📦 TLS Configuration Auditor
v1.0.0. Audits the TLS/SSL configuration of servers and applications, checking protocol versions, cipher suites, certificate chain validity, HSTS headers and compliance.
# TLS Configuration Auditor
Audit TLS/SSL configuration for security weaknesses. Checks protocol versions (TLS 1.2/1.3 only), cipher suite strength, certificate chain validity, HSTS deployment, key sizes, and compliance with Mozilla, NIST, and PCI-DSS guidelines.
Use when: "check TLS config", "SSL audit", "is our TLS secure", "cipher suite review", "certificate check", "security headers audit", "PCI compliance scan", or before security assessments.
## Commands
- audit — Full TLS audit
Step 1: Certificate
```bash
# Fetch the full chain (-showcerts). openssl x509 parses only the first PEM block,
# so this prints the leaf certificate's subject, issuer and validity period.
echo | openssl s_client -connect "$HOST:443" -servername "$HOST" -showcerts 2>/dev/null | \
  awk '/BEGIN CERT/,/END CERT/{print}' | \
  openssl x509 -noout -subject -issuer -dates 2>&1
# Subject (s:) and issuer (i:) of every certificate the server sent, to confirm the chain is complete
echo | openssl s_client -connect "$HOST:443" -servername "$HOST" -showcerts 2>/dev/null | \
  grep -E '^ +[0-9]+ s:|^ +i:'

# Days until expiry
echo | openssl s_client -connect "$HOST:443" -servername "$HOST" 2>/dev/null | \
  openssl x509 -noout -enddate 2>&1 | \
  python3 -c "
import sys, datetime
line = sys.stdin.read().strip()            # e.g. notAfter=Apr 15 12:00:00 2026 GMT
date_str = line.split('=', 1)[1]
expiry = datetime.datetime.strptime(date_str, '%b %d %H:%M:%S %Y %Z').replace(tzinfo=datetime.timezone.utc)
days = (expiry - datetime.datetime.now(datetime.timezone.utc)).days
status = '🔴 CRITICAL' if days < 7 else '🟡 WARNING' if days < 30 else '🟢 OK'
print(f'{status}: Certificate expires in {days} days ({expiry.date()})')
"
```
Step 2: Protocol Versions
```bash
# Test each TLS version. "CONNECTED" only means the TCP connection succeeded,
# so the handshake result is taken from the exit status instead.
for proto in ssl3 tls1 tls1_1 tls1_2 tls1_3; do
  if echo | openssl s_client -connect "$HOST:443" -servername "$HOST" -$proto >/dev/null 2>&1; then
    echo "$proto: ENABLED"
  else
    echo "$proto: DISABLED"
  fi
done
# Caveat: a version your openssl build no longer supports (ssl3, often tls1/tls1_1)
# fails locally and is reported as DISABLED even if the server still offers it;
# cross-check with nmap --script ssl-enum-ciphers.
```
Expected results:
- SSLv3: DISABLED (POODLE vulnerability)
- TLS 1.0: DISABLED (deprecated, PCI non-compliant since 2018)
- TLS 1.1: DISABLED (deprecated)
- TLS 1.2: ENABLED (minimum acceptable)
- TLS 1.3: ENABLED (preferred)

Step 3: Cipher Suites
```bash
# List supported ciphers
nmap --script ssl-enum-ciphers -p 443 "$HOST" 2>/dev/null || \
  echo | openssl s_client -connect "$HOST:443" -servername "$HOST" -cipher 'ALL' 2>&1 | grep "Cipher is"

# Check for weak ciphers (TLS 1.2 and below: -cipher does not restrict TLS 1.3
# suites, so TLS 1.3 is disabled to avoid a false positive).
# aNULL is the OpenSSL alias for anonymous (unauthenticated) suites.
for cipher in RC4 DES 3DES NULL EXPORT aNULL MD5; do
  if echo | openssl s_client -connect "$HOST:443" -servername "$HOST" -no_tls1_3 \
       -cipher "$cipher" >/dev/null 2>&1; then
    echo "🔴 WEAK CIPHER SUPPORTED: $cipher"
  fi
done
# Caveat: a cipher string your openssl build cannot satisfy ("no cipher match",
# e.g. EXPORT or RC4 in default builds) fails locally and is not flagged.
```
Flag as weak:
- RC4 (biased output, practical attacks)
- DES/3DES (SWEET32, small block size)
- NULL ciphers (no encryption)
- EXPORT ciphers (FREAK/Logjam, 40/56-bit keys)
- Anonymous DH (no authentication, MITM)
- MD5 for MAC (collision attacks)

Step 4: Security Headers
```bash
curl -sI "https://$HOST" | \
  grep -iE "^(strict-transport|x-frame|x-content|content-security|referrer|permissions|x-xss)" 2>&1
```
Check for:
- Strict-Transport-Security (HSTS) — should be present, max-age ≥ 31536000
- includeSubDomains — recommended
- preload — recommended for public sites
- HSTS preload list membership

Step 5: Key Strength
```bash
echo | openssl s_client -connect "$HOST:443" -servername "$HOST" 2>/dev/null | \
  openssl x509 -noout -text | \
  grep -E "Public-Key:|Signature Algorithm:" 2>&1
```
- RSA: minimum 2048-bit (4096 preferred)
- ECDSA: minimum 256-bit (P-256 or P-384)
- Signature: SHA-256 or better (SHA-1 is deprecated)

Step 6: Generate Report
```markdown
# TLS Configuration Audit — $HOST

Overall Grade: A / B / C / D / F

## Certificate
- Subject: *.example.com
- Issuer: Let's Encrypt R3
- Valid: 2026-01-15 to 2026-04-15
- Expiry: 🟢 47 days remaining
- Key: ECDSA P-256 ✅
- Signature: SHA-256 ✅
- Chain: Complete ✅

## Protocol Support
| Protocol | Status | Compliance |
|---|---|---|
| TLS 1.3 | ✅ Enabled | Required (modern) |
| TLS 1.2 | ✅ Enabled | Required (intermediate) |
| TLS 1.1 | ✅ Disabled | PCI-DSS compliant |
| TLS 1.0 | ✅ Disabled | PCI-DSS compliant |
| SSLv3 | ✅ Disabled | POODLE-safe |

## Cipher Suites
- Strong ciphers only: ✅
- Forward secrecy (ECDHE/DHE): ✅
- No weak ciphers: ✅

## Security Headers
- HSTS: ✅ max-age=31536000; includeSubDomains; preload
- X-Frame-Options: ⚠️ Missing
- CSP: ❌ Not configured

## Recommendations
- Add Content-Security-Policy header
- Add X-Frame-Options: DENY
- Consider ECDSA certificate for better performance
```
- compare — Compare Against Mozilla Presets
Check the configuration against Mozilla's three recommended profiles:
- Modern: TLS 1.3 only, strongest ciphers
- Intermediate: TLS 1.2+, broad compatibility
- Old: TLS 1.0+, maximum compatibility (not recommended)
- monitor — Set Up Certificate Expiry Alerts
Generate a monitoring script or CI job that checks certificate expiry daily and alerts at the 30/14/7/1 day thresholds.
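As an added example that is not part of the skill above, a shell function that applies the Step 4 HSTS rules (header present, max-age ≥ 31536000, includeSubDomains and preload recommended) to a raw header dump such as the `curl -sI` output; the three header samples are constructed, not captured from real hosts:

```shell
#!/bin/sh
# Verdicts: MISSING | WEAK (...) | OK[+SUBDOMAINS][+PRELOAD]
# Exit status is 1 for MISSING/WEAK so the function can gate a CI job.
audit_hsts() {
    headers="$1"
    # Header names are case-insensitive; strip the CRs curl leaves on each line
    sts=$(printf '%s\n' "$headers" | tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1)
    if [ -z "$sts" ]; then
        echo "MISSING"
        return 1
    fi
    # Directive names are case-insensitive too (RFC 6797); drop spaces and quotes
    directives=$(printf '%s' "$sts" | cut -d: -f2- | tr 'A-Z' 'a-z' | tr -d ' "')
    max_age=$(printf '%s' "$directives" | tr ';' '\n' | sed -n 's/^max-age=//p' | head -n 1)
    case "$max_age" in
        ''|*[!0-9]*)
            echo "WEAK (max-age missing or not numeric)"
            return 1 ;;
    esac
    if [ "$max_age" -lt 31536000 ]; then
        echo "WEAK (max-age=$max_age < 31536000)"
        return 1
    fi
    verdict="OK"
    printf '%s' "$directives" | tr ';' '\n' | grep -qx 'includesubdomains' && verdict="$verdict+SUBDOMAINS"
    printf '%s' "$directives" | tr ';' '\n' | grep -qx 'preload' && verdict="$verdict+PRELOAD"
    echo "$verdict"
}

# Constructed sample header dumps (not captured from real hosts)
HDR_GOOD='HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-frame-options: DENY'
HDR_WEAK='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300'
HDR_MISSING='HTTP/1.1 200 OK
Content-Type: text/html'

for sample in "$HDR_GOOD" "$HDR_WEAK" "$HDR_MISSING"; do
    echo "HSTS verdict: $(audit_hsts "$sample")"
done
```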