Ticket #3065: testssl-result.xhtml

File testssl-result.xhtml, 13.4 KB (added by Jay-C, 8 years ago)

Test results from testssl.sh. Redacted for privacy.

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><!-- This file was created with the aha Ansi HTML Adapter. http://ziz.delphigl.com/tool_aha.php -->
<html xmlns="http://www.w3.org/1999/xhtml">
 <head>
 <meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8" />
 <title>stdin</title>
 </head>
 <body>
 <pre><span style="font-weight:bold;">
###########################################################
 testssl.sh 2.8 from https://testssl.sh/
 (</span><span style="color:black;font-weight:bold;">1.582 2017/05/10 19:04:47</span><span
style="font-weight:bold;">)

 This program is free software. Distribution and
 modification under GPLv2 permitted.
 USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

 Please file bugs @ https://testssl.sh/bugs/

###########################################################</span>

 Using "OpenSSL 1.0.2-chacha (1.0.2i-dev)" [~183 ciphers]
 on &lt;snip&gt;:&lt;snip&gt;testssl.sh/bin/openssl.Linux.x86_64
 (built: "Jun 22 19:32:29 2016", platform: "linux-x86_64")


<span style="color:gray;background-color:black;"> Start 2017-06-23 07:33:40 --&gt;&gt; &lt;snip&gt; &lt;&lt;--</span>

 rDNS (&lt;snip&gt;): --
 Service detected: HTTP


<span style="font-weight:bold;"></span><span style="text-decoration:underline;font-weight:bold;"> Testing protocols </span><span
style="font-weight:bold;"></span><span style="text-decoration:underline;font-weight:bold;">(via sockets except TLS 1.2, SPDY+HTTP2) </span>

<span style="font-weight:bold;"> SSLv2 </span><span style="color:green;font-weight:bold;">not offered (OK)</span>
<span style="font-weight:bold;"> SSLv3 </span><span style="color:green;font-weight:bold;">not offered (OK)</span>
<span style="font-weight:bold;"> TLS 1 </span>offered
<span style="font-weight:bold;"> TLS 1.1 </span>offered
<span style="font-weight:bold;"> TLS 1.2 </span><span style="color:green;font-weight:bold;">offered (OK)</span>
<span style="font-weight:bold;"> Version tolerance </span><span style="color:green;font-weight:bold;">downgraded to TLSv1.2 (OK)</span>
<span style="font-weight:bold;"> SPDY/NPN </span>not offered
<span style="font-weight:bold;"> HTTP2/ALPN </span>not offered

<span style="font-weight:bold;"></span><span style="text-decoration:underline;font-weight:bold;"> Testing ~standard cipher lists </span>

<span style="font-weight:bold;"> Null Ciphers </span><span style="color:green;font-weight:bold;">not offered (OK)</span>
<span style="font-weight:bold;"> Anonymous NULL Ciphers </span><span style="color:green;font-weight:bold;">not offered (OK)</span>
<span style="font-weight:bold;"> Anonymous DH Ciphers </span><span style="color:green;font-weight:bold;">not offered (OK)</span>
<span style="font-weight:bold;"> 40 Bit encryption </span><span style="color:green;font-weight:bold;">not offered (OK)</span>
<span style="font-weight:bold;"> 56 Bit export ciphers </span><span style="color:green;font-weight:bold;">not offered (OK)</span>
<span style="font-weight:bold;"> Export Ciphers (general) </span><span style="color:green;font-weight:bold;">not offered (OK)</span>
<span style="font-weight:bold;"> Low (&lt;=64 Bit) </span><span style="color:red;font-weight:bold;">offered (NOT ok)</span>
<span style="font-weight:bold;"> DES Ciphers </span><span style="color:red;font-weight:bold;">offered (NOT ok)</span>
<span style="font-weight:bold;"> "Medium" grade encryption </span><span style="color:red;">offered (NOT ok)</span>
<span style="font-weight:bold;"> Triple DES Ciphers </span><span style="color:olive;">offered</span>
<span style="font-weight:bold;"> High grade encryption </span><span style="color:green;font-weight:bold;">offered (OK)</span>


<span style="font-weight:bold;"></span><span style="text-decoration:underline;font-weight:bold;"> Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4 </span>

<span style="color:olive;"> No ciphers supporting Forward Secrecy offered</span>


<span style="font-weight:bold;"></span><span style="text-decoration:underline;font-weight:bold;"> Testing server preferences </span>

<span style="font-weight:bold;"> Has server cipher order? </span><span style="color:red;">nope (NOT ok)</span>
<span style="font-weight:bold;"> Negotiated protocol </span><span style="color:green;font-weight:bold;">TLSv1.2</span>
<span style="font-weight:bold;"> Negotiated cipher </span><span style="color:green;font-weight:bold;">AES256-GCM-SHA384</span> (limited sense as client will pick)
<span style="font-weight:bold;"> Negotiated cipher per proto</span> (limited sense as client will pick)
 AES256-SHA: TLSv1, TLSv1.1
 AES256-GCM-SHA384: TLSv1.2
 No further cipher order check has been done as order is determined by the client


<span style="font-weight:bold;"></span><span style="text-decoration:underline;font-weight:bold;"> Testing HTTP header response @ "/" </span>

<span style="font-weight:bold;"> HTTP Status Code </span> 200 OK
<span style="font-weight:bold;"> HTTP clock skew </span>0 sec from localtime
<span style="font-weight:bold;"> Strict Transport Security </span>--
<span style="font-weight:bold;"> Public Key Pinning </span>--
<span style="font-weight:bold;"> Server banner </span>TwistedWeb/<span
style="color:olive;">1</span><span style="color:olive;">3</span>.<span style="color:olive;">2</span>.<span
style="color:olive;">0</span>
<span style="font-weight:bold;"> Application banner </span>--
<span style="font-weight:bold;"> Cookie(s) </span>(none issued at "/")
<span style="font-weight:bold;"> Security headers </span><span style="color:olive;">--</span>
<span style="font-weight:bold;"> Reverse Proxy banner </span>--


<span style="font-weight:bold;"></span><span style="text-decoration:underline;font-weight:bold;"> Testing vulnerabilities </span>

<span style="font-weight:bold;"> Heartbleed</span> (CVE-2014-0160) <span
style="color:green;font-weight:bold;">not vulnerable (OK)</span>, timed out
<span style="font-weight:bold;"> CCS</span> (CVE-2014-0224) <span
style="color:green;font-weight:bold;">not vulnerable (OK)</span>
<span style="font-weight:bold;"> Secure Renegotiation </span>(CVE-2009-3555) <span
style="color:green;font-weight:bold;">not vulnerable (OK)</span>
<span style="font-weight:bold;"> Secure Client-Initiated Renegotiation </span><span
style="color:red;">VULNERABLE (NOT ok)</span>, DoS threat
<span style="font-weight:bold;"> CRIME, TLS </span>(CVE-2012-4929) <span
style="color:green;">not vulnerable (OK)</span>
<span style="font-weight:bold;"> BREACH</span> (CVE-2013-3587) <span
style="color:green;font-weight:bold;">no HTTP compression (OK) </span> - only supplied "/" tested
<span style="font-weight:bold;"> POODLE, SSL</span> (CVE-2014-3566) <span
style="color:green;font-weight:bold;">not vulnerable (OK)</span>
<span style="font-weight:bold;"> TLS_FALLBACK_SCSV</span> (RFC 7507), <span
style="color:green;">Downgrade attack prevention supported (OK)</span>
<span style="font-weight:bold;"> FREAK</span> (CVE-2015-0204) <span
style="color:green;font-weight:bold;">not vulnerable (OK)</span>
<span style="font-weight:bold;"> DROWN</span> (2016-0800, CVE-2016-0703) <span
style="color:green;font-weight:bold;">not vulnerable on this port (OK)</span>
 make sure you don't use this certificate elsewhere with SSLv2 enabled services
<span style="font-weight:bold;"> LOGJAM</span> (CVE-2015-4000), experimental <span
style="color:green;font-weight:bold;">not vulnerable (OK)</span>, common primes not checked. See below for any DH ciphers + bit size
<span style="font-weight:bold;"> BEAST</span> (CVE-2011-3389) TLS1:<span
style="color:olive;font-weight:bold;"> DES-CBC-SHA DES-CBC3-SHA
 AES128-SHA AES256-SHA CAMELLIA128-SHA
 CAMELLIA256-SHA SEED-SHA</span>
 <span style="color:olive;font-weight:bold;">VULNERABLE</span> -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2
<span style="font-weight:bold;"> RC4</span> (CVE-2013-2566, CVE-2015-2808) <span
style="color:red;">VULNERABLE (NOT ok): </span><span style="color:red;">RC4-SHA </span><span
style="color:red;">RC4-MD5 </span>


<span style="font-weight:bold;"></span><span style="text-decoration:underline;font-weight:bold;"> Testing all 183 locally available ciphers against the server, ordered by encryption strength </span>

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.  Encryption Bits    Cipher Suite Name (RFC)
---------------------------------------------------------------------------------------------------------------------------
 x9d     AES256-GCM-SHA384                 RSA       AESGCM     256     TLS_RSA_WITH_AES_256_GCM_SHA384
 x3d     AES256-SHA256                     RSA       AES        256     TLS_RSA_WITH_AES_256_CBC_SHA256
 x35     AES256-SHA                        RSA       AES        256     TLS_RSA_WITH_AES_256_CBC_SHA
 x84     CAMELLIA256-SHA                   RSA       Camellia   256     TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
 x9c     AES128-GCM-SHA256                 RSA       AESGCM     128     TLS_RSA_WITH_AES_128_GCM_SHA256
 x3c     AES128-SHA256                     RSA       AES        128     TLS_RSA_WITH_AES_128_CBC_SHA256
 x2f     AES128-SHA                        RSA       AES        128     TLS_RSA_WITH_AES_128_CBC_SHA
 x96     SEED-SHA                          RSA       SEED       128     TLS_RSA_WITH_SEED_CBC_SHA
 x41     CAMELLIA128-SHA                   RSA       Camellia   128     TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
 x05     RC4-SHA                           RSA       RC4        128     TLS_RSA_WITH_RC4_128_SHA
 x04     RC4-MD5                           RSA       RC4        128     TLS_RSA_WITH_RC4_128_MD5
 x0a     DES-CBC3-SHA                      RSA       3DES       168     TLS_RSA_WITH_3DES_EDE_CBC_SHA
 x09     DES-CBC-SHA                       RSA       DES        56      TLS_RSA_WITH_DES_CBC_SHA


<span style="font-weight:bold;"></span><span style="text-decoration:underline;font-weight:bold;"> Running browser simulations via sockets (experimental) </span>

 Android 2.3.7                TLSv1.0  RC4-MD5
 Android 4.1.1                TLSv1.0  AES256-SHA
 Android 4.2.2                TLSv1.0  AES256-SHA
 Android 4.4.2                TLSv1.2  AES256-GCM-SHA384
 Android 5.0.0                TLSv1.2  AES256-SHA
 Android 6.0                  TLSv1.2  AES128-GCM-SHA256
 Android 7.0                  TLSv1.2  AES128-GCM-SHA256
 Baidu Jan 2015               TLSv1.0  CAMELLIA256-SHA
 BingPreview Jan 2015         TLSv1.2  AES256-GCM-SHA384
 Chrome 48 OS X               TLSv1.2  AES128-GCM-SHA256
 Chrome 51 Win 7              TLSv1.2  AES128-GCM-SHA256
 Edge 13 Win 10               TLSv1.2  AES256-GCM-SHA384
 Edge 13 Win Phone 10         TLSv1.2  AES256-GCM-SHA384
 Firefox 45 Win 7             TLSv1.2  AES128-SHA
 Firefox 49 Win 7             TLSv1.2  AES128-SHA
 Firefox 49 XP SP3            TLSv1.2  AES128-SHA
 Googlebot Feb 2015           TLSv1.2  AES128-GCM-SHA256
 IE 11 Win 10                 TLSv1.2  AES256-GCM-SHA384
 IE 11 Win 7                  TLSv1.2  AES256-GCM-SHA384
 IE 11 Win 8.1                TLSv1.2  AES256-GCM-SHA384
 IE 11 Win Phone 8.1          TLSv1.2  AES128-SHA256
 IE 11 Win Phone 8.1 Update   TLSv1.2  AES256-GCM-SHA384
 IE 6 XP                      No connection
 IE 7 Vista                   TLSv1.0  AES128-SHA
 IE 8 Win 7                   TLSv1.0  AES128-SHA
 IE 8 XP                      TLSv1.0  RC4-MD5
 Java 6u45                    TLSv1.0  RC4-MD5
 Java 7u25                    TLSv1.0  AES128-SHA
 Java 8b132                   TLSv1.2  AES128-SHA256
 OpenSSL 1.0.1l               TLSv1.2  AES256-GCM-SHA384
 OpenSSL 1.0.2e               TLSv1.2  AES256-GCM-SHA384
 Opera 17 Win 7               TLSv1.2  AES256-SHA
 Safari 5.1.9 OS X 10.6.8     TLSv1.0  AES128-SHA
 Safari 6.0.4 OS X 10.8.4     TLSv1.0  AES128-SHA
 Safari 7 OS X 10.9           TLSv1.2  AES256-SHA256
 Safari 8 OS X 10.10          TLSv1.2  AES256-SHA256
 Safari 9 iOS 9               TLSv1.2  AES256-GCM-SHA384
 Safari 9 OS X 10.11          TLSv1.2  AES256-GCM-SHA384
 Safari 10 OS X 10.12         TLSv1.2  AES256-GCM-SHA384
 Apple ATS 9 iOS 9            No connection
 Tor 17.0.9 Win 7             TLSv1.0  CAMELLIA256-SHA
 Yahoo Slurp Jan 2015         TLSv1.2  AES256-GCM-SHA384
 YandexBot Jan 2015           TLSv1.2  AES256-GCM-SHA384

<span style="color:gray;background-color:black;"> Done 2017-06-23 07:34:23 --&gt;&gt; &lt;snip&gt; &lt;&lt;--</span>


</pre>
 </body>
</html>