Third-party-Tools to check your configuration - Discussion


#1

Managing Let’s Encrypt certificates - sometimes it’s difficult. So there is a closed topic with some annotations.

Third party Tools to check your configuration

If a link is broken or if you have ideas - send a PM or use this topic.


#2

https://observatory.mozilla.org/ is useful too (for the TLS scanner mainly)

https://dnssec-analyzer.verisignlabs.com for DNSSEC

https://tools.keycdn.com/ipv6-ping to test the IPv6 connectivity from different locations

Maybe off topic: https://hstspreload.org/


#3

https://tools.keycdn.com/curl Online curl tool
https://www.mxtoolbox.com/ Check if a record is available from all authoritative NS servers.


#4

Thanks. Added both, aggregated. If a site has a lot of tools, the start page or the page with the complete tool list is preferred.

One day later: Created this discussion topic and moved the replies.


#5

https://tools.letsdebug.net/cert-search - compared to crt.sh, it understands the PSL, understands Let’s Encrypt’s rate limits, and de-duplicates poisoned/real certificates. Since crt.sh has not been significantly delayed for some weeks now, I’m not sure there’s a great reason to continue to prefer Google’s aggregator over crt.sh.

Edit: looks like I got IP banned by crt.sh, hold off on this suggestion until I can address it …

Edit 2: we weren’t banned, they rotated their IPv4 address and I had them /etc/hosts'd from a time when their IPv6 was flaky. Whoops.


#6

Thanks - added with the start page.


#7

WeakDH.org
https://weakdh.org/sysadmin.html

Cipher.list
https://cipherli.st/

OWASP: https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet

OpenSSL and NMAP - not every server is exposed to the web so offline tools should be included as well

SSLyze - Python checker

Censys - CT searching via API https://censys.io/

Keychest - CT proactive alerts https://keychest.net/

My own tool, which I use for mail protocols (STARTTLS can be tricky to troubleshoot): https://github.com/ahaw021/SSL-MAIL-PROTOCOLS-TESTING


#8

Thanks. Added some links. The main focus is online tools with interactive checks.


#9

Just wanted to add to the list of DNS utilities:
https://www.grc.com/dns/dns.htm
Very decent, I believe.

