SSL/TLS Checklist for Pentesters

I gave a presentation at BSides MCR 2014 on the subject of SSL and TLS checks from a pentesting viewpoint. The idea was to focus on the pitfalls of testing, why the tools may let you down and how to check for issues manually (as much as possible), often using OpenSSL.

The slides can be found here and here.

Cheatsheet

UPDATE 7th September 2014: I’ve now written a table that pulls together the manual checks discussed in the presentation – plus a few more (which will appear in any future presentations). Since tables are a pain in WordPress and I don’t want to risk a plugin at this time of night, you can find a (lazy) HTML table here.

For updates on content and future presentations follow me.

5 thoughts on “SSL/TLS Checklist for Pentesters”

    1. Jerome Post author

      Ha ha – made worse by the curse of copy and paste! Corrected now, cheers.
      PS – a couple of tweaks to follow soon

    1. Jerome Post author

      Thanks, Phil. The first was working – you just had to scroll down to find the presentation, but I’ve now updated it with a direct link. The second was broken, and that’s now updated. Things have moved on a bit since then but hopefully there’s some core material you’ll find useful.
