Primary Use Case

This tool is used by DevOps and security teams to automatically audit SSL/TLS configurations of public or internal endpoints during CI/CD processes. It helps ensure that endpoints comply with organizational or industry security standards by identifying weak or deprecated cipher suites and failing builds or releases when non-compliance is detected.

Key Features

Integration as an Azure DevOps build or release pipeline extension

Automated scanning of SSL/TLS settings on specified endpoints

Detection of non-compliant SSL 2.0/3.0 and TLS 1.0/1.1 cipher suites

Identification of weak TLS 1.2 cipher suites based on current security standards

Option to fail build or release pipelines on non-compliance

Support for scanning using internal or external DNS servers to accommodate split-view DNS

Automatic publishing of vulnerability results to Azure DevOps test results tab

Leverages SSLyze API for SSL/TLS analysis

Insights & Recommendations

TlsTestGate relies on the SSLyze API for scanning and currently considers SSL 2.0/3.0 and TLS 1.0/1.1 cipher suites as non-compliant, along with certain weak TLS 1.2 ciphers; users should keep the list of valid ciphers updated as security standards evolve. The tool supports split-view DNS scenarios by allowing specification of DNS servers, which is important for accurate internal vs external endpoint testing. Fixing issues may require changes not only on web servers but also on load balancers or reverse proxies depending on network topology.

Installation

Create and activate a Python virtual environment: python3 -m venv foo && cd foo && source bin/activate
Clone the repository: git clone https://github.com/metlife/tlstestgate.git
Navigate into the cloned directory: cd tlstestgate
Install Python dependencies: pip install -r requirements.txt
Download and install Node.js from https://nodejs.org/en/download/
Install TypeScript compiler globally: npm install -g typescript
Install TFS Cross Platform Command Line Interface (tfx-cli) as per Microsoft documentation

Usage

steps: - task: JoeGatt.TlsTestGate.custom-build-release-task.TlsTestGate@1 displayName: 'github.com SSL/TLS Test Gate' inputs: baseURL: github.com port: 443 dnsserver: 8.8.8.8 failBuild: true

YAML snippet to add TlsTestGate as a task in an Azure DevOps pipeline that scans github.com on port 443 using Google DNS and fails the build if non-compliant SSL/TLS settings are found.

Smart Usage Notes

Integrate TlsTestGate into CI/CD pipelines to enforce SSL/TLS compliance early in development, reducing production vulnerabilities.Combine TlsTestGate results with vulnerability management dashboards for centralized risk tracking and remediation prioritization.Use the tool to simulate attacker reconnaissance phases by identifying weak SSL/TLS configurations that could be exploited.Leverage automated fail-build options to prevent deployment of non-compliant endpoints, strengthening security posture.Expand scanning scope by integrating with internal DNS servers to detect split-view DNS discrepancies and internal exposure.

OpenSec Atlas

TlsTestGate

About This Tool

Primary Use Case

Key Features

Insights & Recommendations

Installation

Usage

Smart Usage Notes

Security Capability Profile

Tags

You Might Also Like