Created
March 12, 2022 00:04
-
-
Save sozercan/30d778dc81368467118d7aa1abe0faff to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rDNS (10.96.209.121): gatekeeper-webhook-service.gatekeeper-system.svc.cluster.local. | |
Service detected: HTTP | |
Testing protocols via sockets except NPN+ALPN | |
SSLv2 not offered (OK) | |
SSLv3 not offered (OK) | |
TLS 1 not offered | |
TLS 1.1 not offered | |
TLS 1.2 offered (OK) | |
TLS 1.3 offered (OK): final | |
NPN/SPDY not offered | |
ALPN/HTTP2 h2 (offered) | |
Testing cipher categories | |
NULL ciphers (no encryption) not offered (OK) | |
Anonymous NULL Ciphers (no authentication) not offered (OK) | |
Export ciphers (w/o ADH+NULL) not offered (OK) | |
LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) not offered (OK) | |
Triple DES Ciphers / IDEA offered | |
Obsoleted CBC ciphers (AES, ARIA etc.) offered | |
Strong encryption (AEAD ciphers) with no FS offered (OK) | |
Forward Secrecy strong encryption (AEAD ciphers) offered (OK) | |
Testing server's cipher preferences | |
Has server cipher order? yes (OK) -- only for < TLS 1.3 | |
Negotiated protocol TLSv1.3 | |
Negotiated cipher TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519) | |
Cipher per protocol | |
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC) | |
----------------------------------------------------------------------------------------------------------------------------- | |
SSLv2 | |
- | |
SSLv3 | |
- | |
TLSv1 | |
- | |
TLSv1.1 | |
- | |
TLSv1.2 (server order -- server prioritizes ChaCha ciphers when preferred by clients) | |
xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 521 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | |
xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 521 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | |
xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 521 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | |
xc013 ECDHE-RSA-AES128-SHA ECDH 521 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | |
xc014 ECDHE-RSA-AES256-SHA ECDH 521 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | |
x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256 | |
x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384 | |
x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA | |
x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA | |
xc012 ECDHE-RSA-DES-CBC3-SHA ECDH 521 3DES 168 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | |
x0a DES-CBC3-SHA RSA 3DES 168 TLS_RSA_WITH_3DES_EDE_CBC_SHA | |
TLSv1.3 (no server order, thus listed by strength) | |
x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384 | |
x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 | |
x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256 | |
Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4 | |
FS is offered (OK) TLS_AES_256_GCM_SHA384 | |
TLS_CHACHA20_POLY1305_SHA256 | |
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA | |
ECDHE-RSA-CHACHA20-POLY1305 | |
TLS_AES_128_GCM_SHA256 | |
ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA | |
Elliptic curves offered: prime256v1 secp384r1 secp521r1 X25519 | |
Testing server defaults (Server Hello) | |
TLS extensions (standard) "session ticket/#35" "renegotiation info/#65281" | |
"EC point formats/#11" "supported versions/#43" | |
"key share/#51" | |
"application layer protocol negotiation/#16" | |
Session Ticket RFC 5077 hint no -- no lifetime advertised | |
SSL Session ID support yes | |
Session Resumption Tickets no, ID: no | |
TLS clock skew Random values, no fingerprinting possible | |
Certificate Compression none | |
Client Authentication none | |
Signature Algorithm SHA256 with RSA | |
Server key size RSA 2048 bits (exponent is 65537) | |
Server key usage Digital Signature, Key Encipherment | |
Server extended key usage TLS Web Server Authentication | |
Serial 01 NOT ok: length should be >= 64 bits entropy (is: 1 bytes) | |
Fingerprints SHA1 552D5793A29F7B86837B38641E598F6127DA0407 | |
SHA256 5440656FD113C7478ED8DB374306E0991B3124A1B31C55671ECDB559C1310146 | |
Common Name (CN) gatekeeper-webhook-service.gatekeeper-system.svc | |
subjectAltName (SAN) gatekeeper-webhook-service.gatekeeper-system.svc | |
Trust (hostname) certificate does not match supplied URI | |
Chain of trust NOT ok (chain incomplete) | |
EV cert (experimental) no | |
Certificate Validity (UTC) 3649 >= 60 days (2022-03-11 19:19 --> 2032-03-08 20:19) | |
>= 10 years is way too long | |
ETS/"eTLS", visibility info not present | |
Certificate Revocation List -- | |
OCSP URI -- | |
NOT ok -- neither CRL nor OCSP URI provided | |
OCSP stapling not offered | |
OCSP must staple extension -- | |
DNS CAA RR (experimental) not offered | |
Certificate Transparency -- | |
Certificates provided 1 | |
Issuer gatekeeper-ca (gatekeeper) | |
Intermediate Bad OCSP (exp.) Ok | |
Testing HTTP header response @ "/" | |
HTTP Status Code 404 Not Found (Hint: supply a path which doesn't give a "404 Not Found") | |
HTTP clock skew 0 sec from localtime | |
Strict Transport Security not offered | |
Public Key Pinning -- | |
Server banner (no "Server" line in header, interesting!) | |
Application banner -- | |
Cookie(s) (none issued at "/") -- maybe better try target URL of 30x | |
Security headers X-Content-Type-Options: nosniff | |
Reverse Proxy banner -- | |
Testing vulnerabilities | |
Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension | |
CCS (CVE-2014-0224) not vulnerable (OK) | |
Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK) | |
ROBOT not vulnerable (OK) | |
Secure Renegotiation (RFC 5746) supported (OK) | |
Secure Client-Initiated Renegotiation not vulnerable (OK) | |
CRIME, TLS (CVE-2012-4929) not vulnerable (OK) | |
BREACH (CVE-2013-3587) no gzip/deflate/compress/br HTTP compression (OK) - only supplied "/" tested | |
POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support | |
TLS_FALLBACK_SCSV (RFC 7507) No fallback possible (OK), no protocol below TLS 1.2 offered | |
SWEET32 (CVE-2016-2183, CVE-2016-6329) VULNERABLE, uses 64 bit block ciphers | |
FREAK (CVE-2015-0204) not vulnerable (OK) | |
DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK) | |
make sure you don't use this certificate elsewhere with SSLv2 enabled services | |
https://censys.io/ipv4?q=5440656FD113C7478ED8DB374306E0991B3124A1B31C55671ECDB559C1310146 could help you to find out | |
LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2 | |
BEAST (CVE-2011-3389) not vulnerable (OK), no SSL3 or TLS1 | |
LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches | |
Winshock (CVE-2014-6321), experimental not vulnerable (OK) | |
RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK) | |
Running client simulations (HTTP) via sockets | |
Browser Protocol Cipher Suite Name (OpenSSL) Forward Secrecy | |
------------------------------------------------------------------------------------------------ | |
Android 4.4.2 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 521 bit ECDH (P-521) | |
Android 5.0.0 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 521 bit ECDH (P-521) | |
Android 6.0 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 256 bit ECDH (P-256) | |
Android 7.0 (native) TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 256 bit ECDH (P-256) | |
Android 8.1 (native) TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 253 bit ECDH (X25519) | |
Android 9.0 (native) TLSv1.3 TLS_AES_128_GCM_SHA256 253 bit ECDH (X25519) | |
Android 10.0 (native) TLSv1.3 TLS_AES_128_GCM_SHA256 253 bit ECDH (X25519) | |
Chrome 74 (Win 10) TLSv1.3 TLS_AES_128_GCM_SHA256 253 bit ECDH (X25519) | |
Chrome 79 (Win 10) TLSv1.3 TLS_AES_128_GCM_SHA256 253 bit ECDH (X25519) | |
Firefox 66 (Win 8.1/10) TLSv1.3 TLS_AES_128_GCM_SHA256 253 bit ECDH (X25519) | |
Firefox 71 (Win 10) TLSv1.3 TLS_AES_128_GCM_SHA256 253 bit ECDH (X25519) | |
IE 6 XP No connection | |
IE 8 Win 7 No connection | |
IE 8 XP No connection | |
IE 11 Win 7 TLSv1.2 ECDHE-RSA-AES128-SHA 256 bit ECDH (P-256) | |
IE 11 Win 8.1 TLSv1.2 ECDHE-RSA-AES128-SHA 256 bit ECDH (P-256) | |
IE 11 Win Phone 8.1 TLSv1.2 ECDHE-RSA-AES128-SHA 256 bit ECDH (P-256) | |
IE 11 Win 10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 256 bit ECDH (P-256) | |
Edge 15 Win 10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 253 bit ECDH (X25519) | |
Edge 17 (Win 10) TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 253 bit ECDH (X25519) | |
Opera 66 (Win 10) TLSv1.3 TLS_AES_128_GCM_SHA256 253 bit ECDH (X25519) | |
Safari 9 iOS 9 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 256 bit ECDH (P-256) | |
Safari 9 OS X 10.11 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 256 bit ECDH (P-256) | |
Safari 10 OS X 10.12 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 256 bit ECDH (P-256) | |
Safari 12.1 (iOS 12.2) TLSv1.3 TLS_CHACHA20_POLY1305_SHA256 253 bit ECDH (X25519) | |
Safari 13.0 (macOS 10.14.6) TLSv1.3 TLS_CHACHA20_POLY1305_SHA256 253 bit ECDH (X25519) | |
Apple ATS 9 iOS 9 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 256 bit ECDH (P-256) | |
Java 6u45 No connection | |
Java 7u25 No connection | |
Java 8u161 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 256 bit ECDH (P-256) | |
Java 11.0.2 (OpenJDK) TLSv1.3 TLS_AES_128_GCM_SHA256 256 bit ECDH (P-256) | |
Java 12.0.1 (OpenJDK) TLSv1.3 TLS_AES_128_GCM_SHA256 256 bit ECDH (P-256) | |
OpenSSL 1.0.2e TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 256 bit ECDH (P-256) | |
OpenSSL 1.1.0l (Debian) TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 253 bit ECDH (X25519) | |
OpenSSL 1.1.1d (Debian) TLSv1.3 TLS_AES_128_GCM_SHA256 253 bit ECDH (X25519) | |
Thunderbird (68.3) TLSv1.3 TLS_AES_128_GCM_SHA256 253 bit ECDH (X25519) | |
Rating (experimental) | |
Rating specs (not complete) SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30) | |
Specification documentation https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide | |
Protocol Support (weighted) 0 (0) | |
Key Exchange (weighted) 0 (0) | |
Cipher Strength (weighted) 0 (0) | |
Final Score 0 | |
Overall Grade T | |
Grade cap reasons Grade capped to T. Issues with the chain of trust (chain incomplete) | |
Grade capped to M. Domain name mismatch | |
Grade capped to A. HSTS is not offered |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment