Skip to content

Instantly share code, notes, and snippets.

@jpluimers

jpluimers/- Secret

Created October 11, 2015 09:31
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save jpluimers/9e21ce721a4de4d6110f to your computer and use it in GitHub Desktop.
Save jpluimers/9e21ce721a4de4d6110f to your computer and use it in GitHub Desktop.
testssl community.embarcadero.com
###########################################################
testssl.sh 2.7dev from https://testssl.sh/dev/
(4eacc75 2015-10-11 10:03:19 -- 1.401)
This program is free software. Distribution and
modification under GPLv2 permitted.
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ https://testssl.sh/bugs/
###########################################################
Using "OpenSSL 1.0.2-chacha (1.0.2e-dev)" [~181 ciphers] on
retinambpro1tb.fritz.box:./bin/openssl.Darwin.x86_64
(built: "Aug 27 20:29:14 2015", platform: "darwin64-x86_64-cc")
Testing now (2015-10-11 11:27) ---> 204.216.225.111:443 (community.embarcadero.com) <---
rDNS (204.216.225.111): 204-216-225-111.navisite.com.
Service detected: HTTP
--> Testing protocols (via sockets except TLS 1.2 and SPDY/NPN)
SSLv2 not offered (OK)
SSLv3 offered (NOT ok)
TLS 1 offered
TLS 1.1 offered
TLS 1.2 offered (OK)
SPDY/NPN not offered
--> Testing ~standard cipher lists
Null Ciphers not offered (OK)
Anonymous NULL Ciphers not offered (OK)
Anonymous DH Ciphers not offered (OK)
40 Bit encryption not offered (OK)
56 Bit encryption not offered (OK)
Export Ciphers (general) not offered (OK)
Low (<=64 Bit) not offered (OK)
DES Ciphers not offered (OK)
Medium grade encryption offered (NOT ok)
Triple DES Ciphers offered (NOT ok)
High grade encryption offered (OK)
--> Testing (perfect) forward secrecy, (P)FS -- omitting 3DES, RC4 and Null Encryption here
PFS is offered (OK) ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-RC4-SHA
--> Testing server preferences
Has server cipher order? yes (OK)
Negotiated protocol TLSv1.2
Negotiated cipher AES256-SHA (openssl cannot show DH bits)
Cipher order
SSLv3: AES256-SHA AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA DES-CBC3-SHA RC4-SHA RC4-MD5
TLSv1: AES256-SHA AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA DES-CBC3-SHA RC4-SHA RC4-MD5
TLSv1.1: AES256-SHA AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA DES-CBC3-SHA RC4-SHA RC4-MD5
TLSv1.2: AES256-SHA AES128-SHA AES256-SHA256 AES128-SHA256 AES256-GCM-SHA384 AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA DES-CBC3-SHA RC4-SHA RC4-MD5
--> Testing server defaults (Server Hello)
TLS server extensions renegotiation info
Session Tickets RFC 5077 (none)
Server key size 2048 bit
Signature Algorithm SHA256 with RSA
Fingerprint / Serial SHA1 3E220AA3CF04F7159B0E9AAF67932B2E41C23D82 / 119A7F27A37BEBF1
SHA256 CF64906E17B20DD33E171F1D26569B334C8C10479B2A6E10CD6EB0CD235AF883
Common Name (CN) *.embarcadero.com (wildcard certificate match) (CN in response to request w/o SNI: *.embarcadero.com)
subjectAltName (SAN) *.embarcadero.com embarcadero.com
Issuer Go Daddy Secure Certificate Authority - G2 (GoDaddy.com, Inc. from US)
EV cert (experimental) no
Certificate Expiration >= 60 days (2015-03-17 19:32 --> 2018-10-12 01:08 +0200)
# of certificates provided 2
Chain of trust (experim.) NOT ok: microsoft: (chain incomplete) mozilla: (chain incomplete)
OK: linux java
Certificate Revocation List http://crl.godaddy.com/gdig2s1-87.crl
OCSP URI http://ocsp.godaddy.com/
OCSP stapling not offered
TLS clock skew -432 sec from localtime
--> Testing HTTP header response @ "/"
HTTP Status Code 200 OK
HTTP clock skew -2 sec from localtime
Strict Transport Security --
Public Key Pinning --
Server banner Apache
Application banner X-Powered-By: PHP/5.6.11
Cookie(s) 3 issued: 1/3 secure, 2/3 HttpOnly
Security headers --
Reverse Proxy banner --
--> Testing vulnerabilities
Heartbleed (CVE-2014-0160) not vulnerable (OK)
CCS (CVE-2014-0224) not vulnerable (OK)
Secure Renegotiation (CVE-2009-3555) not vulnerable (OK)
Secure Client-Initiated Renegotiation not vulnerable (OK)
CRIME, TLS (CVE-2012-4929) not vulnerable (OK)
BREACH (CVE-2013-3587) NOT ok: uses gzip HTTP compression (only supplied "/" tested)
POODLE, SSL (CVE-2014-3566) VULNERABLE (NOT ok), uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)
TLS_FALLBACK_SCSV (RFC 7507), experim. Downgrade attack prevention supported (OK)
FREAK (CVE-2015-0204) not vulnerable (OK)
LOGJAM (CVE-2015-4000), experimental not vulnerable (OK), common primes not checked. See below for any DH ciphers + bit size
BEAST (CVE-2011-3389) SSL3: DES-CBC3-SHA AES128-SHA
AES256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
TLS1: DES-CBC3-SHA AES128-SHA
AES256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
VULNERABLE -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2
RC4 (CVE-2013-2566, CVE-2015-2808) VULNERABLE (NOT ok): ECDHE-RSA-RC4-SHA RC4-SHA RC4-MD5 RC4-MD5
--> Testing all locally available 181 ciphers against the server, ordered by encryption strength
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (RFC)
-----------------------------------------------------------------------------------------------------------------------
xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
xc028 ECDHE-RSA-AES256-SHA384 ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384
x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256
x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA
xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 256 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
xc027 ECDHE-RSA-AES128-SHA256 ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256
x3c AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256
x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA
xc011 ECDHE-RSA-RC4-SHA ECDH 256 RC4 128 TLS_ECDHE_RSA_WITH_RC4_128_SHA
x05 RC4-SHA RSA RC4 128 TLS_RSA_WITH_RC4_128_SHA
x04 RC4-MD5 RSA RC4 128 TLS_RSA_WITH_RC4_128_MD5
x010080 RC4-MD5 RSA RC4 128 SSL_CK_RC4_128_WITH_MD5
xc012 ECDHE-RSA-DES-CBC3-SHA ECDH 256 3DES 168 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
x0a DES-CBC3-SHA RSA 3DES 168 TLS_RSA_WITH_3DES_EDE_CBC_SHA
Done now (2015-10-11 11:31) ---> 204.216.225.111:443 (community.embarcadero.com) <---
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment