Threat intelligence API Docs Pricing Resources Contact us

Threat intelligence API docs

SSL Configuration Analysis API

For a given domain name, establish and test SSL connection to the host and analyze how it is configured - to detect common configuration issues potentially leading to vulnerabilities.

GEThttps://api.threatintelligenceplatform.com/v1/sslConfiguration?domainName=threatintelligenceplatform.com&apiKey=YOUR_API_KEY

Input parameters


Parameter
Type
What it means
domainName (required) string The target domain name.
apiKey (required) string Get your personal API KEY on My subscriptions page.

The data returned


Field
Type
What it means
hasWarnings boolean If true - there are some warnings for the target host.
testResults array A list of tests with details.

Test result object fields


Field
Type
What it means
status boolean

The analysis status:

INFO - the test contains only formatted data without any assertions.

SUCCESS - all the assertions are succeed.

WARNING - non-critical issues were found during the analysis.

FAILED - critical errors were found during the analysis.

SKIPPED - not enough data for test execution, or no reason to run the test.

details array Test's additional information.

Tests available


Field
What it means
validFrom Check date and time from which the certificate is valid. Compare the Not valid before field with the current date and time.
validTo Check date and time until which the certificate is valid. Compare the Not valid after field with the current date and time.
crlCheck Request the CRL (Certificate revocation list) provided by the certificate's issuer and check if the SSL certificate is present there.
ocspCheck OCSP is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet standards track. It was created as an alternative to CRL (Certificate Revocation Lists), addressing specific problems associated with using CRLs in a PKI (Public Key Infrastructure).
hostnameValidation Check if the target domain name is referenced in the SSL certificate's Common Name or Subject Alternative Names fields.
selfSignedCertificate Check if the certificate is issued by the target website itself and wasn't verified by a trusted Certificate Authority. While self-signed SSL certificates still encrypt connection, most web browsers display a security alert. Malware or vulnerable hosts often use self-signed certificates. Unlike most CA-issued certificates, self-signed certificates are free.
supportedProtocols Check if the host supports deprecated or vulnerable SSL protocols.
supportedCipherSuites Check if the host supports suboptimal cipher suites.
sslCompression Check SSL connection compression methods enabled by the host.
httpPublicKeyPinningExtension Check if HPKP headers are set in the host's response.
forceHTTPSConnections Check if the host returns HSTS header.
heartbeatExtension Check if the heartbeat extension is enabled on the host: RFC 6520.
heartbleedVulnerabilityCheck Check if the host's OpenSSL version installed is fixed against the Heartbleed Bug. It is a severe vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing information which under normal conditions is protected by SSL/TLS encryption.
tlsFallbackScsvSupported Check if TLS_FALLBACK_SCSV is supported by the host - to protect against POODLE attacks.
tlsaDnsRecordConfiguration Check if the TLSA record is correctly configured for the domain name.
debianBlacklistCheck Check if the certificate's public key is present in the Debian blacklist.
ocspStaplingEnabled Check if OCSP Stapling is enabled, analyze its response to check the SSL certificate's validity.

Sample output


{
  "hasWarnings":true,
  "testResults":{
    "validFrom":{
      "status":"OK",
      "details":[
        "Valid from 2017-10-17 00:00:00"
      ]
    },
    "validTo":{
      "status":"OK",
      "details":[
        "Valid until 2020-10-16 23:59:59"
      ]
    },
    "crlCheck":{
      "status":"OK",
      "details":[
        "CRL URL: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl",
        " - Status: ok",
        " - Last update: May  3 07:44:20 2018 GMT\n",
        " - Next update: May  7 07:44:20 2018 GMT\n"
      ]
    },
    "hostnameValidation":{
      "status":"OK",
      "details":[
        "Wildcard certificate"
      ]
    },
    "selfSignedCertificate":{
      "status":"OK",
      "details":[
        "CA-signed certificate."
      ]
    },
    "supportedProtocols":{
      "status":"OK",
      "details":[
        "Your server supports protocols: ",
        "SSLv3 - not supported",
        "TLSv1.0 - supported",
        "TLSv1.1 - supported",
        "TLSv1.2 - supported",
        "SSLv2 - not supported"
      ]
    },
    "supportedCipherSuites":{
      "status":"OK",
      "details":[
        "No suboptimal cipher suites found."
      ]
    },
    "sslCompression":{
      "status":"OK",
      "details":[
        "Disabled."
      ]
    },
    "httpPublicKeyPinningExtension":{
      "status":"Warning",
      "details":[
        "Headers not set"
      ]
    },
    "forceHTTPSConnections":{
      "status":"Warning",
      "details":[
        "No"
      ]
    },
    "heartbeatExtension":{
      "status":"OK",
      "details":[
        "Enabled"
      ]
    },
    "heartbleedVulnerabilityCheck":{
      "status":"OK",
      "details":[
        "OK"
      ]
    },
    "tlsFallbackScsvSupported":{
      "status":"OK",
      "details":[
        "Yes"
      ]
    },
    "tlsaDnsRecordConfiguration":{
      "status":"Warning",
      "details":[
        "Not configured."
      ]
    },
    "debianBlacklistCheck":{
      "status":"OK",
      "details":[
        "OK"
      ]
    },
    "ocspStaplingEnabled":{
      "status":"Warning",
      "details":[
        "No"
      ]
    }
  }
}

Have questions?
support@threatintelligenceplatform.com
We will get back to you within a day.
Threat Intelligence Platform, LLC

California
USA

Contact us