Alfred's New Ramblings

Exploring HTTPS encryption

This is a post on HTTPS encryption long time coming.  I have been patching SSL/TLS vulnerabilities in various systems, so I thought I should put all my notes in one place.

HTTPS encryption uses SSL and later TLS to protect your HTTP traffic.

  • SSLv2 – not used any more.
  • SSLv3 – vulnerable to BEAST attack link
    From Nessus scanner

A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow
information disclosure if an attacker intercepts encrypted traffic
served from an affected system.

TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are
not affected.

  • TLS1.0- vulnerable to BEAST attack
    See above.
  • TLS1.1
  • TLS1.2

cURL is a popular tool to standin as a web browser in scripts.  manpage  Here are some scripts to test HTTPS.

curl -v “”
curl -v –tlsv1 “”
curl -v –tlsv1.2 “”  for cURL 7.34 or later.
curl -v –sslv2 “”
curl -v –sslv3 “”

List of SSL and TLS error codes from cURL mozilla

JavaSE 7 SSL overview link  These are the clients initiating the requests.

You can verify the certificate of a website by hand.  You will need OpenSSL and a CA certificate.  nixCraft


Tagged on: ,

Leave a Reply

Your email address will not be published. Required fields are marked *