-
-
Save jpluimers/22179ec12b744f42f992 to your computer and use it in GitHub Desktop.
testssl ipv6 dev.testssl.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ########################################################### | |
| testssl.sh 2.7dev from https://testssl.sh/dev/ | |
| (379bc94 2015-10-11 11:47:10 -- 1.401) | |
| This program is free software. Distribution and | |
| modification under GPLv2 permitted. | |
| USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! | |
| Please file bugs @ https://testssl.sh/bugs/ | |
| ########################################################### | |
| Using "OpenSSL 1.0.2-chacha (1.0.2e-dev)" [~181 ciphers] on | |
| SLAVE2:$PWD/bin/openssl.Linux.x86_64 | |
| (built: "Sep 29 15:36:00 2015", platform: "linux-x86_64") | |
| Testing all IPv4 addresses (port 443): 81.169.199.25 2a01:238:4279:1200:1000:1:e571:51 | |
| ----------------------------------------------------------------------------------------------------------------------- | |
| Testing now (2015-10-11 13:01) ---> 81.169.199.25:443 (dev.testssl.sh) <--- | |
| further IP addresses: 2a01:238:4279:1200:1000:1:e571:51 | |
| rDNS 81.169.199.25: testssl.sh. | |
| Service detected: HTTP | |
| --> Testing protocols (via sockets except TLS 1.2 and SPDY/NPN) | |
| SSLv2 not offered (OK) | |
| SSLv3 not offered (OK) | |
| TLS 1 offered | |
| TLS 1.1 offered | |
| TLS 1.2 offered (OK) | |
| SPDY/NPN http/1.1 (advertised) | |
| --> Testing ~standard cipher lists | |
| Null Ciphers not offered (OK) | |
| Anonymous NULL Ciphers offered (NOT ok) | |
| Anonymous DH Ciphers offered (NOT ok) | |
| 40 Bit encryption offered (NOT ok) | |
| 56 Bit encryption not offered (OK) | |
| Export Ciphers (general) offered (NOT ok) | |
| Low (<=64 Bit) not offered (OK) | |
| DES Ciphers not offered (OK) | |
| Medium grade encryption offered (NOT ok) | |
| Triple DES Ciphers offered (NOT ok) | |
| High grade encryption not offered (NOT ok) | |
| --> Testing (perfect) forward secrecy, (P)FS -- omitting 3DES, RC4 and Null Encryption here | |
| PFS is offered (OK) DHE-RSA-SEED-SHA ECDHE-RSA-RC4-SHA | |
| --> Testing server preferences | |
| Has server cipher order? nope (NOT ok) | |
| Negotiated protocol TLSv1.2 | |
| Negotiated cipher DHE-RSA-SEED-SHA, 999 bit DH (limited sense as client will pick) | |
| Negotiated cipher per proto (limited sense as client will pick) | |
| DHE-RSA-SEED-SHA: TLSv1, TLSv1.1, TLSv1.2 | |
| ECDHE-ECDSA-AES256-GCM-SHA384: http/1.1 | |
| No further cipher order check has been done as order is determined by the client | |
| --> Testing server defaults (Server Hello) | |
| TLS server extensions server name, renegotiation info, session ticket, heartbeat | |
| Session Tickets RFC 5077 300 seconds | |
| Server key size 4096 bit | |
| Signature Algorithm SHA256 with RSA | |
| Fingerprint / Serial SHA1 AA5FF6B618DB64D962505B4B22F65C21A3560E7F / 053F29F0E45CA1 | |
| SHA256 FDAB2063E38C2165A0B7471F15D86540CFCDF0D4C5EB2A67F474B2773CDB64C8 | |
| Common Name (CN) dev.testssl.sh (CN in response to request w/o SNI: default.name) | |
| subjectAltName (SAN) dev.testssl.sh testssl.sh | |
| Issuer StartCom Class 1 Primary Intermediate Server CA (StartCom Ltd. from IL) | |
| EV cert (experimental) no | |
| Certificate Expiration >= 60 days (2015-02-20 07:51 --> 2016-02-20 20:06 +0100) | |
| # of certificates provided 2 | |
| Chain of trust (experim.) Ok | |
| Certificate Revocation List http://crl.startssl.com/crt1-crl.crl | |
| OCSP URI http://ocsp.startssl.com/sub/class1/server/ca | |
| OCSP stapling not offered | |
| TLS timestamp random values, no fingerprinting possible | |
| --> Testing HTTP header response @ "/" | |
| HTTP Status Code 302 Moved Temporarily, redirecting to "https://github.com/drwetter/testssl.sh/" | |
| HTTP clock skew 0 sec from localtime | |
| IPv4 address in header IPv4-test: 10.35.33.7 | |
| (check if it's your IP address or e.g. a cluster IP) | |
| Strict Transport Security 1169 days=101010101 s, includeSubDomains | |
| Public Key Pinning -- | |
| Server banner Apache 1.3.37 (Idefix) | |
| Application banner X-Powered-By: PHP/4.4.42 | |
| X-Version: seems deliberately borken | |
| Cookie(s) 2 issued: NONE secure, NONE HttpOnly | |
| Security headers X-FRAME-OPTIONS: DENY | |
| Reverse Proxy banner -- | |
| --> Testing vulnerabilities | |
| Heartbleed (CVE-2014-0160) not vulnerable (OK) (timed out) | |
| CCS (CVE-2014-0224) not vulnerable (OK) | |
| Secure Renegotiation (CVE-2009-3555) not vulnerable (OK) | |
| Secure Client-Initiated Renegotiation not vulnerable (OK) | |
| CRIME, TLS (CVE-2012-4929) not vulnerable (OK) | |
| BREACH (CVE-2013-3587) no HTTP compression (OK) (only supplied "/" tested) | |
| POODLE, SSL (CVE-2014-3566) not vulnerable (OK) | |
| TLS_FALLBACK_SCSV (RFC 7507), experim. Downgrade attack prevention supported (OK) | |
| FREAK (CVE-2015-0204) VULNERABLE (NOT ok), uses EXPORT RSA ciphers | |
| LOGJAM (CVE-2015-4000), experimental not vulnerable (OK), common primes not checked. See below for any DH ciphers + bit size | |
| BEAST (CVE-2011-3389) TLS1: EXP-RC2-CBC-MD5 EXP-DES-CBC-SHA | |
| DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA ADH-DES-CBC3-SHA | |
| SEED-SHA DHE-RSA-SEED-SHA ADH-SEED-SHA | |
| ECDHE-RSA-DES-CBC3-SHA AECDH-DES-CBC3-SHA EXP-RC2-CBC-MD5 | |
| VULNERABLE -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2 | |
| RC4 (CVE-2013-2566, CVE-2015-2808) VULNERABLE (NOT ok): ECDHE-RSA-RC4-SHA AECDH-RC4-SHA ADH-RC4-MD5 RC4-SHA RC4-MD5 RC4-MD5 EXP-RC4-MD5 EXP-RC4-MD5 | |
| --> Testing all locally available 181 ciphers against the server, ordered by encryption strength | |
| Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (RFC) | |
| ----------------------------------------------------------------------------------------------------------------------- | |
| x9a DHE-RSA-SEED-SHA DH 999 SEED 128 TLS_DHE_RSA_WITH_SEED_CBC_SHA | |
| x9b ADH-SEED-SHA DH 999 SEED 128 TLS_DH_anon_WITH_SEED_CBC_SHA | |
| x96 SEED-SHA RSA SEED 128 TLS_RSA_WITH_SEED_CBC_SHA | |
| xc011 ECDHE-RSA-RC4-SHA ECDH 256 RC4 128 TLS_ECDHE_RSA_WITH_RC4_128_SHA | |
| xc016 AECDH-RC4-SHA ECDH 256 RC4 128 TLS_ECDH_anon_WITH_RC4_128_SHA | |
| x18 ADH-RC4-MD5 DH 999 RC4 128 TLS_DH_anon_WITH_RC4_128_MD5 | |
| x05 RC4-SHA RSA RC4 128 TLS_RSA_WITH_RC4_128_SHA | |
| x04 RC4-MD5 RSA RC4 128 TLS_RSA_WITH_RC4_128_MD5 | |
| x010080 RC4-MD5 RSA RC4 128 SSL_CK_RC4_128_WITH_MD5 | |
| xc012 ECDHE-RSA-DES-CBC3-SHA ECDH 256 3DES 168 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | |
| x16 EDH-RSA-DES-CBC3-SHA DH 999 3DES 168 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA | |
| xc017 AECDH-DES-CBC3-SHA ECDH 256 3DES 168 TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA | |
| x1b ADH-DES-CBC3-SHA DH 999 3DES 168 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA | |
| x0a DES-CBC3-SHA RSA 3DES 168 TLS_RSA_WITH_3DES_EDE_CBC_SHA | |
| x08 EXP-DES-CBC-SHA RSA(512) DES 40,export TLS_RSA_EXPORT_WITH_DES40_CBC_SHA | |
| x06 EXP-RC2-CBC-MD5 RSA(512) RC2 40,export TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 | |
| x040080 EXP-RC2-CBC-MD5 RSA(512) RC2 40,export SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 | |
| x03 EXP-RC4-MD5 RSA(512) RC4 40,export TLS_RSA_EXPORT_WITH_RC4_40_MD5 | |
| x020080 EXP-RC4-MD5 RSA(512) RC4 40,export SSL_CK_RC4_128_EXPORT40_WITH_MD5 | |
| Done now (2015-10-11 13:02) ---> 81.169.199.25:443 (dev.testssl.sh) <--- | |
| ----------------------------------------------------------------------------------------------------------------------- | |
| Testing now (2015-10-11 13:02) ---> [2a01:238:4279:1200:1000:1:e571:51]:443 (dev.testssl.sh) <--- | |
| further IP addresses: 81.169.199.25 | |
| rDNS [2a01:238:4279:1200:1000:1:e571:51]: -- | |
| Service detected: HTTP | |
| --> Testing protocols (via sockets except TLS 1.2 and SPDY/NPN) | |
| SSLv2 not offered (OK) | |
| SSLv3 not offered (OK) | |
| TLS 1 offered | |
| TLS 1.1 offered | |
| TLS 1.2 offered (OK) | |
| SPDY/NPN http/1.1 (advertised) | |
| --> Testing ~standard cipher lists | |
| Null Ciphers not offered (OK) | |
| Anonymous NULL Ciphers offered (NOT ok) | |
| Anonymous DH Ciphers offered (NOT ok) | |
| 40 Bit encryption not offered (OK) | |
| 56 Bit encryption not offered (OK) | |
| Export Ciphers (general) not offered (OK) | |
| Low (<=64 Bit) not offered (OK) | |
| DES Ciphers not offered (OK) | |
| Medium grade encryption offered (NOT ok) | |
| Triple DES Ciphers offered (NOT ok) | |
| High grade encryption not offered (NOT ok) | |
| --> Testing (perfect) forward secrecy, (P)FS -- omitting 3DES, RC4 and Null Encryption here | |
| PFS is offered (OK) DHE-RSA-SEED-SHA ECDHE-RSA-RC4-SHA | |
| --> Testing server preferences | |
| Has server cipher order? nope (NOT ok) | |
| Negotiated protocol TLSv1.2 | |
| Negotiated cipher DHE-RSA-SEED-SHA, 999 bit DH (limited sense as client will pick) | |
| Negotiated cipher per proto (limited sense as client will pick) | |
| DHE-RSA-SEED-SHA: TLSv1, TLSv1.1, TLSv1.2 | |
| ECDHE-ECDSA-AES256-GCM-SHA384: http/1.1 | |
| No further cipher order check has been done as order is determined by the client | |
| --> Testing server defaults (Server Hello) | |
| TLS server extensions server name, renegotiation info, session ticket, heartbeat | |
| Session Tickets RFC 5077 300 seconds | |
| Server key size 4096 bit | |
| Signature Algorithm SHA256 with RSA | |
| Fingerprint / Serial SHA1 AA5FF6B618DB64D962505B4B22F65C21A3560E7F / 053F29F0E45CA1 | |
| SHA256 FDAB2063E38C2165A0B7471F15D86540CFCDF0D4C5EB2A67F474B2773CDB64C8 | |
| Common Name (CN) dev.testssl.sh (CN in response to request w/o SNI: default.name) | |
| subjectAltName (SAN) dev.testssl.sh testssl.sh | |
| Issuer StartCom Class 1 Primary Intermediate Server CA (StartCom Ltd. from IL) | |
| EV cert (experimental) no | |
| Certificate Expiration >= 60 days (2015-02-20 07:51 --> 2016-02-20 20:06 +0100) | |
| # of certificates provided 2 | |
| Chain of trust (experim.) Ok | |
| Certificate Revocation List http://crl.startssl.com/crt1-crl.crl | |
| OCSP URI http://ocsp.startssl.com/sub/class1/server/ca | |
| OCSP stapling not offered | |
| TLS timestamp random values, no fingerprinting possible | |
| --> Testing HTTP header response @ "/" | |
| HTTP Status Code 302 Moved Temporarily, redirecting to "https://github.com/drwetter/testssl.sh/" | |
| HTTP clock skew 0 sec from localtime | |
| Strict Transport Security 11690 days=1010101010 s, just this domain | |
| Public Key Pinning -- | |
| Server banner ; cat ~/.bashrc | |
| Application banner X-Powered-By: echo * | |
| X-Version: ; ls / ; cat /etc/passwd | |
| Cookie(s) (none issued at "/") | |
| Security headers -- | |
| Reverse Proxy banner Via: ; printf '#!/bin/bash | |
| --> Testing vulnerabilities | |
| Heartbleed (CVE-2014-0160) not vulnerable (OK) (timed out) | |
| CCS (CVE-2014-0224) not vulnerable (OK) | |
| Secure Renegotiation (CVE-2009-3555) not vulnerable (OK) | |
| Secure Client-Initiated Renegotiation not vulnerable (OK) | |
| CRIME, TLS (CVE-2012-4929) not vulnerable (OK) | |
| BREACH (CVE-2013-3587) no HTTP compression (OK) (only supplied "/" tested) | |
| POODLE, SSL (CVE-2014-3566) not vulnerable (OK) | |
| TLS_FALLBACK_SCSV (RFC 7507), experim. Downgrade attack prevention supported (OK) | |
| FREAK (CVE-2015-0204) not vulnerable (OK) | |
| LOGJAM (CVE-2015-4000), experimental not vulnerable (OK), common primes not checked. See below for any DH ciphers + bit size | |
| BEAST (CVE-2011-3389) TLS1: DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA | |
| ADH-DES-CBC3-SHA SEED-SHA DHE-RSA-SEED-SHA | |
| ADH-SEED-SHA ECDHE-RSA-DES-CBC3-SHA AECDH-DES-CBC3-SHA | |
| VULNERABLE -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2 | |
| RC4 (CVE-2013-2566, CVE-2015-2808) VULNERABLE (NOT ok): ECDHE-RSA-RC4-SHA AECDH-RC4-SHA ADH-RC4-MD5 RC4-SHA RC4-MD5 RC4-MD5 | |
| --> Testing all locally available 181 ciphers against the server, ordered by encryption strength | |
| Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (RFC) | |
| ----------------------------------------------------------------------------------------------------------------------- | |
| x9a DHE-RSA-SEED-SHA DH 999 SEED 128 TLS_DHE_RSA_WITH_SEED_CBC_SHA | |
| x9b ADH-SEED-SHA DH 999 SEED 128 TLS_DH_anon_WITH_SEED_CBC_SHA | |
| x96 SEED-SHA RSA SEED 128 TLS_RSA_WITH_SEED_CBC_SHA | |
| xc011 ECDHE-RSA-RC4-SHA ECDH 256 RC4 128 TLS_ECDHE_RSA_WITH_RC4_128_SHA | |
| xc016 AECDH-RC4-SHA ECDH 256 RC4 128 TLS_ECDH_anon_WITH_RC4_128_SHA | |
| x18 ADH-RC4-MD5 DH 999 RC4 128 TLS_DH_anon_WITH_RC4_128_MD5 | |
| x05 RC4-SHA RSA RC4 128 TLS_RSA_WITH_RC4_128_SHA | |
| x04 RC4-MD5 RSA RC4 128 TLS_RSA_WITH_RC4_128_MD5 | |
| x010080 RC4-MD5 RSA RC4 128 SSL_CK_RC4_128_WITH_MD5 | |
| xc012 ECDHE-RSA-DES-CBC3-SHA ECDH 256 3DES 168 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | |
| x16 EDH-RSA-DES-CBC3-SHA DH 999 3DES 168 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA | |
| xc017 AECDH-DES-CBC3-SHA ECDH 256 3DES 168 TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA | |
| x1b ADH-DES-CBC3-SHA DH 999 3DES 168 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA | |
| x0a DES-CBC3-SHA RSA 3DES 168 TLS_RSA_WITH_3DES_EDE_CBC_SHA | |
| Done now (2015-10-11 13:03) ---> [2a01:238:4279:1200:1000:1:e571:51]:443 (dev.testssl.sh) <--- | |
| ----------------------------------------------------------------------------------------------------------------------- | |
| Done testing now all IP addresses (on port 443): 81.169.199.25 2a01:238:4279:1200:1000:1:e571:51 | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment