3. Missing HSTS
Impact: Users can be downgraded to HTTP.
Fix:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;4. Certificate Chain Incomplete
Symptom: Works in browsers but fails in Java/Android apps.
Cause: Missing intermediate certificate.
Fix: Concat leaf + intermediate + root into one file:
cat certificate.crt intermediate.crt root.crt > fullchain.pem
ssl_certificate /path/to/fullchain.pem;Vulnerability Checks
Tool scans for:
- POODLE: SSL 3.0 fallback attack
- BEAST: TLS 1.0 CBC cipher vulnerability
- Heartbleed: OpenSSL memory disclosure (CVE-2014-0160)
- CRIME: TLS compression attack
- FREAK: Export cipher downgrade
- Logjam: Diffie-Hellman weakness
Best Practices
- ✅ Enable TLS 1.2 and 1.3 only
- ✅ Disable all SSL versions (SSLv2, SSLv3)
- ✅ Use ECDHE cipher suites (forward secrecy)
- ✅ Enable HSTS with long max-age + includeSubDomains
- ✅ Implement OCSP Stapling
- ✅ Use 2048-bit RSA or 256-bit EC keys minimum
- ❌ Don't enable RC4, 3DES, or MD5-based ciphers
- ❌ Don't support TLS 1.0/1.1 (deprecated 2020)
- ❌ Don't forget intermediate certificates in chain
Advanced: Perfect Forward Secrecy
What is it? Even if private key is compromised later, past sessions can't be decrypted.
How to enable? Use ECDHE ciphers (Elliptic Curve Diffie-Hellman Ephemeral).
Check: Audit report shows "Forward Secrecy: Yes" when properly configured.
Testing After Changes
- Update server TLS config
- Re-run audit (may take 5-10 min for config to reload)
- Verify grade improved
- Test with various browsers (Chrome, Firefox, Safari)
- Test with older clients (Android 4.x, IE11) if you need to support them