Skip to content

Instantly share code, notes, and snippets.

@jpluimers

jpluimers/-

Created Aug 26, 2015
Embed
What would you like to do?
forums.embarcadero.com:563 NNTP over SSL is still very vulnerable
(B
###########################################################
testssl.sh 2.6rc2 from https://testssl.sh/dev/
(3d6e6a1 2015-08-26 20:06:53 -- 1.359)
This program is free software. Distribution and
modification under GPLv2 permitted.
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ https://testssl.sh/bugs/
###########################################################
Using "OpenSSL 1.0.2-chacha (1.0.2e-dev)" [~181 ciphers] on
retinambpro1tb.fritz.box:./bin/openssl.Darwin.x86_64
(built: "reproducible build, date unspecified", platform: "darwin64-x86_64-cc")
Testing now (2015-08-26 22:36) ---> 204.216.225.61:563 (forums.embarcadero.com) <---
rDNS (204.216.225.61): --
Service detected: NNTP, thus skipping HTTP specific checks
--> Testing protocols (via sockets except TLS 1.2 and SPDY/NPN)
 SSLv2 not offered (OK)
 SSLv3 offered (NOT ok)
 TLS 1 offered
 TLS 1.1 not offered
 TLS 1.2 not offered (NOT ok)
 SPDY/NPN not offered
--> Testing ~standard cipher lists
 Null Ciphers not offered (OK)
 Anonymous NULL Ciphers not offered (OK)
 Anonymous DH Ciphers not offered (OK)
 40 Bit encryption offered (NOT ok)
 56 Bit encryption not offered (OK)
 Export Ciphers (general) offered (NOT ok)
 Low (<=64 Bit) offered (NOT ok)
 DES Ciphers offered (NOT ok)
 Medium grade encryption offered (NOT ok)
 Triple DES Ciphers offered (NOT ok)
 High grade encryption offered (OK)
--> Testing (perfect) forward secrecy, (P)FS -- omitting 3DES, RC4 and Null Encryption here
 PFS is offered (OK) DHE-RSA-AES128-SHA
--> Testing server preferences
 Has server cipher order? nope (NOT ok)
 Negotiated protocol TLSv1
 Negotiated cipher DHE-RSA-AES128-SHA, 768 bit DH (limited sense as client will pick)
 Negotiated cipher per proto (limited sense as client will pick)
DHE-RSA-AES128-SHA: SSLv3, TLSv1
No further cipher order check as order is determined by the client
--> Testing server defaults (Server Hello)
 TLS server extensions renegotiation info
 Session Tickets RFC 5077 (none)
 Server key size 2048 bit
 Signature Algorithm SHA256 with RSA
 Fingerprint / Serial SHA1 3E220AA3CF04F7159B0E9AAF67932B2E41C23D82 / 119A7F27A37BEBF1
SHA256 CF64906E17B20DD33E171F1D26569B334C8C10479B2A6E10CD6EB0CD235AF883
 Common Name (CN) *.embarcadero.com (matches certificate directly)
 subjectAltName (SAN) (B*.embarcadero.com(B (Bembarcadero.com(B
 Issuer (BGo Daddy Secure Certificate Authority - G2(B ((BGoDaddy.com, Inc.(B from (BUS(B)
 EV cert (experimental) no
 Certificate Expiration >= 60 days (2015-03-17 19:32 --> 2018-10-12 01:08 +0200)
 # of certificates provided 4
 Certificate Revocation List http://crl.godaddy.com/gdig2s1-87.crl
 OCSP URI http://ocsp.godaddy.com/
 OCSP stapling  not offered
 TLS clock skew -1 sec from localtime
--> Testing vulnerabilities
 Heartbleed (CVE-2014-0160) not vulnerable (OK) (timed out)
 CCS (CVE-2014-0224) not vulnerable (OK)
 Secure Renegotiation (CVE 2009-3555) not vulnerable (OK)
 Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat
 CRIME, TLS (CVE-2012-4929) Local problem: ./bin/openssl.Darwin.x86_64 lacks zlib support
 POODLE, SSL (CVE-2014-3566) VULNERABLE (NOT ok), uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)
 TLS_FALLBACK_SCSV (RFC 7507) Downgrade attack prevention NOT supported
 FREAK (CVE-2015-0204), experimental VULNERABLE (NOT ok), uses EXPORT RSA ciphers
 LOGJAM (CVE-2015-4000), experimental VULNERABLE (NOT ok), uses DHE EXPORT ciphers
 BEAST (CVE-2011-3389) SSL3: EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA
EDH-RSA-DES-CBC-SHA DES-CBC-SHA EXP-EDH-RSA-DES-CBC-SHA
EXP-DES-CBC-SHA
TLS1: EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA
EDH-RSA-DES-CBC-SHA DES-CBC-SHA EXP-EDH-RSA-DES-CBC-SHA
EXP-DES-CBC-SHA
 RC4 (CVE-2013-2566, CVE-2015-2808) VULNERABLE (NOT ok): RC4-SHA RC4-MD5 RC4-MD5 EXP-RC4-MD5 EXP-RC4-MD5 
--> Testing all locally available 181 ciphers against the server, ordered by encryption strength
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (RFC)
-----------------------------------------------------------------------------------------------------------------------
x33 DHE-RSA-AES128-SHA DH 768  AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA
x05 RC4-SHA RSA RC4 128 TLS_RSA_WITH_RC4_128_SHA
x04 RC4-MD5 RSA RC4 128 TLS_RSA_WITH_RC4_128_MD5
x010080 RC4-MD5 RSA RC4 128 SSL_CK_RC4_128_WITH_MD5
x16 EDH-RSA-DES-CBC3-SHA DH 768  3DES 168 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
x0a DES-CBC3-SHA RSA 3DES 168 TLS_RSA_WITH_3DES_EDE_CBC_SHA
x15 EDH-RSA-DES-CBC-SHA DH 768  DES 56 TLS_DHE_RSA_WITH_DES_CBC_SHA
x09 DES-CBC-SHA RSA DES 56 TLS_RSA_WITH_DES_CBC_SHA
x14 EXP-EDH-RSA-DES-CBC-SHA DH(512) DES 40,export TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
x08 EXP-DES-CBC-SHA RSA(512) DES 40,export TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
x03 EXP-RC4-MD5 RSA(512) RC4 40,export TLS_RSA_EXPORT_WITH_RC4_40_MD5
x020080 EXP-RC4-MD5 RSA(512) RC4 40,export SSL_CK_RC4_128_EXPORT40_WITH_MD5
Done now (2015-08-26 22:39) ---> 204.216.225.61:563 (forums.embarcadero.com) <---
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.