pbohman/istio-tls-proto-and-ciphers

## istio-tls-proto-and-ciphers
 Testing protocols via sockets except NPN+ALPN

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered
 TLS 1.1    offered
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): final
 NPN/SPDY   not offered
 ALPN/HTTP2 h2, http/1.1 (offered)

 Testing cipher categories

 NULL ciphers (no encryption)                  not offered (OK)
 Anonymous NULL Ciphers (no authentication)    not offered (OK)
 Export ciphers (w/o ADH+NULL)                 not offered (OK)
 LOW: 64 Bit + DES, RC[2,4] (w/o export)       not offered (OK)
 Triple DES Ciphers / IDEA                     not offered (OK)
 Average: SEED + 128+256 Bit CBC ciphers       offered
 Strong encryption (AEAD ciphers)              offered (OK)


 Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4

 PFS is offered (OK)          TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-CHACHA20-POLY1305 TLS_AES_128_GCM_SHA256
                              ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA
 Elliptic curves offered:     prime256v1 X25519


 Testing server preferences

 Has server cipher order?     yes (OK)
 Negotiated protocol          TLSv1.2
 Negotiated cipher            ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Cipher order
    TLSv1:     ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA AES256-SHA
    TLSv1.1:   ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA AES256-SHA
    TLSv1.2:   ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA


 Testing server defaults (Server Hello)

 TLS extensions (standard)    "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35" "extended master secret/#23" "application layer protocol negotiation/#16"
 Session Ticket RFC 5077 hint no -- no lifetime advertised
 SSL Session ID support       yes
 Session Resumption           Tickets no, ID resumption test failed
 TLS clock skew               0 sec from localtime
 Signature Algorithm          SHA256 with RSA
 Server key size              RSA 2048 bits
 Server key usage             Digital Signature, Key Encipherment
	Testing protocols via sockets except NPN+ALPN

	SSLv2 not offered (OK)
	SSLv3 not offered (OK)
	TLS 1 offered
	TLS 1.1 offered
	TLS 1.2 offered (OK)
	TLS 1.3 offered (OK): final
	NPN/SPDY not offered
	ALPN/HTTP2 h2, http/1.1 (offered)

	Testing cipher categories

	NULL ciphers (no encryption) not offered (OK)
	Anonymous NULL Ciphers (no authentication) not offered (OK)
	Export ciphers (w/o ADH+NULL) not offered (OK)
	LOW: 64 Bit + DES, RC[2,4] (w/o export) not offered (OK)
	Triple DES Ciphers / IDEA not offered (OK)
	Average: SEED + 128+256 Bit CBC ciphers offered
	Strong encryption (AEAD ciphers) offered (OK)


	Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4

	PFS is offered (OK) TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-CHACHA20-POLY1305 TLS_AES_128_GCM_SHA256
	ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA
	Elliptic curves offered: prime256v1 X25519


	Testing server preferences

	Has server cipher order? yes (OK)
	Negotiated protocol TLSv1.2
	Negotiated cipher ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
	Cipher order
	TLSv1: ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA AES256-SHA
	TLSv1.1: ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA AES256-SHA
	TLSv1.2: ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA


	Testing server defaults (Server Hello)

	TLS extensions (standard) "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35" "extended master secret/#23" "application layer protocol negotiation/#16"
	Session Ticket RFC 5077 hint no -- no lifetime advertised
	SSL Session ID support yes
	Session Resumption Tickets no, ID resumption test failed
	TLS clock skew 0 sec from localtime
	Signature Algorithm SHA256 with RSA
	Server key size RSA 2048 bits
	Server key usage Digital Signature, Key Encipherment