SSL/TLS Scan & Removal Guide

TL;DR

This guide shows you how to find and get rid of old, insecure SSL/TLS versions on your servers. We’ll use tools like OpenSSL, Nmap, and configuration checks to make sure everything is up-to-date and secure.

Scanning for Outdated SSL/TLS Versions

1. Understand the Risks: Older SSL/TLS versions (like SSLv3, TLS 1.0, TLS 1.1) have known weaknesses that attackers can exploit.
2. OpenSSL Command Line Scan: Use OpenSSL to check which protocols a server supports.

   openssl s_client -connect yourdomain.com:443

   Look for lines like “Protocol : TLSv1.2” or lower. Anything below TLS 1.2 is considered weak.

3. Nmap Script Scan: Nmap with the ssl-enum-ciphers script can quickly identify supported protocols and cipher suites.

   nmap --script ssl-enum-ciphers -p 443 yourdomain.com

   This will give you a detailed report of what’s enabled.

4. Online SSL/TLS Checkers: Use websites like SSL Labs (https://www.ssllabs.com/ssltest/) for a comprehensive analysis. These tools provide detailed reports and recommendations.

Eliminating Outdated SSL/TLS Versions

1. Apache Configuration: Edit your Apache configuration file (usually httpd.conf or apache2.conf).
   • Disable SSLv3 and TLS 1.0/1.1:

     SSLProtocol -all +TLSv1.2 +TLSv1.3

   • Restart Apache after making changes:

     sudo systemctl restart apache2

2. Nginx Configuration: Edit your Nginx configuration file (usually nginx.conf).
   • Disable SSLv3 and TLS 1.0/1.1:

     ssl_protocols TLSv1.2 TLSv1.3;

   • Restart Nginx after making changes:

     sudo systemctl restart nginx

3. Check Cipher Suites: Ensure you’re using strong cipher suites.
   • In Apache, use the SSLCipherSuite directive to specify allowed ciphers.
   • In Nginx, use the ssl_ciphers directive. Refer to Mozilla’s SSL Configuration Generator for recommended settings (https://ssl-config-generator.mozilla.org/).
4. Update OpenSSL: Make sure your OpenSSL version is up to date.

   sudo apt update && sudo apt upgrade openssl

   (This command is for Debian/Ubuntu systems. Use the appropriate package manager for your OS.)

5. Restart Services: After any configuration changes, always restart your web server and any related services to apply them.

Verification

1. Re-run Scans: Repeat the OpenSSL and Nmap scans from Step 2 to confirm that outdated protocols are disabled.
2. Use SSL Labs: Re-check with SSL Labs to verify your configuration is secure.