SecurityJanuary 1, 2024ยท 14 min read
SSL/TLS Certificate Analysis: Debug HTTPS Issues and Maximize Security
A practical Fusebox guide to ssl/tls certificate analysis.
SSL/TLS Certificate Analysis: Debug HTTPS Issues and Maximize Security
Published: January 2024
Reading time: 9 minutes
SSL/TLS certificates are the foundation of web security, yet most developers struggle with certificate chains, cipher suites, and renewal issues. Here's how to analyze certificates, debug SSL problems, and configure bulletproof HTTPS.
Why SSL/TLS Analysis Matters
The Cost of SSL Misconfigurations
- 40% of certificates expire without notice
- Mixed content breaks on 25% of HTTPS sites
- Weak ciphers expose 15% of sites to attacks
- Certificate errors cause 5% bounce rate increase
- SEO penalties for non-HTTPS sites
Real-World SSL Failures
GitHub (2013): Certificate expired, service down for hours
LinkedIn (2020): Wildcard cert exposed subdomains
Microsoft Teams (2020): Certificate expiry caused global outage
Spotify (2021): Certificate chain issues blocked access
UK Government (2021): Multiple sites down from expired certs
Quick SSL/TLS Analysis
1. Current Page Certificate Check
// Analyze SSL certificate of current page
(function analyzeSSLCertificate() {
console.log('๐ SSL/TLS Certificate Analysis\n');
// Check if page is HTTPS
if (location.protocol !== 'https:') {
console.log('โ NOT SECURE - This page is not using HTTPS!');
console.log(' Impact: Data can be intercepted, modified, or stolen');
console.log(' SEO: Google penalizes non-HTTPS sites');
return;
}
console.log('โ
HTTPS Active\n');
// Analyze what we can from JavaScript
const securityInfo = {
protocol: location.protocol,
hostname: location.hostname,
port: location.port || '443',
href: location.href
};
console.log('๐ Connection Info:');
console.log(` Protocol: ${securityInfo.protocol}`);
console.log(` Hostname: ${securityInfo.hostname}`);
console.log(` Port: ${securityInfo.port}`);
// Check for mixed content
console.log('\n๐ Mixed Content Check:');
const resources = {
scripts: document.querySelectorAll('script[src^="http:"]'),
stylesheets: document.querySelectorAll('link[href^="http:"]'),
images: document.querySelectorAll('img[src^="http:"]'),
iframes: document.querySelectorAll('iframe[src^="http:"]'),
forms: document.querySelectorAll('form[action^="http:"]')
};
let mixedContent = false;
Object.entries(resources).forEach(([type, elements]) => {
if (elements.length > 0) {
mixedContent = true;
console.log(` โ ๏ธ ${type}: ${elements.length} insecure resource(s)`);
if (elements.length <= 3) {
elements.forEach(el => {
const url = el.src || el.href || el.action;
console.log(` - ${url}`);
});
}
}
});
if (!mixedContent) {
console.log(' โ
No mixed content detected');
} else {
console.log('\n Impact: Browsers block or warn about mixed content');
console.log(' Fix: Use protocol-relative URLs (//example.com) or HTTPS');
}
// Certificate transparency check
console.log('\n๐ Certificate Transparency:');
console.log(' Checking if certificate is in CT logs...');
// Check Public Key Pinning
console.log('\n๐ Security Features:');
const hasHSTS = document.querySelector('meta[http-equiv="Strict-Transport-Security"]');
console.log(` HSTS: ${hasHSTS ? 'โ
Enabled' : 'โ ๏ธ Not detected (check response headers)'}`);
// Performance impact
console.log('\nโก TLS Performance:');
if (performance.timing) {
const sslTime = performance.timing.connectEnd - performance.timing.connectStart;
const sslHandshake = performance.timing.secureConnectionStart ?
performance.timing.connectEnd - performance.timing.secureConnectionStart : 0;
console.log(` Total connection time: ${sslTime}ms`);
if (sslHandshake > 0) {
console.log(` TLS handshake time: ${sslHandshake}ms`);
if (sslHandshake > 100) {
console.log(' โ ๏ธ Slow handshake - consider TLS session resumption');
}
}
}
})();
2. Certificate Details Analyzer
// Analyze certificate details and chain
async function analyzeCertificateDetails() {
console.log('\n๐ Certificate Details Analysis\n');
// Since we can't access cert details directly from browser JS,
// we'll show what to look for and how to check
console.log('๐ Certificate Components to Verify:\n');
const certChecklist = {
'Subject': {
check: 'Matches your domain name',
common_issues: ['Wrong domain', 'Missing www subdomain'],
example: 'CN=example.com'
},
'Issuer': {
check: 'Trusted Certificate Authority',
common_issues: ['Self-signed', 'Unknown CA'],
example: 'Let\'s Encrypt, DigiCert, Sectigo'
},
'Validity Period': {
check: 'Not expired, not too far in future',
common_issues: ['Expired cert', 'Not yet valid'],
example: 'Valid from: 2024-01-01, Valid to: 2024-12-31'
},
'Key Algorithm': {
check: 'RSA 2048+ or ECDSA P-256+',
common_issues: ['Weak key (RSA 1024)', 'Deprecated algorithm'],
example: 'RSA 2048 bits or ECDSA P-256'
},
'Signature Algorithm': {
check: 'SHA-256 or better',
common_issues: ['SHA-1 (deprecated)', 'MD5 (insecure)'],
example: 'SHA256withRSA'
},
'Subject Alternative Names': {
check: 'Includes all your domains',
common_issues: ['Missing subdomains', 'Wrong domains'],
example: 'DNS:example.com, DNS:www.example.com'
}
};
Object.entries(certChecklist).forEach(([component, details]) => {
console.log(`๐ ${component}:`);
console.log(` โ Check: ${details.check}`);
console.log(` โ ๏ธ Common issues: ${details.common_issues.join(', ')}`);
console.log(` ๐ Example: ${details.example}\n`);
});
// Certificate chain validation
console.log('๐ Certificate Chain Validation:\n');
console.log('Proper chain order (top to bottom):');
console.log('1. Server Certificate (your domain)');
console.log('2. Intermediate Certificate(s)');
console.log('3. Root Certificate (in browser trust store)');
console.log('\nโ ๏ธ Common chain issues:');
console.log('โข Missing intermediate certificate');
console.log('โข Wrong order (root first)');
console.log('โข Including root certificate (unnecessary)');
console.log('โข Multiple chains (confuses some clients)');
// CLI commands for verification
console.log('\n๐ป Verify Certificate via Command Line:\n');
console.log('# Check certificate details:');
console.log(`openssl s_client -connect ${location.hostname}:443 -servername ${location.hostname} < /dev/null | openssl x509 -text -noout`);
console.log('\n# Check certificate chain:');
console.log(`openssl s_client -connect ${location.hostname}:443 -servername ${location.hostname} -showcerts < /dev/null`);
console.log('\n# Check expiration:');
console.log(`echo | openssl s_client -connect ${location.hostname}:443 -servername ${location.hostname} 2>/dev/null | openssl x509 -noout -dates`);
}
analyzeCertificateDetails();
3. TLS Configuration Analyzer
// Analyze TLS configuration and cipher suites
function analyzeTLSConfiguration() {
console.log('\n๐ง TLS Configuration Analysis\n');
// Modern TLS configuration
const tlsVersions = {
'SSL 2.0': { status: 'INSECURE', released: '1995', verdict: 'โ Never use' },
'SSL 3.0': { status: 'INSECURE', released: '1996', verdict: 'โ Disabled since 2014' },
'TLS 1.0': { status: 'DEPRECATED', released: '1999', verdict: 'โ Phase out by 2024' },
'TLS 1.1': { status: 'DEPRECATED', released: '2006', verdict: 'โ Phase out by 2024' },
'TLS 1.2': { status: 'SECURE', released: '2008', verdict: 'โ
Minimum recommended' },
'TLS 1.3': { status: 'RECOMMENDED', released: '2018', verdict: 'โ
Best performance & security' }
};
console.log('๐ TLS Version Support:\n');
Object.entries(tlsVersions).forEach(([version, details]) => {
console.log(`${version}: ${details.verdict}`);
console.log(` Status: ${details.status}`);
console.log(` Released: ${details.released}\n`);
});
// Cipher suite analysis
console.log('๐ Cipher Suite Configuration:\n');
const cipherCategories = {
'Recommended Cipher Suites': [
'TLS_AES_128_GCM_SHA256 (TLS 1.3)',
'TLS_AES_256_GCM_SHA384 (TLS 1.3)',
'TLS_CHACHA20_POLY1305_SHA256 (TLS 1.3)',
'ECDHE-ECDSA-AES128-GCM-SHA256 (TLS 1.2)',
'ECDHE-RSA-AES128-GCM-SHA256 (TLS 1.2)',
'ECDHE-ECDSA-AES256-GCM-SHA384 (TLS 1.2)',
'ECDHE-RSA-AES256-GCM-SHA384 (TLS 1.2)'
],
'Acceptable (Compatibility)': [
'ECDHE-ECDSA-AES128-SHA256',
'ECDHE-RSA-AES128-SHA256',
'ECDHE-ECDSA-AES256-SHA384',
'ECDHE-RSA-AES256-SHA384'
],
'Avoid (Weak/Deprecated)': [
'RC4 (broken)',
'DES/3DES (weak)',
'MD5 signatures (collision attacks)',
'SHA1 signatures (deprecated)',
'Export ciphers (intentionally weak)',
'Anonymous ciphers (no authentication)',
'NULL ciphers (no encryption)'
]
};
Object.entries(cipherCategories).forEach(([category, ciphers]) => {
console.log(`${category}:`);
ciphers.forEach(cipher => {
const icon = category.includes('Recommended') ? 'โ
' :
category.includes('Acceptable') ? '๐ก' : 'โ';
console.log(` ${icon} ${cipher}`);
});
console.log('');
});
// Perfect Forward Secrecy
console.log('๐ Perfect Forward Secrecy (PFS):\n');
console.log('โ
Enabled by ECDHE and DHE cipher suites');
console.log(' Benefit: Past communications secure even if key compromised');
console.log(' Check: Ensure all ciphers use ECDHE or DHE key exchange\n');
// OCSP Stapling
console.log('๐ OCSP Stapling:\n');
console.log('Purpose: Faster certificate validation');
console.log('Benefit: Reduces latency, improves privacy');
console.log('Check: Look for "OCSP Response" in certificate details');
}
analyzeTLSConfiguration();
Certificate Chain Analysis
1. Certificate Chain Validator
// Validate certificate chain issues
function validateCertificateChain() {
console.log('\n๐ Certificate Chain Validation Guide\n');
// Common chain problems and solutions
const chainProblems = {
'Incomplete Chain': {
symptoms: [
'Works in browsers but not in APIs/curl',
'Mobile devices show certificate errors',
'Some users can access, others cannot'
],
cause: 'Missing intermediate certificate(s)',
solution: 'Include all intermediate certificates in correct order',
test: 'openssl s_client -connect example.com:443 -showcerts'
},
'Wrong Order': {
symptoms: [
'Certificate validation failures',
'Slow TLS handshakes',
'Intermittent connection errors'
],
cause: 'Certificates in wrong order (root โ intermediate โ server)',
solution: 'Order: Server cert โ Intermediate(s) โ (No root)',
test: 'SSL Labs test will show "Chain issues: Incorrect order"'
},
'Self-Signed Certificate': {
symptoms: [
'Browser shows "Not Secure" warning',
'NET::ERR_CERT_AUTHORITY_INVALID',
'Users must manually accept certificate'
],
cause: 'Certificate not signed by trusted CA',
solution: 'Get certificate from trusted CA (Let\'s Encrypt is free)',
test: 'Browser will explicitly warn about self-signed cert'
},
'Expired Intermediate': {
symptoms: [
'Works in some browsers, fails in others',
'API calls fail with cert errors',
'Mobile apps cannot connect'
],
cause: 'Intermediate certificate expired (server cert still valid)',
solution: 'Update intermediate certificate from CA',
test: 'Check each cert in chain for expiration'
}
};
console.log('Common Chain Problems:\n');
Object.entries(chainProblems).forEach(([problem, details]) => {
console.log(`โ ${problem}`);
console.log(' Symptoms:');
details.symptoms.forEach(symptom => {
console.log(` โข ${symptom}`);
});
console.log(` Cause: ${details.cause}`);
console.log(` Solution: ${details.solution}`);
console.log(` Test: ${details.test}\n`);
});
// Chain debugging commands
console.log('๐ Chain Debugging Commands:\n');
const debugCommands = {
'View full chain': `echo | openssl s_client -connect ${location.hostname}:443 -servername ${location.hostname} -showcerts 2>/dev/null`,
'Extract each certificate': 'Save each cert between BEGIN/END to separate files',
'Verify chain manually': 'openssl verify -CAfile intermediate.crt server.crt',
'Check chain in browser': 'Click padlock โ Connection Secure โ More Information',
'Test with curl': `curl -v https://${location.hostname}`,
'Online validator': 'https://www.ssllabs.com/ssltest/'
};
Object.entries(debugCommands).forEach(([action, command]) => {
console.log(`${action}:`);
console.log(` ${command}\n`);
});
}
validateCertificateChain();
2. Certificate Expiration Monitor
// Monitor certificate expiration
function monitorCertificateExpiration() {
console.log('\nโฐ Certificate Expiration Monitoring\n');
// Certificate lifecycle
const lifecycle = {
'90 days before': {
action: 'Start renewal process',
automated: 'Certbot/ACME clients auto-renew',
manual: 'Generate CSR, submit to CA'
},
'60 days before': {
action: 'Verify renewal is scheduled',
automated: 'Check cron jobs/systemd timers',
manual: 'Ensure approval process started'
},
'30 days before': {
action: 'Test certificate in staging',
automated: 'Dry-run renewal test',
manual: 'Install cert on test server'
},
'14 days before': {
action: 'Final verification',
automated: 'Alert if not renewed',
manual: 'Schedule deployment'
},
'7 days before': {
action: 'Emergency renewal',
automated: 'Force renewal if needed',
manual: 'Expedite if delayed'
},
'Expiration': {
action: 'Site goes down',
automated: 'Automatic renewal failed',
manual: 'Certificate error for all users'
}
};
console.log('๐
Certificate Renewal Timeline:\n');
Object.entries(lifecycle).forEach(([timing, actions]) => {
const icon = timing.includes('Expiration') ? '๐ด' :
timing.includes('7 days') ? 'โ ๏ธ' : '๐';
console.log(`${icon} ${timing}:`);
console.log(` Action: ${actions.action}`);
console.log(` Automated: ${actions.automated}`);
console.log(` Manual: ${actions.manual}\n`);
});
// Monitoring setup
console.log('๐ Setting Up Expiration Monitoring:\n');
console.log('1. Command-line monitoring:');
console.log(' # Check expiration date');
console.log(` echo | openssl s_client -connect ${location.hostname}:443 -servername ${location.hostname} 2>/dev/null | openssl x509 -noout -dates`);
console.log('\n # Days until expiration');
console.log(` echo | openssl s_client -connect ${location.hostname}:443 2>/dev/null | openssl x509 -noout -enddate | cut -d= -f2 | xargs -I {} date -d {} +%s | xargs -I {} expr {} - $(date +%s) | xargs -I {} expr {} / 86400`);
console.log('\n2. Automated monitoring tools:');
console.log(' โข Certbot: Built-in renewal with --renew-hook');
console.log(' โข SSL Cert Check: github.com/Matty9191/ssl-cert-check');
console.log(' โข Nagios/Zabbix: SSL certificate plugins');
console.log(' โข Cloud providers: AWS Certificate Manager, etc.');
console.log('\n3. Certificate transparency monitoring:');
console.log(' โข crt.sh: Shows all certificates issued');
console.log(' โข Facebook CT Monitor: developers.facebook.com/tools/ct');
console.log(' โข Google Certificate Transparency');
}
monitorCertificateExpiration();
SSL/TLS Security Best Practices
1. Modern TLS Configuration
// Generate secure TLS configuration
function generateSecureTLSConfig() {
console.log('\n๐ก๏ธ Modern TLS Configuration Generator\n');
const configs = {
'Nginx': `
# Modern TLS configuration for Nginx
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# Enable OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Security headers
add_header Strict-Transport-Security "max-age=63072000" always;
# Session resumption
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;
# DH parameters (generate with: openssl dhparam -out dhparam.pem 2048)
ssl_dhparam /etc/nginx/dhparam.pem;`,
'Apache': `
# Modern TLS configuration for Apache
SSLEngine on
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
# Enable OCSP stapling
SSLUseStapling on
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
# Security headers
Header always set Strict-Transport-Security "max-age=63072000"
# Session resumption
SSLSessionCache "shmcb:logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300`,
'HAProxy': `
# Modern TLS configuration for HAProxy
global
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
tune.ssl.default-dh-param 2048
frontend https
bind *:443 ssl crt /etc/ssl/certs/site.pem alpn h2,http/1.1
http-response set-header Strict-Transport-Security "max-age=63072000"`,
'Node.js': `
// Modern TLS configuration for Node.js
const https = require('https');
const fs = require('fs');
const options = {
key: fs.readFileSync('private-key.pem'),
cert: fs.readFileSync('certificate.pem'),
// Modern TLS versions only
secureProtocol: 'TLSv1_2_method',
// Secure cipher suites
ciphers: [
'ECDHE-RSA-AES128-GCM-SHA256',
'ECDHE-ECDSA-AES128-GCM-SHA256',
'ECDHE-RSA-AES256-GCM-SHA384',
'ECDHE-ECDSA-AES256-GCM-SHA384',
'DHE-RSA-AES128-GCM-SHA256',
'ECDHE-RSA-AES128-SHA256',
'DHE-RSA-AES128-SHA256'
].join(':'),
// Reject insecure protocols
honorCipherOrder: true,
secureOptions:
require('constants').SSL_OP_NO_SSLv2 |
require('constants').SSL_OP_NO_SSLv3 |
require('constants').SSL_OP_NO_TLSv1 |
require('constants').SSL_OP_NO_TLSv1_1
};
https.createServer(options, app).listen(443);`
};
Object.entries(configs).forEach(([platform, config]) => {
console.log(`๐ฆ ${platform} Configuration:`);
console.log('โ'.repeat(50));
console.log(config);
console.log('\n');
});
console.log('๐ก Configuration Tips:');
console.log('โข Test configuration with SSL Labs');
console.log('โข Enable HTTP/2 for performance');
console.log('โข Use CAA records to restrict CAs');
console.log('โข Monitor for weak cipher usage');
console.log('โข Implement Certificate Transparency');
}
generateSecureTLSConfig();
2. SSL/TLS Troubleshooting Guide
// Troubleshoot common SSL/TLS issues
function troubleshootSSLIssues() {
console.log('\n๐ง SSL/TLS Troubleshooting Guide\n');
const issues = {
'ERR_CERT_COMMON_NAME_INVALID': {
meaning: 'Certificate doesn\'t match domain',
causes: [
'Accessing via IP instead of domain',
'Wrong domain in certificate',
'Missing Subject Alternative Names',
'Wildcard cert doesn\'t cover subdomain'
],
solutions: [
'Access site via correct domain',
'Regenerate cert with correct domain',
'Add all domains to SAN field',
'Get wildcard cert (*.example.com)'
]
},
'ERR_CERT_DATE_INVALID': {
meaning: 'Certificate expired or not yet valid',
causes: [
'Certificate has expired',
'System clock is wrong',
'Certificate not yet valid (future dated)'
],
solutions: [
'Renew certificate immediately',
'Check and fix system time',
'Wait for valid from date'
]
},
'ERR_CERT_AUTHORITY_INVALID': {
meaning: 'Certificate not trusted',
causes: [
'Self-signed certificate',
'Private/internal CA',
'Missing intermediate certificate',
'CA not in trust store'
],
solutions: [
'Get cert from public CA',
'Add CA to trust store',
'Include intermediate cert',
'Use Let\'s Encrypt (free)'
]
},
'ERR_SSL_PROTOCOL_ERROR': {
meaning: 'TLS handshake failed',
causes: [
'TLS version mismatch',
'No common cipher suites',
'Corrupted certificate',
'Firewall blocking TLS'
],
solutions: [
'Enable TLS 1.2 and 1.3',
'Configure modern ciphers',
'Reinstall certificate',
'Check firewall rules'
]
},
'Mixed Content Blocked': {
meaning: 'HTTP resources on HTTPS page',
causes: [
'Hard-coded HTTP URLs',
'HTTP API endpoints',
'External HTTP resources',
'Websocket ws:// instead of wss://'
],
solutions: [
'Use protocol-relative URLs',
'Update all resources to HTTPS',
'Proxy HTTP resources',
'Use wss:// for WebSockets'
]
}
};
Object.entries(issues).forEach(([error, details]) => {
console.log(`โ ${error}`);
console.log(` Meaning: ${details.meaning}\n`);
console.log(' Common Causes:');
details.causes.forEach(cause => {
console.log(` โข ${cause}`);
});
console.log('\n Solutions:');
details.solutions.forEach((solution, index) => {
console.log(` ${index + 1}. ${solution}`);
});
console.log('\n' + 'โ'.repeat(50) + '\n');
});
// Debug commands
console.log('๐ Debug Commands:\n');
console.log('# Test TLS connection:');
console.log('openssl s_client -connect example.com:443 -servername example.com');
console.log('\n# Check supported TLS versions:');
console.log('nmap --script ssl-enum-ciphers -p 443 example.com');
console.log('\n# Verify certificate:');
console.log('openssl verify -CAfile ca.crt certificate.crt');
console.log('\n# Test specific TLS version:');
console.log('openssl s_client -connect example.com:443 -tls1_2');
}
troubleshootSSLIssues();
Complete SSL/TLS Audit
Comprehensive SSL/TLS Security Audit
// Run complete SSL/TLS audit
async function completeSSLAudit() {
console.log('๐ COMPLETE SSL/TLS SECURITY AUDIT');
console.log('โ'.repeat(50));
console.log(`Domain: ${location.hostname}`);
console.log(`Date: ${new Date().toLocaleDateString()}\n`);
const audit = {
score: 0,
issues: [],
warnings: [],
recommendations: []
};
// Phase 1: Basic HTTPS Check
console.log('๐ PHASE 1: BASIC HTTPS CHECK');
console.log('โ'.repeat(40));
if (location.protocol === 'https:') {
console.log('โ
HTTPS enabled');
audit.score += 20;
} else {
console.log('โ NOT using HTTPS!');
audit.issues.push('Site not using HTTPS');
audit.recommendations.push('Enable HTTPS immediately');
}
// Phase 2: Mixed Content Analysis
console.log('\n๐ PHASE 2: MIXED CONTENT ANALYSIS');
console.log('โ'.repeat(40));
const mixedContent = {
scripts: document.querySelectorAll('script[src^="http:"]').length,
styles: document.querySelectorAll('link[href^="http:"]').length,
images: document.querySelectorAll('img[src^="http:"]').length,
iframes: document.querySelectorAll('iframe[src^="http:"]').length
};
const totalMixed = Object.values(mixedContent).reduce((a, b) => a + b, 0);
if (totalMixed === 0) {
console.log('โ
No mixed content');
audit.score += 10;
} else {
console.log(`โ ${totalMixed} mixed content resources found`);
Object.entries(mixedContent).forEach(([type, count]) => {
if (count > 0) {
console.log(` โข ${type}: ${count}`);
audit.issues.push(`Mixed content: ${count} ${type}`);
}
});
}
// Phase 3: Security Headers
console.log('\n๐ก๏ธ PHASE 3: SECURITY HEADERS');
console.log('โ'.repeat(40));
try {
const response = await fetch(location.href, { method: 'HEAD' });
// Check HSTS
const hsts = response.headers.get('strict-transport-security');
if (hsts) {
console.log('โ
HSTS enabled:', hsts);
audit.score += 10;
// Check HSTS preload eligibility
if (hsts.includes('max-age=')) {
const maxAge = parseInt(hsts.match(/max-age=(\d+)/)[1]);
if (maxAge < 31536000) {
audit.warnings.push('HSTS max-age less than 1 year');
}
}
} else {
console.log('โ HSTS not enabled');
audit.issues.push('Missing HSTS header');
}
// Check security headers related to SSL/TLS
const headers = {
'content-security-policy': 'CSP with upgrade-insecure-requests',
'x-content-type-options': 'Prevent MIME sniffing'
};
Object.entries(headers).forEach(([header, description]) => {
if (response.headers.get(header)) {
console.log(`โ
${header} present`);
audit.score += 5;
} else {
console.log(`โ ๏ธ ${header} missing (${description})`);
audit.warnings.push(`Missing ${header}`);
}
});
} catch (e) {
console.log('โ ๏ธ Cannot check headers (CORS)');
}
// Phase 4: Certificate Recommendations
console.log('\n๐ PHASE 4: CERTIFICATE ANALYSIS');
console.log('โ'.repeat(40));
console.log('Certificate checks (requires manual verification):');
console.log('โข [ ] Valid certificate from trusted CA');
console.log('โข [ ] Certificate not expired');
console.log('โข [ ] Strong key (RSA 2048+ or ECDSA P-256+)');
console.log('โข [ ] SHA-256 signature or better');
console.log('โข [ ] Includes all subdomains in SAN');
console.log('โข [ ] Complete certificate chain');
console.log('โข [ ] OCSP stapling enabled');
// Phase 5: Configuration
console.log('\nโ๏ธ PHASE 5: TLS CONFIGURATION');
console.log('โ'.repeat(40));
console.log('Recommended configuration:');
console.log('โข [ ] TLS 1.2 minimum, TLS 1.3 preferred');
console.log('โข [ ] Modern cipher suites only');
console.log('โข [ ] Perfect Forward Secrecy');
console.log('โข [ ] Session resumption enabled');
console.log('โข [ ] HTTP/2 enabled');
// Calculate final score
const maxScore = 100;
const percentage = Math.min(100, (audit.score / maxScore) * 100);
console.log('\n๐ AUDIT SUMMARY');
console.log('โ'.repeat(50));
console.log(`Score: ${percentage.toFixed(0)}%`);
console.log(`Critical Issues: ${audit.issues.length}`);
console.log(`Warnings: ${audit.warnings.length}`);
let grade = 'F';
if (percentage >= 90) grade = 'A+';
else if (percentage >= 80) grade = 'A';
else if (percentage >= 70) grade = 'B';
else if (percentage >= 60) grade = 'C';
else if (percentage >= 50) grade = 'D';
console.log(`Grade: ${grade}`);
// Priority actions
if (audit.issues.length > 0) {
console.log('\n๐จ PRIORITY ACTIONS:');
audit.issues.forEach((issue, index) => {
console.log(`${index + 1}. Fix: ${issue}`);
});
}
if (audit.recommendations.length > 0) {
console.log('\n๐ก RECOMMENDATIONS:');
audit.recommendations.forEach((rec, index) => {
console.log(`${index + 1}. ${rec}`);
});
}
// Additional resources
console.log('\n๐ TEST YOUR SSL/TLS:');
console.log('โข SSL Labs: https://www.ssllabs.com/ssltest/');
console.log('โข Security Headers: https://securityheaders.com/');
console.log('โข Hardenize: https://www.hardenize.com/');
return audit;
}
// Run the complete audit
completeSSLAudit();
The Bottom Line
SSL/TLS configuration determines your site's security:
- Certificate errors lose users - They won't click through warnings
- Weak TLS enables attacks - BEAST, CRIME, POODLE still exist
- Mixed content breaks HTTPS - One HTTP resource ruins security
- Expired certs are emergencies - Monitor and automate renewal
- Modern TLS improves speed - TLS 1.3 reduces handshake time
Configure TLS properly. Monitor certificates continuously. Test with multiple tools. Your users' data depends on getting SSL/TLS right.
Analyze SSL/TLS instantly: Fusebox checks certificates, cipher suites, chain validity, and security configuration while you browse. Never miss certificate issues again. $29 one-time purchase.