This is a post on HTTPS encryption long time coming. I have been patching SSL/TLS vulnerabilities in various systems, so I thought I should put all my notes in one place.
HTTPS encryption uses SSL and later TLS to protect your HTTP traffic.
- SSLv2 – not used any more.
- SSLv3 – vulnerable to BEAST attack link
From Nessus scanner
A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow
information disclosure if an attacker intercepts encrypted traffic
served from an affected system.TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are
not affected.
- TLS1.0- vulnerable to BEAST attack
See above. - TLS1.1
- TLS1.2
cURL is a popular tool to standin as a web browser in scripts. manpage Here are some scripts to test HTTPS.
curl -v “https://www.myorg.org”
curl -v –tlsv1 “https://www.myorg.org”
curl -v –tlsv1.2 “https://www.myorg.org” for cURL 7.34 or later.
curl -v –sslv2 “https://www.myorg.org”
curl -v –sslv3 “https://www.myorg.org”
List of SSL and TLS error codes from cURL mozilla
JavaSE 7 SSL overview link These are the clients initiating the requests.
You can verify the certificate of a website by hand. You will need OpenSSL and a CA certificate. nixCraft