cryptonice – Python SSL Cert Checker

Little handy program by Katie Newbold and David Warburton of F5 Labs:

https://www.f5.com/labs/articles/threat-intelligence/cryptonice

    python  -m venv ~/.venv/cryptonice
    source ~/.venv/cryptonice/bin/activate
    pip  install cryptonice
    cryptonice  aardvark.herts.ac.uk

Well, it recommends changes, and some of the HIGH recommendations need to be implemented, e.g. disable TLSv1.0 and TLSv1.1 – so it is easy to install and quickly examine a site.

I will come clean and say using this was the nudge I needed to investigate why the F5 load balancer didn’t allow TLSv1.3 by default and was still allowing TLSv1.0 and TLSv1.1, despite most browsers now not supporting them due to security issues. This was/is the main reason we are getting a grade “B” on the SSL Labs test site.

RESULTS
-------------------------------------
Hostname:			  aardvark.herts.ac.uk

Selected Cipher Suite:		  ECDHE-RSA-AES256-GCM-SHA384
Selected TLS Version:		  TLS_1_2

Supported protocols:
TLS 1.2:			  Yes


HTTP/2 supported:		  False


CERTIFICATE
Common Name:			  aardvark.herts.ac.uk
Issuer Name:			  QuoVadis Global SSL ICA G3
Public Key Algorithm:		  RSA
Public Key Size:		  2048
Signature Algorithm:		  sha256

Certificate is trusted:		  True (No errors)
Hostname Validation:		  OK - Certificate matches server hostname
Extended Validation:		  False

HTTP to HTTPS redirect:		  False
HTTP Strict Transport Security:	  True (max-age=31536000; includeSubDomains)
None

RECOMMENDATIONS
-------------------------------------
Low - CAA Consider creating DNS CAA records to prevent accidental or malicious certificate issuance.

Scans complete
-------------------------------------
Total run time: 0:00:02.498182
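As an added example (not cryptonice's own code, nor anything from F5 Labs), here is a small standard-library Python probe for the check the post is really about: it asks the server, one version at a time, whether it will complete a handshake for TLS 1.0 through 1.3, then turns the answers into findings in the style of the recommendations above. The HIGH grading for TLSv1.0/1.1 is what the post reports; the TLSv1.3 "Low" finding and its wording are this example's assumption.

```python
import socket
import ssl

# Python's ssl.TLSVersion value for each protocol version the post discusses.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def probe_tls_versions(host, port=443, timeout=5.0):
    """True = handshake ok with only that version offered, False = refused, None = TCP connect failed."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            sock = socket.create_connection((host, port), timeout=timeout)
        except OSError:
            results[name] = None
            continue
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False  # protocol support only; trust is a separate check
        ctx.verify_mode = ssl.CERT_NONE
        try:
            # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level, so
            # lower it for the probe or old versions would wrongly look disabled.
            ctx.set_ciphers("ALL:@SECLEVEL=0")
            ctx.minimum_version = ctx.maximum_version = version
            with ctx.wrap_socket(sock, server_hostname=host):
                results[name] = True
        except (ValueError, OSError):  # ssl.SSLError is an OSError subclass
            results[name] = False
        finally:
            sock.close()
    return results

def grade_protocols(results):
    """cryptonice-style findings: HIGH for TLSv1.0/1.1 is what the post reports;
    the TLSv1.3 finding and its Low severity are this example's assumption."""
    findings = [f"HIGH - Disable {v}; current browsers no longer support it"
                for v in ("TLSv1.0", "TLSv1.1") if results.get(v)]
    if results.get("TLSv1.3") is False:
        findings.append("Low - Consider enabling TLSv1.3")
    return findings

if __name__ == "__main__":
    import sys
    res = probe_tls_versions(sys.argv[1] if len(sys.argv) > 1 else "aardvark.herts.ac.uk")
    print(res, *grade_protocols(res), sep="\n")
```

A None result means the host could not be reached at all, which is reported separately so an outage is not mistaken for a hardened configuration.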