Monitoring of SSL Health using the Qualys SSL Labs API

The public release of the Qualys SSL Labs API has opened up an excellent data source, one that could let a team continuously assess all of its internet-facing websites (a very useful tool for any IT Security team).

Firstly, fixing security settings for external websites in a large company can be tricky. You need to find the right people, then reach them, then get everything planned, scheduled and tested. If you have multiple sites, there’s also a good chance that each site has a completely different set of people involved.

Secondly, I’ve worked with a few different vulnerability and ASV scanning solutions. They all push out the right data (though they all seem to have horribly out-of-date root CA stores), but they mostly don’t give you a format that is conducive to sharing; I’ve had many people ask, “what exactly does this SSL vulnerability in this report mean?”

This means that instead of quickly throwing together a very simple-to-understand “green is good, red is bad” report, I first need to sit down, translate all the results and then write it up again. This is fine for an ad-hoc review, but not something I want to be manually churning out all the time. I’m a strong advocate of continuous scanning (whether for vulnerabilities or for SSL server configs), so I decided to see what I could do in my spare time. With that landscape in mind, I set out to achieve two things:

  1. Create a high-level dashboard showing the state of SSL security across a group of websites.
  2. Assess each website’s SSL config against a configurable “best-practice” configuration standard.

This isn’t ready and I’ve only worked on it infrequently lately, but I thought I’d write it up so it doesn’t get lost. It’s just screenshots for now: the code is ugly and uncommented, and the detailed assessment is nowhere near finished. Qualys also requires anyone using the API to include links back to Qualys SSL Labs, so I’ll need to do that before any sort of code release. My UI skills are a bit lacking, but I think it looks nice enough for now (thanks, Chart.js). The program creating all of this is a C# application that talks to the Qualys API, builds an internal database holding all the scan results, and then runs the data through a reporting module which spits out some HTML pages.
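The collection half of that pipeline (start an assessment, poll it to completion, take the worst endpoint grade, bucket it for the front page) is small enough to show in full. The following Python is an example added for this post, not the author’s C# tool. The request parameters (`host`, `publish`, `startNew`, `all`) and the response fields it reads (`status`, `statusMessage`, `endpoints[].grade`) are those of the public SSL Labs analyze endpoint; the grade-to-colour mapping, the polling delays and the replayed sample responses are constructed for the example.

```python
"""Drive the SSL Labs analyze endpoint for a list of hosts and bucket the grades.

Added example, not the author's tool. API parameter and JSON field names follow
the public SSL Labs API documentation; SAMPLE below is constructed, not captured.
"""
import json
import time
import urllib.parse
import urllib.request

API_BASE = "https://api.ssllabs.com/api/v3"


def http_fetch(host, start_new):
    """One GET against /analyze. publish=off keeps the result off the public site."""
    params = {"host": host, "publish": "off", "all": "done"}
    if start_new:
        params["startNew"] = "on"
    url = API_BASE + "/analyze?" + urllib.parse.urlencode(params)
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def analyze_host(host, fetch=http_fetch, sleep=time.sleep, max_polls=60):
    """Start an assessment and poll until status is READY or ERROR.

    startNew=on goes on the first request only: repeating it on every poll
    would restart the scan each time and never reach READY.
    """
    data = fetch(host, True)
    polls = 0
    while data.get("status") not in ("READY", "ERROR"):
        polls += 1
        if polls > max_polls:
            raise TimeoutError(f"{host}: still {data.get('status')} after {max_polls} polls")
        # Poll slowly (assumed delays): a few seconds in DNS, longer once IN_PROGRESS.
        sleep(5 if data.get("status") == "DNS" else 10)
        data = fetch(host, False)
    if data["status"] == "ERROR":
        raise RuntimeError(f"{host}: {data.get('statusMessage', 'assessment failed')}")
    return data


GRADE_ORDER = ["A+", "A", "A-", "B", "C", "D", "E", "F", "T", "M"]  # best to worst


def worst_grade(report):
    """A host with several endpoints (IP addresses) is only as good as its worst one."""
    def rank(g):
        return GRADE_ORDER.index(g) if g in GRADE_ORDER else len(GRADE_ORDER)
    grades = [ep.get("grade") or "F" for ep in report.get("endpoints", [])]
    return max(grades, key=rank) if grades else "F"


def bucket(grade):
    """Assumed traffic-light mapping for the front-page chart."""
    if grade in ("A+", "A", "A-"):
        return "green"
    if grade in ("B", "C"):
        return "amber"
    return "red"  # D/E/F, T (trust), M (name mismatch) and failed scans


def dashboard(hosts, fetch=http_fetch, sleep=time.sleep):
    """Return {host: (grade, bucket)} plus per-bucket counts for the chart."""
    rows, counts = {}, {"green": 0, "amber": 0, "red": 0}
    for host in hosts:
        try:
            grade = worst_grade(analyze_host(host, fetch=fetch, sleep=sleep))
        except RuntimeError:
            grade = "ERROR"  # keep failed scans visible instead of dropping them
        rows[host] = (grade, bucket(grade))
        counts[bucket(grade)] += 1
    return rows, counts


# Constructed responses replaying the status transitions the real API goes through.
SAMPLE = {
    "hsts.badssl.com": [
        {"host": "hsts.badssl.com", "status": "DNS"},
        {"host": "hsts.badssl.com", "status": "IN_PROGRESS",
         "endpoints": [{"ipAddress": "198.51.100.10", "progress": 40}]},
        {"host": "hsts.badssl.com", "status": "READY",
         "endpoints": [{"ipAddress": "198.51.100.10", "grade": "A+", "progress": 100}]},
    ],
    "rc4.badssl.com": [
        {"host": "rc4.badssl.com", "status": "READY",
         "endpoints": [{"ipAddress": "198.51.100.11", "grade": "B", "progress": 100},
                       {"ipAddress": "198.51.100.12", "grade": "F", "progress": 100}]},
    ],
    "http.badssl.com": [
        {"host": "http.badssl.com", "status": "ERROR",
         "statusMessage": "Unable to connect to the server"},
    ],
}


def make_fake_fetch(script):
    """Offline fetcher: hands back the next scripted response for each host."""
    calls = {h: 0 for h in script}

    def fetch(host, start_new):
        i = min(calls[host], len(script[host]) - 1)
        calls[host] += 1
        return script[host][i]
    return fetch


if __name__ == "__main__":
    rows, counts = dashboard(list(SAMPLE), fetch=make_fake_fetch(SAMPLE), sleep=lambda s: None)
    for host, (grade, colour) in rows.items():
        print(f"{host:25} {grade:6} {colour}")
    print(counts)
```

Two things to watch when pointing this at the real endpoint: the API limits concurrent assessments per client (the response headers `X-Max-Assessments` and `X-Current-Assessments` tell you where you stand, and HTTP 429, 503 and 529 mean back off), and `publish=off` only keeps the result off the public results page; the scan itself is still run by Qualys against your host.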

For this post, I loaded the subdomains of badssl.com. It’s a site with a number of subdomains, each with a different SSL configuration (good and bad), to show how SSL clients react to different situations. The following subdomains were loaded into my program:

badssl.com
expired.badssl.com
wrong.host.badssl.com
self-signed.badssl.com
sha1-2017.badssl.com
sha1-2016.badssl.com
mixed.badssl.com
rc4.badssl.com
cbc.badssl.com
sha256.badssl.com
hsts.badssl.com
preloaded-hsts.badssl.com
subdomain.preloaded-hsts.badssl.com
dh480.badssl.com
dh512.badssl.com
dh1024.badssl.com
dh2048.badssl.com
rsa8192.badssl.com
dh-small-subgroup.badssl.com
dh-composite.badssl.com
incomplete-chain.badssl.com
very.badssl.com
rc4-md5.badssl.com
http.badssl.com

A draft of the front page – I’ve got a functioning chart (following the whole “green is good, red is bad” principle) as well as a draft “plain-English” explanation of how people should react to the grades.
(Screenshot: Executive Summary)

A summary table on the front-page. Each of the sites is a clickable link that goes into the “detailed assessment” page for that site.
(Screenshot: summary table)

The detailed assessment page. It only really looks at cipher configurations at the moment, but the plan is to implement something for certificate trust and vulnerability checks as well. The left-hand side shows the cipher list the server currently uses, annotated with each cipher’s position in the best-practice list loaded into the tool; the right-hand side shows the best-practice list in its proper order.
(Screenshot: detailed assessment)

The remediation section, which essentially tries to boil this down into a set of simple steps to follow. I haven’t thought too deeply about how to set this out, especially the last “re-order everything” line.
(Screenshot: Cipher Remediation)
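The cipher comparison and the remediation steps it feeds are essentially one list diff, so here is a worked version covering both the detailed-assessment view and the remediation section. This is example code added for this post, not the author’s tool. It reads the `suites` entry of an endpoint’s `details` object from the SSL Labs analyze response (as returned with `all=done`); the `BEST_PRACTICE` list, the compliance rule and the sample server data are constructed for the example, and the real tool’s standard is whatever you configure.

```python
"""Assess an endpoint's cipher suites against an ordered best-practice list.

Added example, not the author's tool. `details` is the per-endpoint `details`
object from the SSL Labs analyze response; BEST_PRACTICE and SAMPLE_DETAILS
are constructed for illustration.
"""

# Assumed standard: IANA suite names, strongest first. Purely illustrative;
# the real tool loads a configurable standard.
BEST_PRACTICE = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]


def server_suites(details):
    """Flatten details['suites'] into (ordered unique suite names, server_preference).

    v3 returns a list of per-protocol blocks {protocol, list, preference};
    v2 returned a single {list, preference} object. Both shapes are handled.
    """
    suites = details.get("suites", [])
    if isinstance(suites, dict):
        suites = [suites]
    names, preference = [], bool(suites)
    for block in suites:
        # Only "compliant" if the server enforces its own order on every protocol.
        preference = preference and bool(block.get("preference", False))
        for suite in block.get("list", []):
            if suite["name"] not in names:
                names.append(suite["name"])
    return names, preference


def assess(details, standard=BEST_PRACTICE):
    """Compare the server's cipher list with the standard and return the findings."""
    names, preference = server_suites(details)
    rank = {name: i for i, name in enumerate(standard)}
    kept = [n for n in names if n in rank]          # suites that may stay
    target_order = sorted(kept, key=rank.__getitem__)
    result = {
        "remove": [n for n in names if n not in rank],   # weak or unwanted suites
        "add": [n for n in standard if n not in names],  # advisory only
        "server_preference": preference,
        "out_of_order": kept != target_order,
        "target_order": target_order,
    }
    # Assumed compliance rule: nothing weak, server chooses, strongest first.
    result["compliant"] = (not result["remove"] and not result["out_of_order"]
                           and preference)
    return result


def remediation(result):
    """Turn the findings into the plain-English steps of the remediation section."""
    steps = []
    if result["remove"]:
        steps.append("Remove ciphers not in the standard: " + ", ".join(result["remove"]))
    if not result["server_preference"]:
        steps.append("Enable server cipher-order preference (the client currently chooses)")
    if result["out_of_order"]:
        steps.append("Re-order the remaining ciphers to: " + ", ".join(result["target_order"]))
    if result["add"]:
        steps.append("Consider adding: " + ", ".join(result["add"]))
    return steps or ["No changes required"]


# Constructed v3-shaped details for an endpoint offering RC4 and CBC suites,
# two good GCM suites in the wrong order, and no server preference.
SAMPLE_DETAILS = {
    "suites": [
        {"protocol": 771, "preference": False, "list": [
            {"id": 0xC02F, "name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
            {"id": 0x0005, "name": "TLS_RSA_WITH_RC4_128_SHA"},
            {"id": 0x002F, "name": "TLS_RSA_WITH_AES_128_CBC_SHA"},
            {"id": 0xC030, "name": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"},
        ]},
    ]
}

if __name__ == "__main__":
    findings = assess(SAMPLE_DETAILS)
    print("compliant:", findings["compliant"])
    for n, step in enumerate(remediation(findings), 1):
        print(f"{n}. {step}")
```

The "re-order everything" step stays readable because it only lists the suites the server already offers and should keep, in standard order, rather than the whole standard; anything missing from the standard is reported separately as optional.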
