Skip to content

Instantly share code, notes, and snippets.

@adam-p

adam-p/Tor-testssl.sh.md

Last active August 29, 2015 14:23
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save adam-p/349d6753aa23fd359e67 to your computer and use it in GitHub Desktop.
Save adam-p/349d6753aa23fd359e67 to your computer and use it in GitHub Desktop.
Download ZIP
./testssl.sh --mx torproject.org
Raw
checktls.com.txt
Checking gettor@torproject.org
looking up MX hosts on domain "torproject.org"
eugeni.torproject.org (preference:10)
Trying TLS on eugeni.torproject.org[38.229.72.13] (10):
seconds test stage and result
[000.026] Connected to server
[002.432] <-- 220 eugeni.torproject.org ESMTP Postfix (Debian/GNU)
[002.432] We are allowed to connect
[002.432] --> EHLO checktls.com
[002.448] <-- 250-eugeni.torproject.org
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
[002.448] We can use this server
[002.448] TLS is an option on this server
[002.449] --> STARTTLS
[002.466] <-- 220 2.0.0 Ready to start TLS
[002.466] STARTTLS command works on this server
[002.521] Cipher in use: ECDHE-RSA-AES256-GCM-SHA384
[002.521] Connection converted to SSL
[002.538]
Certificate 1 of 3 in chain:
subject= /ST=Klatch/L=Al Khali/O=torproject.org/OU=auto-CA/CN=eugeni.torproject.org/emailAddress=hostmaster@eugeni.torproject.org
issuer= /ST=Klatch/L=Al Khali/O=torproject.org/OU=auto-CA/CN=auto-ca.torproject.org/emailAddress=torproject-admin@torproject.org
[002.552]
Certificate 2 of 3 in chain:
subject= /ST=Klatch/L=Al Khali/O=torproject.org/OU=auto-CA/CN=auto-ca.torproject.org/emailAddress=torproject-admin@torproject.org
issuer= /ST=Klatch/L=Al Khali/O=torproject.org/OU=auto-CA/CN=auto-ca.torproject.org/emailAddress=torproject-admin@torproject.org
[002.565]
Certificate 3 of 3 in chain:
subject= /ST=Klatch/L=Al Khali/O=torproject.org/OU=auto-CA/CN=auto-ca.torproject.org/emailAddress=torproject-admin@torproject.org
issuer= /ST=Klatch/L=Al Khali/O=torproject.org/OU=auto-CA/CN=auto-ca.torproject.org/emailAddress=torproject-admin@torproject.org
[002.565] Cert NOT VALIDATED: self signed certificate in certificate chain
[002.566] So email is encrypted but the domain is not verified
[002.566] Cert Hostname VERIFIED (eugeni.torproject.org = eugeni.torproject.org)
[002.566] ~~> EHLO checktls.com
[002.597] <~~ 250-eugeni.torproject.org
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
[002.611] TLS successfully started on this server
[002.611] ~~> MAIL FROM:<test@checktls.com>
[002.630] <~~ 250 2.1.0 Ok
[002.630] Sender is OK
[002.631] ~~> RCPT TO:<gettor@torproject.org>
[005.666] <~~ 450 4.2.0 <gettor@torproject.org>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/torproject.org.html
[005.666] Cannot proof e-mail address (reason: RCPT TO rejected)
[005.667] Note: This does not affect the CheckTLS Confidence Factor
[005.667] ~~> QUIT
[005.682] <~~ 221 2.0.0 Bye
Raw
out.html
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!-- This file was created with the aha Ansi HTML Adapter. http://ziz.delphigl.com/tool_aha.php -->
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="application/xml+xhtml; charset=UTF-8" />
<title>stdin</title>
</head>
<body>
<pre>
<span style="font-weight:bold;">
#########################################################
testssl.sh 2.5dev http://dev.testssl.sh
(</span><span style="color:dimgray;font-weight:bold;">59299ce 2015-06-17 11:33:29 -- 1.279</span><span style="font-weight:bold;">)
This program is free software. Redistribution +
modification under GPLv2 is permitted.
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Note: you can only check the server with what is
available (ciphers/protocols) locally on your machine!
#########################################################</span>
Using &quot;OpenSSL 1.0.2a 19 Mar 2015&quot; [~141 ciphers] on
adam-w530:/usr/bin/openssl
(built: &quot;reproducible build, date unspecified&quot;, platform: &quot;Cygwin-x86_64&quot;)
<span style="color:purple;">For now I am providing the config file in to have GOST support</span>
<span style="font-weight:bold;">Testing now all MX records (on port 25): </span>eugeni.torproject.org
-------------------------------------------------------------------------------------------------------------------------
<span style="color:gray;background-color:black;">Testing now (2015-06-19 11:29) ---&gt; 38.229.72.13:25 (eugeni.torproject.org) &lt;---</span>
rDNS (38.229.72.13): eugeni.torproject.org
Service set: STARTTLS via SMTP
<span style="color:blue;font-weight:bold;">--&gt; Testing protocols </span>(via native openssl)
SSLv2 <span style="color:green;font-weight:bold;">not offered (OK)</span>
SSLv3 <span style="color:red;">offered (NOT ok)</span>
TLS 1 offered
TLS 1.1 offered
TLS 1.2 <span style="color:green;font-weight:bold;">offered (OK)</span>
SPDY/NPN (SPDY is a HTTP protocol and thus not tested here)
<span style="color:blue;font-weight:bold;">--&gt; Testing ~standard cipher lists</span>
Null Ciphers <span style="color:green;font-weight:bold;">not offered (OK)</span>
Anonymous NULL Ciphers <span style="color:green;font-weight:bold;">not offered (OK)</span>
Anonymous DH Ciphers <span style="color:green;font-weight:bold;">not offered (OK)</span>
40 Bit encryption <span style="color:red;font-weight:bold;">offered (NOT ok)</span>
56 Bit encryption <span style="color:purple;font-weight:bold;">Local problem: No 56 Bit encryption configured in /usr/bin/openssl</span>
Export Ciphers (general) <span style="color:red;font-weight:bold;">offered (NOT ok)</span>
Low (&lt;=64 Bit) <span style="color:red;font-weight:bold;">offered (NOT ok)</span>
DES Ciphers <span style="color:red;font-weight:bold;">offered (NOT ok)</span>
Medium grade encryption <span style="color:red;">offered (NOT ok)</span>
Triple DES Ciphers <span style="color:olive;">offered (NOT ok)</span>
High grade encryption <span style="color:green;font-weight:bold;">offered (OK)</span>
<span style="color:blue;font-weight:bold;">--&gt; Testing (perfect) forward secrecy, (P)FS</span> -- omitting 3DES, RC4 and Null Encryption here
<span style="color:green;"> PFS ciphers (OK): </span>ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-SEED-SHA DHE-RSA-CAMELLIA128-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-RC4-SHA
<span style="color:blue;font-weight:bold;">--&gt; Testing server preferences</span>
Has server cipher order? <span style="color:red;">nope (NOT ok)</span>
Negotiated protocol <span style="color:green;font-weight:bold;">TLSv1.2</span>
Negotiated cipher <span style="color:green;font-weight:bold;">ECDHE-RSA-AES256-GCM-SHA384</span>, <span style="color:green;">256 bit ECDH</span> (limited sense as client will pick)
Negotiated cipher per proto (limited sense as client will pick)(SPDY is a HTTP protocol and thus not tested here)
ECDHE-RSA-AES256-SHA: SSLv3, TLSv1, TLSv1.1
ECDHE-RSA-AES256-GCM-SHA384: TLSv1.2
No further cipher order check as order is determined by the client
<span style="color:blue;font-weight:bold;">--&gt; Testing server defaults (Server Hello)</span>
TLS timestamp: (not yet implemented for STARTTLS)
HTTP clock skew: not tested as we're not targeting HTTP
TLS server extensions renegotiation info, EC point formats, session ticket, heartbeat
Session Tickets RFC 5077 7200 seconds
Server key size 2048 bit
Signature Algorithm <span style="color:olive;">SHA1 with RSA</span>
Fingerprint / Serial SHA1 62D590B1F07257E21B08EB88D9295C0EF00F3EA2 / 01B8
SHA256 ED83D27364F556AEAAA066E4D35FB46E959C033C579E226D89A8850F9FDACB5C
Common Name (CN) <span style="text-decoration:underline;">eugeni.torproject.org</span> (matches certificate directly)
subjectAltName (SAN) --
Issuer <span style="text-decoration:underline;">auto-ca.torproject.org</span> (<span style="text-decoration:underline;">torproject.org</span>)
Certificate Expiration <span style="color:green;">&gt;= 60 days</span> (2015-03-10 20:00 --&gt; 2016-03-09 19:00 -0500)
# of certificates provided 2
Certificate Revocation List <span style="color:red;">--</span>
OCSP URI <span style="color:red;">--</span>
OCSP stapling not offered
<span style="color:blue;font-weight:bold;">--&gt; Testing vulnerabilities</span>
<span style="font-weight:bold;"> Heartbleed</span> (CVE-2014-0160) (not yet implemented for STARTTLS)
<span style="font-weight:bold;"> CCS</span> (CVE-2014-0224) (not yet implemented for STARTTLS)
<span style="font-weight:bold;"> Secure Renegotiation </span>(CVE 2009-3555) <span style="color:green;font-weight:bold;">not vulnerable (OK)</span>
<span style="font-weight:bold;"> Secure Client-Initiated Renegotiation </span><span style="color:green;">likely not vulnerable (OK)</span> (timed out)
<span style="font-weight:bold;"> CRIME, TLS </span>(CVE-2012-4929) <span style="color:olive;">VULNERABLE (NOT ok), but not using HTTP: probably no exploit known</span>
<span style="font-weight:bold;"> POODLE, SSL</span> (CVE-2014-3566) <span style="color:red;">VULNERABLE (NOT ok)</span>, uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)
<span style="font-weight:bold;"> TLS_FALLBACK_SCSV</span> (RFC 7507) <span style="color:olive;">Downgrade attack prevention NOT supported</span>
<span style="font-weight:bold;"> FREAK</span> (CVE-2015-0204), experimental <span style="color:red;font-weight:bold;">VULNERABLE (NOT ok)</span>, uses EXPORT RSA ciphers
<span style="font-weight:bold;"> LOGJAM</span> (CVE-2015-4000), experimental <span style="color:red;font-weight:bold;">VULNERABLE (NOT ok)</span>, uses DHE EXPORT ciphers
<span style="font-weight:bold;"> BEAST</span> (CVE-2011-3389) SSL3:<span style="color:olive;"> ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA
DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA EXP-DES-CBC-SHA EXP-RC2-CBC-MD5
EXP-RC2-CBC-MD5</span>
TLS1:<span style="color:olive;"> ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA
DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA EXP-DES-CBC-SHA EXP-RC2-CBC-MD5
EXP-RC2-CBC-MD5</span>
-- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2
<span style="font-weight:bold;"> RC4</span> (CVE-2013-2566, CVE-2015-2808) <span style="color:red;">VULNERABLE (NOT ok): </span><span style="color:red;">ECDHE-RSA-RC4-SHA </span><span style="color:red;">RC4-SHA </span><span style="color:red;">RC4-MD5 </span><span style="color:red;">RC4-MD5 </span><span style="color:red;">EXP-RC4-MD5 </span><span style="color:red;">EXP-RC4-MD5 </span>
<span style="color:blue;font-weight:bold;">--&gt; Testing all locally available 141 ciphers against the server</span>, ordered by encryption strength
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (RFC)
-----------------------------------------------------------------------------------------------------------------------
xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH <span style="color:green;">256 </span> AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
xc028 ECDHE-RSA-AES256-SHA384 ECDH <span style="color:green;">256 </span> AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
xc014 ECDHE-RSA-AES256-SHA ECDH <span style="color:green;">256 </span> AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
x9f DHE-RSA-AES256-GCM-SHA384 DH <span style="color:olive;">1024 </span> AESGCM 256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
x6b DHE-RSA-AES256-SHA256 DH <span style="color:olive;">1024 </span> AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
x39 DHE-RSA-AES256-SHA DH <span style="color:olive;">1024 </span> AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
x88 DHE-RSA-CAMELLIA256-SHA DH <span style="color:olive;">1024 </span> Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384
x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256
x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA
x84 CAMELLIA256-SHA RSA Camellia 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH <span style="color:green;">256 </span> AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
xc027 ECDHE-RSA-AES128-SHA256 ECDH <span style="color:green;">256 </span> AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
xc013 ECDHE-RSA-AES128-SHA ECDH <span style="color:green;">256 </span> AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
x9e DHE-RSA-AES128-GCM-SHA256 DH <span style="color:olive;">1024 </span> AESGCM 128 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
x67 DHE-RSA-AES128-SHA256 DH <span style="color:olive;">1024 </span> AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
x33 DHE-RSA-AES128-SHA DH <span style="color:olive;">1024 </span> AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
x9a DHE-RSA-SEED-SHA DH <span style="color:olive;">1024 </span> SEED 128 TLS_DHE_RSA_WITH_SEED_CBC_SHA
x45 DHE-RSA-CAMELLIA128-SHA DH <span style="color:olive;">1024 </span> Camellia 128 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256
x3c AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256
x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA
x96 SEED-SHA RSA SEED 128 TLS_RSA_WITH_SEED_CBC_SHA
x41 CAMELLIA128-SHA RSA Camellia 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
xc011 ECDHE-RSA-RC4-SHA ECDH <span style="color:green;">256 </span> RC4 128 TLS_ECDHE_RSA_WITH_RC4_128_SHA
x05 RC4-SHA RSA RC4 128 TLS_RSA_WITH_RC4_128_SHA
x04 RC4-MD5 RSA RC4 128 TLS_RSA_WITH_RC4_128_MD5
x010080 RC4-MD5 RSA RC4 128 SSL_CK_RC4_128_WITH_MD5
xc012 ECDHE-RSA-DES-CBC3-SHA ECDH <span style="color:green;">256 </span> 3DES 168 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
x16 EDH-RSA-DES-CBC3-SHA DH <span style="color:olive;">1024 </span> 3DES 168 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
x0a DES-CBC3-SHA RSA 3DES 168 TLS_RSA_WITH_3DES_EDE_CBC_SHA
x15 EDH-RSA-DES-CBC-SHA DH <span style="color:olive;">1024 </span> DES 56 TLS_DHE_RSA_WITH_DES_CBC_SHA
x09 DES-CBC-SHA RSA DES 56 TLS_RSA_WITH_DES_CBC_SHA
x14 EXP-EDH-RSA-DES-CBC-SHA DH(512) DES 40,export TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
x08 EXP-DES-CBC-SHA RSA(512) DES 40,export TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
x06 EXP-RC2-CBC-MD5 RSA(512) RC2 40,export TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
x040080 EXP-RC2-CBC-MD5 RSA(512) RC2 40,export SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
x03 EXP-RC4-MD5 RSA(512) RC4 40,export TLS_RSA_EXPORT_WITH_RC4_40_MD5
x020080 EXP-RC4-MD5 RSA(512) RC4 40,export SSL_CK_RC4_128_EXPORT40_WITH_MD5
<span style="color:gray;background-color:black;">Done now (2015-06-19 11:41) ---&gt; 38.229.72.13:25 (eugeni.torproject.org) &lt;---</span>
-------------------------------------------------------------------------------------------------------------------------
<span style="font-weight:bold;">Done testing now all MX records (on port 25): </span>eugeni.torproject.org
</pre>
</body>
</html>
Raw
out.txt
#########################################################
testssl.sh 2.5dev http://dev.testssl.sh
(59299ce 2015-06-17 11:33:29 -- 1.279)
This program is free software. Redistribution +
modification under GPLv2 is permitted.
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Note: you can only check the server with what is
available (ciphers/protocols) locally on your machine!
#########################################################
Using "OpenSSL 1.0.2a 19 Mar 2015" [~141 ciphers] on
adam-w530:/usr/bin/openssl
(built: "reproducible build, date unspecified", platform: "Cygwin-x86_64")
For now I am providing the config file in to have GOST support
Testing now all MX records (on port 25): eugeni.torproject.org
-------------------------------------------------------------------------------------------------------------------------
Testing now (2015-06-19 11:17) ---> 38.229.72.13:25 (eugeni.torproject.org) <---
rDNS (38.229.72.13): eugeni.torproject.org
Service set: STARTTLS via SMTP
--> Testing protocols (via native openssl)
SSLv2 not offered (OK)
SSLv3 offered (NOT ok)
TLS 1 offered
TLS 1.1 offered
TLS 1.2 offered (OK)
SPDY/NPN (SPDY is a HTTP protocol and thus not tested here)
--> Testing ~standard cipher lists
Null Ciphers not offered (OK)
Anonymous NULL Ciphers not offered (OK)
Anonymous DH Ciphers not offered (OK)
40 Bit encryption offered (NOT ok)
56 Bit encryption Local problem: No 56 Bit encryption configured in /usr/bin/openssl
Export Ciphers (general) offered (NOT ok)
Low (<=64 Bit) offered (NOT ok)
DES Ciphers offered (NOT ok)
Medium grade encryption offered (NOT ok)
Triple DES Ciphers offered (NOT ok)
High grade encryption offered (OK)
--> Testing (perfect) forward secrecy, (P)FS -- omitting 3DES, RC4 and Null Encryption here
PFS ciphers (OK): ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-SEED-SHA DHE-RSA-CAMELLIA128-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-RC4-SHA
--> Testing server preferences
Has server cipher order? nope (NOT ok)
Negotiated protocol TLSv1.2
Negotiated cipher ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (limited sense as client will pick)
Negotiated cipher per proto (limited sense as client will pick)(SPDY is a HTTP protocol and thus not tested here)
ECDHE-RSA-AES256-SHA: SSLv3, TLSv1, TLSv1.1
ECDHE-RSA-AES256-GCM-SHA384: TLSv1.2
No further cipher order check as order is determined by the client
--> Testing server defaults (Server Hello)
TLS timestamp: (not yet implemented for STARTTLS)
HTTP clock skew: not tested as we're not targeting HTTP
TLS server extensions renegotiation info, EC point formats, session ticket, heartbeat
Session Tickets RFC 5077 7200 seconds
Server key size 2048 bit
Signature Algorithm SHA1 with RSA
Fingerprint / Serial SHA1 62D590B1F07257E21B08EB88D9295C0EF00F3EA2 / 01B8
SHA256 ED83D27364F556AEAAA066E4D35FB46E959C033C579E226D89A8850F9FDACB5C
Common Name (CN) eugeni.torproject.org (matches certificate directly)
subjectAltName (SAN) --
Issuer auto-ca.torproject.org (torproject.org)
Certificate Expiration >= 60 days (2015-03-10 20:00 --> 2016-03-09 19:00 -0500)
# of certificates provided 2
Certificate Revocation List --
OCSP URI --
OCSP stapling not offered
--> Testing vulnerabilities
Heartbleed (CVE-2014-0160) (not yet implemented for STARTTLS)
CCS (CVE-2014-0224) (not yet implemented for STARTTLS)
Secure Renegotiation (CVE 2009-3555) not vulnerable (OK)
Secure Client-Initiated Renegotiation likely not vulnerable (OK) (timed out)
CRIME, TLS (CVE-2012-4929) VULNERABLE (NOT ok), but not using HTTP: probably no exploit known
POODLE, SSL (CVE-2014-3566) VULNERABLE (NOT ok), uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)
TLS_FALLBACK_SCSV (RFC 7507) Downgrade attack prevention NOT supported
FREAK (CVE-2015-0204), experimental VULNERABLE (NOT ok), uses EXPORT RSA ciphers
LOGJAM (CVE-2015-4000), experimental VULNERABLE (NOT ok), uses DHE EXPORT ciphers
BEAST (CVE-2011-3389) SSL3: ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA
DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA EXP-DES-CBC-SHA EXP-RC2-CBC-MD5
EXP-RC2-CBC-MD5
TLS1: ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA
DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA EXP-DES-CBC-SHA EXP-RC2-CBC-MD5
EXP-RC2-CBC-MD5
-- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2
RC4 (CVE-2013-2566, CVE-2015-2808) VULNERABLE (NOT ok): ECDHE-RSA-RC4-SHA RC4-SHA RC4-MD5 RC4-MD5 EXP-RC4-MD5 EXP-RC4-MD5
--> Testing all locally available 141 ciphers against the server, ordered by encryption strength
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (RFC)
-----------------------------------------------------------------------------------------------------------------------
xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
xc028 ECDHE-RSA-AES256-SHA384 ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
x9f DHE-RSA-AES256-GCM-SHA384 DH 1024 AESGCM 256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
x6b DHE-RSA-AES256-SHA256 DH 1024 AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
x39 DHE-RSA-AES256-SHA DH 1024 AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
x88 DHE-RSA-CAMELLIA256-SHA DH 1024 Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384
x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256
x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA
x84 CAMELLIA256-SHA RSA Camellia 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 256 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
xc027 ECDHE-RSA-AES128-SHA256 ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
x9e DHE-RSA-AES128-GCM-SHA256 DH 1024 AESGCM 128 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
x67 DHE-RSA-AES128-SHA256 DH 1024 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
x33 DHE-RSA-AES128-SHA DH 1024 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
x9a DHE-RSA-SEED-SHA DH 1024 SEED 128 TLS_DHE_RSA_WITH_SEED_CBC_SHA
x45 DHE-RSA-CAMELLIA128-SHA DH 1024 Camellia 128 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256
x3c AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256
x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA
x96 SEED-SHA RSA SEED 128 TLS_RSA_WITH_SEED_CBC_SHA
x41 CAMELLIA128-SHA RSA Camellia 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
xc011 ECDHE-RSA-RC4-SHA ECDH 256 RC4 128 TLS_ECDHE_RSA_WITH_RC4_128_SHA
x05 RC4-SHA RSA RC4 128 TLS_RSA_WITH_RC4_128_SHA
x04 RC4-MD5 RSA RC4 128 TLS_RSA_WITH_RC4_128_MD5
x010080 RC4-MD5 RSA RC4 128 SSL_CK_RC4_128_WITH_MD5
xc012 ECDHE-RSA-DES-CBC3-SHA ECDH 256 3DES 168 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
x16 EDH-RSA-DES-CBC3-SHA DH 1024 3DES 168 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
x0a DES-CBC3-SHA RSA 3DES 168 TLS_RSA_WITH_3DES_EDE_CBC_SHA
x15 EDH-RSA-DES-CBC-SHA DH 1024 DES 56 TLS_DHE_RSA_WITH_DES_CBC_SHA
x09 DES-CBC-SHA RSA DES 56 TLS_RSA_WITH_DES_CBC_SHA
x14 EXP-EDH-RSA-DES-CBC-SHA DH(512) DES 40,export TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
x08 EXP-DES-CBC-SHA RSA(512) DES 40,export TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
x06 EXP-RC2-CBC-MD5 RSA(512) RC2 40,export TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
x040080 EXP-RC2-CBC-MD5 RSA(512) RC2 40,export SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
x03 EXP-RC4-MD5 RSA(512) RC4 40,export TLS_RSA_EXPORT_WITH_RC4_40_MD5
x020080 EXP-RC4-MD5 RSA(512) RC4 40,export SSL_CK_RC4_128_EXPORT40_WITH_MD5
Done now (2015-06-19 11:29) ---> 38.229.72.13:25 (eugeni.torproject.org) <---
-------------------------------------------------------------------------------------------------------------------------
Done testing now all MX records (on port 25): eugeni.torproject.org
Raw
Tor-testssl.sh.md

Output of ./testssl.sh --mx torproject.org, in text format and HTML format.

Output of checktls.com sender test.

2015-06-19

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment