SSL Report: bourdiol.xyz ( )

Transcription

1 Home Projects Qualys.com Contact You are here: Home > Projects > SSL Server Test > bourdiol.xyz > SSL Report: bourdiol.xyz ( ) Assessed on: Sun Apr 19 12:22:55 PDT 2015 HIDDEN Clear cache Scan Another» Summary Overall Rating Certificate 100 A Protocol Support 95 Key Exchange 90 Cipher Strength Visit our documentation page for more information, configuration guides, and books. Known issues are documented here. This site works only in browsers with SNI support. This server supports TLS_FALLBACK_SCSV to prevent protocol downgrade attacks. Authentication Server Key and Certificate #1 Common names Alternative names Prefix handling bourdiol.xyz Both (with and without WWW) Valid from Sat Apr 18 17:00:00 PDT 2015 Tue Apr 19 16:59:59 PDT 2016 (expires in 1 year) Key RSA 2048 bits (e 65537) Weak key (Debian) Issuer Extended Validation Revocation information Revocation status Trusted SHA256withRSA CRL, OCSP Good (not revoked) Additional Certificates (if supplied) Certificates provided Chain issues 3 (4196 bytes) ne 1 sur 5 19/04/ :35

2 Additional Certificates (if supplied) #2 Subject Wed Sep 11 16:59:59 PDT 2024 (expires in 9 years and 4 months) Key RSA 2048 bits (e 65537) Issuer SHA384withRSA #3 Subject Fingerprint: eab040689a0d805b5d6fd654fc168cff00b78be3 Sat May 30 03:48:38 PDT 2020 (expires in 5 years and 1 month) Key RSA 4096 bits (e 65537) Issuer AddTrust External CA Root SHA384withRSA Certification Paths Path #1: Trusted 1 Sent by server 2 Sent by server 3 In trust store Fingerprint: 201a7ea6a abae487accddaddbe5670a20 RSA 2048 bits (e 65537) / SHA256withRSA RSA 2048 bits (e 65537) / SHA384withRSA Self-signed Fingerprint: 2b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e RSA 4096 bits (e 65537) / SHA384withRSA Path #2: Trusted 1 Sent by server 2 Sent by server 3 Sent by server 4 In trust store Fingerprint: 201a7ea6a abae487accddaddbe5670a20 RSA 2048 bits (e 65537) / SHA256withRSA RSA 2048 bits (e 65537) / SHA384withRSA Fingerprint: eab040689a0d805b5d6fd654fc168cff00b78be3 RSA 4096 bits (e 65537) / SHA384withRSA AddTrust External CA Root Self-signed Fingerprint: 02faf3e df5e45b RSA 2048 bits (e 65537) / SHA1withRSA Weak or insecure signature, but no impact on root certificate Configuration Protocols TLS 1.2 TLS 1.1 TLS sur 5 19/04/ :35

3 Protocols SSL 3 SSL 2 Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites always at the end) TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH 256 bits (eq bits RSA) FS 256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH 256 bits (eq bits RSA) FS 128 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH 256 bits (eq bits RSA) FS 256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH 256 bits (eq bits RSA) FS 128 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH 256 bits (eq bits RSA) FS 256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH 256 bits (eq bits RSA) FS 128 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH 256 bits (eq bits RSA) FS 112 TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 2048 bits (p: 256, g: 1, Ys: 256) FS 256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 2048 bits (p: 256, g: 1, Ys: 256) FS 128 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) DH 2048 bits (p: 256, g: 1, Ys: 256) FS 112 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112 Handshake Simulation Android SNI 2 Protocol or cipher suite mismatch Fail 3 Android TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS 256 Android TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS 256 Android TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS 256 Android 4.3 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS 256 Android TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) FS 256 Android TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) FS 128 Baidu Jan 2015 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS 256 BingPreview Jan 2015 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) FS 256 Chrome 40 / OS X R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) FS 128 Firefox ESR / Win 7 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) FS 128 Firefox 35 / OS X R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) FS 128 Googlebot Feb 2015 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) FS 128 IE 6 / XP FS 1 SNI 2 Protocol or cipher suite mismatch Fail 3 IE 7 / Vista TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS 256 IE 8 / XP FS 1 SNI 2 Protocol or cipher suite mismatch Fail 3 IE 8-10 / Win 7 R TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS 256 IE 11 / Win 7 R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) FS 256 IE 11 / Win 8.1 R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) FS 256 IE Mobile 10 / Win Phone 8.0 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS 256 IE Mobile 11 / Win Phone 8.1 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) FS 128 Java 6u45 SNI 2 Protocol or cipher suite mismatch Fail 3 Java 7u25 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128 Java 8u31 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) FS 128 OpenSSL 0.9.8y TLS 1.0 TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) FS 256 OpenSSL 1.0.1l R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) FS 256 OpenSSL R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) FS sur 5 19/04/ :35

4 Handshake Simulation Safari / OS X TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS 256 Safari 6 / ios R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) FS 256 Safari / OS X R TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS 256 Safari 7 / ios 7.1 R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) FS 256 Safari 7 / OS X 10.9 R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) FS 256 Safari 8 / ios R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) FS 256 Safari 8 / OS X R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) FS 256 Yahoo Slurp Jan 2015 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) FS 256 YandexBot Jan 2015 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) FS 256 (1) Clients that do not support Forward Secrecy (FS) are excluded when determining support for it. (2) support for virtual SSL hosting (SNI). Connects to the default site if the server uses SNI. (3) Only first connection attempt simulated. Browsers tend to retry with a lower protocol version. (R) Denotes a reference browser or client, with which we expect better effective security. (All) We use defaults, but some platforms do not use their best protocols and features (e.g., Java 6 & 7, older IE). Protocol Details Secure Renegotiation Secure Client-Initiated Renegotiation Insecure Client-Initiated Renegotiation BEAST attack POODLE (SSLv3) POODLE (TLS) Downgrade attack prevention TLS compression RC4 Heartbeat (extension) Heartbleed (vulnerability) OpenSSL CCS vuln. (CVE ) Forward Secrecy Next Protocol Negotiation (NPN) Session resumption (caching) Session resumption (tickets) OCSP stapling Strict Transport Security (HSTS) Public Key Pinning (HPKP) Long handshake intolerance TLS extension intolerance Supported t mitigated server-side (more info) TLS 1.0: 0xc014, SSL 3 not supported (more info) (more info), TLS_FALLBACK_SCSV supported (more info) (more info) (more info) (with most browsers) ROBUST (more info) TLS version intolerance TLS 2.98 SSL 2 handshake compatibility Miscellaneous Test date Sun Apr 19 12:21:02 PDT 2015 Test duration seconds HTTP status code 200 HTTP server signature Server hostname Apache/ gpaas12.dc0.gandi.net 4 sur 5 19/04/ :35

5 SSL Report v Copyright Qualys, Inc. All Rights Reserved. Terms and Conditions 5 sur 5 19/04/ :35