

Quick online tool to check SSL configurations - michiel3
https://www.ssllabs.com/ssldb/analyze.html?d=https://news.ycombinator.com

======
pud
Neat tool. If anyone wants to see what a broken SSL certificate looks like,
here's one of my expired ones (I really gotta renew it one of these days...)

[https://www.ssllabs.com/ssldb/analyze.html?d=https://secure....](https://www.ssllabs.com/ssldb/analyze.html?d=https://secure.tweetname.com)

~~~
there
Shameless plug: my free site <http://domainical.org/> will build an auto-
updating calendar of domain and SSL certificate expirations that you can
subscribe to in iCal, Google Calendar, etc. (assuming you just forgot to renew
that cert)

------
nodata
Also <https://www.wormly.com/test_ssl>

~~~
darklajid
Same problem for me: SNI seems to be broken, it always falls back to my
default cert.

------
jerhewet
Nice blogpost regarding BEAST on IIS servers:

[http://blogs.msdn.com/b/kaushal/archive/2011/10/03/taming-th...](http://blogs.msdn.com/b/kaushal/archive/2011/10/03/taming-the-beast-browser-exploit-against-ssl-tls.aspx)

------
darklajid
While I liked the opportunity to tweak my configuration:

A tool that doesn't support SNI (at least it complains about getting the wrong
certificate for one of my domains, something that doesn't happen in any
browser I tested) is - restricted.

~~~
ivanr
[Note: I am the author of the tool.]

Yes, it's somewhat restricted without SNI support. I wrote the tool back in
2009 when having SNI was not very useful (because there was virtually no
support for it). Sadly, the situation has not improved much since. Had you
tested with Internet Explorer running on Windows XP (which is what a huge
chunk of the Internet population still runs), you would have found that SNI
simply does not work there. That fact alone rules out SNI for web sites that
have a general audience as their target.

Anyhow, a big update is planned for later this year. The Rating Guide, which
determines the score, will be revised, the tool itself will be tweaked to
become more actionable and include more documentation, and a number of very
useful advanced features will be added. I expect we will also start showing
historical information, as well as start tracking all public SSL sites.

Also, in two weeks' time we will be releasing an SSL/TLS Deployment Best
Practices guide to help people configure their web sites correctly.

~~~
mike-cardwell
I just wanted to take an opportunity to thank you for building this brilliant
tool. I have used it many times and recommend it to people all the time. It's
a brilliant way of demonstrating to non-techies that there is an actual
problem with their server configuration.

------
fduran
This is great although I'm not sure I agree with showing a list of "Recent
Worst-Rated" (graded "F", presumed with vulnerabilities), seems like painting
a target on some servers.

------
preinheimer
If you're running Apache this line helped me improve my score drastically:

SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:+EXP:+eNULL

~~~
emmelaich
Why include EXP or eNULL at all?
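
An added example, not part of the thread or of any commenter's post: a simplified Python model of the cipher-string operators documented in OpenSSL's ciphers(1), applied to the string posted above. The suite table and its tags are a constructed sample; on a real server the result depends on the OpenSSL build, and `openssl ciphers -v '<string>'` prints the actual list.

```python
# Simplified model of the OpenSSL cipher-string operators from ciphers(1).
# SUITES is a constructed sample with simplified tags, not a real build's list.
SUITES = {
    "DHE-RSA-AES256-SHA": {"HIGH", "RSA", "SSLv3"},
    "AES128-SHA":         {"HIGH", "RSA", "SSLv3"},
    "RC4-SHA":            {"MEDIUM", "RC4", "RSA", "SSLv3"},
    "RC4-MD5":            {"MEDIUM", "RC4", "RSA", "SSLv3"},
    "DES-CBC-SHA":        {"LOW", "RSA", "SSLv3"},
    "DES-CBC-MD5":        {"LOW", "RSA", "SSLv2"},
    "ADH-AES128-SHA":     {"HIGH", "ADH", "SSLv3"},
    "EXP-RC4-MD5":        {"EXP", "EXPORT40", "RC4", "RSA", "SSLv3"},
    "EXP1024-RC4-SHA":    {"EXP", "EXPORT56", "RC4", "RSA", "SSLv3"},
    "NULL-SHA":           {"eNULL", "RSA", "SSLv3"},
}
POSTED = ("ALL:!ADH:!EXPORT56:!EXPORT40:RC4+RSA:+HIGH:+MEDIUM:"
          "-LOW:-SSLv2:+EXP:+eNULL")

def matches(name, selector):
    """True if the suite satisfies every keyword in an A+B (logical AND) selector."""
    tags = SUITES[name]
    for kw in selector.split("+"):
        if kw == "ALL":
            if "eNULL" in tags:      # ALL never includes eNULL suites
                return False
        elif kw != name and kw not in tags:
            return False
    return True

def expand(cipher_string):
    """Return the ordered suite list the string selects in this model."""
    active, killed = [], set()
    for item in filter(None, cipher_string.split(":")):
        op = item[0] if item[0] in "!-+" else ""
        hit = [n for n in SUITES if matches(n, item[len(op):])]
        if op == "!":                # permanent delete, can never come back
            killed.update(hit)
        if op in ("!", "-"):         # "-" deletes but allows re-adding later
            active = [n for n in active if n not in hit]
        elif op == "+":              # reorder only: move present matches to the end
            active = [n for n in active if n not in hit] + \
                     [n for n in active if n in hit]
        else:                        # append matches not killed or already listed
            active += [n for n in hit if n not in killed and n not in active]
    return active

if __name__ == "__main__":
    print(expand(POSTED))
    # Dropping the trailing "+EXP:+eNULL" selects the same list in this model.
    print(expand(POSTED) == expand(POSTED.replace(":+EXP:+eNULL", "")))
    print(expand("ALL:eNULL"))       # unprefixed eNULL does add NULL-SHA
```

In this model a `+` prefix only reorders suites already selected, so the trailing `+EXP:+eNULL` selects nothing new, while an unprefixed `eNULL` would enable the null-encryption suite.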

------
GvS
Thanks, nice tool! It told me that my server is vulnerable to some kind of
BEAST attack. I searched a bit about that and fixed it.

------
alexchamberlain
Well made tool that provides some good information backed by solid evidence.

------
ck2
It refuses to check the quality of shared SSL certs.

