Changes

580 bytes added, 08:00, 16 October 2018
Instantly check your site's security grade at https://www.ssllabs.com/ssltest/analyze.html (you can also append the domain name like so: ?d=equality-tech.com)
== Let's Encrypt ==
We used to run certificates from StartSSL because they offer free one-year certificates. However, today we upgraded to using '''LetsEncrypt''' and our certificates are both more secure and easier to manage. Instead of a "B" grade, we now have "A" grade security.
[[File:AGrade.png|left|500px]] [[File:BGrade.png|right|500px]]

'''Certbot''' ([https://github.com/certbot/certbot code]) is a fully-featured, extensible client for the Let's Encrypt CA (or any other CA that speaks the ACME protocol) that can automate the tasks of obtaining certificates and configuring webservers to use them. This client runs on Unix-based operating systems. It '''requires''' root access and is '''beta''' software.

Until May 2016, Certbot was named simply <code>letsencrypt</code> or <code>letsencrypt-auto</code>, depending on install method. Instructions on the Internet, and some pieces of the software, may still refer to this older name.

Using the [https://certbot.eff.org/#pip-apache Certbot website at EFF.org (the Electronic Frontier Foundation)], you can manage your certificates.

=== Checking Ciphers ===
You can use nmap to port scan a host (Do NOT do this on hosts you don't control... it's like poking a hornet's nest, you're not sure what's going to happen next but it could be bad). Use this particular invocation to show the SSL ciphers in use on your host. (The description below is from <code>/usr/share/nmap/scripts/ssl-enum-ciphers.nse</code>)

This script repeatedly initiates SSL/TLS connections, each time trying a new cipher or compressor while recording whether a host accepts or rejects it. The end result is a list of all the ciphers and compressors that a server accepts.

Each cipher is shown with a strength rating: one of <code>strong</code>, <code>weak</code>, or <code>unknown strength</code>. The output line beginning with <code>Least strength</code> shows the strength of the weakest cipher offered. If you are auditing for weak ciphers, you would want to look more closely at any port where <code>Least strength</code> is not <code>strong</code>. The cipher strength database is in the file <code>nselib/data/ssl-ciphers</code>, or you can use a different file through the script argument <code>ssl-enum-ciphers.rankedcipherlist</code>.

SSLv3/TLSv1 requires more effort to determine which ciphers and compression methods a server supports than SSLv2. A client lists the ciphers and compressors that it is capable of supporting, and the server will respond with a single cipher and compressor chosen, or a rejection notice.

This script is intrusive since it must initiate many connections to a server, and therefore is quite noisy.

<source lang="bash">
nmap --script +ssl-enum-ciphers example.com
</source>
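To act on the <code>Least strength</code> advice in the Checking Ciphers description, the following added example (not part of the original page or of nmap) parses saved <code>ssl-enum-ciphers</code> text output and lists the ports that need a closer look. The sample output is constructed, the function names are hypothetical, and the parser assumes the <code>strong</code> / <code>weak</code> / <code>unknown strength</code> format described above, matching the summary line case-insensitively.

```python
import re

# Constructed sample in the strong/weak/unknown format above (not from a real host).
SAMPLE = """\
PORT     STATE SERVICE
22/tcp   open  ssh
443/tcp  open  https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
|     compressors:
|       NULL
|_  least strength: weak
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|_  least strength: strong
"""

PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+open\b")
PROTO_RE = re.compile(r"^\|\s+((?:SSLv|TLSv)[\d.]+):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(\S+) - (strong|weak|unknown strength)\s*$")
LEAST_RE = re.compile(r"^\|_?\s+least strength:\s*(.+?)\s*$", re.IGNORECASE)

def parse(text):
    """Map each open port to its 'least strength' line and rated ciphers."""
    ports, proto = {}, None
    cur = {"least": None, "ciphers": []}  # sink for lines before the first port
    for line in text.splitlines():
        if m := PORT_RE.match(line):
            cur = ports[m.group(1)] = {"least": None, "ciphers": []}
        elif m := PROTO_RE.match(line):
            proto = m.group(1)
        elif m := CIPHER_RE.match(line):
            cur["ciphers"].append((proto, m.group(1), m.group(2)))
        elif m := LEAST_RE.match(line):
            cur["least"] = m.group(1).lower()
    return ports

def audit(text):
    """Ports whose least strength is not 'strong', with their non-strong ciphers."""
    return {port: [c for c in info["ciphers"] if c[2] != "strong"]
            for port, info in parse(text).items()
            if (info["least"] or info["ciphers"]) and info["least"] != "strong"}
```

Ports for which the script printed nothing (such as the ssh port in the sample) are skipped, while a port whose output was cut off before the summary line is still reported.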
== Resources ==
# [[wp:Transport Layer Security|Transport Layer Security]]
# [https://letsencrypt.org/getinvolved/ Get Involved with Let's Encrypt]
## [https://letsencrypt.org/getting-started/ Getting Started]
## [https://github.com/letsencrypt/letsencrypt Code on GitHub]
## [https://letsencrypt.readthedocs.org/en/latest/ Docs]
# https://wiki.mozilla.org/Security/Server_Side_TLS
# https://security.stackexchange.com/
# [https://httpd.apache.org/docs/2.4/ssl/ Apache docs]
# [https://help.ubuntu.com/lts/serverguide/certificates-and-security.html Ubuntu Server Guide - Certificates and Security]
# [https://tls.ulfheim.net/ TLS illustrated]
[[Category:Security]]
[[Category:System Administration]]