Show HN: SSL Decoder – An open-source alternative for the SSL Labs server test

160 points by mdewinter about 10 years ago

17 comments

mdewinter about 10 years ago
My weekend project.

* Tries to give all the information you need instead of a rating.
* Open source, so you can self host it.
* Does the entire certificate chain.
* Allows you to paste a CRL/Cert
* Validates the certificate, chain, CRL and OCSP (of every cert in the chain)
* Has easy copy-pastable PEM versions of certs
* Ciphersuite enumeration as an option.
* Fast.
deathanatos about 10 years ago
These services always dock me for including RC4 ciphers. I understand that these are bad because RC4 is broken or near broken; I shouldn't be using it.

However, I'm simply using load balancing services provided by AWS and Rackspace; my understanding is that (since they perform SSL termination) it is their software on the load balancer that chooses the ciphers, and as far as I know, I cannot change this. Are they misconfigured? (why?) Is there any way to work around it short of doing the load balancing myself?
abarringer about 10 years ago
Thanks, looks great!

I'd like to see a check for SSLv2. For instance this site supports sslv2 and it should be flagged: download.biscom.com.

https://www.ssllabs.com/ssltest/analyze.html?d=download.biscom.com
yrro about 10 years ago
I've tweaked my Apache configuration but don't seem to be able to trigger a rescan--the cipher list doesn't appear to change. I guess it's cached for a little while, but the UI doesn't make that clear.

Also, it's flagging the following ciphers:

    ECDHE-RSA-DES-CBC3-SHA
    EDH-RSA-DES-CBC3-SHA
    DES-CBC3-SHA

These are triple-DES though, rather than just single DES. Is that considered weak these days?
MichaelGG about 10 years ago
Feature/bug: It doesn't seem to attempt to explicitly negotiate older protocols. For instance, I'm dealing with a site that still has SSLv2 and export ciphers enabled if a client requests it. (Like, if I run openssl s_client -ssl2.) SSLlabs detects this, but tls.so doesn't.
jamescun about 10 years ago
I started to build a similar thing, for the command line, last year but did not get as far.

https://github.com/jamescun/ssltest
iancarroll about 10 years ago
Few notes:

- Does not enumerate ChaCha20
- Doesn't detect BoringSSL - try running it on certly.io
Silhouette about 10 years ago
Nice.

Friendly suggestion: Show a prominent summary at the top of the report of any areas of concern.
billyhoffman about 10 years ago
I really like the nice big horizontal check marks for the "health" of each aspect of the certificates. Thank you for releasing this.
gkoz about 10 years ago
Why are certificate serials highlighted in red?
humanarity about 10 years ago
Thank you for putting this all together and making it open source. By the way, will you be releasing an API? I think this API would be really valuable.
carsonreinke about 10 years ago
Funny, looked up Gmail and they are still allowing SSL3
eyeareque about 10 years ago
Nice work. This will help a lot of people who audit sites... and it's great to have an open alternative to the closed source ssllabs tester.
_hnwo about 10 years ago
"PHP must allow shell_exec and remote fopen."

ouch.
smy1es about 10 years ago
Nice work. How do you determine the destination SSL library?
cookiecaper about 10 years ago
Thanks. Just needed something like this last week.
owly about 10 years ago
Seriously, nice work!