SSL/TLS: Server Certificate Is Not Trusted

Severity: medium
Detected by: passive mode

What is an untrusted SSL/TLS certificate?

SSL/TLS certificates are files that authenticate a website's identity to the client, which is what gives an HTTPS connection meaning beyond plain encryption. This finding is raised when a client using the normal public trust store cannot build a valid chain of trust to the certificate the server presents: the certificate is self-signed, issued by a Certificate Authority the client does not trust, served without the intermediate certificates needed to reach a trusted root, expired or not yet valid, or issued for a different hostname. Without a trusted certificate, users have no way to confirm that they are talking to the genuine server, so the authentication guarantee of TLS is lost even though the traffic is still encrypted.

Why is an untrusted SSL/TLS certificate a security risk?

An untrusted certificate does not leak data by itself, but it removes the client's ability to tell the real server from an impostor. If users become accustomed to clicking through the browser warning, or if clients and scripts are configured to skip certificate validation so that the site "works", an attacker positioned on the network path can mount a man-in-the-middle attack: they terminate the TLS connection with a certificate of their own, which looks no different from the server's untrusted one, and can then read or modify everything exchanged, including login credentials, session tokens and other private data.

How to configure a trusted SSL certificate?

To address this issue, configure a trusted SSL/TLS certificate for the web server. Obtain the certificate from a reputable Certificate Authority, make sure the hostnames users connect with are covered by its subject alternative names, and install it together with the intermediate certificates the CA supplies, so that clients can build a complete chain to a trusted root. Consult the configuration guide for your specific web server or reverse proxy:


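As an added example (not code from the Vulnissimo page), the following shell script builds a throwaway root CA, intermediate CA and server certificate with openssl, then uses openssl verify to show which deployments a validating client accepts: the correct one (leaf plus intermediate, as in the fullchain file a CA hands out), the common misconfiguration of serving only the leaf, and a complete chain that is nevertheless issued by a CA the client does not trust. All names (Example Root CA, Example Issuing CA, www.example.test, the file names) are made up for the example.

```shell
#!/bin/sh
# Added example (not from the Vulnissimo page): build a throwaway PKI with
# openssl and show which deployments a validating client accepts. Every
# name below (CA names, www.example.test, file names) is made up.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Extension profiles: CA certificates must carry basicConstraints CA:TRUE,
# otherwise modern clients refuse to use them as issuers.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

# make_csr PREFIX CN: fresh RSA key in PREFIX.key and a CSR in PREFIX.csr
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" >/dev/null 2>&1
}

# Self-signed root that the client will trust, and an unrelated root that
# plays the role of a CA the client has never heard of.
make_csr root "Example Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile ca.ext \
    -out root.pem >/dev/null 2>&1
make_csr other "Some Other Root CA"
openssl x509 -req -in other.csr -signkey other.key -days 365 -extfile ca.ext \
    -out other.pem >/dev/null 2>&1

# Intermediate (issuing) CA signed by the root
make_csr int "Example Issuing CA"
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 365 -extfile ca.ext -out int.pem >/dev/null 2>&1

# Server (leaf) certificate signed by the intermediate
make_csr leaf www.example.test
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 365 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1

# What the web server should be configured to serve: leaf, then intermediate
cat leaf.pem int.pem > fullchain.pem

# verify_chain TRUST_ANCHOR LEAF [EXTRA]: exit 0 if a client that trusts only
# TRUST_ANCHOR accepts LEAF given the extra (untrusted) certs the server sent.
# -CAfile replaces the system store, so only TRUST_ANCHOR counts as trusted.
verify_chain() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# report LABEL VERIFY_CHAIN_ARGS...: print the outcome of one deployment
report() {
    label="$1"; shift
    if verify_chain "$@"; then
        echo "trusted  : $label"
    else
        echo "UNTRUSTED: $label"
    fi
}

report "full chain served, root in trust store"          root.pem  leaf.pem fullchain.pem
report "leaf only served, intermediate missing"          root.pem  leaf.pem
report "full chain served, issued by CA client distrusts" other.pem leaf.pem int.pem
```

Only the first case is accepted. The second is the most frequent real-world cause of this finding: the certificate itself is fine, but the server was configured with the leaf alone instead of the fullchain file, and clients that do not fetch missing intermediates cannot reach the root. For a live server the equivalent check is `openssl s_client -connect host:443 -servername host`, whose "Verify return code" line reports the same reasons openssl verify gives here (for example "unable to get local issuer certificate" or "self-signed certificate").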
How to detect an untrusted SSL/TLS certificate?

An untrusted SSL/TLS certificate can be detected through several methods: browser warnings, command-line tools such as openssl s_client (whose "Verify return code" line states why the chain failed), and automated scanners. Any client library that validates certificates by default can also serve as a detector, because it refuses the handshake and reports the reason, as the script below does.

import socket
import ssl
import sys
from datetime import datetime, timezone

# Usage: python check_cert.py <hostname> [port]
hostname = sys.argv[1]
port = int(sys.argv[2]) if len(sys.argv) > 2 else 443

# The default context validates the chain against the system trust store and
# checks the hostname, so an untrusted, expired or mismatched certificate makes
# wrap_socket() raise before any certificate data is available.
context = ssl.create_default_context()

try:
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
            cert = ssock.getpeercert()
except ssl.SSLCertVerificationError as e:
    # verify_message carries OpenSSL's reason, e.g. 'self-signed certificate',
    # 'unable to get local issuer certificate' or 'certificate has expired'.
    print('Warning: certificate is NOT trusted:', e.verify_message)
    sys.exit(1)

print('Certificate Subject:', cert.get('subject'))
print('Certificate Issuer:', cert.get('issuer'))
print('Valid From:', cert.get('notBefore'))
print('Valid To:', cert.get('notAfter'))
# Validation already rejected an expired certificate; report the time left so
# an imminent expiry can be caught before it becomes this finding.
expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert['notAfter']), tz=timezone.utc)
days_left = (expires - datetime.now(timezone.utc)).days
print(f'Certificate is trusted; it expires in {days_left} days.')

This Python script connects to a server with Python's default, validating TLS context. If the handshake fails with a certificate verification error, it prints OpenSSL's reason and exits non-zero, which is the actual detection of an untrusted certificate; otherwise it prints the subject, issuer and validity period and reports how many days remain before expiry. Disabling verification to inspect a bad certificate would defeat the check, since getpeercert() returns an empty dict on an unverified connection unless called with binary_form=True.

Note: These scripts are for educational purposes only. Always ensure you have permission before scanning or testing websites you don't own or operate.

Severity Level: medium (65/100)

Vulnissimo scored the severity of this vulnerability at 65 out of 100. This means that it requires immediate attention.

Test Your Application for SSL/TLS: Server Certificate Is Not Trusted Now

Vulnissimo tests for SSL/TLS: Server Certificate Is Not Trusted and many more. Sharpen your security posture with our advanced web vulnerability scanner.