So you've received a critical risk finding for SSL not available. It means that no SSL/TLS certificate is being served for your domain: either nothing on the host is listening for HTTPS, or the web server that is listening has not been configured with a certificate. To resolve the finding, obtain a valid SSL/TLS certificate from a trusted certificate authority and install it on the server.
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are protocols that encrypt and authenticate traffic between two systems. An SSL/TLS certificate binds your domain name to a public key and is signed by a certificate authority (CA) such as Let's Encrypt; a browser that trusts the CA can use the certificate to confirm it is talking to the genuine server before any data is exchanged. TLS is the standard way to protect traffic on the internet, and "SSL certificate" survives as the everyday name even though the SSL protocol versions themselves are obsolete.
Why You Need SSL/TLS Certificates
Without a certificate the server cannot offer TLS, so everything exchanged with it travels in plain text. Plain-text traffic can be read or altered by anyone on the network path, including man-in-the-middle (MITM) attackers after user credentials and other sensitive information. Serving the site over HTTPS (HTTP carried inside a TLS connection) encrypts data such as credentials and payment details in transit and lets the client confirm that it reached the right server.
To keep users from ever sending data over plain HTTP, you can also enable HTTP Strict Transport Security (HSTS), a response header that tells browsers to use HTTPS only for your domain for a stated period. HSTS raises the stakes of certificate maintenance: a browser that has seen the header refuses to connect, with no click-through, if the certificate is missing or expired. Keep certificates installed and renewed.
When a certificate expires it must be renewed from a trusted certificate authority. Browsers treat an expired certificate as invalid, so visitors see a warning (or, with HSTS, are blocked outright) and can no longer confirm that they are talking to your site; any data they submit anyway is at risk. Publicly trusted certificates are currently limited to a maximum validity of 398 days, and many CAs issue for much less (Let's Encrypt certificates last 90 days). Record each certificate's expiry date and renew before it, or better, automate renewal.
Protocol version matters as well. SSL 2.0 and 3.0 and TLS 1.0 and 1.1 are deprecated because of known weaknesses: CVE-2014-3566 ("POODLE") is a padding-oracle attack on SSL 3.0, and a client that can be pushed into a protocol downgrade to SSL 3.0 is exposed even when the server also offers newer versions. Configure the server to accept TLS 1.2 and 1.3 only.
SSL/TLS certificates help to ensure site traffic is protected, and they are a critical requirement for many regulations.
How SSL Relates to Regulations
Serving traffic over SSL/TLS is part of establishing protected communication paths and ensuring that information in transit stays confidential and unaltered. Secure information transfer is required by regulations and frameworks such as PCI DSS, FISMA, and FedRAMP, and NIST SP 800-53 describes the relevant controls.
If your business handles payment card transactions, assess your compliance with PCI DSS. Requirement 4 covers protecting cardholder data with strong cryptography during transmission over open, public networks, which is exactly where your SSL/TLS certificate comes in.
When assessing adherence to the controls in NIST SP 800-53, look at the System and Communications Protection (SC) control family. Relevant controls include SC-8, Transmission Confidentiality and Integrity, and SC-13, Cryptographic Protection. SC-8(1) is especially relevant because it requires you to "implement cryptographic mechanisms . . . during transmission" (SC-8(1)); a valid certificate and the HTTPS traffic it enables align to this control. NIST SP 800-53 is binding on organizations working with the United States federal government, but its guidance is useful to most businesses.
Now that you understand what the SSL not available risk means for your organization, you can take steps to resolve the risk. Start by generating and installing an SSL/TLS certificate on your server.
How to Generate an SSL/TLS Certificate
The first step is to obtain an up-to-date SSL/TLS certificate from a trusted certificate authority and configure it correctly on your public-facing systems. Each certificate authority and hosting provider has a slightly different user experience, but the steps are typically the same:
- Choose a certificate authority. On the server, generate a private key and a certificate signing request (CSR) that names every hostname the certificate must cover. You need a registered domain name, DNS records pointing at your server, and control of whatever the CA will use for domain control validation (typically a DNS record, a file served over HTTP at the domain, or an email address at the domain).
- Complete the domain control validation steps for the type of certificate you requested.
- Download the issued certificate together with the CA's intermediate certificate and install them on the server alongside the private key you generated in the first step. The private key is created on your server and is never sent to the CA. Your hosting provider may publish a guide for installing certificates.
- Install the intermediate certificate(s) with your own certificate so that the server presents the full chain. You do not generate these yourself; the CA supplies them with the issued certificate.
- Note the expiration date so that you can renew before it, or automate renewal. Many services track SSL expiration, including UpGuard BreachSight.
Every hostname that users will reach the server by (for example both [.rt-script]your_domain.com[.rt-script] and [.rt-script]www.your_domain.com[.rt-script]) must be listed in the certificate's Subject Alternative Name field, or browsers report a name mismatch. Use a different certificate for your internet-facing servers than for internal systems so that you do not inadvertently expose internal hostnames to public site traffic. When you generate and configure the certificate, set a reminder to renew it in advance of expiration. You can also use an automated scanning service to identify SSL certificates that are misconfigured or otherwise unavailable.
When you generate the certificate signing request, you create two files:
- The [.rt-script].key[.rt-script] file holds the private key. It stays on the web server, is readable only by [.rt-script]root[.rt-script], and is never shared.
- The [.rt-script].csr[.rt-script] file contains the certificate request (your public key and the names to be certified). This is the file you send to the certificate authority (CA).
After you submit the [.rt-script].csr[.rt-script] file to your CA, the certificate authority validates the request and runs the domain control validation tasks required for the type of certificate you chose. Once the CA has confirmed the relevant details, you (the administrator) receive the certificate files.
You'll receive the following files:
- A primary certificate in a [.rt-script].crt[.rt-script] file. You'll use this [.rt-script].crt[.rt-script] file to install the certificate on your server, so name it something like [.rt-script]your_domain.com.crt[.rt-script] with the [.rt-script].crt[.rt-script] extension.
- One or more intermediate certificates, often delivered as a [.rt-script].pem[.rt-script] or bundle file. Browsers trust the CA's root certificate, but the CA signs your certificate with an intermediate, so your server must send the intermediate along with your certificate for clients to build a path to a trusted root. Name it something like [.rt-script]intermediate.crt[.rt-script] for clarity; many CAs also supply a ready-made full-chain file. Without the intermediate, some clients reject the connection even though your certificate itself is valid.
You will use these files in the next section when you install your SSL/TLS certificates.
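The whole issuance flow described above, from CSR to a verifiable chain, can be exercised offline by standing in for the CA with a throwaway root and intermediate. The script below is an added example, not part of the original article or of any CA's tooling; it needs only the openssl command-line tool (1.1.1 or later for the -addext option), and the domain name and working directory are placeholders. Steps 2 and 3 are what a real CA does behind the scenes; you only ever see the intermediate it returns.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): CSR -> issued certificate ->
# chain verification, with a throwaway root/intermediate standing in for the CA.
# Requires the openssl CLI (1.1.1+). DOMAIN and WORK are placeholders.
set -euo pipefail

DOMAIN="${DOMAIN:-example.com}"
WORK="${WORK:-$(mktemp -d)}"

# 1. On the server: private key plus a CSR naming every hostname we serve.
#    The key is created unreadable by other users and never leaves the host.
make_csr() {
  (umask 077; openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$WORK/$DOMAIN.key" -out "$WORK/$DOMAIN.csr" \
      -subj "/CN=$DOMAIN" \
      -addext "subjectAltName=DNS:$DOMAIN,DNS:www.$DOMAIN" 2>/dev/null)
  chmod 600 "$WORK/$DOMAIN.key"
}

# 2. Stand-in CA: a self-signed root, then an intermediate signed by the root.
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
      -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
      -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
      -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
      -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/intermediate.pem" 2>/dev/null
}

# 3. The CA signs the CSR with the intermediate. The SAN list in the issued
#    certificate is set by the CA from the names it validated.
sign_leaf() {
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s,DNS:www.%s\n' \
      "$DOMAIN" "$DOMAIN" >"$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/$DOMAIN.csr" -CA "$WORK/intermediate.pem" \
      -CAkey "$WORK/intermediate.key" -CAcreateserial -days 90 \
      -extfile "$WORK/leaf.ext" -out "$WORK/$DOMAIN.crt" 2>/dev/null
  # What the web server should present: our certificate first, then the intermediate.
  cat "$WORK/$DOMAIN.crt" "$WORK/intermediate.pem" >"$WORK/fullchain.crt"
}

# 4. What a browser does: build a path from the leaf to a root it trusts.
#    This only works when the intermediate is available next to the leaf.
chain_verifies() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/intermediate.pem" \
      "$WORK/$DOMAIN.crt" >/dev/null 2>&1
}
# Same leaf with the intermediate withheld: the client cannot reach the root.
leaf_alone_verifies() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/$DOMAIN.crt" >/dev/null 2>&1
}
# Hostnames the issued certificate actually covers, one per line.
cert_sans() {
  openssl x509 -in "$WORK/$DOMAIN.crt" -noout -text | tr ',' '\n' \
    | grep -o 'DNS:[^ ]*' | sed 's/^DNS://'
}

make_csr; make_ca; sign_leaf
echo "issued for: $(cert_sans | tr '\n' ' ')"
chain_verifies && echo "leaf + intermediate: OK"
leaf_alone_verifies || echo "leaf alone: FAILS (the missing-intermediate error users would see)"
```

The last two lines are the point of the exercise: the same certificate validates when the intermediate is supplied and fails when it is not, which is why the server must be configured with the full-chain file rather than the leaf certificate alone.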
How to Install SSL/TLS Certificates
Once you have generated an SSL certificate from a trusted certificate authority, you will need to install it on your server. This section identifies a few common tasks to complete in order to configure your certificates properly.
Store the files somewhere on the server that is outside the web root and cannot be served to the public. The private key in particular must be owned by and readable only by [.rt-script]root[.rt-script] (mode 600); the two certificates are public by nature but are normally kept alongside it:
- The private key, named something like [.rt-script]your_domain.com.key[.rt-script]
- The SSL certificate, named something like [.rt-script]your_domain.com.crt[.rt-script]
- The intermediate certificate returned by the CA, named something like [.rt-script]intermediate.crt[.rt-script]
With these files on the server, update the web server configuration so that it serves your new certificate. Apache and Nginx are both commonly used web servers, so you can follow this guidance to update their config files:
- For servers running Nginx, add a server block that listens on port 443 (the port used for HTTPS) with the [.rt-script]ssl[.rt-script] parameter, set [.rt-script]server_name[.rt-script] to your hostnames, point [.rt-script]ssl_certificate[.rt-script] at the certificate file (your certificate followed by the intermediate) and [.rt-script]ssl_certificate_key[.rt-script] at the private key. Restrict [.rt-script]ssl_protocols[.rt-script] to TLSv1.2 and TLSv1.3, and keep a port 80 block whose only job is to redirect HTTP requests to HTTPS.
- For servers running Apache, keep the virtual host on port 80 for HTTP and add one on port 443 for HTTPS with [.rt-script]SSLEngine on[.rt-script], [.rt-script]ServerName[.rt-script], [.rt-script]SSLCertificateFile[.rt-script] and [.rt-script]SSLCertificateKeyFile[.rt-script] (with Apache 2.4.8 and later, [.rt-script]SSLCertificateFile[.rt-script] may contain your certificate followed by the intermediate; older versions take the intermediate in [.rt-script]SSLCertificateChainFile[.rt-script]). Limit [.rt-script]SSLProtocol[.rt-script] to TLS 1.2 and 1.3 and, as with Nginx, redirect the port 80 host to HTTPS.
After modifying any config files, check them before applying ([.rt-script]nginx -t[.rt-script] or [.rt-script]apachectl configtest[.rt-script]), then reload the service with [.rt-script]systemctl reload nginx[.rt-script] or [.rt-script]systemctl reload apache2[.rt-script] ([.rt-script]httpd[.rt-script] on RHEL-family systems). A reload picks up the new configuration and certificate without dropping connections that are already open.
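The following is an added example, not configuration from the original article or from any particular deployment. It writes two constructed Nginx server blocks, one in the "SSL not available" state and one hardened as described above, and then runs a small lint over a config file to report which of the directives from this section are missing. Certificate paths, hostnames and the HSTS max-age are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): constructed weak and hardened
# Nginx server blocks plus a lint for the TLS directives this section requires.
# Hostnames and certificate paths are placeholders.
set -euo pipefail
WORK="${WORK:-$(mktemp -d)}"

write_samples() {
  # Weak: nothing listens on 443 (the "SSL not available" state) and legacy
  # protocol versions are listed for whenever TLS is eventually turned on.
  cat >"$WORK/weak.conf" <<'EOF'
server {
    listen 80;
    server_name example.com www.example.com;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    root /var/www/example;
}
EOF
  # Hardened: port 80 only redirects; 443 serves the full chain, modern
  # protocols only, and tells browsers to stay on HTTPS (HSTS).
  cat >"$WORK/hardened.conf" <<'EOF'
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_certificate     /etc/ssl/private/fullchain.crt;   # leaf followed by intermediate
    ssl_certificate_key /etc/ssl/private/example.com.key; # mode 600, owned by root
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    root /var/www/example;
}
EOF
}

# has FILE REGEX: true when the (comment-stripped) config matches REGEX.
has() { grep -Eq "$2" "$1"; }

# Print one finding per line; the exit status is the number of findings (0 = clean).
audit_nginx_tls() {
  local conf="$1" stripped="$WORK/.stripped.conf" n=0
  sed 's/#.*$//' "$conf" >"$stripped"       # ignore commented-out directives
  has "$stripped" 'listen[^;]*443[^;]*ssl'                  || { echo "no HTTPS listener (listen 443 ssl)"; n=$((n+1)); }
  has "$stripped" '^[[:space:]]*ssl_certificate[[:space:]]' || { echo "ssl_certificate not set"; n=$((n+1)); }
  has "$stripped" '^[[:space:]]*ssl_certificate_key[[:space:]]' || { echo "ssl_certificate_key not set"; n=$((n+1)); }
  has "$stripped" 'ssl_protocols[^;]*(SSLv3|TLSv1([[:space:];]|\.1))' && { echo "SSLv3 / TLS 1.0 / TLS 1.1 enabled"; n=$((n+1)); }
  has "$stripped" 'return[[:space:]]+30[1278][[:space:]]+https://' || { echo "no HTTP to HTTPS redirect"; n=$((n+1)); }
  has "$stripped" 'Strict-Transport-Security'               || { echo "HSTS header not set"; n=$((n+1)); }
  return "$n"
}

write_samples
for f in weak hardened; do
  echo "== $f.conf"
  if audit_nginx_tls "$WORK/$f.conf"; then echo "-> clean"; else echo "-> $? finding(s)"; fi
done
```

Run the lint against your own file with audit_nginx_tls /etc/nginx/sites-enabled/your_site before reloading; a non-zero exit status means something from this section is still missing. The Apache equivalents of the hardened block are SSLEngine on, SSLCertificateFile pointing at the chain file, SSLCertificateKeyFile, SSLProtocol -all +TLSv1.2 +TLSv1.3, a Header always set Strict-Transport-Security line, and a Redirect permanent in the port 80 virtual host.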
Open the site in a browser over [.rt-script]https://[.rt-script] to confirm that it loads without warnings, and check from the command line with [.rt-script]openssl s_client -connect your_domain.com:443 -servername your_domain.com[.rt-script], which prints the chain the server sent and "Verify return code: 0 (ok)" when that chain validates. If you cannot reach the site over HTTPS, review the configuration and the certificate file paths.
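The s_client check above can be wrapped so that it answers the question the scanner asks: is nothing listening, is something listening that does not speak TLS, is the certificate invalid, or is everything fine and when does it expire. This is an added example, not UpGuard's scanner logic or code from the original article; it relies only on the openssl command-line tool and, where available, the coreutils timeout command.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): classify HOST:PORT the way an
# "SSL not available" check does, using the openssl CLI only.
set -u

# Prints exactly one line:
#   no_listener            TCP connection failed (refused, unresolved, timed out)
#   ssl_not_available      TCP connected but no TLS handshake completed
#   cert_invalid: <reason> TLS works but the chain did not verify (expired, wrong name, ...)
#   ok expires=<date>      chain verified; shows the leaf certificate's notAfter
tls_status() {
  local host="$1" port="${2:-443}" out t=""
  command -v timeout >/dev/null 2>&1 && t="timeout 10"   # coreutils; absent on macOS
  # s_client prints the chain, the verify result and the leaf certificate PEM.
  out="$(echo | $t openssl s_client -connect "$host:$port" -servername "$host" 2>&1)" || true
  case "$out" in
    *"CONNECTED("*) ;;                        # TCP connect succeeded, keep going
    *) echo "no_listener"; return ;;
  esac
  case "$out" in
    *"Verify return code: 0 (ok)"*)
      local exp
      exp="$(printf '%s\n' "$out" | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)"
      echo "ok expires=$exp"; return ;;
    *"Verify return code:"*)
      echo "cert_invalid: ${out##*Verify return code: }" | head -n 1; return ;;
  esac
  # Connected but no certificate was ever verified: a plaintext service, or TLS refused.
  echo "ssl_not_available"
}

# Usage: tls_status your_domain.com [443]; hosts below are illustrative only.
for h in "${@:-example.com}"; do
  printf '%-30s %s\n' "$h" "$(tls_status "$h")"
done
```

Run it over the list of domains and IP addresses from the finding; any host that reports no_listener or ssl_not_available has no certificate in service, and a cert_invalid result with "certificate has expired" is the expiry case discussed earlier.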
How to Upgrade Software Versions for SSL Compatibility
Serving TLS depends on the TLS library that your web server (and any other software terminating TLS on the host) is built against. That library must be recent enough to support TLS 1.2 and 1.3 and the signature algorithms used in current certificates; an old build fails handshakes with modern browsers or cannot load the certificate at all.
Do this administration from an unprivileged account that can [.rt-script]sudo[.rt-script] for individual commands rather than by working as [.rt-script]root[.rt-script] directly; it keeps a routine slip from becoming an irreversible system-wide change.
Prefer your distribution's package manager to a manually downloaded tarball, so that security updates to the library arrive with everything else: [.rt-script]apt install[.rt-script] on Debian and Ubuntu, [.rt-script]dnf[.rt-script] or [.rt-script]yum[.rt-script] on RHEL, CentOS and Fedora, and Homebrew ([.rt-script]brew install[.rt-script]) on macOS.
Most Linux distributions ship OpenSSL, the open-source TLS library that Nginx, Apache and Python are normally built against. Recent versions of macOS ship LibreSSL (a fork of OpenSSL) instead, and Windows uses its own Schannel implementation, so command output and the packages that build tools expect can differ between platforms. Some Python packages, for example, are built against OpenSSL only.
Run [.rt-script]openssl version[.rt-script] to see which library and version the command-line tool is. On Linux, anything older than OpenSSL 1.1.1 has no TLS 1.3 support and should be updated. On macOS you can install OpenSSL with Homebrew and put it ahead of the system LibreSSL on your PATH for tools that need it. The development headers ([.rt-script]libssl-dev[.rt-script] on Debian and Ubuntu, [.rt-script]openssl-devel[.rt-script] on RHEL-family systems) are needed only when you compile software against OpenSSL, not to serve a certificate.
For Python, check which library the interpreter is linked against with [.rt-script]python3 -c 'import ssl; print(ssl.OPENSSL_VERSION)'[.rt-script]. If [.rt-script]import ssl[.rt-script] fails because the [.rt-script]_ssl[.rt-script] module is missing, the interpreter was built without a TLS library; if connections fail with an [.rt-script]SSLError[.rt-script], check that version and the certificate chain on the server before suspecting a missing package. Packages themselves install with [.rt-script]pip[.rt-script] or [.rt-script]pip3[.rt-script] in whatever environment you use (venv, Anaconda, Miniconda, PyCharm). In a Docker image, install the base distribution's OpenSSL runtime and, if you compile anything, its development package ([.rt-script]libssl-dev[.rt-script] on Debian-based images, [.rt-script]openssl-devel[.rt-script] on RHEL-based images, [.rt-script]openssl-dev[.rt-script] on current Alpine) before building; without a TLS library in the image, nothing in it can serve or verify your certificate.
Finally, keep the server's packages current ([.rt-script]apt upgrade[.rt-script], [.rt-script]dnf upgrade[.rt-script]) so that the web server and its TLS library receive security fixes.
How to Resolve the SSL Not Available Finding
Start by obtaining and installing a valid SSL certificate from a trusted certificate authority. Once HTTPS works, make it mandatory: redirect every HTTP request to the same URL on HTTPS, and add HSTS so that returning browsers never send the initial plain-text request at all. A redirect alone does not stop an attacker on the path from intercepting that first plain-text request; HSTS closes the gap for browsers that have already seen the header.
How UpGuard Can Help
UpGuard BreachSight scans for a variety of SSL risks, including SSL not available and risks related to SSL certificate expiration. If you receive an SSL not available finding, our system identifies which of your domains and IP addresses are missing an SSL/TLS certificate. You can identify which domains or IP addresses are impacted and ensure that you install the necessary certificate.
Current UpGuard users with the BreachSight feature can log in and access their Risk Profile to search for this risk among their assets. You can reach out to our support team to investigate and verify any SSL findings that have been identified for your assets.
If you're not a current UpGuard user and you want to scan your assets with BreachSight, sign up for a trial.