A tool for testing for certificate validation vulnerabilities of TLS connections made by a client device or an application. This could also be useful if you're trying to reverse engineer the API a mobile app uses.

ACME Server implementation (http-01 challenge). Builtin CA to sign/revoke certificates (can be replaced with an external CA), CA rollover is supported. Notification Mails (account created, certificate will expire soon, certificate is expired) with customizable templates. Web UI (certificate log) with customizable templates.

Tested with Certbot, Traefik, Caddy, uacme, and acme.sh.

The Dockerfile is remarkably understandable, which should make it easy to run it normally.

An interactive list of ciphersuite configurations that can be searched, sorted, and queried. The link bookmarked is a best practice set, from strongest to least trustworthy cryptosystems.

CryptoLyzer is a fast and flexible server cryptographic settings analyzer library for Python with an easy-to-use command line interface with both human- and machine-readable output. It works with multiple cryptographic protocols (SSL/TLS, opportunistic TLS, SSH) and analyzes additional security mechanisms (web security related HTTP response header fields, JA3 tag).

Current version: Version 1.X, 2018-12-21

This guide arose out of the need for system administrators to have an updated, solid, well researched and thought-through guide for configuring SSL, PGP, SSH and other cryptographic tools in the post-Snowden age. Triggered by the NSA leaks in the summer of 2013, many system administrators and IT security officers saw the need to strengthen their encryption settings. This guide is specifically written for these system administrators.

The focus of this guide is merely to give current best practices for configuring complex cipher suites and related parameters in a copy & paste-able manner. The guide tries to stay as concise as is possible for such a complex topic as cryptography. Naturally, it can not be complete. There are many excellent guides (II & SYM, 2012) and best practice documents available when it comes to cryptography. However none of them focuses specifically on what an average system administrator needs for hardening his or her systems' crypto settings.

testssl.sh is a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as some cryptographic flaws. Clear human-readable and machine-readable outputs. No installation needed, uses only bash. Test any SSL/TLS enabled service on any port.

The goal of this document is to help operational teams with the configuration of TLS on servers. All Mozilla sites and deployment should follow the recommendations below. The Operations Security (OpSec) team maintains this document as a reference guide to navigate the TLS landscape. It contains information on TLS protocols, known issues and vulnerabilities, configuration examples and testing tools. Changes are reviewed and merged by the OpSec team, and broadcasted to the various Operational teams.

A simple zero-config tool to make locally trusted development certificates with any names you'd like. Does this by adding (and managing) a local CA on your laptop which you can issue arbitrary certs for (including localhost).

Secure your email server with STARTTLS Everywhere! Your email service can be insecure in numerous different ways. The service below performs a quick check of your email server's security configuration, including whether STARTTLS is supported, and whether it may qualify for the STARTTLS Policy List.

A system for allowing the reboot of servers with encrypted hard drives when you arent physically present to type in the passphrases. It relies upon strictly timed encrypted network communications with trusted systems and the use of PGP to decrypt some of the keying material.

How to harden SSL support on your web server to mitigate attacks like BREACH, BEAST, and Lucky 13. Updated regularly.

Plug an XMPP server or client into this site and it'll audit certain aspects of its COMSEC posture, such as key sizes, whether or not crypto is enabled, and what crypto protocols it supports. If you're paranoid about instant messaging, you may wish to start by using this site.

mbed TLS (formerly PolarSSL) is an SSL implementation written from scratch designed for use in embedded applications and systems. The API was designed to make sense (unlike some other implementations I could mention) and the source code is written with readability in mind. Written in C as portably as possible. Modules are designed to be as loosely coupled as is feasible. opensource by default, but they do ask you to purchase commercial licenses if appropriate. Has a not-insignificant list of commercial and government users.

A tutorial on how to harden SSL and TLS in Nginx. Includes changing and increasing the size of Diffie-Hellman parameters for better security.