diff --git a/data/bridge-info-stat.png b/data/bridge-info-stat.png index 6841e0d..b8ca195 100644 Binary files a/data/bridge-info-stat.png and b/data/bridge-info-stat.png differ diff --git a/data/bridge-recv-prog.gif b/data/bridge-recv-prog.gif index 835d40d..0376268 100644 Binary files a/data/bridge-recv-prog.gif and b/data/bridge-recv-prog.gif differ diff --git a/data/bridge-recv-stat.png b/data/bridge-recv-stat.png index 67e7775..6fe1b40 100644 Binary files a/data/bridge-recv-stat.png and b/data/bridge-recv-stat.png differ diff --git a/data/bridge-send-prog.gif b/data/bridge-send-prog.gif index 3ce824f..29a195a 100644 Binary files a/data/bridge-send-prog.gif and b/data/bridge-send-prog.gif differ diff --git a/data/bridge-send-stat.png b/data/bridge-send-stat.png index b9b3f98..20d6c07 100644 Binary files a/data/bridge-send-stat.png and b/data/bridge-send-stat.png differ diff --git a/data/brok-stat.png b/data/brok-stat.png deleted file mode 100644 index a688b2d..0000000 Binary files a/data/brok-stat.png and /dev/null differ diff --git a/data/cert-atla-26072024.png b/data/cert-atla-12112024.png similarity index 100% rename from data/cert-atla-26072024.png rename to data/cert-atla-12112024.png diff --git a/data/cert-mumb-26072024.png b/data/cert-mumb-12112024.png similarity index 100% rename from data/cert-mumb-26072024.png rename to data/cert-mumb-12112024.png diff --git a/data/prompt-recv-help.png b/data/prompt-recv-help.png deleted file mode 100644 index a3dc5ef..0000000 Binary files a/data/prompt-recv-help.png and /dev/null differ diff --git a/data/prompt-recv-prog.gif b/data/prompt-recv-prog.gif index cc4b617..e745abb 100644 Binary files a/data/prompt-recv-prog.gif and b/data/prompt-recv-prog.gif differ diff --git a/data/prompt-recv-stat.png b/data/prompt-recv-stat.png deleted file mode 100644 index c5a7841..0000000 Binary files a/data/prompt-recv-stat.png and /dev/null differ diff --git a/data/prompt-send-help.png b/data/prompt-send-help.png deleted file mode 100644 index 748ef78..0000000 Binary files a/data/prompt-send-help.png and /dev/null differ diff --git a/data/prompt-send-prog.gif b/data/prompt-send-prog.gif index 7a2c27e..56b44be 100644 Binary files a/data/prompt-send-prog.gif and b/data/prompt-send-prog.gif differ diff --git a/data/prompt-send-stat.png b/data/prompt-send-stat.png deleted file mode 100644 index 74bb1b7..0000000 Binary files a/data/prompt-send-stat.png and /dev/null differ diff --git a/data/test-atla-12112024.txt b/data/test-atla-12112024.txt new file mode 100644 index 0000000..6af78b5 --- /dev/null +++ b/data/test-atla-12112024.txt @@ -0,0 +1,211 @@ +########################################################### + testssl 3.2rc3 from https://testssl.sh/dev/ + + This program is free software. Distribution and + modification under GPLv2 permitted. + USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! + + Please file bugs @ https://testssl.sh/bugs/ + +########################################################### + + Using "OpenSSL 3.2.2 4 Jun 2024 (Library: OpenSSL 3.2.2 4 Jun 2024)" [~94 ciphers] + on fedohide-origin:/usr/bin/openssl + (built: "Sep 12 00:00:00 2024", platform: "linux-x86_64") + + + Start 2024-11-12 05:25:34 -->> ***.***.***.***:443 (expedite-atla.gridhead.net) <<-- + + rDNS (***.***.***.***): ***-***-***-***-host.colocrossing.com. + Service detected: HTTP + + + Testing protocols via sockets except NPN+ALPN + + SSLv2 not offered (OK) + SSLv3 not offered (OK) + TLS 1 not offered + TLS 1.1 not offered + TLS 1.2 offered (OK) + TLS 1.3 offered (OK): final + NPN/SPDY not offered + ALPN/HTTP2 h2, http/1.1 (offered) + + Testing cipher categories + + NULL ciphers (no encryption) not offered (OK) + Anonymous NULL Ciphers (no authentication) not offered (OK) + Export ciphers (w/o ADH+NULL) not offered (OK) + LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) not offered (OK) + Triple DES Ciphers / IDEA not offered + Obsoleted CBC ciphers (AES, ARIA etc.) offered + Strong encryption (AEAD ciphers) with no FS not offered + Forward Secrecy strong encryption (AEAD ciphers) offered (OK) + + + Testing server's cipher preferences + +Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC) +----------------------------------------------------------------------------------------------------------------------------- +SSLv2 + - +SSLv3 + - +TLSv1 + - +TLSv1.1 + - +TLSv1.2 (server order -- server prioritizes ChaCha ciphers when preferred by clients) + xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 + xc0ad ECDHE-ECDSA-AES256-CCM ECDH 253 AESCCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_CCM + xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + xc0ac ECDHE-ECDSA-AES128-CCM ECDH 253 AESCCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_CCM + xc023 ECDHE-ECDSA-AES128-SHA256 ECDH 253 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 + xc00a ECDHE-ECDSA-AES256-SHA ECDH 253 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA + xc009 ECDHE-ECDSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA +TLSv1.3 (server order -- server prioritizes ChaCha ciphers when preferred by clients) + x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384 + x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 + x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256 + x1304 TLS_AES_128_CCM_SHA256 ECDH 253 AESCCM 128 TLS_AES_128_CCM_SHA256 + + Has server cipher order? yes (OK) -- TLS 1.3 and below + + + Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4 + + FS is offered (OK) TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-CHACHA20-POLY1305 TLS_AES_128_GCM_SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 + ECDHE-ECDSA-AES128-SHA + Elliptic curves offered: prime256v1 secp384r1 secp521r1 X25519 X448 + Finite field group: ffdhe2048 ffdhe3072 ffdhe4096 ffdhe6144 ffdhe8192 + TLS 1.2 sig_algs offered: ECDSA+SHA256 ECDSA+SHA384 ECDSA+SHA512 ECDSA+SHA224 + TLS 1.3 sig_algs offered: ECDSA+SHA256 + + Testing server defaults (Server Hello) + + TLS extensions (standard) "renegotiation info/#65281" "server name/#0" "EC point formats/#11" "session ticket/#35" "supported versions/#43" "key share/#51" "max fragment length/#1" "application layer protocol negotiation/#16" "encrypt-then-mac/#22" "extended master secret/#23" + Session Ticket RFC 5077 hint 7200 seconds, session tickets keys seems to be rotated < daily + SSL Session ID support yes + Session Resumption Tickets: yes, ID: yes + TLS clock skew Random values, no fingerprinting possible + Certificate Compression none + Client Authentication none + Signature Algorithm ECDSA with SHA384 + Server key size EC 256 bits (curve P-256) + Server key usage Digital Signature + Server extended key usage TLS Web Server Authentication, TLS Web Client Authentication + Serial 032949A41F4938FAF4C1DBAA984F965F6380 (OK: length 18) + Fingerprints SHA1 7FA23560DDD26C28EF497C286F59F411C367F61F + SHA256 10772449545FC60A04A177BB84611F12BCB2FBA179B5675AEEC6DB23E2A2ECD9 + Common Name (CN) *.gridhead.net (CN in response to request w/o SNI: *.apexaltruism.net ) + subjectAltName (SAN) *.gridhead.net gridhead.net + Trust (hostname) Ok via SAN wildcard and CN wildcard (SNI mandatory) + Chain of trust basename: extra operand ‘/etc/pki/tls/fips_local.cnf’ +Try 'basename --help' for more information. +"/etc/pki/tls/*.pem" cannot be found / not readable + EV cert (experimental) no + Certificate Validity (UTC) 62 >= 30 days (2024-10-16 05:05 --> 2025-01-14 05:05) + ETS/"eTLS", visibility info not present + Certificate Revocation List -- + OCSP URI http://e5.o.lencr.org + OCSP stapling not offered + OCSP must staple extension -- + DNS CAA RR (experimental) not offered + Certificate Transparency yes (certificate extension) + Certificates provided 2 + Issuer E5 (Let's Encrypt from US) + Intermediate cert validity #1: ok > 40 days (2027-03-12 23:59). E5 <-- ISRG Root X1 + Intermediate Bad OCSP (exp.) Ok + + + Testing HTTP header response @ "/" + + HTTP Status Code 426 Upgrade Required. Oh, didn't expect "426 Upgrade Required" + HTTP clock skew -35 sec from localtime + Strict Transport Security not offered + Public Key Pinning -- + Server banner Python/3.12 websockets/12.0 + Application banner -- + Cookie(s) (none issued at "/") -- maybe better try target URL of 30x + Security headers Upgrade: websocket + Reverse Proxy banner -- + + + Testing vulnerabilities + + Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension + CCS (CVE-2014-0224) not vulnerable (OK) + Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK) + ROBOT Server does not support any cipher suites that use RSA key transport + Secure Renegotiation (RFC 5746) supported (OK) + Secure Client-Initiated Renegotiation not vulnerable (OK) + CRIME, TLS (CVE-2012-4929) not vulnerable (OK) + BREACH (CVE-2013-3587) no gzip/deflate/compress/br HTTP compression (OK) - only supplied "/" tested + POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support + TLS_FALLBACK_SCSV (RFC 7507) No fallback possible (OK), no protocol below TLS 1.2 offered + SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK) + FREAK (CVE-2015-0204) not vulnerable (OK) + DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK) + no RSA certificate, thus certificate can't be used with SSLv2 elsewhere + LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2 + BEAST (CVE-2011-3389) not vulnerable (OK), no SSL3 or TLS1 + LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches + Winshock (CVE-2014-6321), experimental not vulnerable (OK) + RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK) + + + Running client simulations (HTTP) via sockets + + Browser Protocol Cipher Suite Name (OpenSSL) Forward Secrecy +------------------------------------------------------------------------------------------------ + Android 6.0 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 256 bit ECDH (P-256) + Android 7.0 (native) TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 256 bit ECDH (P-256) + Android 8.1 (native) TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 253 bit ECDH (X25519) + Android 9.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Android 10.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Android 11 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Android 12 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Chrome 79 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Chrome 101 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Firefox 66 (Win 8.1/10) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Firefox 100 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + IE 6 XP No connection + IE 8 Win 7 No connection + IE 8 XP No connection + IE 11 Win 7 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 256 bit ECDH (P-256) + IE 11 Win 8.1 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 256 bit ECDH (P-256) + IE 11 Win Phone 8.1 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 256 bit ECDH (P-256) + IE 11 Win 10 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 256 bit ECDH (P-256) + Edge 15 Win 10 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 253 bit ECDH (X25519) + Edge 101 Win 10 21H2 TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Safari 12.1 (iOS 12.2) TLSv1.3 TLS_CHACHA20_POLY1305_SHA256 253 bit ECDH (X25519) + Safari 13.0 (macOS 10.14.6) TLSv1.3 TLS_CHACHA20_POLY1305_SHA256 253 bit ECDH (X25519) + Safari 15.4 (macOS 12.3.1) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Java 7u25 No connection + Java 8u161 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 256 bit ECDH (P-256) + Java 11.0.2 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 256 bit ECDH (P-256) + Java 17.0.3 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + go 1.17.8 TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + LibreSSL 2.8.3 (Apple) TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305 253 bit ECDH (X25519) + OpenSSL 1.0.2e TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 256 bit ECDH (P-256) + OpenSSL 1.1.0l (Debian) TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 253 bit ECDH (X25519) + OpenSSL 1.1.1d (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + OpenSSL 3.0.3 (git) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Apple Mail (16.0) TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 256 bit ECDH (P-256) + Thunderbird (91.9) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + + + Rating (experimental) + + Rating specs (not complete) SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30) + Specification documentation https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide + Protocol Support (weighted) 100 (30) + Key Exchange (weighted) 100 (30) + Cipher Strength (weighted) 90 (36) + Final Score 96 + Overall Grade A + Grade cap reasons Grade capped to A. HSTS is not offered + + Done 2024-11-12 05:28:32 [ 182s] -->> ***.***.***.***:443 (expedite-atla.gridhead.net) <<-- + \ No newline at end of file diff --git a/data/test-atla-26072024.txt b/data/test-atla-26072024.txt deleted file mode 100644 index 79229f7..0000000 --- a/data/test-atla-26072024.txt +++ /dev/null @@ -1,181 +0,0 @@ -##################################################################### - testssl.sh version 3.0.9 from https://testssl.sh/ - - This program is free software. Distribution and modification under - GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! - - Please file bugs @ https://testssl.sh/bugs/ - -##################################################################### - - Using bash 5.2.26. OpenSSL 1.0.2-bad (1.0.2k-dev) [~179 ciphers] - on archdesk:./bin/openssl.Linux.x86_64 - (built: Sep 1 14:03:44 2022, platform: linux-x86_64) - - Start 2024-07-26 09:50:59 -->> ***.***.***.***:443 (expedite-atla.apexaltruism.net) <<-- - - rDNS (***.***.***.***): ***-***-***-***-host.colocrossing.com. - Service detected: HTTP - - - Testing protocols via sockets except NPN+ALPN - - SSLv2 not offered (OK) - SSLv3 not offered (OK) - TLS 1 not offered - TLS 1.1 not offered - TLS 1.2 offered (OK) - TLS 1.3 offered (OK): final - NPN/SPDY not offered - ALPN/HTTP2 h2, http/1.1 (offered) - - Testing cipher categories - - NULL ciphers (no encryption) not offered (OK) - Anonymous NULL Ciphers (no authentication) not offered (OK) - Export ciphers (w/o ADH+NULL) not offered (OK) - LOW: 64 Bit + DES, RC[2,4] (w/o export) not offered (OK) - Triple DES Ciphers / IDEA not offered - Obsolete CBC ciphers (AES, ARIA etc.) offered - Strong encryption (AEAD ciphers) offered (OK) - - - Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4 - - PFS is offered (OK) TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-CHACHA20-POLY1305 TLS_AES_128_GCM_SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - Elliptic curves offered: prime256v1 secp384r1 secp521r1 X25519 X448 - Finite field group: ffdhe2048 ffdhe3072 ffdhe4096 ffdhe6144 ffdhe8192 - - Testing server preferences - - Has server cipher order? yes (OK) -- TLS 1.3 and below - Negotiated protocol TLSv1.3 - Negotiated cipher TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) - Cipher order - TLSv1.2: ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA - TLSv1.3: TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 - - - Testing server defaults (Server Hello) - - TLS extensions (standard) "renegotiation info/#65281" "server name/#0" "EC point formats/#11" "session ticket/#35" "supported versions/#43" "key share/#51" "supported_groups/#10" "max fragment length/#1" "application layer protocol negotiation/#16" - "encrypt-then-mac/#22" "extended master secret/#23" - Session Ticket RFC 5077 hint 7200 seconds, session tickets keys seems to be rotated < daily - SSL Session ID support yes - Session Resumption Tickets: yes, ID: yes - TLS clock skew Random values, no fingerprinting possible - Signature Algorithm ECDSA with SHA384 - Server key size EC 256 bits - Server key usage Digital Signature - Server extended key usage TLS Web Server Authentication, TLS Web Client Authentication - Serial 03E4F5F4193B80C23260316A3DAD48FEB7C2 (OK: length 18) - Fingerprints SHA1 C586B26696875DF4194D3888AC43F7098FD3A247 - SHA256 27466B5CC0E6909FF9EB05601432F275A5F6F5594B834DC30AFFBACBF798855E - Common Name (CN) *.apexaltruism.net - subjectAltName (SAN) *.apexaltruism.net apexaltruism.net - Issuer E6 (Let's Encrypt from US) - Trust (hostname) Ok via SAN wildcard (same w/o SNI) - Chain of trust Ok - EV cert (experimental) no - ETS/"eTLS", visibility info not present - Certificate Validity (UTC) 89 >= 30 days (2024-07-25 14:57 --> 2024-10-23 14:57) - # of certificates provided 2 - Certificate Revocation List -- - OCSP URI http://e6.o.lencr.org - OCSP stapling not offered - OCSP must staple extension -- - DNS CAA RR (experimental) not offered - Certificate Transparency yes (certificate extension) - - - Testing HTTP header response @ "/" - - HTTP Status Code 426 Upgrade Required. Oh, didn't expect "426 Upgrade Required" - HTTP clock skew -12 sec from localtime - Strict Transport Security not offered - Public Key Pinning -- - Server banner Python/3.12 websockets/12.0 - Application banner -- - Cookie(s) (none issued at "/") -- maybe better try target URL of 30x - Security headers Upgrade: websocket - Reverse Proxy banner -- - - - Testing vulnerabilities - - Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension - CCS (CVE-2014-0224) not vulnerable (OK) - Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK) - ROBOT Server does not support any cipher suites that use RSA key transport - Secure Renegotiation (RFC 5746) supported (OK) - Secure Client-Initiated Renegotiation not vulnerable (OK) - CRIME, TLS (CVE-2012-4929) not vulnerable (OK) - BREACH (CVE-2013-3587) no HTTP compression (OK) - only supplied "/" tested - POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support - TLS_FALLBACK_SCSV (RFC 7507) No fallback possible (OK), no protocol below TLS 1.2 offered - SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK) - FREAK (CVE-2015-0204) not vulnerable (OK) - DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK) - no RSA certificate, thus certificate can't be used with SSLv2 elsewhere - LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2 - BEAST (CVE-2011-3389) not vulnerable (OK), no SSL3 or TLS1 - LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches - RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK) - - - Testing 370 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength - -Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC) ------------------------------------------------------------------------------------------------------------------------------ - x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384 - x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 - xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - xc024 ECDHE-ECDSA-AES256-SHA384 ECDH 256 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 - xc00a ECDHE-ECDSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256 - xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH 256 AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - xc023 ECDHE-ECDSA-AES128-SHA256 ECDH 256 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 - xc009 ECDHE-ECDSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - - - Running client simulations (HTTP) via sockets - - Android 6.0 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256) - Android 7.0 (native) TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) - Android 8.1 (native) TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 253 bit ECDH (X25519) - Android 9.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) - Android 10.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) - Android 11 (native) TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) - Android 12 (native) TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) - Chrome 79 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) - Chrome 101 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) - Firefox 66 (Win 8.1/10) TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) - Firefox 100 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) - IE 6 XP No connection - IE 8 Win 7 No connection - IE 8 XP No connection - IE 11 Win 7 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) - IE 11 Win 8.1 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) - IE 11 Win Phone 8.1 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) - IE 11 Win 10 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) - Edge 15 Win 10 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 253 bit ECDH (X25519) - Edge 101 Win 10 21H2 TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) - Safari 12.1 (iOS 12.2) TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 253 bit ECDH (X25519) - Safari 13.0 (macOS 10.14.6) TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 253 bit ECDH (X25519) - Safari 15.4 (macOS 12.3.1) TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) - Java 7u25 No connection - Java 8u161 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) - Java 11.0.2 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit ECDH (P-256) - Java 17.0.3 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) - go 1.17.8 TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) - LibreSSL 2.8.3 (Apple) TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305, 253 bit ECDH (X25519) - OpenSSL 1.0.2e TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) - OpenSSL 1.1.0l (Debian) TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 253 bit ECDH (X25519) - OpenSSL 1.1.1d (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) - OpenSSL 3.0.3 (git) TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) - Apple Mail (16.0) TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) - Thunderbird (91.9) TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) - - Done 2024-07-26 09:55:57 [ 332s] -->> ***.***.***.***:443 (expedite-atla.apexaltruism.net) <<-- diff --git a/data/test-mumb-12112024.txt b/data/test-mumb-12112024.txt new file mode 100644 index 0000000..5d9becb --- /dev/null +++ b/data/test-mumb-12112024.txt @@ -0,0 +1,211 @@ +########################################################### + testssl 3.2rc3 from https://testssl.sh/dev/ + + This program is free software. Distribution and + modification under GPLv2 permitted. + USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! + + Please file bugs @ https://testssl.sh/bugs/ + +########################################################### + + Using "OpenSSL 3.2.2 4 Jun 2024 (Library: OpenSSL 3.2.2 4 Jun 2024)" [~94 ciphers] + on fedohide-origin:/usr/bin/openssl + (built: "Sep 12 00:00:00 2024", platform: "linux-x86_64") + + + Start 2024-11-12 05:22:18 -->> ***.***.***.***:443 (expedite-mumb.gridhead.net) <<-- + + rDNS (***.***.***.***): -- + Service detected: HTTP + + + Testing protocols via sockets except NPN+ALPN + + SSLv2 not offered (OK) + SSLv3 not offered (OK) + TLS 1 not offered + TLS 1.1 not offered + TLS 1.2 offered (OK) + TLS 1.3 offered (OK): final + NPN/SPDY not offered + ALPN/HTTP2 not offered + + Testing cipher categories + + NULL ciphers (no encryption) not offered (OK) + Anonymous NULL Ciphers (no authentication) not offered (OK) + Export ciphers (w/o ADH+NULL) not offered (OK) + LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) not offered (OK) + Triple DES Ciphers / IDEA not offered + Obsoleted CBC ciphers (AES, ARIA etc.) offered + Strong encryption (AEAD ciphers) with no FS not offered + Forward Secrecy strong encryption (AEAD ciphers) offered (OK) + + + Testing server's cipher preferences + +Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC) +----------------------------------------------------------------------------------------------------------------------------- +SSLv2 + - +SSLv3 + - +TLSv1 + - +TLSv1.1 + - +TLSv1.2 (server order -- server prioritizes ChaCha ciphers when preferred by clients) + xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 + xc0ad ECDHE-ECDSA-AES256-CCM ECDH 253 AESCCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_CCM + xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + xc0ac ECDHE-ECDSA-AES128-CCM ECDH 253 AESCCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_CCM + xc023 ECDHE-ECDSA-AES128-SHA256 ECDH 253 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 + xc00a ECDHE-ECDSA-AES256-SHA ECDH 253 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA + xc009 ECDHE-ECDSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA +TLSv1.3 (server order -- server prioritizes ChaCha ciphers when preferred by clients) + x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384 + x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 + x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256 + x1304 TLS_AES_128_CCM_SHA256 ECDH 253 AESCCM 128 TLS_AES_128_CCM_SHA256 + + Has server cipher order? yes (OK) -- TLS 1.3 and below + + + Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4 + + FS is offered (OK) TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-CCM TLS_AES_128_GCM_SHA256 TLS_AES_128_CCM_SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 + ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES128-CCM + Elliptic curves offered: prime256v1 secp384r1 secp521r1 X25519 X448 + Finite field group: ffdhe2048 ffdhe3072 ffdhe4096 ffdhe6144 ffdhe8192 + TLS 1.2 sig_algs offered: ECDSA+SHA256 ECDSA+SHA384 ECDSA+SHA512 ECDSA+SHA224 + TLS 1.3 sig_algs offered: ECDSA+SHA256 + + Testing server defaults (Server Hello) + + TLS extensions (standard) "renegotiation info/#65281" "server name/#0" "EC point formats/#11" "session ticket/#35" "supported versions/#43" "key share/#51" "max fragment length/#1" "encrypt-then-mac/#22" "extended master secret/#23" + Session Ticket RFC 5077 hint 7200 seconds, session tickets keys seems to be rotated < daily + SSL Session ID support yes + Session Resumption Tickets: yes, ID: yes + TLS clock skew Random values, no fingerprinting possible + Certificate Compression none + Client Authentication none + Signature Algorithm ECDSA with SHA384 + Server key size EC 256 bits (curve P-256) + Server key usage Digital Signature + Server extended key usage TLS Web Server Authentication, TLS Web Client Authentication + Serial 032949A41F4938FAF4C1DBAA984F965F6380 (OK: length 18) + Fingerprints SHA1 7FA23560DDD26C28EF497C286F59F411C367F61F + SHA256 10772449545FC60A04A177BB84611F12BCB2FBA179B5675AEEC6DB23E2A2ECD9 + Common Name (CN) *.gridhead.net (CN in response to request w/o SNI: *.apexaltruism.net ) + subjectAltName (SAN) *.gridhead.net gridhead.net + Trust (hostname) Ok via SAN wildcard and CN wildcard (SNI mandatory) + Chain of trust basename: extra operand ‘/etc/pki/tls/fips_local.cnf’ +Try 'basename --help' for more information. +"/etc/pki/tls/*.pem" cannot be found / not readable + EV cert (experimental) no + Certificate Validity (UTC) 62 >= 30 days (2024-10-16 05:05 --> 2025-01-14 05:05) + ETS/"eTLS", visibility info not present + Certificate Revocation List -- + OCSP URI http://e5.o.lencr.org + OCSP stapling not offered + OCSP must staple extension -- + DNS CAA RR (experimental) not offered + Certificate Transparency yes (certificate extension) + Certificates provided 2 + Issuer E5 (Let's Encrypt from US) + Intermediate cert validity #1: ok > 40 days (2027-03-12 23:59). E5 <-- ISRG Root X1 + Intermediate Bad OCSP (exp.) Ok + + + Testing HTTP header response @ "/" + + HTTP Status Code 426 Upgrade Required. Oh, didn't expect "426 Upgrade Required" + HTTP clock skew -1 sec from localtime + Strict Transport Security not offered + Public Key Pinning -- + Server banner Python/3.12 websockets/12.0 + Application banner -- + Cookie(s) (none issued at "/") -- maybe better try target URL of 30x + Security headers Upgrade: websocket + Reverse Proxy banner -- + + + Testing vulnerabilities + + Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension + CCS (CVE-2014-0224) not vulnerable (OK) + Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK) + ROBOT Server does not support any cipher suites that use RSA key transport + Secure Renegotiation (RFC 5746) supported (OK) + Secure Client-Initiated Renegotiation not vulnerable (OK) + CRIME, TLS (CVE-2012-4929) not vulnerable (OK) + BREACH (CVE-2013-3587) no gzip/deflate/compress/br HTTP compression (OK) - only supplied "/" tested + POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support + TLS_FALLBACK_SCSV (RFC 7507) No fallback possible (OK), no protocol below TLS 1.2 offered + SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK) + FREAK (CVE-2015-0204) not vulnerable (OK) + DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK) + no RSA certificate, thus certificate can't be used with SSLv2 elsewhere + LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2 + BEAST (CVE-2011-3389) not vulnerable (OK), no SSL3 or TLS1 + LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches + Winshock (CVE-2014-6321), experimental not vulnerable (OK) + RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK) + + + Running client simulations (HTTP) via sockets + + Browser Protocol Cipher Suite Name (OpenSSL) Forward Secrecy +------------------------------------------------------------------------------------------------ + Android 6.0 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 256 bit ECDH (P-256) + Android 7.0 (native) TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 256 bit ECDH (P-256) + Android 8.1 (native) TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 253 bit ECDH (X25519) + Android 9.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Android 10.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Android 11 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Android 12 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Chrome 79 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Chrome 101 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Firefox 66 (Win 8.1/10) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Firefox 100 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + IE 6 XP No connection + IE 8 Win 7 No connection + IE 8 XP No connection + IE 11 Win 7 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 256 bit ECDH (P-256) + IE 11 Win 8.1 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 256 bit ECDH (P-256) + IE 11 Win Phone 8.1 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 256 bit ECDH (P-256) + IE 11 Win 10 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 256 bit ECDH (P-256) + Edge 15 Win 10 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 253 bit ECDH (X25519) + Edge 101 Win 10 21H2 TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Safari 12.1 (iOS 12.2) TLSv1.3 TLS_CHACHA20_POLY1305_SHA256 253 bit ECDH (X25519) + Safari 13.0 (macOS 10.14.6) TLSv1.3 TLS_CHACHA20_POLY1305_SHA256 253 bit ECDH (X25519) + Safari 15.4 (macOS 12.3.1) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Java 7u25 No connection + Java 8u161 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 256 bit ECDH (P-256) + Java 11.0.2 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 256 bit ECDH (P-256) + Java 17.0.3 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + go 1.17.8 TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + LibreSSL 2.8.3 (Apple) TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305 253 bit ECDH (X25519) + OpenSSL 1.0.2e TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 256 bit ECDH (P-256) + OpenSSL 1.1.0l (Debian) TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 253 bit ECDH (X25519) + OpenSSL 1.1.1d (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + OpenSSL 3.0.3 (git) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Apple Mail (16.0) TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 256 bit ECDH (P-256) + Thunderbird (91.9) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + + + Rating (experimental) + + Rating specs (not complete) SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30) + Specification documentation https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide + Protocol Support (weighted) 100 (30) + Key Exchange (weighted) 100 (30) + Cipher Strength (weighted) 90 (36) + Final Score 96 + Overall Grade A + Grade cap reasons Grade capped to A. HSTS is not offered + + Done 2024-11-12 05:23:24 [ 70s] -->> ***.***.***.***:443 (expedite-mumb.gridhead.net) <<-- + \ No newline at end of file diff --git a/data/test-mumb-26072024.txt b/data/test-mumb-26072024.txt deleted file mode 100644 index 33687cd..0000000 --- a/data/test-mumb-26072024.txt +++ /dev/null @@ -1,182 +0,0 @@ -##################################################################### - testssl.sh version 3.0.9 from https://testssl.sh/ - - This program is free software. Distribution and modification under - GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! - - Please file bugs @ https://testssl.sh/bugs/ - -##################################################################### - - Using bash 5.2.26. OpenSSL 1.0.2-bad (1.0.2k-dev) [~179 ciphers] - on archdesk:./bin/openssl.Linux.x86_64 - (built: Sep 1 14:03:44 2022, platform: linux-x86_64) - - Start 2024-07-26 09:45:14 -->>***.***.***.***:443 (expedite-mumb.apexaltruism.net) <<-- - - rDNS (***.***.***.***): -- - Service detected: HTTP - - - Testing protocols via sockets except NPN+ALPN - - SSLv2 not offered (OK) - SSLv3 not offered (OK) - TLS 1 not offered - TLS 1.1 not offered - TLS 1.2 offered (OK) - TLS 1.3 offered (OK): final - NPN/SPDY not offered - ALPN/HTTP2 not offered - - Testing cipher categories - - NULL ciphers (no encryption) not offered (OK) - Anonymous NULL Ciphers (no authentication) not offered (OK) - Export ciphers (w/o ADH+NULL) not offered (OK) - LOW: 64 Bit + DES, RC[2,4] (w/o export) not offered (OK) - Triple DES Ciphers / IDEA not offered - Obsolete CBC ciphers (AES, ARIA etc.) offered - Strong encryption (AEAD ciphers) offered (OK) - - - Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4 - - PFS is offered (OK) TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-CCM TLS_AES_128_GCM_SHA256 TLS_AES_128_CCM_SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES128-CCM - Elliptic curves offered: prime256v1 secp384r1 secp521r1 X25519 X448 - Finite field group: ffdhe2048 ffdhe3072 ffdhe4096 ffdhe6144 ffdhe8192 - - Testing server preferences - - Has server cipher order? yes (OK) -- TLS 1.3 and below - Negotiated protocol TLSv1.3 - Negotiated cipher TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) - Cipher order - TLSv1.2: ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-CCM ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-CCM ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA - TLSv1.3: TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 TLS_AES_128_CCM_SHA256 - - - Testing server defaults (Server Hello) - - TLS extensions (standard) "renegotiation info/#65281" "server name/#0" "EC point formats/#11" "session ticket/#35" "supported versions/#43" "key share/#51" "supported_groups/#10" "max fragment length/#1" "encrypt-then-mac/#22" "extended master secret/#23" - Session Ticket RFC 5077 hint 7200 seconds, session tickets keys seems to be rotated < daily - SSL Session ID support yes - Session Resumption Tickets: yes, ID: yes - TLS clock skew Random values, no fingerprinting possible - Signature Algorithm ECDSA with SHA384 - Server key size EC 256 bits - Server key usage Digital Signature - Server extended key usage TLS Web Server Authentication, TLS Web Client Authentication - Serial 03E4F5F4193B80C23260316A3DAD48FEB7C2 (OK: length 18) - Fingerprints SHA1 C586B26696875DF4194D3888AC43F7098FD3A247 - SHA256 27466B5CC0E6909FF9EB05601432F275A5F6F5594B834DC30AFFBACBF798855E - Common Name (CN) *.apexaltruism.net - subjectAltName (SAN) *.apexaltruism.net apexaltruism.net - Issuer E6 (Let's Encrypt from US) - Trust (hostname) Ok via SAN wildcard (same w/o SNI) - Chain of trust Ok - EV cert (experimental) no - ETS/"eTLS", visibility info not present - Certificate Validity (UTC) 89 >= 30 days (2024-07-25 14:57 --> 2024-10-23 14:57) - # of certificates provided 2 - Certificate Revocation List -- - OCSP URI http://e6.o.lencr.org - OCSP stapling not offered - OCSP must staple extension -- - DNS CAA RR (experimental) not offered - Certificate Transparency yes (certificate extension) - - - Testing HTTP header response @ "/" - - HTTP Status Code 426 Upgrade Required. Oh, didn't expect "426 Upgrade Required" - HTTP clock skew 0 sec from localtime - Strict Transport Security not offered - Public Key Pinning -- - Server banner Python/3.12 websockets/12.0 - Application banner -- - Cookie(s) (none issued at "/") -- maybe better try target URL of 30x - Security headers Upgrade: websocket - Reverse Proxy banner -- - - - Testing vulnerabilities - - Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension - CCS (CVE-2014-0224) not vulnerable (OK) - Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK) - ROBOT Server does not support any cipher suites that use RSA key transport - Secure Renegotiation (RFC 5746) supported (OK) - Secure Client-Initiated Renegotiation not vulnerable (OK) - CRIME, TLS (CVE-2012-4929) not vulnerable (OK) - BREACH (CVE-2013-3587) no HTTP compression (OK) - only supplied "/" tested - POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support - TLS_FALLBACK_SCSV (RFC 7507) No fallback possible (OK), no protocol below TLS 1.2 offered - SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK) - FREAK (CVE-2015-0204) not vulnerable (OK) - DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK) - no RSA certificate, thus certificate can't be used with SSLv2 elsewhere - LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2 - BEAST (CVE-2011-3389) not vulnerable (OK), no SSL3 or TLS1 - LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches - RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK) - - - Testing 370 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength - -Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC) ------------------------------------------------------------------------------------------------------------------------------ - x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384 - x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 - xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - xc00a ECDHE-ECDSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - xc0ad ECDHE-ECDSA-AES256-CCM ECDH 253 AESCCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_CCM - x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256 - x1304 TLS_AES_128_CCM_SHA256 ECDH 253 AESCCM 128 TLS_AES_128_CCM_SHA256 - xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH 256 AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - xc023 ECDHE-ECDSA-AES128-SHA256 ECDH 256 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 - xc009 ECDHE-ECDSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - xc0ac ECDHE-ECDSA-AES128-CCM ECDH 253 AESCCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_CCM - - - Running client simulations (HTTP) via sockets - - Android 6.0 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256) - Android 7.0 (native) TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) - Android 8.1 (native) TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 253 bit ECDH (X25519) - Android 9.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) - Android 10.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) - Android 11 (native) TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) - Android 12 (native) TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) - Chrome 79 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) - Chrome 101 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) - Firefox 66 (Win 8.1/10) TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) - Firefox 100 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) - IE 6 XP No connection - IE 8 Win 7 No connection - IE 8 XP No connection - IE 11 Win 7 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) - IE 11 Win 8.1 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) - IE 11 Win Phone 8.1 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) - IE 11 Win 10 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) - Edge 15 Win 10 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 253 bit ECDH (X25519) - Edge 101 Win 10 21H2 TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) - Safari 12.1 (iOS 12.2) TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 253 bit ECDH (X25519) - Safari 13.0 (macOS 10.14.6) TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 253 bit ECDH (X25519) - Safari 15.4 (macOS 12.3.1) TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) - Java 7u25 No connection - Java 8u161 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) - Java 11.0.2 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit ECDH (P-256) - Java 17.0.3 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) - go 1.17.8 TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) - LibreSSL 2.8.3 (Apple) TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305, 253 bit ECDH (X25519) - OpenSSL 1.0.2e TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) - OpenSSL 1.1.0l (Debian) TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 253 bit ECDH (X25519) - OpenSSL 1.1.1d (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) - OpenSSL 3.0.3 (git) TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) - Apple Mail (16.0) TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) - Thunderbird (91.9) TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) - - Done 2024-07-26 09:46:48 [ 143s] -->> ***.***.***.***:443 (expedite-mumb.apexaltruism.net) <<--