Created
September 9, 2016 13:47
-
-
Save jpluimers/6d536c6ed8af20bcacb0d89077101f41 to your computer and use it in GitHub Desktop.
AHA of testssl.sh output
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[1m | |
########################################################### | |
testssl.sh 2.7dev from https://testssl.sh/dev/ | |
([1;30m16d161f 2016-05-27 15:52:23 -- 1.487[m[1m) | |
This program is free software. Distribution and | |
modification under GPLv2 permitted. | |
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! | |
Please file bugs @ https://testssl.sh/bugs/ | |
###########################################################[m | |
Using "OpenSSL 1.0.2-chacha (1.0.2i-dev)" [~183 ciphers] | |
on retinambpro1tb:./bin/openssl.Darwin.x86_64 | |
(built: "Sep 7 19:34:54 2016", platform: "darwin64-x86_64-cc") | |
[7m Start 2016-09-09 15:40:16 -->> 81.169.199.25:443 (testssl.sh) <<--[m | |
rDNS (81.169.199.25): testssl.sh. | |
Service detected: HTTP | |
[1m[4m Testing protocols [m[1m[4m(via sockets except TLS 1.2, SPDY+HTTP2) [m | |
[1m SSLv2 [m[1;32mnot offered (OK)[m | |
[m[1m SSLv3 [m[1;32mnot offered (OK)[m | |
[1m TLS 1 [moffered | |
[1m TLS 1.1 [moffered | |
[1m TLS 1.2 [m[1;32moffered (OK)[m | |
[1m SPDY/NPN [mh2, http/1.1 (advertised) | |
[1m HTTP2/ALPN [mh2, http/1.1 (offered) | |
[1m[4m Testing ~standard cipher lists [m | |
[1m Null Ciphers [m[1;32mnot offered (OK)[m | |
[1m Anonymous NULL Ciphers [m[1;32mnot offered (OK)[m | |
[1m Anonymous DH Ciphers [m[1;32mnot offered (OK)[m | |
[1m 40 Bit encryption [m[1;32mnot offered (OK)[m | |
[1m 56 Bit encryption [m[1;32mnot offered (OK)[m | |
[1m Export Ciphers (general) [m[1;32mnot offered (OK)[m | |
[1m Low (<=64 Bit) [m[1;32mnot offered (OK)[m | |
[1m DES Ciphers [m[1;32mnot offered (OK)[m | |
[1m Medium grade encryption [m[0;32mnot offered (OK)[m | |
[1m Triple DES Ciphers [mnot offered (OK) | |
[1m High grade encryption [m[1;32moffered (OK)[m | |
[1m[4m Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption as well as 3DES and RC4 here [m | |
[0;32m PFS is offered (OK)[m ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA ECDHE-RSA-AES128-SHA | |
[1m[4m Testing server preferences [m | |
[1m Has server cipher order? [m[1;32myes (OK)[m | |
[1m Negotiated protocol [m[1;32mTLSv1.2[m | |
[1m Negotiated cipher [m[1;32mECDHE-RSA-AES256-GCM-SHA384[m, [0;32m256 bit ECDH[m | |
[1m Cipher order[m | |
TLSv1: DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA | |
TLSv1.1: DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA | |
TLSv1.2: ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES256-SHA | |
h2: ECDHE-ECDSA-AES256-GCM-SHA384 | |
http/1.1: ECDHE-ECDSA-AES256-GCM-SHA384 | |
[1m[4m Testing server defaults (Server Hello) [m | |
[1m TLS extensions (standard) [m"server name/#0" "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35" "status request/#5" "heartbeat/#15" "next protocol/#13172" | |
[1m Session Tickets RFC 5077 [m300 seconds [1;33m(PFS requires session ticket keys to be rotated <= daily)[m | |
[1m SSL Session ID support [myes | |
[1m TLS clock skew[m random values, no fingerprinting possible | |
[1m Signature Algorithm [m[0;32mSHA256 with RSA[m | |
[1m Server key size [m[0;32m4096[m bits | |
[1m Fingerprint / Serial [mSHA1 04B271342358DA65561A7604D63CBDC340DD7ADD / 664152EE3E270CB2E35F6AAB2E381898 | |
SHA256 A82B73476774DDD484D14E98466C5E36C804BFD8F3C24D7BD60FD75AF3ECF707 | |
[1m Common Name (CN) [m"testssl.sh" (CN in response to request w/o SNI: "default.name") | |
[1m subjectAltName (SAN) [m"testssl.sh" "bugs.testssl.sh" "dev.testssl.sh" "borken.testssl.sh" "secure.testssl.sh" "www.testssl.sh" | |
[1m Issuer [m"StartCom Class 1 DV Server CA" ("StartCom Ltd." from "IL") | |
[1m EV cert[m (experimental) no | |
[1m Certificate Expiration [m[0;32m163 >= 60 days[m (2016-02-19 22:30 --> 2017-02-19 22:30 +0100) | |
[1m # of certificates provided[m 2 | |
[1m Chain of trust[m (experim.) [0;32mOk [m[0;35m[m | |
[1m Certificate Revocation List [mhttp://crl.startssl.com/sca-server1.crl | |
[1m OCSP URI [mhttp://ocsp.startssl.com | |
[1m OCSP stapling [m[0;32moffered[m | |
[1m[4m Testing HTTP header response @ "/" [m | |
[1m HTTP Status Code [m 200 OK | |
[1m HTTP clock skew [m0 sec from localtime | |
[1m Strict Transport Security [m[0;32m362 days[m=31337000 s[0;36m, just this domain[m | |
[1m Public Key Pinning [m# of keys: 2, [0;32m30 days[m=2592000 s[0;36m, just this domain[m | |
matching host key: [0;32m0SAMpcsNkPtjORdHdRDxho0NjSUJBgJGVPIFfieSEeA[m | |
[1m Server banner [mNever trust a banner | |
[1m Application banner [m[33m[1mX-Powered-By(B[m: A portion of humor | |
[1m Cookie(s) [m(none issued at "/") | |
[1m Security headers [m[0;32mX-FRAME-OPTIONS:[m DENY | |
[0;32mX-XSS-Protection:[m 1; mode=block | |
[0;32mX-Content-Type-Options:[m nosniff | |
[1m Reverse Proxy banner [m-- | |
[1m[4m Testing vulnerabilities [m | |
[1m Heartbleed[m (CVE-2014-0160) [1;32mnot vulnerable (OK)[m (timed out) | |
[1m CCS[m (CVE-2014-0224) [1;32mnot vulnerable (OK)[m | |
[1m Secure Renegotiation [m(CVE-2009-3555) [1;32mnot vulnerable (OK)[m | |
[1m Secure Client-Initiated Renegotiation [m[0;32mnot vulnerable (OK)[m | |
[1m CRIME, TLS [m(CVE-2012-4929) [0;32mnot vulnerable (OK)[m | |
[1m BREACH[m (CVE-2013-3587) [1;32mno HTTP compression (OK) [m - only supplied "/" tested | |
[1m POODLE, SSL[m (CVE-2014-3566) [1;32mnot vulnerable (OK)[m | |
[1m TLS_FALLBACK_SCSV[m (RFC 7507), experim. [0;32mDowngrade attack prevention supported (OK)[m | |
[1m FREAK[m (CVE-2015-0204) [1;32mnot vulnerable (OK)[m | |
[1m DROWN[m (2016-0800, CVE-2016-0703), exper. [1;32mnot vulnerable on this port (OK)[m | |
make sure you don't use this certificate elsewhere with SSLv2 enabled services | |
https://censys.io/ipv4?q=A82B73476774DDD484D14E98466C5E36C804BFD8F3C24D7BD60FD75AF3ECF707 could help you to find out | |
[1m LOGJAM[m (CVE-2015-4000), experimental [1;32mnot vulnerable (OK)[m, common primes not checked. See below for any DH ciphers + bit size | |
[1m BEAST[m (CVE-2011-3389) TLS1:[1;33m DHE-RSA-AES128-SHA AES256-SHA | |
DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA128-SHA DHE-RSA-CAMELLIA256-SHA | |
ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA[m | |
[1;33mVULNERABLE[m -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2 | |
[1m RC4[m (CVE-2013-2566, CVE-2015-2808) [0;32mno RC4 ciphers detected (OK)[m | |
[1m[4m Testing all 183 locally available ciphers against the server, ordered by encryption strength [m | |
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (RFC) | |
-------------------------------------------------------------------------------------------------------------------------- | |
xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH [0;32m256 [m AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | |
xc028 ECDHE-RSA-AES256-SHA384 ECDH [0;32m256 [m AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | |
xc014 ECDHE-RSA-AES256-SHA ECDH [0;32m256 [m AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | |
x9f DHE-RSA-AES256-GCM-SHA384 DH [0;32m2048 [m AESGCM 256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | |
x6b DHE-RSA-AES256-SHA256 DH [0;32m2048 [m AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | |
x39 DHE-RSA-AES256-SHA DH [0;32m2048 [m AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA | |
x88 DHE-RSA-CAMELLIA256-SHA DH [0;32m2048 [m Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA | |
x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384 | |
x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256 | |
x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA | |
xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH [0;32m256 [m AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | |
xc027 ECDHE-RSA-AES128-SHA256 ECDH [0;32m256 [m AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | |
xc013 ECDHE-RSA-AES128-SHA ECDH [0;32m256 [m AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | |
x9e DHE-RSA-AES128-GCM-SHA256 DH [0;32m2048 [m AESGCM 128 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | |
x67 DHE-RSA-AES128-SHA256 DH [0;32m2048 [m AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | |
x33 DHE-RSA-AES128-SHA DH [0;32m2048 [m AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA | |
x45 DHE-RSA-CAMELLIA128-SHA DH [0;32m2048 [m Camellia 128 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA | |
x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256 | |
[1m[4m Running browser simulations (experimental) [m | |
Android 2.3.7 No connection | |
Android 4.0.4 TLSv1 ECDHE-RSA-AES128-SHA | |
Android 4.1.1 TLSv1 ECDHE-RSA-AES256-SHA | |
Android 4.2.2 TLSv1 ECDHE-RSA-AES256-SHA | |
Android 4.3 TLSv1.0 ECDHE-RSA-AES256-SHA | |
Android 4.4.2 TLSv1.1 ECDHE-RSA-AES256-SHA | |
Android 5.0.0 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 | |
Baidu Jan 2015 TLSv1 DHE-RSA-CAMELLIA256-SHA | |
BingPreview Jan 2015 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 | |
Chrome 47 / OSX TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 | |
Firefox 31.3.0ESR / Win7 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 | |
Firefox 42 / OSX TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 | |
GoogleBot Feb 2015 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 | |
IE6 / XP No connection | |
IE7 / Vista TLSv1.0 ECDHE-RSA-AES256-SHA | |
IE8 / XP No connection | |
IE8-10 / Win7 TLSv1.0 ECDHE-RSA-AES256-SHA | |
IE11 / Win7 TLSv1.2 DHE-RSA-AES256-GCM-SHA384 | |
IE11 / Win8.1 TLSv1.2 DHE-RSA-AES256-GCM-SHA384 | |
IE10 / Win Phone 8.0 TLSv1.0 ECDHE-RSA-AES256-SHA | |
IE11 / Win Phone 8.1 TLSv1.2 ECDHE-RSA-AES256-SHA | |
IE11 / Win Phone 8.1 Update TLSv1.2 DHE-RSA-AES256-GCM-SHA384 | |
IE11 / Win10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 | |
Edge 13 / Win10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 | |
Edge 12 / Win Phone 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 | |
Java 6u45 No connection | |
Java 7u25 TLSv1 ECDHE-RSA-AES128-SHA | |
Java 8u31 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 | |
OpenSSL 0.9.8y TLSv1 DHE-RSA-AES256-SHA | |
OpenSSL 1.0.1l TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 | |
OpenSSL 1.0.2e TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 | |
Safari 5.1.9/ OSX 10.6.8 TLSv1 ECDHE-RSA-AES256-SHA | |
Safari 6 / iOS 6.0.1 TLSv1.2 ECDHE-RSA-AES256-SHA384 | |
Safari 6.0.4/ OS X 10.8.4 TLSv1 ECDHE-RSA-AES256-SHA | |
Safari 7 / iOS 7.1 TLSv1.2 ECDHE-RSA-AES256-SHA384 | |
Safari 7 / OS X 10.9 TLSv1.2 ECDHE-RSA-AES256-SHA384 | |
Safari 8 / iOS 8.4 TLSv1.2 ECDHE-RSA-AES256-SHA384 | |
Safari 8 / OS X 10.10 TLSv1.2 ECDHE-RSA-AES256-SHA384 | |
Safari 9 / iOS 9 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 | |
Safari 9 / OS X 10.11 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 | |
[7m Done 2016-09-09 15:45:36 -->> 81.169.199.25:443 (testssl.sh) <<--[m | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?xml version="1.0" encoding="UTF-8" ?> | |
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> | |
<!-- This file was created with the aha Ansi HTML Adapter. http://ziz.delphigl.com/tool_aha.php --> | |
<html xmlns="http://www.w3.org/1999/xhtml"> | |
<head> | |
<meta http-equiv="Content-Type" content="application/xml+xhtml; charset=UTF-8" /> | |
<title>/tmp/testssl.sh.ansi.txt</title> | |
</head> | |
<body> | |
<pre> | |
<span style="font-weight:bold;"> | |
########################################################### | |
testssl.sh 2.7dev from https://testssl.sh/dev/ | |
(</span><span style="color:dimgray;font-weight:bold;">16d161f 2016-05-27 15:52:23 -- 1.487</span><span style="font-weight:bold;">) | |
This program is free software. Distribution and | |
modification under GPLv2 permitted. | |
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! | |
Please file bugs @ https://testssl.sh/bugs/ | |
###########################################################</span> | |
Using "OpenSSL 1.0.2-chacha (1.0.2i-dev)" [~183 ciphers] | |
on retinambpro1tb:./bin/openssl.Darwin.x86_64 | |
(built: "Sep 7 19:34:54 2016", platform: "darwin64-x86_64-cc") | |
<span style="color:gray;background-color:black;"> Start 2016-09-09 15:40:16 -->> 81.169.199.25:443 (testssl.sh) <<--</span> | |
rDNS (81.169.199.25): testssl.sh. | |
Service detected: HTTP | |
<span style="font-weight:bold;"></span><span style="text-decoration:underline;font-weight:bold;"> Testing protocols </span><span style="font-weight:bold;"></span><span style="text-decoration:underline;font-weight:bold;">(via sockets except TLS 1.2, SPDY+HTTP2) </span> | |
<span style="font-weight:bold;"> SSLv2 </span><span style="color:green;font-weight:bold;">not offered (OK)</span> | |
<span style="font-weight:bold;"> SSLv3 </span><span style="color:green;font-weight:bold;">not offered (OK)</span> | |
<span style="font-weight:bold;"> TLS 1 </span>offered | |
<span style="font-weight:bold;"> TLS 1.1 </span>offered | |
<span style="font-weight:bold;"> TLS 1.2 </span><span style="color:green;font-weight:bold;">offered (OK)</span> | |
<span style="font-weight:bold;"> SPDY/NPN </span>h2, http/1.1 (advertised) | |
<span style="font-weight:bold;"> HTTP2/ALPN </span>h2, http/1.1 (offered) | |
<span style="font-weight:bold;"></span><span style="text-decoration:underline;font-weight:bold;"> Testing ~standard cipher lists </span> | |
<span style="font-weight:bold;"> Null Ciphers </span><span style="color:green;font-weight:bold;">not offered (OK)</span> | |
<span style="font-weight:bold;"> Anonymous NULL Ciphers </span><span style="color:green;font-weight:bold;">not offered (OK)</span> | |
<span style="font-weight:bold;"> Anonymous DH Ciphers </span><span style="color:green;font-weight:bold;">not offered (OK)</span> | |
<span style="font-weight:bold;"> 40 Bit encryption </span><span style="color:green;font-weight:bold;">not offered (OK)</span> | |
<span style="font-weight:bold;"> 56 Bit encryption </span><span style="color:green;font-weight:bold;">not offered (OK)</span> | |
<span style="font-weight:bold;"> Export Ciphers (general) </span><span style="color:green;font-weight:bold;">not offered (OK)</span> | |
<span style="font-weight:bold;"> Low (<=64 Bit) </span><span style="color:green;font-weight:bold;">not offered (OK)</span> | |
<span style="font-weight:bold;"> DES Ciphers </span><span style="color:green;font-weight:bold;">not offered (OK)</span> | |
<span style="font-weight:bold;"> Medium grade encryption </span><span style="color:green;">not offered (OK)</span> | |
<span style="font-weight:bold;"> Triple DES Ciphers </span>not offered (OK) | |
<span style="font-weight:bold;"> High grade encryption </span><span style="color:green;font-weight:bold;">offered (OK)</span> | |
<span style="font-weight:bold;"></span><span style="text-decoration:underline;font-weight:bold;"> Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption as well as 3DES and RC4 here </span> | |
<span style="color:green;"> PFS is offered (OK)</span> ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA ECDHE-RSA-AES128-SHA | |
<span style="font-weight:bold;"></span><span style="text-decoration:underline;font-weight:bold;"> Testing server preferences </span> | |
<span style="font-weight:bold;"> Has server cipher order? </span><span style="color:green;font-weight:bold;">yes (OK)</span> | |
<span style="font-weight:bold;"> Negotiated protocol </span><span style="color:green;font-weight:bold;">TLSv1.2</span> | |
<span style="font-weight:bold;"> Negotiated cipher </span><span style="color:green;font-weight:bold;">ECDHE-RSA-AES256-GCM-SHA384</span>, <span style="color:green;">256 bit ECDH</span> | |
<span style="font-weight:bold;"> Cipher order</span> | |
TLSv1: DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA | |
TLSv1.1: DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA | |
TLSv1.2: ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES256-SHA | |
h2: ECDHE-ECDSA-AES256-GCM-SHA384 | |
http/1.1: ECDHE-ECDSA-AES256-GCM-SHA384 | |
<span style="font-weight:bold;"></span><span style="text-decoration:underline;font-weight:bold;"> Testing server defaults (Server Hello) </span> | |
<span style="font-weight:bold;"> TLS extensions (standard) </span>"server name/#0" "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35" "status request/#5" "heartbeat/#15" "next protocol/#13172" | |
<span style="font-weight:bold;"> Session Tickets RFC 5077 </span>300 seconds <span style="color:olive;font-weight:bold;">(PFS requires session ticket keys to be rotated <= daily)</span> | |
<span style="font-weight:bold;"> SSL Session ID support </span>yes | |
<span style="font-weight:bold;"> TLS clock skew</span> random values, no fingerprinting possible | |
<span style="font-weight:bold;"> Signature Algorithm </span><span style="color:green;">SHA256 with RSA</span> | |
<span style="font-weight:bold;"> Server key size </span><span style="color:green;">4096</span> bits | |
<span style="font-weight:bold;"> Fingerprint / Serial </span>SHA1 04B271342358DA65561A7604D63CBDC340DD7ADD / 664152EE3E270CB2E35F6AAB2E381898 | |
SHA256 A82B73476774DDD484D14E98466C5E36C804BFD8F3C24D7BD60FD75AF3ECF707 | |
<span style="font-weight:bold;"> Common Name (CN) </span>"testssl.sh" (CN in response to request w/o SNI: "default.name") | |
<span style="font-weight:bold;"> subjectAltName (SAN) </span>"testssl.sh" "bugs.testssl.sh" "dev.testssl.sh" "borken.testssl.sh" "secure.testssl.sh" "www.testssl.sh" | |
<span style="font-weight:bold;"> Issuer </span>"StartCom Class 1 DV Server CA" ("StartCom Ltd." from "IL") | |
<span style="font-weight:bold;"> EV cert</span> (experimental) no | |
<span style="font-weight:bold;"> Certificate Expiration </span><span style="color:green;">163 >= 60 days</span> (2016-02-19 22:30 --> 2017-02-19 22:30 +0100) | |
<span style="font-weight:bold;"> # of certificates provided</span> 2 | |
<span style="font-weight:bold;"> Chain of trust</span> (experim.) <span style="color:green;">Ok </span><span style="color:purple;"></span> | |
<span style="font-weight:bold;"> Certificate Revocation List </span>http://crl.startssl.com/sca-server1.crl | |
<span style="font-weight:bold;"> OCSP URI </span>http://ocsp.startssl.com | |
<span style="font-weight:bold;"> OCSP stapling </span><span style="color:green;">offered</span> | |
<span style="font-weight:bold;"></span><span style="text-decoration:underline;font-weight:bold;"> Testing HTTP header response @ "/" </span> | |
<span style="font-weight:bold;"> HTTP Status Code </span> 200 OK | |
<span style="font-weight:bold;"> HTTP clock skew </span>0 sec from localtime | |
<span style="font-weight:bold;"> Strict Transport Security </span><span style="color:green;">362 days</span>=31337000 s<span style="color:teal;">, just this domain</span> | |
<span style="font-weight:bold;"> Public Key Pinning </span># of keys: 2, <span style="color:green;">30 days</span>=2592000 s<span style="color:teal;">, just this domain</span> | |
matching host key: <span style="color:green;">0SAMpcsNkPtjORdHdRDxho0NjSUJBgJGVPIFfieSEeA</span> | |
<span style="font-weight:bold;"> Server banner </span>Never trust a banner | |
<span style="font-weight:bold;"> Application banner </span><span style="color:olive;"></span><span style="color:olive;font-weight:bold;">X-Powered-By</span>: A portion of humor | |
<span style="font-weight:bold;"> Cookie(s) </span>(none issued at "/") | |
<span style="font-weight:bold;"> Security headers </span><span style="color:green;">X-FRAME-OPTIONS:</span> DENY | |
<span style="color:green;">X-XSS-Protection:</span> 1; mode=block | |
<span style="color:green;">X-Content-Type-Options:</span> nosniff | |
<span style="font-weight:bold;"> Reverse Proxy banner </span>-- | |
<span style="font-weight:bold;"></span><span style="text-decoration:underline;font-weight:bold;"> Testing vulnerabilities </span> | |
<span style="font-weight:bold;"> Heartbleed</span> (CVE-2014-0160) <span style="color:green;font-weight:bold;">not vulnerable (OK)</span> (timed out) | |
<span style="font-weight:bold;"> CCS</span> (CVE-2014-0224) <span style="color:green;font-weight:bold;">not vulnerable (OK)</span> | |
<span style="font-weight:bold;"> Secure Renegotiation </span>(CVE-2009-3555) <span style="color:green;font-weight:bold;">not vulnerable (OK)</span> | |
<span style="font-weight:bold;"> Secure Client-Initiated Renegotiation </span><span style="color:green;">not vulnerable (OK)</span> | |
<span style="font-weight:bold;"> CRIME, TLS </span>(CVE-2012-4929) <span style="color:green;">not vulnerable (OK)</span> | |
<span style="font-weight:bold;"> BREACH</span> (CVE-2013-3587) <span style="color:green;font-weight:bold;">no HTTP compression (OK) </span> - only supplied "/" tested | |
<span style="font-weight:bold;"> POODLE, SSL</span> (CVE-2014-3566) <span style="color:green;font-weight:bold;">not vulnerable (OK)</span> | |
<span style="font-weight:bold;"> TLS_FALLBACK_SCSV</span> (RFC 7507), experim. <span style="color:green;">Downgrade attack prevention supported (OK)</span> | |
<span style="font-weight:bold;"> FREAK</span> (CVE-2015-0204) <span style="color:green;font-weight:bold;">not vulnerable (OK)</span> | |
<span style="font-weight:bold;"> DROWN</span> (2016-0800, CVE-2016-0703), exper. <span style="color:green;font-weight:bold;">not vulnerable on this port (OK)</span> | |
make sure you don't use this certificate elsewhere with SSLv2 enabled services | |
https://censys.io/ipv4?q=A82B73476774DDD484D14E98466C5E36C804BFD8F3C24D7BD60FD75AF3ECF707 could help you to find out | |
<span style="font-weight:bold;"> LOGJAM</span> (CVE-2015-4000), experimental <span style="color:green;font-weight:bold;">not vulnerable (OK)</span>, common primes not checked. See below for any DH ciphers + bit size | |
<span style="font-weight:bold;"> BEAST</span> (CVE-2011-3389) TLS1:<span style="color:olive;font-weight:bold;"> DHE-RSA-AES128-SHA AES256-SHA | |
DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA128-SHA DHE-RSA-CAMELLIA256-SHA | |
ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA</span> | |
<span style="color:olive;font-weight:bold;">VULNERABLE</span> -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2 | |
<span style="font-weight:bold;"> RC4</span> (CVE-2013-2566, CVE-2015-2808) <span style="color:green;">no RC4 ciphers detected (OK)</span> | |
<span style="font-weight:bold;"></span><span style="text-decoration:underline;font-weight:bold;"> Testing all 183 locally available ciphers against the server, ordered by encryption strength </span> | |
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (RFC) | |
-------------------------------------------------------------------------------------------------------------------------- | |
xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH <span style="color:green;">256 </span> AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | |
xc028 ECDHE-RSA-AES256-SHA384 ECDH <span style="color:green;">256 </span> AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | |
xc014 ECDHE-RSA-AES256-SHA ECDH <span style="color:green;">256 </span> AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | |
x9f DHE-RSA-AES256-GCM-SHA384 DH <span style="color:green;">2048 </span> AESGCM 256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | |
x6b DHE-RSA-AES256-SHA256 DH <span style="color:green;">2048 </span> AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | |
x39 DHE-RSA-AES256-SHA DH <span style="color:green;">2048 </span> AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA | |
x88 DHE-RSA-CAMELLIA256-SHA DH <span style="color:green;">2048 </span> Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA | |
x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384 | |
x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256 | |
x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA | |
xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH <span style="color:green;">256 </span> AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | |
xc027 ECDHE-RSA-AES128-SHA256 ECDH <span style="color:green;">256 </span> AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | |
xc013 ECDHE-RSA-AES128-SHA ECDH <span style="color:green;">256 </span> AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | |
x9e DHE-RSA-AES128-GCM-SHA256 DH <span style="color:green;">2048 </span> AESGCM 128 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | |
x67 DHE-RSA-AES128-SHA256 DH <span style="color:green;">2048 </span> AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | |
x33 DHE-RSA-AES128-SHA DH <span style="color:green;">2048 </span> AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA | |
x45 DHE-RSA-CAMELLIA128-SHA DH <span style="color:green;">2048 </span> Camellia 128 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA | |
x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256 | |
<span style="font-weight:bold;"></span><span style="text-decoration:underline;font-weight:bold;"> Running browser simulations (experimental) </span> | |
Android 2.3.7 No connection | |
Android 4.0.4 TLSv1 ECDHE-RSA-AES128-SHA | |
Android 4.1.1 TLSv1 ECDHE-RSA-AES256-SHA | |
Android 4.2.2 TLSv1 ECDHE-RSA-AES256-SHA | |
Android 4.3 TLSv1.0 ECDHE-RSA-AES256-SHA | |
Android 4.4.2 TLSv1.1 ECDHE-RSA-AES256-SHA | |
Android 5.0.0 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 | |
Baidu Jan 2015 TLSv1 DHE-RSA-CAMELLIA256-SHA | |
BingPreview Jan 2015 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 | |
Chrome 47 / OSX TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 | |
Firefox 31.3.0ESR / Win7 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 | |
Firefox 42 / OSX TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 | |
GoogleBot Feb 2015 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 | |
IE6 / XP No connection | |
IE7 / Vista TLSv1.0 ECDHE-RSA-AES256-SHA | |
IE8 / XP No connection | |
IE8-10 / Win7 TLSv1.0 ECDHE-RSA-AES256-SHA | |
IE11 / Win7 TLSv1.2 DHE-RSA-AES256-GCM-SHA384 | |
IE11 / Win8.1 TLSv1.2 DHE-RSA-AES256-GCM-SHA384 | |
IE10 / Win Phone 8.0 TLSv1.0 ECDHE-RSA-AES256-SHA | |
IE11 / Win Phone 8.1 TLSv1.2 ECDHE-RSA-AES256-SHA | |
IE11 / Win Phone 8.1 Update TLSv1.2 DHE-RSA-AES256-GCM-SHA384 | |
IE11 / Win10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 | |
Edge 13 / Win10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 | |
Edge 12 / Win Phone 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 | |
Java 6u45 No connection | |
Java 7u25 TLSv1 ECDHE-RSA-AES128-SHA | |
Java 8u31 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 | |
OpenSSL 0.9.8y TLSv1 DHE-RSA-AES256-SHA | |
OpenSSL 1.0.1l TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 | |
OpenSSL 1.0.2e TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 | |
Safari 5.1.9/ OSX 10.6.8 TLSv1 ECDHE-RSA-AES256-SHA | |
Safari 6 / iOS 6.0.1 TLSv1.2 ECDHE-RSA-AES256-SHA384 | |
Safari 6.0.4/ OS X 10.8.4 TLSv1 ECDHE-RSA-AES256-SHA | |
Safari 7 / iOS 7.1 TLSv1.2 ECDHE-RSA-AES256-SHA384 | |
Safari 7 / OS X 10.9 TLSv1.2 ECDHE-RSA-AES256-SHA384 | |
Safari 8 / iOS 8.4 TLSv1.2 ECDHE-RSA-AES256-SHA384 | |
Safari 8 / OS X 10.10 TLSv1.2 ECDHE-RSA-AES256-SHA384 | |
Safari 9 / iOS 9 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 | |
Safari 9 / OS X 10.11 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 | |
<span style="color:gray;background-color:black;"> Done 2016-09-09 15:45:36 -->> 81.169.199.25:443 (testssl.sh) <<--</span> | |
</pre> | |
</body> | |
</html> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment