You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
163 lines
15 KiB
163 lines
15 KiB
<?xml version="1.0" encoding="UTF-8" ?>
|
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|
|
<!-- This file was created with testssl.sh. https://testssl.sh -->
|
|
<html xmlns="http://www.w3.org/1999/xhtml">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="application/xml+xhtml; charset=UTF-8" />
|
|
<title>testssl.sh</title>
|
|
</head>
|
|
<body>
|
|
<pre>
|
|
<span style="font-weight:bold;">
|
|
###########################################################
|
|
testssl.sh 3.0 from </span><a href="https://testssl.sh/" style="font-weight:bold;color:black;text-decoration:none;">https://testssl.sh/</a>
|
|
<span style="font-weight:bold;">
|
|
This program is free software. Distribution and
|
|
modification under GPLv2 permitted.
|
|
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
|
|
|
|
Please file bugs @ </span><a href="https://testssl.sh/bugs/" style="font-weight:bold;color:black;text-decoration:none;">https://testssl.sh/bugs/</a>
|
|
<span style="font-weight:bold;">
|
|
###########################################################</span>
|
|
|
|
Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers]
|
|
on gandalf:/home/fuero/Appz/testssl.sh/bin/openssl.Linux.x86_64
|
|
(built: "Jan 18 17:12:17 2019", platform: "linux-x86_64")
|
|
|
|
|
|
<span style="color:white;background-color:black;"> Start 2020-02-19 18:01:26 -->> 85.126.106.144:25 (nihal.mag.eu) <<--</span>
|
|
|
|
rDNS (85.126.106.144): nihal.mag.eu.
|
|
Service set: STARTTLS via SMTP
|
|
|
|
<span style="text-decoration:underline;font-weight:bold;"> Testing protocols </span><u>via sockets </u>
|
|
|
|
<span style="font-weight:bold;"> SSLv2 </span><span style="color:lime;font-weight:bold;">not offered (OK)</span>
|
|
<span style="font-weight:bold;"> SSLv3 </span><span style="color:#cd0000;">offered (NOT ok)</span>
|
|
<span style="font-weight:bold;"> TLS 1 </span><span style="color:#cdcd00;font-weight:bold;">offered</span> (deprecated)
|
|
<span style="font-weight:bold;"> TLS 1.1 </span><span style="color:#cdcd00;font-weight:bold;">offered</span> (deprecated)
|
|
<span style="font-weight:bold;"> TLS 1.2 </span><span style="color:lime;font-weight:bold;">offered (OK)</span>
|
|
<span style="font-weight:bold;"> TLS 1.3 </span>not offered and downgraded to a weaker protocol
|
|
|
|
<span style="text-decoration:underline;font-weight:bold;"> Testing cipher categories </span>
|
|
|
|
<span style="font-weight:bold;"> NULL ciphers (no encryption) </span><span style="color:lime;font-weight:bold;">not offered (OK)</span>
|
|
<span style="font-weight:bold;"> Anonymous NULL Ciphers (no authentication) </span><span style="color:lime;font-weight:bold;">not offered (OK)</span>
|
|
<span style="font-weight:bold;"> Export ciphers (w/o ADH+NULL) </span><span style="color:lime;font-weight:bold;">not offered (OK)</span>
|
|
<span style="font-weight:bold;"> LOW: 64 Bit + DES, RC[2,4] (w/o export) </span><span style="color:#cd0000;">offered (NOT ok)</span>
|
|
<span style="font-weight:bold;"> Triple DES Ciphers / IDEA </span><span style="color:#cd8000;">offered</span>
|
|
<span style="font-weight:bold;"> Obsolete: SEED + 128+256 Bit CBC cipher </span><span style="color:#cdcd00;font-weight:bold;">offered</span>
|
|
<span style="font-weight:bold;"> Strong encryption (AEAD ciphers) </span><span style="color:lime;font-weight:bold;">offered (OK)</span>
|
|
|
|
|
|
<span style="text-decoration:underline;font-weight:bold;"> Testing robust (perfect) forward secrecy</span><u>, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4 </u>
|
|
|
|
<span style="color:#00cd00;"> PFS is offered (OK)</span> ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA
|
|
<span style="font-weight:bold;"> Elliptic curves offered: </span><span style="color:#00cd00;">prime256v1</span>
|
|
|
|
|
|
<span style="text-decoration:underline;font-weight:bold;"> Testing server preferences </span>
|
|
|
|
<span style="font-weight:bold;"> Has server cipher order? </span><span style="color:#cd0000;">no (NOT ok)</span>
|
|
<span style="font-weight:bold;"> Negotiated protocol </span><span style="color:lime;font-weight:bold;">TLSv1.2</span>
|
|
<span style="font-weight:bold;"> Negotiated cipher </span><span style="color:#00cd00;">AES128-GCM-SHA256</span><span style="color:#cd00cd;"> -- inconclusive test, matching cipher in list missing</span>, better see below
|
|
<span style="font-weight:bold;"> Negotiated cipher per proto</span> (matching cipher in list missing)
|
|
ECDHE-RSA-AES256-SHA: SSLv3, TLSv1, TLSv1.1
|
|
ECDHE-RSA-AES256-GCM-SHA384: TLSv1.2
|
|
No further cipher order check has been done as order is determined by the client
|
|
|
|
|
|
<span style="text-decoration:underline;font-weight:bold;"> Testing server defaults (Server Hello) </span>
|
|
|
|
<span style="font-weight:bold;"> TLS extensions (standard) </span>"renegotiation info/#65281" "EC point formats/#11" "session ticket/#35" "heartbeat/#15"
|
|
<span style="font-weight:bold;"> Session Ticket RFC 5077 hint </span>300 seconds, session tickets keys seems to be rotated < daily
|
|
<span style="font-weight:bold;"> SSL Session ID support </span>yes
|
|
<span style="font-weight:bold;"> Session Resumption </span>Tickets: yes, ID: yes
|
|
<span style="font-weight:bold;"> TLS clock skew</span> Random values, no fingerprinting possible
|
|
<span style="font-weight:bold;"> Signature Algorithm </span><span style="color:#00cd00;">SHA256 with RSA</span>
|
|
<span style="font-weight:bold;"> Server key size </span>RSA 2048 bits
|
|
<span style="font-weight:bold;"> Server key usage </span>Digital Signature, Key Encipherment
|
|
<span style="font-weight:bold;"> Server extended key usage </span>TLS Web Server Authentication, TLS Web Client Authentication
|
|
<span style="font-weight:bold;"> Serial / Fingerprints </span>94B98C3B5E188707B87E3226540AB8A8 / SHA1 971883B598B6A6D94BDC1965C728D406EE9F9DFF
|
|
SHA256 3F8F389AA515D67A96BE0CF2B1E4B796B6855C49F5AA22AEE7C97DDD1BFFF400
|
|
<span style="font-weight:bold;"> Common Name (CN) </span><i>nihal.mag.eu </i>
|
|
<span style="font-weight:bold;"> subjectAltName (SAN) </span><i>nihal.mag.eu www.nihal.mag.eu </i>
|
|
<span style="font-weight:bold;"> Issuer </span><i>Don Dominio / MrDomain RSA DV CA</i> (<i>Soluciones Corporativas IP, SL</i> from <i>ES</i>)
|
|
<span style="font-weight:bold;"> Trust (hostname) </span><span style="color:#00cd00;">Ok via SAN</span> (same w/o SNI)
|
|
<span style="font-weight:bold;"> Chain of trust</span> <span style="color:#00cd00;">Ok </span><span style="color:#cd00cd;"></span>
|
|
<span style="font-weight:bold;"> EV cert</span> (experimental) no
|
|
<span style="font-weight:bold;"> ETS/"eTLS"</span>, visibility info not present
|
|
<span style="font-weight:bold;"> Certificate Validity (UTC) </span><span style="color:#00cd00;">114 >= 60 days</span> (2018-06-13 02:00 --> 2020-06-13 01:59)
|
|
<span style="font-weight:bold;"> # of certificates provided</span> 4
|
|
<span style="font-weight:bold;"> Certificate Revocation List </span>http://crl.usertrust.com/DonDominioMrDomainRSADVCA.crl
|
|
<span style="font-weight:bold;"> OCSP URI </span>http://ocsp.usertrust.com
|
|
<span style="font-weight:bold;"> OCSP stapling </span><span style="color:#cdcd00;font-weight:bold;">not offered</span>
|
|
<span style="font-weight:bold;"> OCSP must staple extension </span>--
|
|
<span style="font-weight:bold;"> DNS CAA RR</span> (experimental) <span style="color:#cdcd00;font-weight:bold;">not offered</span>
|
|
<span style="font-weight:bold;"> Certificate Transparency </span><span style="color:#00cd00;">yes</span> (certificate extension)
|
|
|
|
|
|
<span style="text-decoration:underline;font-weight:bold;"> Testing vulnerabilities </span>
|
|
|
|
<span style="font-weight:bold;"> Heartbleed</span> (CVE-2014-0160) <span style="color:lime;font-weight:bold;">not vulnerable (OK)</span>, timed out
|
|
<span style="font-weight:bold;"> CCS</span> (CVE-2014-0224) <span style="color:lime;font-weight:bold;">not vulnerable (OK)</span>
|
|
<span style="font-weight:bold;"> ROBOT </span><span style="color:lime;font-weight:bold;">not vulnerable (OK)</span>
|
|
<span style="font-weight:bold;"> Secure Renegotiation (RFC 5746) </span><span style="color:lime;font-weight:bold;">supported (OK)</span>
|
|
<span style="font-weight:bold;"> Secure Client-Initiated Renegotiation </span><span style="color:#cd8000;">VULNERABLE (NOT ok)</span>, potential DoS threat
|
|
<span style="font-weight:bold;"> CRIME, TLS </span>(CVE-2012-4929) <span style="color:#00cd00;">not vulnerable (OK)</span> (not using HTTP anyway)
|
|
<span style="font-weight:bold;"> POODLE, SSL</span> (CVE-2014-3566) <span style="color:#cd0000;">VULNERABLE (NOT ok)</span>, uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)
|
|
<span style="font-weight:bold;"> TLS_FALLBACK_SCSV</span> (RFC 7507) <span style="color:#00cd00;">Downgrade attack prevention supported (OK)</span>
|
|
<span style="font-weight:bold;"> SWEET32</span> (CVE-2016-2183, CVE-2016-6329) <span style="color:#cdcd00;font-weight:bold;">VULNERABLE</span>, uses 64 bit block ciphers
|
|
<span style="font-weight:bold;"> FREAK</span> (CVE-2015-0204) <span style="color:lime;font-weight:bold;">not vulnerable (OK)</span>
|
|
<span style="font-weight:bold;"> DROWN</span> (CVE-2016-0800, CVE-2016-0703) <span style="color:lime;font-weight:bold;">not vulnerable on this host and port (OK)</span>
|
|
make sure you don't use this certificate elsewhere with SSLv2 enabled services
|
|
<a href="https://censys.io/ipv4?q=3F8F389AA515D67A96BE0CF2B1E4B796B6855C49F5AA22AEE7C97DDD1BFFF400" style="color:black;text-decoration:none;">https://censys.io/ipv4?q=3F8F389AA515D67A96BE0CF2B1E4B796B6855C49F5AA22AEE7C97DDD1BFFF400</a> could help you to find out
|
|
<span style="font-weight:bold;"> LOGJAM</span> (CVE-2015-4000), experimental <span style="color:#00cd00;">not vulnerable (OK):</span> no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
|
|
<span style="font-weight:bold;"> BEAST</span> (CVE-2011-3389) SSL3: <span style="color:#cdcd00;font-weight:bold;">ECDHE-RSA-AES256-SHA AES256-SHA ECDHE-RSA-AES128-SHA AES128-SHA DES-CBC3-SHA </span>
|
|
TLS1: <span style="color:#cdcd00;font-weight:bold;">ECDHE-RSA-AES256-SHA AES256-SHA ECDHE-RSA-AES128-SHA AES128-SHA DES-CBC3-SHA </span>
|
|
<span style="color:#cdcd00;font-weight:bold;">VULNERABLE</span> -- but also supports higher protocols TLSv1.1 TLSv1.2 (likely mitigated)
|
|
<span style="font-weight:bold;"> LUCKY13</span> (CVE-2013-0169), experimental potentially <span style="color:#cdcd00;font-weight:bold;">VULNERABLE</span>, uses cipher block chaining (CBC) ciphers with TLS. Check patches
|
|
<span style="font-weight:bold;"> RC4</span> (CVE-2013-2566, CVE-2015-2808) <span style="color:#cd0000;">VULNERABLE (NOT ok): </span><span style="color:#cd0000;">RC4-SHA </span>
|
|
|
|
|
|
<span style="text-decoration:underline;font-weight:bold;"> Testing 370 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength </span>
|
|
|
|
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC)
|
|
-----------------------------------------------------------------------------------------------------------------------------
|
|
xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH<span style="color:#00cd00;"> 256</span> AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
|
xc028 ECDHE-RSA-AES256-SHA384 ECDH<span style="color:#00cd00;"> 256</span> AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
|
|
xc014 ECDHE-RSA-AES256-SHA ECDH<span style="color:#00cd00;"> 256</span> AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|
|
x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384
|
|
x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256
|
|
x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA
|
|
xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH<span style="color:#00cd00;"> 256</span> AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
|
xc027 ECDHE-RSA-AES128-SHA256 ECDH<span style="color:#00cd00;"> 256</span> AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
|
|
xc013 ECDHE-RSA-AES128-SHA ECDH<span style="color:#00cd00;"> 256</span> AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
|
x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256
|
|
x3c AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256
|
|
x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA
|
|
x05 RC4-SHA RSA RC4 128 TLS_RSA_WITH_RC4_128_SHA
|
|
x0a DES-CBC3-SHA RSA 3DES 168 TLS_RSA_WITH_3DES_EDE_CBC_SHA
|
|
|
|
|
|
<span style="text-decoration:underline;font-weight:bold;"> Running client simulations </span><span style="text-decoration:underline;font-weight:bold;">via sockets </span>
|
|
|
|
Android 8.1 (native) TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, <span style="color:#00cd00;">256 bit ECDH (P-256)</span>
|
|
Android 9.0 (native) TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, <span style="color:#00cd00;">256 bit ECDH (P-256)</span>
|
|
Android 10.0 (native) TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, <span style="color:#00cd00;">256 bit ECDH (P-256)</span>
|
|
Java 6u45 TLSv1.0 RC4-SHA, No FS
|
|
Java 7u25 TLSv1.0 ECDHE-RSA-AES128-SHA, <span style="color:#00cd00;">256 bit ECDH (P-256)</span>
|
|
Java 8u161 TLSv1.2 ECDHE-RSA-AES256-SHA384, <span style="color:#00cd00;">256 bit ECDH (P-256)</span>
|
|
Java 11.0.2 (OpenJDK) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, <span style="color:#00cd00;">256 bit ECDH (P-256)</span>
|
|
Java 12.0.1 (OpenJDK) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, <span style="color:#00cd00;">256 bit ECDH (P-256)</span>
|
|
OpenSSL 1.0.2e TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, <span style="color:#00cd00;">256 bit ECDH (P-256)</span>
|
|
OpenSSL 1.1.0l (Debian) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, <span style="color:#00cd00;">256 bit ECDH (P-256)</span>
|
|
OpenSSL 1.1.1d (Debian) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, <span style="color:#00cd00;">256 bit ECDH (P-256)</span>
|
|
Thunderbird (68.3) TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, <span style="color:#00cd00;">256 bit ECDH (P-256)</span>
|
|
|
|
<span style="color:white;background-color:black;"> Done 2020-02-19 18:03:25 [ 124s] -->> 85.126.106.144:25 (nihal.mag.eu) <<--</span>
|
|
|
|
|
|
</pre>
|
|
</body>
|
|
</html>
|
|
|