Can SSL Checker Analyze localhost or Internal Servers?

Learn about analyzing SSL/TLS configuration on localhost and internal servers, testing approaches, and tools for internal certificate validation.

By Inventive HQ Team
Why SSL Checker Works Only on Public Domains

SSL Checker is designed to analyze HTTPS configuration on publicly accessible domains. It connects from the internet to your server, checks certificate validity, reviews TLS configuration, and reports security issues. This design prevents it from analyzing localhost or internal servers that aren't accessible from the public internet.

When you try to use SSL Checker on localhost or internal addresses like 192.168.1.100, the tool cannot reach those addresses because they're not routable over the internet.

Understanding the Limitation

Public Domains:

  • Accessible from anywhere on the internet
  • DNS resolves to a public IP address
  • SSL Checker can connect and analyze

Localhost:

  • 127.0.0.1 or ::1
  • Only accessible locally
  • SSL Checker cannot reach from the internet

Internal Servers:

  • 192.168.x.x, 10.x.x.x, 172.16.x.x (private IP ranges)
  • Only accessible within the private network
  • SSL Checker cannot reach from the internet

Testing SSL/TLS on Localhost

For development and testing, localhost SSL configuration is important. Here are alternatives to online SSL checking tools:

OpenSSL Command-Line Testing

# Check certificate information
openssl s_client -connect localhost:8443 -showcerts

# Check certificate expiration (close stdin so s_client exits, then print the validity dates)
openssl s_client -connect localhost:8443 < /dev/null 2>/dev/null | openssl x509 -noout -dates

# Test specific TLS version
openssl s_client -connect localhost:8443 -tls1_2

# View certificate details
openssl x509 -in /path/to/certificate.crt -text -noout

This shows:

  • Certificate validity dates
  • Certificate issuer information
  • TLS version used
  • Cipher suites negotiated
  • Certificate chain

Browser Developer Tools

  1. Open the HTTPS page on localhost
  2. Click the lock icon (or warning icon) in the address bar
  3. Click "Certificate" or "Connection"
  4. View certificate information including:
    • Validity period
    • Issuer information
    • Certificate chain

curl with Verbose Output

# Show all connection and certificate details
curl -v https://localhost:8443

# Verify the server certificate against a specific CA file
curl --cacert /path/to/ca.crt https://localhost:8443

# Ignore certificate validation (test connectivity)
curl -k https://localhost:8443

Output shows:

  • TLS version negotiated
  • Cipher suite used
  • Certificate verification process
  • Any errors or warnings

nmap with SSL Service Detection

# Scan local port and identify SSL/TLS information
nmap -p 8443 --script ssl-enum-ciphers localhost

# Detailed SSL certificate analysis
nmap -p 8443 --script ssl-cert localhost

This provides:

  • Supported cipher suites
  • Certificate information
  • TLS version support

Testing Internal Servers on Your Network

For internal servers within your organization:

Direct Connection from Your Machine

# If you're on the internal network
openssl s_client -connect internal-server.local:443 -showcerts

# Show certificate validity
openssl s_client -connect 192.168.1.100:8443 < /dev/null 2>/dev/null | openssl x509 -noout -dates

Through a Bastion Host or VPN

If the internal server isn't directly accessible:

# Connect through SSH tunnel to an internal server
ssh -L 8443:internal-server:443 bastion-host.com

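# Then in another terminal (send the internal hostname as SNI, not "localhost")
openssl s_client -connect localhost:8443 -servername internal-server -showcerts

This forwards local port 8443 through the bastion host to the internal server, allowing testing. Because you connect to localhost, the -servername option is what tells the server which hostname's certificate to present.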

Using a Network Tool Inside the Network

Run SSL checking tools on a machine within the internal network:

  • Nessus with internal scanning capabilities
  • Qualys SSL Labs API (for internal scans if licensed)
  • Open source tools like testssl.sh on an internal machine

Manual Certificate Validation Checklist

For development and internal testing, manually verify:

Certificate Validity:

  • Certificate is not expired
  • Certificate validity period includes today's date
  • Certificate will be valid long enough for testing/use

Domain Matching:

  • Certificate's Common Name (CN) matches the hostname
  • If using Subject Alternative Names (SANs), the hostname matches one of them
  • Wildcard certificates (*.example.com) match appropriately

Certificate Chain:

  • All certificates in the chain are valid
  • Intermediate certificates are included
  • Root certificate exists in your trust store

Trust:

  • If self-signed, accept it for development only
  • If CA-signed, verify the CA is trusted
  • Check certificate transparency (CT logs) for issued certificates
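
The validity, domain-matching and chain items above can be scripted with stock openssl subcommands. This is an added example, not part of the original article; the function names, the 10-day sample certificate and the thresholds are constructed for illustration.

```shell
#!/bin/bash
# Added example: automates the manual checklist with openssl x509 / openssl verify.

# Create a throwaway self-signed certificate for localhost (constructed sample input).
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 10 \
    -keyout "$1/key.pem" -out "$1/cert.pem" -subj "/CN=localhost" \
    -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" 2>/dev/null
}

# check_cert CERT HOSTNAME MIN_DAYS CA_FILE
# Returns 0 only if every checklist item passes; prints one line per item.
check_cert() {
  local cert="$1" host="$2" min_days="$3" ca="$4" failed=0

  # Validity: not expired, and still valid MIN_DAYS from now.
  if openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "PASS validity: valid for at least $min_days more days"
  else
    echo "FAIL validity: expires within $min_days days (or already expired)"
    failed=1
  fi

  # Domain matching: -checkhost applies SAN and wildcard matching rules.
  if openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q "does match"; then
    echo "PASS name: certificate covers $host"
  else
    echo "FAIL name: certificate does not cover $host"
    failed=1
  fi

  # Chain and trust: build a path from the certificate to a root in CA_FILE.
  if openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ": OK"; then
    echo "PASS chain: verifies against $ca"
  else
    echo "FAIL chain: no trusted path using $ca"
    failed=1
  fi
  return "$failed"
}

# Demo: the self-signed sample certificate acts as its own trust anchor.
tmp=$(mktemp -d)
make_sample_cert "$tmp"
check_cert "$tmp/cert.pem" localhost 7 "$tmp/cert.pem" || true
check_cert "$tmp/cert.pem" internal-server.local 30 "$tmp/cert.pem" || true
rm -rf "$tmp"
```

For a CA-signed internal certificate, pass the CA bundle (root plus intermediates) as CA_FILE instead of the certificate itself.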

Self-Signed Certificate Testing on Localhost

Self-signed certificates are common for development:

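# Generate self-signed certificate for localhost
# (the subjectAltName entry is required: modern browsers match the hostname against SANs, not the CN)
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem \
  -days 365 -nodes -subj "/CN=localhost" \
  -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"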

# Configure your server to use it
# Then test with curl (ignoring self-signed warning)
curl -k https://localhost:8443

Browsers will show warnings about self-signed certificates. This is expected and normal for development.

Trusting Self-Signed Certificates Locally

To avoid browser warnings during development:

On macOS:

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain cert.pem

On Linux (Ubuntu/Debian):

# update-ca-certificates only picks up files ending in .crt
sudo cp cert.pem /usr/local/share/ca-certificates/localhost-dev.crt
sudo update-ca-certificates

On Windows:

certutil -addstore -f "ROOT" cert.pem

After trusting the certificate, browsers won't show warnings.

Using testssl.sh for Comprehensive Local Testing

testssl.sh is an excellent open-source tool for comprehensive SSL/TLS testing:

# Download and run on a local machine
./testssl.sh https://localhost:8443

# Or test an internal server (when on the same network)
./testssl.sh https://internal-server.local:443

Provides:

  • Protocol support (TLS versions)
  • Cipher suite analysis
  • Certificate information
  • Known vulnerabilities
  • Security recommendations

Docker and Container Testing

If your service runs in Docker:

# Start container in the background with a name and port mapping
docker run -d --name your-container -p 8443:443 your-image

# Test from host machine
openssl s_client -connect localhost:8443 -showcerts

# Or from within container
docker exec your-container openssl s_client -connect localhost:443 -showcerts

Automated Testing in CI/CD Pipelines

For development pipelines, integrate SSL testing:

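#!/bin/bash
# Test localhost SSL during development build

# Start your HTTPS server
npm run dev &
SERVER_PID=$!

# Stop the server however the script exits
trap 'kill "$SERVER_PID" 2>/dev/null' EXIT

# Wait for server to start
sleep 5

# Test SSL configuration
# -CAfile lets a self-signed or internal-CA certificate verify;
# -verify_hostname makes a name mismatch fail verification too
if openssl s_client -connect localhost:8443 -CAfile cert.pem -verify_hostname localhost \
    < /dev/null 2>/dev/null | grep -q "Verify return code: 0"; then
  echo "SSL test passed"
else
  echo "SSL test failed"
  exit 1
fi

# Continue with other tests...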

Network-Based Tools for Internal Scanning

For comprehensive internal server testing:

  • Nessus Professional - Can scan internal servers for SSL vulnerabilities
  • Qualys VMDR - Internal scanning with SSL assessment
  • Acunetix - Web security scanner including SSL/TLS analysis
  • Burp Suite - Can test SSL/TLS of any target you can access

These tools can analyze internal servers when installed within the network.

Why Online Tools Can't Access Internal Servers

Security reasons prevent online tools from accessing internal servers:

  1. Private IP Ranges - Internal IPs (192.168.x.x, 10.x.x.x) are reserved for private use and not routable on the public internet
  2. Firewall Protection - Internal servers are protected by firewalls that block external connections
  3. Isolation - Internal networks are deliberately isolated from the public internet

This is actually a feature, not a limitation—it protects your internal infrastructure.

Best Practices for Testing Internal SSL/TLS

  1. Use command-line tools - openssl, curl, nmap are available on any machine
  2. Test regularly - Don't wait until deployment to find SSL issues
  3. Automate testing - Add SSL checks to your CI/CD pipeline
  4. Trust self-signed certs locally - Make development easier while not compromising security
  5. Use local SSL checking tools - testssl.sh, Qualys CLI, etc.
  6. Document configuration - Keep records of certificates, expiration dates, and cipher configuration
  7. Validate before deployment - Test SSL configuration in staging before promoting to production

Moving from Testing to Production

When deploying to production:

  1. Obtain a valid certificate from a trusted Certificate Authority
  2. Use SSL Checker to verify public-facing configuration
  3. Enable monitoring - Set up alerts for certificate expiration
  4. Monitor with automated tools - Use SSL monitoring services to track configuration changes
  5. Maintain test environments - Keep testing environments separate with their own certificates

Conclusion: Alternative Testing Approaches for Non-Public Servers

While SSL Checker works only on publicly accessible domains, numerous alternatives exist for testing SSL/TLS on localhost and internal servers. Command-line tools like openssl, comprehensive tools like testssl.sh, and commercial scanners provide detailed analysis. For development and internal testing, these alternatives provide the same detailed information as online tools. The important principle is testing your SSL/TLS configuration thoroughly in every environment, not just production—using whatever tools are available for each environment.
