SSL Certificate Scan Terms
AIA Issuer Path URL- A field in the SSL Certificate that provides the client (browser) with the address where a copy of the Certificate Authority’s certificate can be downloaded. AIA is short for Authority Information Access.
AIA OCSP URL- (Authority Information Access Online Certificate Status Protocol Uniform Resource Locator) – A field in the SSL Certificate that provides the client (browser) with the address to the OCSP (Online Certificate Status Protocol) so that the client can check the certificate revocation status.
Algorithm- A field in the SSL Certificate that identifies the type of public key that is being used (RSA or ECC).
Basic Constraints- A field in the SSL Certificate that identifies if the certificate can be used to sign other certificates or to verify certificate signatures (Certificate Authority = false or Certificate Authority = true).
Certificate Revocation List (CRL)- This list contains certificates (serial numbers for certificates) that have been revoked and should no longer be trusted.
Common Name- A field in the SSL Certificate that identifies the fully qualified domain name (FQDN) or name that you want to use to access the website and its corresponding SSL Certificate.
CRL Distribution Point- A field in the SSL Certificate that provides the client (browser) with the address to the CRL so that the client can download the CRL and check the certificate revocation status.
DigiCert Certificate Agent/Registered Agent/Scan Agent- The agent scans your certificates and endpoints and relays that information back to the Certificate Inspector to analyze. The agent also allows you to install/renew/replace SSL Certificates from within Certificate Inspector.
ECC (Elliptical Curve Cryptology)- A type of public key cryptology that is based on elliptical curves. The key size determines the SSL Certificate’s encryption strength.
Extended Key Usage- A field in the SSL Certificate that further defines what the SSL Certificate can be used for.
Extensions- Used to define the function of the SSL Certificate.
Key Usage- A field in the SSL Certificate that defines what the SSL Certificate can be used for (i.e. digital signature, key encipherment).
Online Certificate Status Protocol (OCSP)- This internet protocol is used to check the revocation status of the SSL Certificate as an alternative to CRL (Certificate Revocation List).
Organization Name- A field in the SSL Certificate that identifies the legally registered name of your organization/company.
Publicly Trusted- A Certificate Authority (CA) whose is trusted by the major browsers issued the SSL Certificate.
Revocation Status- We have checked with the issuing Certificate Authority (CA) via OCSP and/or CRL, and discovered the status of the certificate: Active (certificate can still be trusted), Revoked (certificate is no longer trusted), or unknown (cannot verify certificate trustworthiness).
RSA (Rivest-Shamir-Adleman)- A type of public key cryptology that is based on prime numbers and how difficult it is to factor them. The key size determines the SSL Certificate’s encryption strength.
SANs (Subject Alternative Names)- A field in the SSL Certificate that acts as an extension of the common name and allows you to associate more than one common name with the SSL Certificate.
Self-signed- An SSL Certificate signed with its own private key/when the identity that the certificate certifies is the same as the identity that signs the certificate.
Serial Number- Number used to identify the SSL Certificate.
Signing Algorithm- A field in the SSL Certificate that identifies the algorithm that was used to sign the SSL Certificate.
Size- A field in the SSL Certificate that identifies the key size that was used to generate the key for the certificate and determines the certificate’s encryption strength.
SSL Certificate Endpoint/SSL Endpoint/SSL Termination Endpoint- The SSL/SSL Certificate/SSL Termination Endpoint is the IP/Port combination that the SSL Certificate is targeted to protect.
Thumbprint- A hash of the entire certificate that can be used to identify the certificate. The thumbprint is not contained inside the certificate.
Validation Type- A field in the SSL Certificate that identifies the type of validation that was used to validate the SSL Certificate (Organizational, Domain, or Extended Validation).
Validity- A field in the SSL Certificate that identifies the date range for which the SSL Certificate is valid (i.e. 5/19/12 2:35 PM – 7/21/14 11:04 PM), certificate creation and expiration date.
SSL Endpoint Scan Terms
Cipher Support- A cipher is a method for encrypting or decrypting a message. The cipher consists of well-defined steps that can be followed to encrypt or decrypt said message. This section displays information about your server’s cipher support that includes the following information:
- Preferred Order
- If it has forward secrecy
HTTP Response- After a server receives a request message, it responds with an HTTP response message that includes the following information:
- HTTP Version
- Status Code
Misc Support- This section of the SSL Endpoint scan displays the following information about your server:
This field is used to let you know if your server supports TLS compression. The Transport Layer Security (TLS) protocol contains a feature that allows you to compress the data passed between the server and the Web browser. TLS data compression is susceptible to the CRIME exploit.
This field is used to let you know if your server supports TLS heartbeats. If you are running TLS over User Datagram Protocol (UDP), you can use heartbeats to ensure that long running sessions do not timeout.
This field is used to let you know who can send heartbeats. If your server’s heartbeat mode is “peer allowed to send”, then the client and your server can send heartbeats. If your server’s heartbeat mode is “peer not allowed to send”, then only your server can send heartbeats.
Next Protocol Negotiation
This field lets you know if your server supports Next Protocol Negotiation (NPN) that is used by SPDY, a networking protocol for transporting web content that was developed by Google. NPN lets the server negotiate the use of SPDY and negotiate SPDY versions.
This field is used to let you know if your server supports OCSP (Online Certificate Status Protocol) stapling. In the beginning of OCSP, a browser requested an OCSP response from the Certificate Authority (CA) to check the revocation status of an SSL Certificate. To improve speed and reduce the load on the CAs who are required to respond to every client request in real-time, an OCSP stapling model evolved where the website receives the OCSP response directly from the CA. The website then sends the response to the browser. Because the OCSP response is good for hours or days, the website can cache the OCSP response from the CA and use it repeatedly during that period.
This field is used to let you know if your server supports session tickets to resume a session. The TLS server may have a mechanism in place that enables it to capture the encrypted session-state information into a ticket and forward that ticket to the client. The client then stores the encrypted session ticket, which it can then use to resume the session.
SSL V2 Upgrade
This field is used to let you know if your server supports the upgrade from SSL 2.0 to a more modern security protocol. This allows clients to use SSL 2.0 in the initial handshake to request a newer protocol version. Servers with SSL 2.0 upgrade can recognize the upgrade request and respond with an updated protocol. The server can understand the upgrade request that was sent in SSL 2.0 even if the server doesn’t support the SSL 2.0 protocol.
Protocol Support- Since the beginning of SSL, several versions have been released: SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2. This section of the SSL Endpoint scan displays which versions of the SSL Protocol your server supports.
TLS 1.2 (Transport Layer Security 1.2)
Based on TLS 1.1, version 1.2 includes:
Replaced the MD5-SHA-1 combination with SHA-256 in the pseudorandom function (PRF), and provided the option to use PRFs that are cipher suite specified.
Replaced the MD5-SHA-1 combination with SHA-256 in the finished message, and provided the option to hash algorithms that are cipher suite specified.
Replaced the MD5-SHA-1 combination with a single hash that is negotiated during the initial handshake in the digitally signed element; defaults to SHA-1.
Enhanced both the client’s (browser’s) and the server’s ability to stipulate the acceptable hash and signature algorithms.
Expanded support for authentication encryption ciphers.
Included additional TLS Extension definitions and Advance Encryption Standard cipher suites.
TLS 1.1 (Transport Layer Security 1.1)
Update to TLS 1.0. Version 1.1 includes:
Additional protection versus Cipher Blocking Chaining (CBC) attacks.
Support for Internet Assigned Numbers Authority (IANA) registration parameters.
TLS 1.0 (Transport Layer Security 1.0)
Serves as an upgraded version of SSL 3.0. Unfortunately, it allows for a TLS implementation, which can downgrade the connection to an SSL 3.0 connection.
SSL 3.0 (Secure Socket Layer 3.0)
SSL 3.0 was released after security flaws were found in SSL 2.0. However, it has a weak key derivation process because it relies on the MD5 hash function for half of the master key that is established. In 2014, the POODLE (Padding Oracle On Downgrading Legacy Encryption) vulnerability was discovered in the SSL 3.0 protocol.
SSL 2.0 (Secure Socket Layer 2.0)
Although the SSL 2.0 protocol was disavowed in 1996 due to known security flaws, some servers are still using it. Servers still using the SSL 2.0 protocol should disable it.
Protocol Tolerances- The SSL protocol used for a secured connection is based upon the newest supported version of the SSL/TLS protocol that both the client and server support. This section of the SSL Endpoint scan displays information about the upgrade path of the server to new versions of the SSL protocol. If at some point the test fails, then you know that your server would not be able to phase in this higher version of the SSL protocol without breaking your existing implementations. The codes for the protocol versions are as follows:
Renegotiation Support- Renegotiation occurs when a new handshake negotiation is started between your server and a client (browser) within an existing SSL/TLS connection. This section of the SSL Endpoint scan displays information about your server’s renegotiation support that includes the following information:
- Secure Renegotiation
- Secure Renegotiation Strict
- Client-Side Secure Renegotiation
- Client-Side Insecure Renegotiation