Threat intelligence API docs
SSL Configuration Analysis API
For a given domain name, establish and test SSL connection to the host and analyze how it is configured - to detect common configuration issues potentially leading to vulnerabilities.
GEThttps://api.threatintelligenceplatform.com/v1/sslConfiguration?domainName=threatintelligenceplatform.com&apiKey=YOUR_API_KEY
Input parameters
|
Parameter
|
Type
|
What it means
|
|---|---|---|
| domainName (required) | string | The target domain name. |
| apiKey (required) | string | Get your personal API KEY on My subscriptions page. |
The data returned
|
Field
|
Type
|
What it means
|
|---|---|---|
| hasWarnings | boolean | If true - there are some warnings for the target host. |
| testResults | array | A list of tests with details. |
Test result object fields
|
Field
|
Type
|
What it means
|
|---|---|---|
| status | boolean |
The analysis status: INFO - the test contains only formatted data without any assertions. SUCCESS - all the assertions are succeed. WARNING - non-critical issues were found during the analysis. FAILED - critical errors were found during the analysis. SKIPPED - not enough data for test execution, or no reason to run the test. |
| details | array | Test's additional information. |
Tests available
|
Field
|
What it means
|
|---|---|
| validFrom | Check date and time from which the certificate is valid. Compare the Not valid before field with the current date and time. |
| validTo | Check date and time until which the certificate is valid. Compare the Not valid after field with the current date and time. |
| crlCheck | Request the CRL (Certificate revocation list) provided by the certificate's issuer and check if the SSL certificate is present there. |
| ocspCheck | OCSP is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet standards track. It was created as an alternative to CRL (Certificate Revocation Lists), addressing specific problems associated with using CRLs in a PKI (Public Key Infrastructure). |
| hostnameValidation | Check if the target domain name is referenced in the SSL certificate's Common Name or Subject Alternative Names fields. |
| selfSignedCertificate | Check if the certificate is issued by the target website itself and wasn't verified by a trusted Certificate Authority. While self-signed SSL certificates still encrypt connection, most web browsers display a security alert. Malware or vulnerable hosts often use self-signed certificates. Unlike most CA-issued certificates, self-signed certificates are free. |
| supportedProtocols | Check if the host supports deprecated or vulnerable SSL protocols. |
| supportedCipherSuites | Check if the host supports suboptimal cipher suites. |
| sslCompression | Check SSL connection compression methods enabled by the host. |
| httpPublicKeyPinningExtension | Check if HPKP headers are set in the host's response. |
| forceHTTPSConnections | Check if the host returns HSTS header. |
| heartbeatExtension | Check if the heartbeat extension is enabled on the host: RFC 6520. |
| heartbleedVulnerabilityCheck | Check if the host's OpenSSL version installed is fixed against the Heartbleed Bug. It is a severe vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing information which under normal conditions is protected by SSL/TLS encryption. |
| tlsFallbackScsvSupported | Check if TLS_FALLBACK_SCSV is supported by the host - to protect against POODLE attacks. |
| tlsaDnsRecordConfiguration | Check if the TLSA record is correctly configured for the domain name. |
| debianBlacklistCheck | Check if the certificate's public key is present in the Debian blacklist. |
| ocspStaplingEnabled | Check if OCSP Stapling is enabled, analyze its response to check the SSL certificate's validity. |
Sample output
{
"hasWarnings":true,
"testResults":{
"validFrom":{
"status":"OK",
"details":[
"Valid from 2017-10-17 00:00:00"
]
},
"validTo":{
"status":"OK",
"details":[
"Valid until 2020-10-16 23:59:59"
]
},
"crlCheck":{
"status":"OK",
"details":[
"CRL URL: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl",
" - Status: ok",
" - Last update: May 3 07:44:20 2018 GMT\n",
" - Next update: May 7 07:44:20 2018 GMT\n"
]
},
"hostnameValidation":{
"status":"OK",
"details":[
"Wildcard certificate"
]
},
"selfSignedCertificate":{
"status":"OK",
"details":[
"CA-signed certificate."
]
},
"supportedProtocols":{
"status":"OK",
"details":[
"Your server supports protocols: ",
"SSLv3 - not supported",
"TLSv1.0 - supported",
"TLSv1.1 - supported",
"TLSv1.2 - supported",
"SSLv2 - not supported"
]
},
"supportedCipherSuites":{
"status":"OK",
"details":[
"No suboptimal cipher suites found."
]
},
"sslCompression":{
"status":"OK",
"details":[
"Disabled."
]
},
"httpPublicKeyPinningExtension":{
"status":"Warning",
"details":[
"Headers not set"
]
},
"forceHTTPSConnections":{
"status":"Warning",
"details":[
"No"
]
},
"heartbeatExtension":{
"status":"OK",
"details":[
"Enabled"
]
},
"heartbleedVulnerabilityCheck":{
"status":"OK",
"details":[
"OK"
]
},
"tlsFallbackScsvSupported":{
"status":"OK",
"details":[
"Yes"
]
},
"tlsaDnsRecordConfiguration":{
"status":"Warning",
"details":[
"Not configured."
]
},
"debianBlacklistCheck":{
"status":"OK",
"details":[
"OK"
]
},
"ocspStaplingEnabled":{
"status":"Warning",
"details":[
"No"
]
}
}
}Have questions?
support@threatintelligenceplatform.com
We will get back to you within a day.
Threat Intelligence Platform, LLC
California
USA
