You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
152 lines
8.9 KiB
152 lines
8.9 KiB
> testssl.sh -t smtp nihal.mag.eu:25
|
|
|
|
###########################################################
|
|
testssl.sh 3.0 from https://testssl.sh/
|
|
|
|
This program is free software. Distribution and
|
|
modification under GPLv2 permitted.
|
|
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
|
|
|
|
Please file bugs @ https://testssl.sh/bugs/
|
|
|
|
###########################################################
|
|
|
|
Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers]
|
|
on gandalf:/home/fuero/Appz/testssl.sh/bin/openssl.Linux.x86_64
|
|
(built: "Jan 18 17:12:17 2019", platform: "linux-x86_64")
|
|
|
|
|
|
Start 2020-02-19 18:01:26 -->> 85.126.106.144:25 (nihal.mag.eu) <<--
|
|
|
|
rDNS (85.126.106.144): nihal.mag.eu.
|
|
Service set: STARTTLS via SMTP
|
|
|
|
Testing protocols via sockets
|
|
|
|
SSLv2 not offered (OK)
|
|
SSLv3 offered (NOT ok)
|
|
TLS 1 offered (deprecated)
|
|
TLS 1.1 offered (deprecated)
|
|
TLS 1.2 offered (OK)
|
|
TLS 1.3 not offered and downgraded to a weaker protocol
|
|
|
|
Testing cipher categories
|
|
|
|
NULL ciphers (no encryption) not offered (OK)
|
|
Anonymous NULL Ciphers (no authentication) not offered (OK)
|
|
Export ciphers (w/o ADH+NULL) not offered (OK)
|
|
LOW: 64 Bit + DES, RC[2,4] (w/o export) offered (NOT ok)
|
|
Triple DES Ciphers / IDEA offered
|
|
Obsolete: SEED + 128+256 Bit CBC cipher offered
|
|
Strong encryption (AEAD ciphers) offered (OK)
|
|
|
|
|
|
Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4
|
|
|
|
PFS is offered (OK) ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA
|
|
Elliptic curves offered: prime256v1
|
|
|
|
|
|
Testing server preferences
|
|
|
|
Has server cipher order? no (NOT ok)
|
|
Negotiated protocol TLSv1.2
|
|
Negotiated cipher AES128-GCM-SHA256 -- inconclusive test, matching cipher in list missing, better see below
|
|
Negotiated cipher per proto (matching cipher in list missing)
|
|
ECDHE-RSA-AES256-SHA: SSLv3, TLSv1, TLSv1.1
|
|
ECDHE-RSA-AES256-GCM-SHA384: TLSv1.2
|
|
No further cipher order check has been done as order is determined by the client
|
|
|
|
|
|
Testing server defaults (Server Hello)
|
|
|
|
TLS extensions (standard) "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35" "heartbeat/#15"
|
|
Session Ticket RFC 5077 hint 300 seconds, session tickets keys seems to be rotated < daily
|
|
SSL Session ID support yes
|
|
Session Resumption Tickets: yes, ID: yes
|
|
TLS clock skew Random values, no fingerprinting possible
|
|
Signature Algorithm SHA256 with RSA
|
|
Server key size RSA 2048 bits
|
|
Server key usage Digital Signature, Key Encipherment
|
|
Server extended key usage TLS Web Server Authentication, TLS Web Client Authentication
|
|
Serial / Fingerprints 94B98C3B5E188707B87E3226540AB8A8 / SHA1 971883B598B6A6D94BDC1965C728D406EE9F9DFF
|
|
SHA256 3F8F389AA515D67A96BE0CF2B1E4B796B6855C49F5AA22AEE7C97DDD1BFFF400
|
|
Common Name (CN) nihal.mag.eu
|
|
subjectAltName (SAN) nihal.mag.eu www.nihal.mag.eu
|
|
Issuer Don Dominio / MrDomain RSA DV CA (Soluciones Corporativas IP, SL from ES)
|
|
Trust (hostname) Ok via SAN (same w/o SNI)
|
|
Chain of trust Ok
|
|
EV cert (experimental) no
|
|
ETS/"eTLS", visibility info not present
|
|
Certificate Validity (UTC) 114 >= 60 days (2018-06-13 02:00 --> 2020-06-13 01:59)
|
|
# of certificates provided 4
|
|
Certificate Revocation List http://crl.usertrust.com/DonDominioMrDomainRSADVCA.crl
|
|
OCSP URI http://ocsp.usertrust.com
|
|
OCSP stapling not offered
|
|
OCSP must staple extension --
|
|
DNS CAA RR (experimental) not offered
|
|
Certificate Transparency yes (certificate extension)
|
|
|
|
|
|
Testing vulnerabilities
|
|
|
|
Heartbleed (CVE-2014-0160) not vulnerable (OK), timed out
|
|
CCS (CVE-2014-0224) not vulnerable (OK)
|
|
ROBOT not vulnerable (OK)
|
|
Secure Renegotiation (RFC 5746) supported (OK)
|
|
Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), potential DoS threat
|
|
CRIME, TLS (CVE-2012-4929) not vulnerable (OK) (not using HTTP anyway)
|
|
POODLE, SSL (CVE-2014-3566) VULNERABLE (NOT ok), uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)
|
|
TLS_FALLBACK_SCSV (RFC 7507) Downgrade attack prevention supported (OK)
|
|
SWEET32 (CVE-2016-2183, CVE-2016-6329) VULNERABLE, uses 64 bit block ciphers
|
|
FREAK (CVE-2015-0204) not vulnerable (OK)
|
|
DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK)
|
|
make sure you don't use this certificate elsewhere with SSLv2 enabled services
|
|
https://censys.io/ipv4?q=3F8F389AA515D67A96BE0CF2B1E4B796B6855C49F5AA22AEE7C97DDD1BFFF400 could help you to find out
|
|
LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
|
|
BEAST (CVE-2011-3389) SSL3: ECDHE-RSA-AES256-SHA AES256-SHA ECDHE-RSA-AES128-SHA AES128-SHA DES-CBC3-SHA
|
|
TLS1: ECDHE-RSA-AES256-SHA AES256-SHA ECDHE-RSA-AES128-SHA AES128-SHA DES-CBC3-SHA
|
|
VULNERABLE -- but also supports higher protocols TLSv1.1 TLSv1.2 (likely mitigated)
|
|
LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
|
|
RC4 (CVE-2013-2566, CVE-2015-2808) VULNERABLE (NOT ok): RC4-SHA
|
|
|
|
|
|
Testing 370 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength
|
|
|
|
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC)
|
|
-----------------------------------------------------------------------------------------------------------------------------
|
|
xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
|
xc028 ECDHE-RSA-AES256-SHA384 ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
|
|
xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|
|
x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384
|
|
x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256
|
|
x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA
|
|
xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 256 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
|
xc027 ECDHE-RSA-AES128-SHA256 ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
|
|
xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
|
x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256
|
|
x3c AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256
|
|
x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA
|
|
x05 RC4-SHA RSA RC4 128 TLS_RSA_WITH_RC4_128_SHA
|
|
x0a DES-CBC3-SHA RSA 3DES 168 TLS_RSA_WITH_3DES_EDE_CBC_SHA
|
|
|
|
|
|
Running client simulations via sockets
|
|
|
|
Android 8.1 (native) TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
|
|
Android 9.0 (native) TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
|
|
Android 10.0 (native) TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
|
|
Java 6u45 TLSv1.0 RC4-SHA, No FS
|
|
Java 7u25 TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
|
|
Java 8u161 TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256)
|
|
Java 11.0.2 (OpenJDK) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
|
|
Java 12.0.1 (OpenJDK) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
|
|
OpenSSL 1.0.2e TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
|
|
OpenSSL 1.1.0l (Debian) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
|
|
OpenSSL 1.1.1d (Debian) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
|
|
Thunderbird (68.3) TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
|
|
|
|
Done 2020-02-19 18:03:25 [ 124s] -->> 85.126.106.144:25 (nihal.mag.eu) <<--
|
|
|
|
|
|
|
|
|