How to check the health of an SSL certificate

22 March 2021

An SSL certificate enables secure communication between a web browser and server. Not all SSL certificates are equal though. The strength of a certificate depends on many factors, including the TLS protocol and cipher suite used.

There are plenty of tools that can be used to get detailed information about an SSL certificate. In this article I’ll use the Qualys SSL Labs checker. The website gives you a detailed overview of your certificate, including a score. This article isn’t a detailed overview of the SSL Labs test. If you’re interested in how the checker works then you can find more information in the Server Rating Guide. In this article I’ll focus on protocols and cipher support.

TLS protocols

The TLS protocol is used, among others, to secure the communication between a web browser and a website. TLS encrypts data; makes sure that the browser and server are who they claim to be and verifies that data hasn’t been tampered with. In short, TLS makes it possible to securely log into your website or buy something online.

For websites, TLS is used via the HTTPS protocol. If your website has an SSL certificate then it can be accessed via HTTPS (rather than HTTP). Provided that the SSL certificate is valid the communication channel is automatically secured using TLS.

Strictly speaking, SSL certificates are TLS certificates. SSL was the first protocol used to encrypt online communication channels. It has long since been superseded by the TLS protocol but the name “SSL certificate” has stuck.

Protocol versions

The Configuration section in the SSL Labs check shows what protocols the server supports. Just like software, protocols evolve over time. The ancient SSL protocols (SSL 2.0 and SSL 3.0) and TLS versions 1.0 and 1.1 have been deprecated. They contain known security vulnerabilities and should no longer be used. As at March 2021 the supported versions are TLS 1.2 and 1.3.

It’s worth noting that disabling support for deprecated TLS versions can result in issues for end users. Someone using outdated and unmaintained software that lacks support for current TLS standards won’t be able to communicate with a server. This rarely happens with websites, as most web browsers update themselves – even if the browser runs on an operating system that’s no longer maintained. The issue is more common with email and FTP. People who use an outdated email or FTP client may find that the server refuses to talk to the client.

For your server set-up this means that you have to consider whether or not to disable TLS 1.0 and 1.1. Obviously, it’s recommended to do so. Not supporting insecure TLS versions is a feature rather than a bug. However, you do need to consider the impact this might have on your users.

Protocol support

As said, TLS 1.0 and 1.1 are not secure. If your server supports the protocols then your maximum score in the SSL Labs test will be a B (the highest possible score is A+). You can change what TLS versions are support in WHM via Service Configuration » Apache Configuration » Global Configuration. The following string disables old TLS versions:

all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

You can also check the value via Apache’s configuration file:

# grep SSLProtocol /etc/apache2/conf/httpd.conf
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

Cipher suites

The secure connection between a web browser and server is done via a handshake. Put simply, the server and client decide what TLS protocol version to use and the client verifies the server’s identity via its public encryption key. They also decide what cipher suite to use.

Ciphers are important. It’s the encryption algorithm used to secure data. There are lots of different ciphers and, like TLS protocols, some of them are no longer secure. If your SSL certificate doesn’t get an A-rating after disabling TLS 1.0 and 1.1 then it may be that your server supports weak ciphers.

The SSL Labs checks the cipher suites the server supports for different TLS versions, and it highlights ciphers that are weak. You may want to remove such ciphers. Before you do so, have a look at the Handshake Simulation section on the page. The section shows what TLS protocol and cipher suite different devices used during the handshake. If there are clients that used a weak cipher suite then you’ll want to look into that before disabling the cipher.

Like the TLS protocols, supported ciphers can be defined via WHM » Service Configuration » Apache Configuration » Global Configuration. We recommend having a chat with us before you do so – it’s important to get the supported cipher suites right.