Ticket #3629: mux_testssl.out

File mux_testssl.out, 11.2 KB (added by Tom Goddard, 5 years ago)

Server scan results after fix, using testssl.sh

[goddard@watson ~/testssl.sh]$ ./testssl.sh localhost:8443

###########################################################
 testssl.sh 3.1dev from https://testssl.sh/dev/
 (565c93e 2020-08-14 10:21:36 -- )

 This program is free software. Distribution and
 modification under GPLv2 permitted.
 USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

 Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers]
 on watson:./bin/openssl.Linux.x86_64
 (built: "Jan 18 17:12:17 2019", platform: "linux-x86_64")


 Start 2020-08-17 16:08:23 -->> 127.0.0.1:8443 (localhost) <<--

 rDNS (127.0.0.1): localhost.
 Service detected: certificate-based authentication => skipping all HTTP checks


 Testing protocols via sockets except NPN+ALPN

 SSLv2 not offered (OK)
 SSLv3 not offered (OK)
 TLS 1 not offered
 TLS 1.1 not offered
 TLS 1.2 offered (OK)
 TLS 1.3 not offered and downgraded to a weaker protocol
 NPN/SPDY not offered
 ALPN/HTTP2 not offered

 Testing cipher categories

 NULL ciphers (no encryption) not offered (OK)
 Anonymous NULL Ciphers (no authentication) not offered (OK)
 Export ciphers (w/o ADH+NULL) not offered (OK)
 LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) not offered (OK)
 Triple DES Ciphers / IDEA not offered
 Obsoleted CBC ciphers (AES, ARIA etc.) offered
 Strong encryption (AEAD ciphers) with no FS offered (OK)
 Forward Secrecy strong encryption (AEAD ciphers) offered (OK)


 Testing server's cipher preferences

 Has server cipher order? yes (OK)
 Negotiated protocol TLSv1.2
 Negotiated cipher ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Cipher per protocol

Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2
 -
SSLv3
 -
TLSv1
 -
TLSv1.1
 -
TLSv1.2 (server order)
 xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 xc028 ECDHE-RSA-AES256-SHA384 ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384
 x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256
 x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA
 x84 CAMELLIA256-SHA RSA Camellia 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
 xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 256 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 xc027 ECDHE-RSA-AES128-SHA256 ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256
 x3c AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256
 x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA
 x41 CAMELLIA128-SHA RSA Camellia 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLSv1.3
 -


 Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4

 FS is offered (OK) ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-GCM-SHA256
 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA
 Elliptic curves offered: secp256k1 prime256v1 secp384r1 secp521r1


 Testing server defaults (Server Hello)

 TLS extensions (standard) "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35" "heartbeat/#15"
 Session Ticket RFC 5077 hint no -- no lifetime advertised
 SSL Session ID support yes
 Session Resumption Tickets no, Client Auth: ID resumption test not supported
 TLS clock skew Random values, no fingerprinting possible
 Signature Algorithm SHA256 with RSA
 Server key size RSA 2048 bits (exponent is 65537)
 Server key usage --
 Server extended key usage --
 Serial / Fingerprints F4895DBB521021E3 / SHA1 4E9A9C0F2B7FDBB4DB88471CDD9FB94C42DF8D54
 SHA256 AEB418FB3CC0AC70CDFFD894686FED31926B4823CA8C0811C51B991554DA9087
 Common Name (CN) UCSF ChimeraX
 subjectAltName (SAN) missing -- no SAN is deprecated
 Issuer UCSF ChimeraX (UCSF from US)
 Trust (hostname) certificate does not match supplied URI (same w/o SNI)
 Chain of trust NOT ok (self signed)
 EV cert (experimental) no
 Bad OCSP intermediate (exp.) Ok
 ETS/"eTLS", visibility info not present
 Certificate Validity (UTC) 206 >= 60 days (2020-03-11 17:24 --> 2021-03-11 16:24)
 # of certificates provided 1
 Certificate Revocation List --
 OCSP URI --
 NOT ok -- neither CRL nor OCSP URI provided
 OCSP stapling not offered
 OCSP must staple extension --
 DNS CAA RR (experimental) not offered
 Certificate Transparency --


 Testing vulnerabilities

 Heartbleed (CVE-2014-0160) not vulnerable (OK), timed out
 CCS (CVE-2014-0224) not vulnerable (OK)
 Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK), no session tickets
 ROBOT not vulnerable (OK)
 Secure Renegotiation (RFC 5746) supported (OK)
 Secure Client-Initiated Renegotiation client x509-based authentication prevents this from being tested
 CRIME, TLS (CVE-2012-4929) not vulnerable (OK)
 BREACH (CVE-2013-3587) cannot be tested (server side requires x509 authentication)
First request failed (HTTP header request stalled and was terminated) POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support
 TLS_FALLBACK_SCSV (RFC 7507) No fallback possible (OK), no protocol below TLS 1.2 offered
 SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK)
 FREAK (CVE-2015-0204) not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK)
 make sure you don't use this certificate elsewhere with SSLv2 enabled services
 https://censys.io/ipv4?q=AEB418FB3CC0AC70CDFFD894686FED31926B4823CA8C0811C51B991554DA9087 could help you to find out
 LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
 BEAST (CVE-2011-3389) not vulnerable (OK), no SSL3 or TLS1
 LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
 RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK)

Could not determine the protocol, only simulating generic clients.

 Running client simulations via sockets

 Android 4.4.2 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Android 5.0.0 TLSv1.2 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Android 6.0 TLSv1.2 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Android 7.0 (native) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Android 8.1 (native) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Android 9.0 (native) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Android 10.0 (native) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Chrome 74 (Win 10) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Chrome 79 (Win 10) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Firefox 66 (Win 8.1/10) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Firefox 71 (Win 10) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 IE 6 XP No connection
 IE 8 Win 7 No connection
 IE 8 XP No connection
 IE 11 Win 7 TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256)
 IE 11 Win 8.1 TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256)
 IE 11 Win Phone 8.1 TLSv1.2 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 IE 11 Win 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Edge 15 Win 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Edge 17 (Win 10) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Opera 66 (Win 10) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Safari 9 iOS 9 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Safari 9 OS X 10.11 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Safari 10 OS X 10.12 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Safari 12.1 (iOS 12.2) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Safari 13.0 (macOS 10.14.6) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Apple ATS 9 iOS 9 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Java 6u45 No connection
 Java 7u25 No connection
 Java 8u161 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Java 11.0.2 (OpenJDK) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Java 12.0.1 (OpenJDK) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 OpenSSL 1.0.2e TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 OpenSSL 1.1.0l (Debian) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 OpenSSL 1.1.1d (Debian) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Thunderbird (68.3) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)


 Rating (experimental)

 Rating specs (not complete) SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)
 Specification documentation https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
 Protocol Support (weighted) 0 (0)
 Key Exchange (weighted) 0 (0)
 Cipher Strength (weighted) 0 (0)
 Final Score 0
 Overall Grade T
 Grade cap reasons Grade capped to T. Issues with the chain of trust (self signed)
 Grade capped to M. Domain name mismatch

 Done 2020-08-17 16:09:57 [ 100s] -->> 127.0.0.1:8443 (localhost) <<--


[goddard@watson ~/testssl.sh]$