
Advanced warnings and browser cipher testing


We have a number of internet-facing web apps. When Chrome and Firefox dropped SSLv3 support a while ago due to Poodle, when Firefox started blocking any sites that had a Diffie-Hellman cipher enabled, and (most recently) when Chrome and Firefox dropped RC4 ciphers, we were unexpectedly hit with production issues. In each case, we only found out about the issues when our end-users started calling.

For the sake of this question, we're only concerned with the connection to the web server. Testing site layout and javascript is outside the scope.

I have written a few probes with PHP and nmap/OpenSSL, ie. to scan for SSLv3 and SHA1 certs. But I can't help but wonder if there's a cleaner and easier way to do this...especially to keep on top of it before we start receiving support calls about it.

A few questions:

  1. Are there any mailing lists that might notify us in advance of browser changes that could "break" connections to our apps?

Due to resource constraints, hopefully such mailing lists would not be cluttered with "noise".

  2. Is there a tool that we can leverage that will tell us if our app no longer works in a specific browser, without us having to tell it the conditions to test for?

For example, if Firefox disables SHA1 cert support tomorrow, we shouldn't need to tell this tool about it. Instead, it should just test with the default browser settings of the latest version.

Even if we have to tell the tool what changed, we can probably manage that... But hopefully we won't need to spend hours to add each test case.

Preferably, such a tool would run on-premises so we can test non-production environments and internal web apps. "Bonus points" if it can be fully automated and send an email when it finds an issue.

Thanks!


Solution

  • Probably going against the SO rules here but personally I find SSL Labs testing tool very good and it's kind of become an industry standard for testing your https config.

    Plug in your website URL, hit go and a few minutes later you get a report and a grade and also tests against a wealth of common browsers. If you've any warnings or less than an A grade then you'll run into trouble sooner or later. With an A grade you should be fine to test it once a quarter as it's unlikely any issue will be so new and so severe that browser makers ban them so quickly.

    There are other tools and that tool only works for public facing websites (testssl.sh is a command line tool which does a similar job for internal sites but without the grading). But SSL Labs is free, simple to use, is kept up to date, and allows you to just concentrate on the issues it flags. Keeping up to date on all security issues and bugs can be very time consuming otherwise - especially for a small company.

    There's also an API for it which I guess can be used for auto testing, but I haven't played with that as I haven't found the need.

    The Feisty Duck security newsletter is a monthly newsletter letting you know about changes in this space: https://www.feistyduck.com/bulletproof-tls-newsletter/. It cuts most of the noise out and is well worth subscribing to. Feisty Duck was set up by the creator of SSLLabs and the newsletter is run by an HTTPS uber geek (no offence intended!) who is aware of all incoming changes. And Vincent Lynch blogs about changes in an easily understandable way at: https://www.thesslstore.com/blog/

    Other useful links worth checking occasionally for issues that might affect your site:

    There's plenty of other security mailing lists and forums but they really will take up a lot of your time. Personally I find it interesting but realise most people are probably not the same! :-)