This presentation will tackle the subject of SSL/TLS testing from the viewpoint of a penetration tester. This will be a practical guide, not heavy on cryptography, but I will assume that attendees are happy with the basic concepts of the issues under discussion. The talk will be broad in scope, covering SSL/TLS protocol versions, cipher suite checks, certificate problems and poor SSL practice in web applications, along with well-known flaws surrounding renegotiation, RC4, BEAST and Heartbleed. For each issue, the focus will be on what to look out for, how tools can let you down, and how you can go about checking issues manually.