
SSL Configuration Analysis API

API Documentation

Analyze an SSL certificate in depth through API calls

Establish a Secure Sockets Layer (SSL) connection to a domain name to test its connection to the identified host. Analyze how it is configured and find weak spots to address for better protection.


Input parameters

  • Domain name - Domain name to test

Data returned

A collection of test results, including:

  • SSL certificate configured - Verify if the host has an SSL certificate.
  • Valid from - Know the exact date and time the certificate was deemed valid; a comparison with the Not valid before date also reveals the current validity period.
  • Valid to - Identify the date and time when the certificate will expire; a check against the Not valid after date shows how much longer the certificate can remain in use.
  • Certificate Revocation List (CRL) check - Check the CRL from the certificate issuer to see if the SSL certificate appears there.
  • Online Certificate Status Protocol (OCSP) check - Should a CRL validation fail, an OCSP check reveals the revocation status of an X.509 digital certificate, as specified in RFC 6960.
  • Hostname validation - Ensure that the correct domain name is indicated as the SSL certificate’s Common Name or one of the Subject Alternative Names.
  • Self-signed certificate - Verify if the certificate was issued by the domain owner rather than by a trusted certificate authority (CA). (Note that while self-signed SSL certificates still use encryption, most browsers may raise security alerts for them, since malware and vulnerable hosts often use self-signed certificates.)
  • Supported protocols - Validate if the host supports vulnerable or deprecated SSL protocols.
  • Supported cipher suites - Determine if the host allows the use of suboptimal cipher suites.
  • SSL compression - Verify the SSL connection compression methods that the host allows.
  • HyperText Transfer Protocol (HTTP) Public Key Pinning (HPKP) extension - Check whether HPKP headers are set in the host's response.
  • Force HTTP Secure (HTTPS) connections - Verify if the host returns an HTTP Strict-Transport-Security (HSTS) header.
  • Heartbleed vulnerability check - Ensure that the host’s installed OpenSSL version is protected against the Heartbleed Bug, a critical vulnerability that lets attackers steal data not secured by SSL/Transport Layer Security (TLS) encryption.
  • TLS_FALLBACK_SCSV supported - Know if the host supports TLS_FALLBACK_SCSV as a security measure against POODLE attacks.
  • TLS Authentication (TLSA) Domain Name System (DNS) record configuration - Scrutinize the host’s TLSA record configuration.
  • Debian blacklist check - Consult the Debian blacklist for the presence of the certificate’s public key.
  • OCSP stapling check - Verify if the host has OCSP stapling enabled as an additional SSL certificate verification step.

Sample output

        
{
  "hasWarnings": true,
  "testResults": {
    "validFrom": {
      "status": "OK",
      "details": [
        "Valid from 2017-10-17 00:00:00"
      ]
    },
    "validTo": {
      "status": "OK",
      "details": [
        "Valid until 2020-10-16 23:59:59"
      ]
    },
    "crlCheck": {
      "status": "OK",
      "details": [
        "CRL URL: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl",
        " - Status: ok",
        " - Last update: Dec 14 12:00:41 2017 GMT",
        " - Next update: Dec 18 12:00:41 2017 GMT"
      ]
    },
    "ocspCheck": {
      "status": "OK",
      "details": [
        "OCSP URI: ocsp.godaddy.com",
        "Status: good",
        "Last update: 12 September 2017",
        "Next update: 15 September 2017"
      ]
    },
    "hostnameValidation": {
      "status": "OK",
      "details": [
        "Wildcard certificate"
      ]
    },
    "selfSignedCertificate": {
      "status": "OK",
      "details": [
        "CA-signed certificate."
      ]
    },
    "supportedProtocols": {
      "status": "OK",
      "details": [
        "Your server supports protocols: ",
        "SSLv3 - not supported",
        "TLSv1.0 - supported",
        "TLSv1.1 - supported",
        "TLSv1.2 - supported",
        "SSLv2 - not supported"
      ]
    },
    "supportedCipherSuites": {
      "status": "OK",
      "details": [
        "No suboptimal cipher suites found."
      ]
    },
    "sslCompression": {
      "status": "OK",
      "details": [
        "Disabled."
      ]
    },
    "httpPublicKeyPinningExtension": {
      "status": "Warning",
      "details": [
        "Headers not set"
      ]
    },
    "forceHTTPSConnections": {
      "status": "Warning",
      "details": [
        "No"
      ]
    },
    "heartbleedVulnerabilityCheck": {
      "status": "OK",
      "details": [
        "OK"
      ]
    },
    "tlsFallbackScsvSupported": {
      "status": "OK",
      "details": [
        "Yes"
      ]
    },
    "tlsaDnsRecordConfiguration": {
      "status": "Warning",
      "details": [
        "Not configured."
      ]
    },
    "debianBlacklistCheck": {
      "status": "OK",
      "details": [
        "OK"
      ]
    },
    "ocspStaplingEnabled": {
      "status": "Warning",
      "details": [
        "No"
      ]
    }
  }
}
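
An added example (not part of the API's documentation or client code): a triage pass over a response of the shape shown above. It lists the tests that did not return "OK", reads the protocol lines directly because the sample reports TLSv1.0 and TLSv1.1 as supported under an "OK" status, and computes the days left before expiry. It assumes the detail strings keep the format of the sample output and carry no time zone; the function names and the deprecated-protocol set are this example's own.

```python
import json
from datetime import datetime

# Constructed input: a trimmed copy of the sample output shown above.
SAMPLE = json.loads("""
{
  "hasWarnings": true,
  "testResults": {
    "validTo": {"status": "OK", "details": ["Valid until 2020-10-16 23:59:59"]},
    "supportedProtocols": {"status": "OK", "details": [
      "Your server supports protocols: ",
      "SSLv3 - not supported", "TLSv1.0 - supported", "TLSv1.1 - supported",
      "TLSv1.2 - supported", "SSLv2 - not supported"]},
    "forceHTTPSConnections": {"status": "Warning", "details": ["No"]},
    "ocspStaplingEnabled": {"status": "Warning", "details": ["No"]}
  }
}
""")

# Protocol versions this example treats as deprecated (TLS 1.0/1.1: RFC 8996).
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

def non_ok_tests(response):
    """Names of tests whose status is anything other than "OK", sorted."""
    return sorted(name for name, result in response["testResults"].items()
                  if result.get("status") != "OK")

def enabled_deprecated_protocols(response):
    """Deprecated protocols listed as 'supported', whatever the test status says."""
    details = response["testResults"].get("supportedProtocols", {}).get("details", [])
    found = []
    for line in details:
        name, sep, state = line.partition(" - ")
        if sep and state.strip() == "supported" and name.strip() in DEPRECATED:
            found.append(name.strip())
    return sorted(found)

def days_until_expiry(response, now):
    """Whole days from `now` to the 'Valid until' timestamp; negative once expired."""
    prefix = "Valid until "
    for line in response["testResults"].get("validTo", {}).get("details", []):
        if line.startswith(prefix):
            expires = datetime.strptime(line[len(prefix):], "%Y-%m-%d %H:%M:%S")
            return (expires - now).days
    return None  # no parseable expiry line in the response

if __name__ == "__main__":
    print("non-OK:", non_ok_tests(SAMPLE))
    print("deprecated but enabled:", enabled_deprecated_protocols(SAMPLE))
    print("days left:", days_until_expiry(SAMPLE, datetime(2020, 9, 16)))
```
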
    

Analyze SSL certificates to identify potential bugs that leave a network open to attacks. Signing up gives you 100 free credits for immediate use.
