Welcome to the full schedule of the OWASP AppSec Research EU 2014 conference days
Monday, June 23, 2014 • 14:00 - 18:00 BST
Training room 7 - TLS/SSL in Practice


SSL/TLS as deployed today has a growing number of problems, and it is difficult to understand what their root causes are, how to detect them, and finally how to avoid or fix them.

This training gives a brief introduction to SSL: how it works, which problems are known in the protocol itself and in the PKI it relies on, and which vulnerabilities and potential attacks exist, together with tools to check for these issues. The main focus is SSL as used for HTTPS; other uses, for example SSL for SMTP, are only touched on briefly. To round off, there will be recommendations on how to configure SSL securely.


The course is a hands-on training that shows by example how to check the SSL connection established to a web server (including the negotiated ciphers) and how to analyse the certificate it presents. A large number of tools will be explained, and it will be demonstrated how they can be used to detect weaknesses in an SSL connection and its configuration.

The tools covered include, for example, openssl, sslaudit, sslscan, ssltest.pl, o-saft and others, as well as online checkers such as ssllabs.com. We show what each tool is useful for, what it can do and what it cannot.
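The client-side checks described in the two paragraphs above, as an added worked example that is not part of the course material or of any of the tools it names: a POSIX shell script that uses only the openssl command line. To run stand-alone it first starts a throwaway openssl s_server on a local port (the port number, the localhost name and the self-signed certificate are constructed test data, and the port is assumed to be free), then performs the checks an auditor would run against a real host: which protocol and cipher were negotiated, whether a legacy protocol version is still accepted, and what the presented certificate contains.

```shell
#!/bin/sh
# Added example for this training page (not from the course materials):
# audit a TLS endpoint from the client side with nothing but the openssl CLI.
# A throwaway local server stands in for the "local SSL-enabled web server"
# the technical requirements recommend.
set -e

HOST=localhost
PORT=${TLS_DEMO_PORT:-14433}      # assumption: this port is free on the laptop
WORK=$(mktemp -d)
trap 'kill "${SERVER_PID:-}" 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Constructed test data: a 2048-bit RSA key and a 1-day self-signed certificate
# for localhost, including the SAN entry that modern clients insist on.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Start openssl's built-in server; -www answers every request with a status page.
# Poll with a client handshake until the listener is up.
start_server() {
  openssl s_server -accept "$PORT" -cert "$WORK/cert.pem" -key "$WORK/key.pem" -www \
    >/dev/null 2>&1 &
  SERVER_PID=$!
  tries=0
  until printf '' | openssl s_client -connect "$HOST:$PORT" >/dev/null 2>&1; do
    tries=$((tries + 1))
    [ "$tries" -lt 15 ] || { echo "server did not come up" >&2; return 1; }
    sleep 1
  done
}

# Raw s_client transcript for host:port. stdin is closed immediately, so the
# client completes the handshake, prints its report and exits.
tls_probe() {   # usage: tls_probe host port [extra s_client options]
  h=$1; p=$2; shift 2
  printf '' | openssl s_client -connect "$h:$p" -servername "$h" "$@" 2>/dev/null || true
}

# What the two sides actually agreed on, e.g. "TLSv1.3 TLS_AES_256_GCM_SHA384",
# taken from the Protocol and Cipher lines of the SSL-Session block.
negotiated() {   # usage: negotiated host port
  out=$(tls_probe "$1" "$2")
  proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
  cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
  printf '%s %s\n' "$proto" "$cipher"
}

# Does the server still complete a handshake when the client offers only one
# (legacy) protocol version? Exit status 0 means it does.
accepts_version() {   # usage: accepts_version host port -tls1|-tls1_1|-tls1_2
  printf '' | openssl s_client -connect "$1:$2" "$3" >/dev/null 2>&1
}

# Extract the leaf certificate from the transcript and summarise what an auditor
# checks first: subject, issuer, validity window, fingerprint, key size, SANs.
cert_summary() {   # usage: cert_summary host port
  pem=$(tls_probe "$1" "$2" | openssl x509)
  printf '%s\n' "$pem" | openssl x509 -noout -subject -issuer -dates -fingerprint -sha256
  printf '%s\n' "$pem" | openssl x509 -noout -text | awk '
    /Public-Key:/              { gsub(/[()]/, ""); print "Key size:", $(NF-1), $NF }
    /Subject Alternative Name/ { getline; sub(/^ */, "SAN: "); print }'
}

make_cert
start_server
echo "== negotiated:  $(negotiated "$HOST" "$PORT")"
if accepts_version "$HOST" "$PORT" -tls1; then
  echo "== TLS 1.0:     accepted (weak setting, should be disabled)"
else
  echo "== TLS 1.0:     rejected"
fi
echo "== certificate:"
cert_summary "$HOST" "$PORT"
```

To audit a real server, drop the make_cert and start_server calls and point negotiated, accepts_version and cert_summary at the target host and port 443. Read the results the way the course does: the negotiated line should be TLSv1.2 or newer with a forward-secret (ECDHE) suite, legacy versions should be rejected, and the certificate's SAN must cover the hostname with a key of at least 2048 bits. One caveat for the version probe: with OpenSSL 3 the client itself refuses TLS 1.0 and 1.1 at the default security level, so a "rejected" result there says nothing about the server; repeat the probe with -cipher 'DEFAULT:@SECLEVEL=0' or from an older OpenSSL build before concluding that the server has disabled them.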

Finally we show how the OWASP tool o-saft can be used to cover most of the techniques shown before, and how to use its advanced features, such as:

  • checking for special SSL settings

  • check multiple servers at a time

  • customizing the results

  • using private SSL libraries

  • customizing o-saft itself

  • simple debugging of various SSL connection problems.

The purpose of this course is to give participants a tool set for checking SSL and to teach them how and when to use which tool.

The course is intended to teach builders and defenders how to analyse SSL from the client-side view, in particular what an auditor or penetration tester does. It will not go into the details of fuzzing or breaking SSL with tools such as sslsniff, ssltrap and the like, or of exploiting vulnerabilities. Instead it should give developers an idea of how to use SSL securely, and give system architects, administrators and operations staff hints on how to set up and configure SSL properly and securely.

Technical Requirements

Participants should bring their own laptop with any operating system (Linux is recommended) and at least the following tools installed:

  • openssl (1.0.1e or newer)

  • perl (5.8 or newer); on Windows, Strawberry Perl is recommended

  • Net::SSLeay (1.53 or newer), IO::Socket::SSL (1.37 or newer)

  • python (2.7), optional

Optionally, for smooth testing, a local SSL-enabled web server should be running on the laptop.



All other tools used are open source and will be available during the course. Participants are responsible for accepting and following the licence terms of each tool.



Achim Hoffmann

Achim Hoffmann started with Linux/network security in the nineties and has been working in web application security for more than 12 years. After working for several years as a developer of web applications, he began to concentrate on web application security as his major subject in...

