With our SSL Check you can test the SSL configuration on all important default ports of your server within (usually) one second.
The SSL Check does not replace an extensive cipher/handshake analysis such as the one from Qualys SSL Labs, but provides an overview of the certificates on all standard ports (HTTPS / POP3 / IMAP / SMTP / LiveConfig). Soon the SSL Check will also indicate whether any errors are present (e.g. self-signed certificates, unsafe signature algorithms etc.). In addition, SSL Check tests whether DNSSEC is correctly set up for the queried domain.
- query IPv4 and IPv6 addresses (A/AAAA records) of a domain
- check DNSSEC status
- display certificate name (Common Name) and alternative names (Subject Alternative Names)
- display the validity period
- display SHA1 and SHA256 fingerprints
- display SHA256 fingerprints of certificate and public key for use with TLSA records (DANE)
- display signature algorithm used by issuer
- display temporary key received during default handshake (only forward secrecy ciphers).
A check for weak temporary keys (e.g. well-known DH512/DH1024 parameters) currently doesn't take place; this requires separate SSL handshakes.
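The two SHA256 fingerprints listed above for TLSA records (certificate and public key) can be reproduced offline from a DER-encoded certificate. The following Python is an added example, not LiveConfig's code; the sample certificate is constructed with placeholder key and signature bytes, and the owner name _443._tcp.www.example.org is an assumption.

```python
import hashlib

def read_tlv(buf, pos):
    """Parse one DER TLV at pos and return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def extract_spki(cert):
    """Return the DER SubjectPublicKeyInfo (header included) of an X.509 certificate."""
    _, pos, _ = read_tlv(cert, 0)            # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert, pos)          # TBSCertificate SEQUENCE
    tag, _, nxt = read_tlv(cert, pos)
    if tag == 0xA0:                          # optional [0] version field
        pos = nxt
    for _ in range(5):                       # serial, signature alg, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    tag, _, end = read_tlv(cert, pos)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert[pos:end]

def tlsa_records(cert):
    """TLSA rdata for usage 3 (DANE-EE), matching type 1 (SHA-256), selectors 0 and 1."""
    return {"3 0 1": hashlib.sha256(cert).hexdigest(),                # full certificate
            "3 1 1": hashlib.sha256(extract_spki(cert)).hexdigest()}  # public key (SPKI)

def tlv(tag, value):
    """DER-encode one TLV; only used to build the constructed sample below."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

# Constructed sample: certificate-shaped DER with placeholder key and signature bytes.
EC_ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a8648ce3d0201")) + tlv(0x06, bytes.fromhex("2a8648ce3d030107")))
SAMPLE_SPKI = tlv(0x30, EC_ALG + tlv(0x03, b"\x00\x04" + bytes(64)))
SIG_ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a8648ce3d040302")))
NAME = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"www.example.org"))))
VALIDITY = tlv(0x30, tlv(0x17, b"250101000000Z") + tlv(0x17, b"260101000000Z"))
TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + SIG_ALG + NAME + VALIDITY + NAME + SAMPLE_SPKI)
SAMPLE_CERT = tlv(0x30, TBS + SIG_ALG + tlv(0x03, b"\x00" + bytes(8)))

if __name__ == "__main__":
    for rdata, digest in tlsa_records(SAMPLE_CERT).items():
        print(f"_443._tcp.www.example.org. IN TLSA {rdata} {digest}")
```

A "3 1 1" record stays valid when the certificate is renewed with the same key pair, whereas "3 0 1" must be republished for every new certificate.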
The following functions are planned and should be available soon:
- display and validation of the certificate chain
- display more details of the server certificate (key type and key size)
- try handshakes with unsafe ciphers/protocols (SSLv3, DH512, etc.) with corresponding warnings
Technology & Security
The SSL Check simply opens a normal TCP connection to the service, performs an SSL handshake, and then closes the connection immediately. So nothing more or less happens than during a normal HTTPS retrieval by a browser or an SMTPS mail delivery by an e-mail program. Because SSL Check currently runs only one handshake per service, there's no "bombing" by SSL requests. The SSL Check works completely passively: only the data that the server sends during the SSL handshake is displayed.
The test is only run from the IP addresses 220.127.116.11 (IPv4) and 2a01:4f8:bb:c00::2:23 (IPv6) (rDNS "sslcheck.liveconfig.com"). If you open sslcheck.liveconfig.com in the browser, you will be redirected to the SSL Check website.
- If a domain has multiple IP addresses, only the first three addresses of each type (IPv4 and IPv6) are checked.
- The test can only be run with domain names, not IP addresses.
- Special characters / internationalized domain names (IDNs) are not supported. If necessary, enter them in Punycode notation (xn--…)
We collect only the domain name to be tested and (implicitly) the IP address of the browser. The test data is cached for 5 minutes on our servers and then deleted automatically. The number of calls is only counted for statistical purposes. No data will be used, evaluated or forwarded.
Feedback & Suggestions
For feedback, suggestions and error reports you can reach us by mail at firstname.lastname@example.org and in our forum.
The SSL Check is constantly being extended and improved. In the future we'll document changes in a changelog.