
Another XF forum switching to centminmod?

Discussion in 'Introductions' started by Mr. Jinx, Apr 19, 2021.

  1. Mr. Jinx

    Mr. Jinx New Member

    Hello All,

    I am currently exploring centminmod and so far I like it :)
    Right now I am really playing with it, starting with a fresh VPS, installing centminmod, breaking things and re-installing. Just to get a feeling.

    I have been using Direct Admin for a long time and recently also tried Cyberpanel.
    DA is a great control panel. I'm not going to say anything bad about it. However, it is more focused on multi user hosting with lots of options. For my situation too many options.
    Still I think it is the best control panel. A mix between commandline and GUI. And the GUI is very light, fast and secure running its own web server.

    While searching for alternatives I wanted to take a look at OpenLiteSpeed. This brought me to Cyberpanel. Played with it, but I saw some bugs and security related stuff I didn't like. Their community was not very active and the bugs I reported are still open. Nobody ever responded, so this was a no-go for me.

    Then I tried centminmod. Installed a test forum and saw that the php generation time of my (test) forum was twice as fast as my current hosting plan, out of the box! I also compared it to another clean DA install and Cyberpanel running on exactly the same VPS setup. Still, CMM was the winner looking at pure speed.

    So that is interesting, but I'm afraid for all the extra work. Running my website on managed hosting, I don't have to think about anything but I also don't have any control.
    Or switching to CMM, more maintenance (I think), more control and more speed.

     
  2. rdan

    rdan Well-Known Member

  3. eva2000

    eva2000 Administrator Staff Member

    welcome @Mr. Jinx to Centmin Mod Community and Centmin Mod. Plenty of Xenforo owners running on Centmin Mod LEMP stack Xenforo - Centmin Mod LEMP powers ~10% of Xenforo's largest forums ! :)

    There are 6 steps to learning more about Centmin Mod ;) And to modifying config files and manage services more quickly, check out Centmin Mod Command Shortcuts. Recently relaunched official Centmin Mod Blog at https://blog.centminmod.com/ also have more advanced tips and tutorials as well :D

    Might also be interested in reading up on latest LEMP stack comparison benchmarks tagged here.

    You might want to try the 123.09beta01 build as it will be next stable release and well has a lot of improvements if you check 2nd post change log at Beta Branch - Centmin Mod .09 beta branch Testing. And you can share your initial install times here.

    Threads you might want to participate in ;)

    Quick Tips


    Threads & Info To Bookmark



    Threads to read, pages to bookmark and threads to watch/subscribe to get to know Centmin Mod would include:

    Centmin Mod Insights Forum



    The Centmin Mod Insights forums digs deeper into the inner workings of Centmin Mod so some useful threads in this forum include:

    Security Related Developments



    A few security related developments you might be interested reading about

    Premium Membership


    Centmin Mod Donations



    You now can show your love and support for Centmin Mod via
     
  4. Rake-GH

    Rake-GH Active Member

    From my experience, once you get up and running with CMM, you really don't have to do much.

    My only work related to using CMM is, once a month I:
    • Backup everything locally (it auto backups every week)
    • Check the CMM forums for any important updates
    • Update everything & reboot
    • If website still loads, my job is done
    Doesn't take more than 20 minutes per month.

    My only problems I've had were user error because I did not understand nginx when I first started using CMM, but now that I've learned everything, it's been great. The CMM forum is filled with important information, anytime I have an issue I can usually find a solution in a few minutes.

    Yes it is more work and you have to learn more stuff, mostly all in the beginning, but I've really enjoyed it and once you've learned it, you're good to go. I think the most important thing is to learn nginx, because that's what you'll be playing with the most
     
  5. buik

    buik “The best traveler is one without a camera.”

    Don't be put off by ISP scaremongering.

    As long as you take care of backups, backups and more backups there is nothing to worry about.

    Before each centmin update (maintenance), take a snapshot, and should issues arise, you simply put the snapshot back.

    As long as you keep current backups, you can basically switch to any form of hosting.
    According to your preference.
     
  6. Mr. Jinx

    Mr. Jinx New Member

    Thanks for the heads up. So far so good!
    Most work for now was adding the extra security measures:
    • Disabled all incoming ports, except 80/443
    • Changed SSH port and only allow it from my IP
    • Added a sudo user and disable root logins (centmin maintenance will still be done as root using sudo su -)
    • Added SSH keys and disabled password logins
    • Changed ssl_ciphers to intermediate
    • Change dhparam.pem to use ffdhe3072
    • Enabled IPv6
    I like this site to test some basic security stuff:
    Test for modern Internet Standards like IPv6, DNSSEC, HTTPS, DMARC, STARTTLS and DANE.

    My site now scores 100%.
     
  7. Mr. Jinx

    Mr. Jinx New Member

    upload_2021-5-9_11-8-20.png
    This graph shows the difference in load times from my site. This is PRTG getting the index of my site, without external downloads.
    1. My site running on shared hosting. They promised containerization with reserved 3 cores and 4GB. However, as you can see, the speed was not that 'reserved'. Apache + PHP 8 + MariaDB 10.4 + Redis.
    2. Migrated to a 2 core 4GB VPS from UpCloud, running Centminmod default install with PHP 7.4 and MariaDB 10.3. The spikes you see come from reboots and maintenance I was doing. During this period I upgraded to PHP 8 with PGO and JIT enabled. I also enabled XF guest caching, which wouldn't work correctly on my previous host.
    3. The final result, after all the upgrades and tweaks, my site is running very nicely without spikes. Going from 200-350 msec to a constant 100msec load time.
     
  8. Andy

    Andy Active Member

    What is your site URL? Would be interested in learning how you get 100% score you mentioned in post #6.
     
  9. Mr. Jinx

    Mr. Jinx New Member

    This one: Website test: ziggoforum.nl
    Only one recommendation left regarding the Content Security Policy, but I haven't found a good policy that doesn't break the site (especially AMP).
     
  10. Andy

    Andy Active Member

    Yes, CSP is not easily implemented right now.
    Can you share the cipher suites that you use in your nginx conf file?
     
  11. Mr. Jinx

    Mr. Jinx New Member

    This one:
    Code:
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    I got this list of ciphers from Mozilla using the intermediate configuration:
    Mozilla SSL Configuration Generator
     
  12. eva2000

    eva2000 Administrator Staff Member

    FYI, if you use Cloudflare in front of Centmin Mod Nginx, then SSL cipher choices aren't really used by visitors and just Cloudflare edge servers which would already choose the best SSL ciphers that default Centmin Mod Nginx ssl_ciphers directive has set.
     
  13. Andy

    Andy Active Member

    Hum,
    I used your cipher suite and still got the error about key exchange parameters.
    Website test: quantnet.com

    @eva2000 any idea?
     
  14. Mr. Jinx

    Mr. Jinx New Member

    That is about the dhparam.pem file.
    They don't recommend a self generated one. Instead you can use ffdhe3072
     
  15. Andy

    Andy Active Member

    Oh, I used the Let's encrypt free SSL cert generator that came with centminmod.
    Is it something I can change?
     
  16. eva2000

    eva2000 Administrator Staff Member

    I think it comes from this discussion Advise dynamic dh parameters instead of downloading from mozilla · Issue #60 · mozilla/ssl-config-generator if using Intermediate SSL cipher preferences with TLSv1.3 supported Nginx

    @Andy so you'd replace your dhparam.pem with their downloaded one if you modified SSL cipher preferences from Centmin Mod Nginx default to the intermediate profile

    so if you had
    Code (Text):
    ssl_dhparam /usr/local/nginx/conf/ssl/test.com/dhparam.pem;

    you'd change it to ffdhe2048.txt downloaded version via command
    Code (Text):
    curl https://ssl-config.mozilla.org/ffdhe2048.txt > /usr/local/nginx/conf/ssl/test.com/dhparam.pem
    

    and only if you intend to create all future Nginx vhosts with intermediate SSL cipher preferences, also save the local copy template version which Centmin Mod saves when first creating a Nginx HTTPS/SSL vhost at /usr/local/nginx/conf/ssl/dhparam.pem which is then copied to new subsequent Nginx HTTPS/SSL vhosts to save time
    Code (Text):
    curl https://ssl-config.mozilla.org/ffdhe2048.txt > /usr/local/nginx/conf/ssl/dhparam.pem

    Note if you do not intend to modify each Nginx HTTPS/SSL vhost with intermediate SSL cipher preferences, then don't override /usr/local/nginx/conf/ssl/dhparam.pem
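
An added example, not part of the original post or of Centmin Mod: the same dhparam replacement done defensively, downloading to a temporary file, checking that it parses as DH parameters of the expected size, and keeping a backup before swapping it in. Function names are hypothetical, and the `DH Parameters: (N bit)` header line of `openssl dhparam -text` is an assumption about openssl's text output.

```shell
#!/bin/sh
# Added example; function names are hypothetical, paths and URL are the thread's.

# Print the group size from `openssl dhparam -text` output read on stdin.
# Assumes the "DH Parameters: (N bit)" header line that openssl prints.
parse_dh_bits() {
    sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed only if $1 parses as DH parameters of at least $2 bits.
validate_dhparam() {
    file=$1
    min_bits=${2:-2048}
    text=$(openssl dhparam -in "$file" -text -noout 2>/dev/null) || return 1
    bits=$(printf '%s\n' "$text" | parse_dh_bits)
    [ -n "$bits" ] && [ "$bits" -ge "$min_bits" ]
}

# Replace $2 with $1 after validation, keeping a timestamped backup.
install_dhparam() {
    src=$1
    dest=$2
    min_bits=${3:-2048}
    if ! validate_dhparam "$src" "$min_bits"; then
        echo "rejected $src: not DH parameters of >= $min_bits bits" >&2
        return 1
    fi
    if [ -f "$dest" ]; then
        cp -p "$dest" "$dest.bak.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    # Write next to the target, then rename, so nginx never sees a partial file.
    cp "$src" "$dest.new" && chmod 0644 "$dest.new" && mv -f "$dest.new" "$dest"
}

# Download $1 over HTTPS to a temp file and install it as $2.
fetch_and_install() {
    url=$1
    dest=$2
    min_bits=${3:-2048}
    tmp=$(mktemp) || return 1
    rc=1
    if curl -fsS --proto '=https' -o "$tmp" "$url" &&
        install_dhparam "$tmp" "$dest" "$min_bits"; then
        rc=0
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage (as root), then validate the config before reloading:
#   fetch_and_install https://ssl-config.mozilla.org/ffdhe2048.txt \
#       /usr/local/nginx/conf/ssl/test.com/dhparam.pem 2048 && nginx -t
```

A failed or truncated download (for example an HTML error page) is rejected before the live dhparam.pem is touched, which a plain `curl ... > dhparam.pem` does not guarantee.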
     
  17. Mr. Jinx

    Mr. Jinx New Member

  18. eva2000

    eva2000 Administrator Staff Member

    I'd just use 2048bit, as you go higher performance for Nginx may suffer
     
  19. Mr. Jinx

    Mr. Jinx New Member

    Okay, but the question was how to comply with the internet.nl test with a 100% score ;)
    You will need 3072 bit to pass the test fully, as 2048 was not sufficient (phase out, don't know why)
    I haven't noticed any performance hit on my site, thus I'm using this without any problems.
     
  20. eva2000

    eva2000 Administrator Staff Member

    Yeah the performance hit would be for DHE based key exchange requests only so depends on how ancient your visitor's browser/clients are as most would use ECDHE based key exchanges.

    I whipped up a quick script to switch between Centmin Mod 123.09beta01 default Nginx ssl_ciphers and dhparam and Mozilla's Intermediate ssl_ciphers and ffdhe 2048/3072 dhparam files.
    Code (Text):
    /root/tools/switch-nginx-ciphers.sh
    
    Usage:
    
    /root/tools/switch-nginx-ciphers.sh intermediate-bulk
    /root/tools/switch-nginx-ciphers.sh intermediate /usr/local/nginx/conf/conf.d/domain.com.ssl.conf
    /root/tools/switch-nginx-ciphers.sh default-bulk
    /root/tools/switch-nginx-ciphers.sh default /usr/local/nginx/conf/conf.d/domain.com.ssl.conf
    /root/tools/switch-nginx-ciphers.sh testssl domain.com:443
    


    for 2048bit
    Code (Text):
    /root/tools/switch-nginx-ciphers.sh intermediate /usr/local/nginx/conf/conf.d/test.com.ssl.conf
    setup ffdhe2048 dhparam file: /usr/local/nginx/conf/ssl/dhparam.pem
    replace /usr/local/nginx/conf/ssl/test.com/dhparam.pem
    
    switched ssl_ciphers
      ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    

    for 3072bit
    Code (Text):
    /root/tools/switch-nginx-ciphers.sh intermediate /usr/local/nginx/conf/conf.d/test.com.ssl.conf
    setup ffdhe3072 dhparam file: /usr/local/nginx/conf/ssl/dhparam.pem
    replace /usr/local/nginx/conf/ssl/test.com/dhparam.pem
    
    switched ssl_ciphers
      ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    

    Eventually will make it Centmin Mod Nginx default seeing as how many client browsers already phased out TLSv1.0 and TLSv1.1 limiting DHE usage to only Windows 7/8 IE11 it seems for testssl config test with self-signed SSL
    Code (Text):
    /root/tools/switch-nginx-ciphers.sh testssl test.com:443
    
     Start 2021-05-10 19:42:58        -->> xxx.xxx.xxx.xxx:443 (test.com) <<--
    
     A record via:           /etc/hosts
     rDNS (xxx.xxx.xxx.xxx):   (instructed to minimize DNS queries)
     Service detected:       HTTP
    
    
     Testing protocols via sockets except NPN+ALPN
    
     SSLv2      not offered (OK)
     SSLv3      not offered (OK)
     TLS 1      not offered
     TLS 1.1    not offered
     TLS 1.2    offered (OK)
     TLS 1.3    offered (OK): final
     NPN/SPDY   h2, http/1.1 (advertised)
     ALPN/HTTP2 h2, http/1.1 (offered)
    
     Testing server's cipher preferences
    
     Has server cipher order?     yes (OK) -- TLS 1.3 and below
     Negotiated protocol          TLSv1.3
     Negotiated cipher            TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
     Cipher per protocol
    
    Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
    -----------------------------------------------------------------------------------------------------------------------------
    SSLv2
     -
    SSLv3
     -
    TLSv1
     -
    TLSv1.1
     -
    TLSv1.2 (server order)
     xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 253   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256            
     xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 253   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384            
     xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 253   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256      
     x9e     DHE-RSA-AES128-GCM-SHA256         DH 2048    AESGCM      128      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256              
     x9f     DHE-RSA-AES256-GCM-SHA384         DH 2048    AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384              
    TLSv1.3 (server order)
     x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384                            
     x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256                      
     x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256                            
    
    
     Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4
    
     FS is offered (OK) , ciphers follow (client/browser support is important here)
    
    Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
    -----------------------------------------------------------------------------------------------------------------------------
     x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384                            
     x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256                      
     xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 256   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384            
     x9f     DHE-RSA-AES256-GCM-SHA384         DH 2048    AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384              
     xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 253   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256      
     x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256                            
     xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 256   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256            
     x9e     DHE-RSA-AES128-GCM-SHA256         DH 2048    AESGCM      128      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256              
    
     Elliptic curves offered:     prime256v1 secp384r1 secp521r1 X25519 X448
     DH group offered:            ffdhe2048
    
     Testing server defaults (Server Hello)
    
     TLS extensions (standard)    "renegotiation info/#65281" "server name/#0" "EC point formats/#11" "session ticket/#35" "next protocol/#13172" "supported versions/#43" "key share/#51"
                                  "supported_groups/#10" "max fragment length/#1" "application layer protocol negotiation/#16" "extended master secret/#23"
     Session Ticket RFC 5077 hint 3600 seconds, session tickets keys seems to be rotated < daily
     SSL Session ID support       yes
     Session Resumption           Tickets: yes, ID: yes
     TLS clock skew               Random values, no fingerprinting possible
     Client Authentication        none
     Signature Algorithm          SHA256 with RSA
     Server key size              RSA 2048 bits (exponent is 65537)
     Server key usage             Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
     Server extended key usage    --
     Serial / Fingerprints        DE3C5E3746D583EE / SHA1 2FE9A5F3C5996F76AA2EAE6232134EB423E1C04F
                                  SHA256 5CDB253933F17968786EB19C74E7B535F40DE9A63CD4B32D12D01943803C91C8
     Common Name (CN)             test.com  (CN in response to request w/o SNI: ffdhe.centminmod.com )
     subjectAltName (SAN)         test.com www.test.com
     Trust (hostname)             Ok via SAN and CN (SNI mandatory)
     Chain of trust               NOT ok (chain incomplete)
     EV cert (experimental)       no
     Certificate Validity (UTC)   36499 >= 60 days (2021-05-10 16:11 --> 2121-04-16 16:11)
                                  >= 10 years is way too long
     ETS/"eTLS", visibility info  not present
     Certificate Revocation List  --
     OCSP URI                     --
                                  NOT ok -- neither CRL nor OCSP URI provided
     OCSP stapling                not offered
     OCSP must staple extension   --
     DNS CAA RR (experimental)    (instructed to minimize DNS queries)
     Certificate Transparency     --
     Certificates provided        1
     Issuer                       test.com (test.com from US)
     Intermediate Bad OCSP (exp.) Ok
    
    
    
     Testing ciphers per protocol via OpenSSL plus sockets against the server, ordered by encryption strength
    
    Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
    -----------------------------------------------------------------------------------------------------------------------------
    SSLv2
     -
    SSLv3
     -
    TLS 1
     -
    TLS 1.1
     -
    TLS 1.2
     xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 256   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384            
     x9f     DHE-RSA-AES256-GCM-SHA384         DH 2048    AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384              
     xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 253   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256      
     xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 256   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256            
     x9e     DHE-RSA-AES128-GCM-SHA256         DH 2048    AESGCM      128      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256              
    TLS 1.3
     x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384                            
     x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256                      
     x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256                            
    
     Running client simulations (HTTP) via sockets
    
     Browser                      Protocol  Cipher Suite Name (OpenSSL)       Forward Secrecy
    ------------------------------------------------------------------------------------------------
     Android 4.4.2                TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
     Android 5.0.0                TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
     Android 6.0                  TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
     Android 7.0 (native)         TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
     Android 8.1 (native)         TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
     Android 9.0 (native)         TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
     Android 10.0 (native)        TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
     Chrome 74 (Win 10)           TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
     Chrome 79 (Win 10)           TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
     Firefox 66 (Win 8.1/10)      TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
     Firefox 71 (Win 10)          TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
     IE 6 XP                      No connection
     IE 8 Win 7                   No connection
     IE 8 XP                      No connection
     IE 11 Win 7                  TLSv1.2   DHE-RSA-AES128-GCM-SHA256         2048 bit DH  (ffdhe2048)
     IE 11 Win 8.1                TLSv1.2   DHE-RSA-AES128-GCM-SHA256         2048 bit DH  (ffdhe2048)
     IE 11 Win Phone 8.1          No connection
     IE 11 Win 10                 TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
     Edge 15 Win 10               TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
     Edge 17 (Win 10)             TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
     Opera 66 (Win 10)            TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
     Safari 9 iOS 9               TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
     Safari 9 OS X 10.11          TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
     Safari 10 OS X 10.12         TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
     Safari 12.1 (iOS 12.2)       TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
     Safari 13.0 (macOS 10.14.6)  TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
     Apple ATS 9 iOS 9            TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
     Java 6u45                    No connection
     Java 7u25                    No connection
     Java 8u161                   TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
     Java 11.0.2 (OpenJDK)        TLSv1.3   TLS_AES_256_GCM_SHA384            256 bit ECDH (P-256)
     Java 12.0.1 (OpenJDK)        TLSv1.3   TLS_AES_256_GCM_SHA384            256 bit ECDH (P-256)
     OpenSSL 1.0.2e               TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
     OpenSSL 1.1.0l (Debian)      TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
     OpenSSL 1.1.1d (Debian)      TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
     Thunderbird (68.3)           TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
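
The client-simulation table above can be filtered mechanically to see which clients fall back to DHE and whether the DH group they receive meets a chosen minimum (3072 bits in the internet.nl discussion earlier in the thread). This is an added example, not part of eva2000's post or of switch-nginx-ciphers.sh; the function names are hypothetical and the sample lines are an excerpt copied from the output above.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# Excerpt of the client-simulation table from the testssl run in this thread.
sample_testssl_output() {
    cat <<'EOF'
 Running client simulations (HTTP) via sockets

 Browser                      Protocol  Cipher Suite Name (OpenSSL)       Forward Secrecy
------------------------------------------------------------------------------------------------
 Android 4.4.2                TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Chrome 79 (Win 10)           TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
 IE 8 Win 7                   No connection
 IE 11 Win 7                  TLSv1.2   DHE-RSA-AES128-GCM-SHA256         2048 bit DH  (ffdhe2048)
 IE 11 Win 8.1                TLSv1.2   DHE-RSA-AES128-GCM-SHA256         2048 bit DH  (ffdhe2048)
 IE 11 Win 10                 TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Java 7u25                    No connection
EOF
}

# Walk the client-simulation section of testssl output read on stdin.
# mode=list  -> "client|cipher|dh_bits|verdict" for every client on a DHE suite
# mode=share -> "<dhe clients>/<clients that connected>"
scan_clients() {
    awk -v mode="$1" -v min="${2:-3072}" '
    /Running client simulations/ { insec = 1; next }
    !insec { next }
    {
        # The protocol column is the anchor; the client name is everything
        # before it and may itself contain spaces.
        p = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /^TLSv1(\.[0-9])?$/) { p = i; break }
        if (p < 2 || p == NF) next          # header, rule, "No connection"
        total++
        if ($(p + 1) !~ /^DHE-/) next       # ECDHE and TLS 1.3 suites
        dhe++
        name = $1
        for (i = 2; i < p; i++) name = name " " $i
        bits = $(p + 2) + 0
        if (mode == "list")
            printf "%s|%s|%d|%s\n", name, $(p + 1), bits,
                   (bits < min ? "BELOW_MIN" : "ok")
    }
    END { if (mode == "share") printf "%d/%d\n", dhe, total }'
}

# Clients that negotiated finite-field DHE, judged against a minimum size.
dhe_clients() { scan_clients list "$1"; }

# How many of the connecting simulated clients depend on DHE at all.
dhe_share() { scan_clients share; }

# Usage against a live run (testssl invocation as shown in the thread):
#   /root/tools/switch-nginx-ciphers.sh testssl test.com:443 | dhe_clients 3072
```

An empty `dhe_clients` result means no simulated client depends on the dhparam file, so its size only matters for the scanner's score.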