SSL/TLS Scanning
Fence performs deep SSL/TLS security analysis to identify certificate issues and protocol vulnerabilities.
What We Check
Certificate Validity
- Expiration dates - Alerts sent 30, 14, 7, 3, and 1 day before expiry
- Certificate chain - Validates full chain to trusted root CA
- Common Name (CN) - Ensures certificate matches your domain
- Subject Alternative Names (SANs) - Checks all domains covered
- Certificate revocation - OCSP and CRL checks
- Self-signed certificates - Flags untrusted certificates
Certificate Quality
- Issuer validation - Ensures certificate from trusted CA
- Extended Validation (EV) - Detects EV certificates (green address bar)
- Wildcard certificates - Identifies wildcard certs (*.example.com)
- Certificate Transparency - Checks CT log compliance
- Public key strength - Validates RSA ≥2048 bits, ECC ≥256 bits
- Signature algorithm - Flags weak algorithms (MD5, SHA-1)
Protocol Configuration
- Supported protocols - TLS 1.2 and TLS 1.3 required
- Deprecated protocols - Flags SSLv2, SSLv3, TLS 1.0, TLS 1.1
- Cipher suites - Identifies weak ciphers (RC4, DES, 3DES, export ciphers)
- Perfect Forward Secrecy (PFS) - Checks for ECDHE/DHE ciphers
- HSTS header - Strict-Transport-Security enforcement
Known Vulnerabilities
- Heartbleed (CVE-2014-0160) - OpenSSL buffer over-read
- POODLE (CVE-2014-3566) - SSLv3 padding oracle attack
- BEAST (CVE-2011-3389) - TLS 1.0 CBC weakness
- CRIME (CVE-2012-4929) - TLS compression attack
- FREAK (CVE-2015-0204) - Export cipher downgrade
- Logjam (CVE-2015-4000) - Diffie-Hellman weakness
- DROWN (CVE-2016-0800) - SSLv2 cross-protocol attack
- ROBOT - RSA decryption oracle vulnerability
Severity Levels
Fence assigns severity ratings to SSL/TLS issues:
| Severity | Examples | Business Impact |
|---|---|---|
| Critical | Expired certificate, Heartbleed, private key leaked | Immediate browser warnings, MITM attacks possible |
| High | SSLv3 enabled, weak ciphers (RC4), missing HSTS | Vulnerable to downgrade attacks, compliance failures |
| Medium | TLS 1.0/1.1 enabled, self-signed cert, SHA-1 signature | Modern browsers show warnings, PCI DSS non-compliance |
| Low | Certificate expires in 30-90 days, missing CT logs | Plan for renewal, best practice improvements |
| Info | EV certificate detected, wildcard cert in use | Informational only, no action required |
Certificate Grades
Fence assigns letter grades (A+ through F) based on SSL Labs methodology:
A+ Grade
- TLS 1.3 supported
- Strong cipher suites only (AES-GCM, ChaCha20-Poly1305)
- Perfect Forward Secrecy enabled
- HSTS with long max-age (≥6 months)
- No known vulnerabilities
A Grade
- TLS 1.2+ only
- No weak ciphers
- PFS enabled
- Valid certificate
B Grade
- TLS 1.0/1.1 still enabled (deprecated but functional)
- Weak ciphers available but not preferred
- Missing HSTS
C Grade
- SSLv3 enabled
- RC4 ciphers supported
- Missing PFS
F Grade (Failing)
- Expired certificate
- Self-signed certificate
- Heartbleed vulnerable
- SSLv2 enabled
- Private key leaked
Remediation Examples
Weak Ciphers Detected
Problem: Server accepts RC4, DES, or 3DES ciphers
Fix for Nginx:
# /etc/nginx/nginx.conf or /etc/nginx/sites-available/your-site
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
ssl_prefer_server_ciphers off;
# Test configuration
sudo nginx -t
# Reload Nginx
sudo systemctl reload nginx
Fix for Apache:
# /etc/apache2/sites-available/your-site-ssl.conf
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
# Test configuration
sudo apachectl configtest
# Reload Apache
sudo systemctl reload apache2
Expired Certificate
Problem: Certificate has expired
Solution: Renew certificate immediately
Let's Encrypt (Certbot):
# Renew all certificates
sudo certbot renew
# Renew specific domain
sudo certbot certonly --nginx -d example.com -d www.example.com
# Auto-renewal (cron job)
sudo crontab -e
# Add: 0 12 * * * /usr/bin/certbot renew --quiet
Manual Certificate:
1. Purchase new certificate from CA (DigiCert, Sectigo, etc.)
2. Generate CSR: openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
3. Submit CSR to CA and complete validation
4. Download certificate files
5. Install on web server
6. Reload web server
Missing HSTS Header
Problem: Strict-Transport-Security header not set
Fix for Nginx:
# /etc/nginx/sites-available/your-site
server {
listen 443 ssl http2;
server_name example.com www.example.com;
# HSTS (max-age=31536000 = 1 year)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# Other SSL configuration...
}
# Reload
sudo systemctl reload nginx
Fix for Cloudflare:
1. Log in to Cloudflare dashboard
2. Select your domain
3. Go to SSL/TLS → Edge Certificates
4. Enable HSTS
5. Set Max Age: 12 months (31536000 seconds)
6. Enable Include subdomains
7. Enable Preload
Heartbleed Vulnerability
Problem: OpenSSL version vulnerable to Heartbleed (CVE-2014-0160)
Solution: Update OpenSSL immediately
Ubuntu/Debian:
# Update package list
sudo apt update
# Upgrade OpenSSL
sudo apt install --only-upgrade openssl libssl1.1
# Check version (must be 1.0.1g or higher)
openssl version
# Restart services
sudo systemctl restart nginx apache2
After patching:
1. Revoke old certificate
2. Generate new private key
3. Request new certificate
4. Install new certificate
5. Update all systems using old keys/certs
Monitoring & Alerts
Alert Triggers
Fence sends alerts when:
- Certificate expires in 30, 14, 7, 3, or 1 days
- Certificate becomes invalid (expired, revoked)
- Grade drops below threshold (e.g., A → B)
- New vulnerability discovered (Heartbleed-class issue)
- TLS configuration weakened (protocols/ciphers changed)
Notification Channels
Configure alerts via:
- Email (default)
- Slack
- Discord
- Microsoft Teams
- Telegram
- WhatsApp (via Twilio)
- Webhooks (PagerDuty, Opsgenie, etc.)
Best Practices
Certificate Management
- Use Let's Encrypt - Free, automated, 90-day certificates
- Enable auto-renewal - Set up cron jobs or use Certbot hooks
- Monitor expiration - Use Fence or certificate transparency logs
- Use wildcard certificates -
*.example.comcovers all subdomains - Keep private keys secure - Restrict file permissions (chmod 600)
Protocol Configuration
- TLS 1.2+ only - Disable SSLv2, SSLv3, TLS 1.0, TLS 1.1
- Strong ciphers - Use AEAD ciphers (AES-GCM, ChaCha20-Poly1305)
- Enable PFS - Use ECDHE/DHE key exchange
- Implement HSTS - Set max-age to 1 year minimum
- HTTP/2 - Enables modern TLS features
Compliance Requirements
| Standard | TLS Requirements |
|---|---|
| PCI DSS 4.0 | TLS 1.2+ only, strong ciphers, PFS required |
| HIPAA | TLS 1.2+ for transmitting ePHI |
| NIST 800-52 | TLS 1.2+ with FIPS 140-2 validated crypto |
| GDPR | TLS 1.2+ for data in transit encryption |
| FedRAMP | TLS 1.2+ with specific cipher suites |
Testing Tools
Verify your SSL/TLS configuration:
# Test with SSLyze (what Fence uses)
pip install sslyze
sslyze --regular example.com
# Test with testssl.sh
git clone https://github.com/drwetter/testssl.sh.git
cd testssl.sh
./testssl.sh example.com
# Test with OpenSSL
openssl s_client -connect example.com:443 -tls1_2
Online tools:
- SSL Labs - https://www.ssllabs.com/ssltest/
- ImmuniWeb - https://www.immuniweb.com/ssl/
- Hardenize - https://www.hardenize.com/