
SSL Configuration Analysis API

API Documentation

Check a host's SSL connection and analyze it for common configuration issues

For a given domain name, establish and test an SSL connection to the host and analyze how it is configured, in order to detect common configuration issues that can lead to vulnerabilities.


Input parameters

  • Domain name: target domain name to be analyzed

The data returned

A collection of test results including:

  • Valid from - Check the date and time from which the certificate is valid. Compare the Not valid before field with the current date and time.
  • Valid to - Check the date and time until which the certificate is valid. Compare the Not valid after field with the current date and time.
  • CRL check - Request the CRL (Certificate revocation list) provided by the certificate's issuer and check if the SSL certificate is present there.
  • OCSP check - OCSP is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet standards track. It was created as an alternative to CRL (Certificate Revocation Lists), addressing specific problems associated with using CRLs in a PKI (Public Key Infrastructure).
  • Hostname validation - Check if the target domain name is referenced in the SSL certificate's Common Name or Subject Alternative Names fields.
  • Self-signed certificate - Check if the certificate is issued by the target website itself and wasn't verified by a trusted Certificate Authority. While self-signed SSL certificates still encrypt the connection, most web browsers display a security alert. Malware or vulnerable hosts often use self-signed certificates. Unlike most CA-issued certificates, self-signed certificates are free.
  • Supported protocols - Check if the host supports deprecated or vulnerable SSL protocols.
  • Supported cipher suites - Check if the host supports suboptimal cipher suites.
  • SSL compression - Check SSL connection compression methods enabled by the host.
  • HTTP Public Key Pinning Extension - Check if HPKP headers are set in the host's response.
  • Force HTTPS connections - Check if the host returns HSTS header.
  • Heartbeat extension - Check if the heartbeat extension is enabled on the host: RFC 6520.
  • Heartbleed vulnerability check - Check if the OpenSSL version installed on the host is fixed against the Heartbleed Bug, a severe vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing information which under normal conditions is protected by SSL/TLS encryption.
  • TLS_FALLBACK_SCSV supported - Check if TLS_FALLBACK_SCSV is supported by the host - to protect against POODLE attacks.
  • TLSA DNS record configuration - Check if the TLSA record is correctly configured for the domain name.
  • Debian blacklist check - Check if the certificate's public key is present in the Debian blacklist.
  • OCSP stapling enabled - Check if OCSP Stapling is enabled and analyze its response to check the SSL certificate's validity.

Sample output

        
{
  "hasWarnings": true,
  "testResults": {
    "validFrom": {
      "status": "OK",
      "details": [
        "Valid from 2017-10-17 00:00:00"
      ]
    },
    "validTo": {
      "status": "OK",
      "details": [
        "Valid until 2020-10-16 23:59:59"
      ]
    },
    "crlCheck": {
      "status": "OK",
      "details": [
        "CRL URL: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl",
        " - Status: ok",
        " - Last update: Dec 14 12:00:41 2017 GMT",
        " - Next update: Dec 18 12:00:41 2017 GMT"
      ]
    },
    "ocspCheck": {
      "status": "OK",
      "details": [
        "OCSP URI: ocsp.godaddy.com",
        "Status: good",
        "Last update: 12 September 2017",
        "Next update: 15 September 2017"
      ]
    },
    "hostnameValidation": {
      "status": "OK",
      "details": [
        "Wildcard certificate"
      ]
    },
    "selfSignedCertificate": {
      "status": "OK",
      "details": [
        "CA-signed certificate."
      ]
    },
    "supportedProtocols": {
      "status": "OK",
      "details": [
        "Your server supports protocols: ",
        "SSLv3 - not supported",
        "TLSv1.0 - supported",
        "TLSv1.1 - supported",
        "TLSv1.2 - supported",
        "SSLv2 - not supported"
      ]
    },
    "supportedCipherSuites": {
      "status": "OK",
      "details": [
        "No suboptimal cipher suites found."
      ]
    },
    "sslCompression": {
      "status": "OK",
      "details": [
        "Disabled."
      ]
    },
    "httpPublicKeyPinningExtension": {
      "status": "Warning",
      "details": [
        "Headers not set"
      ]
    },
    "forceHTTPSConnections": {
      "status": "Warning",
      "details": [
        "No"
      ]
    },
    "heartbeatExtension": {
      "status": "OK",
      "details": [
        "Enabled"
      ]
    },
    "heartbleedVulnerabilityCheck": {
      "status": "OK",
      "details": [
        "OK"
      ]
    },
    "tlsFallbackScsvSupported": {
      "status": "OK",
      "details": [
        "Yes"
      ]
    },
    "tlsaDnsRecordConfiguration": {
      "status": "Warning",
      "details": [
        "Not configured."
      ]
    },
    "debianBlacklistCheck": {
      "status": "OK",
      "details": [
        "OK"
      ]
    },
    "ocspStaplingEnabled": {
      "status": "Warning",
      "details": [
        "No"
      ]
    }
  }
}
    

After sign-up you automatically get a free subscription plan limited to 100 credits, which allows making 100 requests to this API.

Have questions?
support@threatintelligenceplatform.com
We will get back to you within a day.
Threat Intelligence Platform, LLC

California
USA
