Expired Certificates

A simple use for Cryptonice is to check for expiring or expired certificates. This can either be accomplished by using default parameters or specifically (and only) scanning for the website certificate.

Using Cryptonice to check for expired certificates at expired.badssl.com:

cryptonice expired.badssl.com --scans tls --tls_parameters certificate_info


Hostname:                         expired.badssl.com

Common Name:                      *.badssl.com
Public Key Algorithm:             RSA
Public Key Size:                  2048
Signature Algorithm:              sha256

Certificate is trusted:           False (Mozilla not trusted)
Hostname Validation:              OK - Certificate matches server hostname
Extended Validation:              False
Certificate is in date:           False
Days until expiry:                -1923
Valid From:                       2015-04-09 00:00:00
Valid Until:                      2015-04-12 23:59:59

OCSP Response:                    Unsuccessful
Must Staple Extension:            False

Subject Alternative Names:

CRITICAL - Cert Expiry Certificate has expired!

Scans complete
Total run time: 0:00:19.095761

Outputting data to ./expired.badssl.com.json

We can see from the output, above, that the certificate for expired.badssl.com has expired 1923 days ago and that the certificate is also, therefore, not trusted by the Mozilla root store.

Weak Protocols and Ciphers

Legacy protocols are either deliberately made available in order to accept connections from old browsers or, all too often, they are forgotten about and not removed despite known vulnerabilities.

Cryptonice will detect which ciphersuites are available over which protocol and display warnings should legacy ciphers be found.

Using Cryptonice to check for weak protocols and ciphers on rc4-md5.badssl.com:

cryptonice f5.com --scans tls


Hostname:                         rc4-md5.badssl.com

Selected Cipher Suite:            RC4-MD5
Selected TLS Version:             TLS_1_1

Supported protocols:
TLS 1.2:                          Yes
TLS 1.1:                          Yes
TLS 1.0:                          Yes

HIGH - TLSv1.0 Major browsers are disabling TLS 1.0 imminently. Carefully monitor if clients still use this protocol.
HIGH - RC4 The RC4 symmetric cipher is considered weak and should not be used
HIGH - MD5 The MD5 message authentication code is considered weak and should not be used
HIGH - TLSv1.1 Major browsers are disabling this TLS 1.1 immenently. Carefully monitor if clients still use this protocol.

Scans complete
Total run time: 0:00:26.915821