/ Register

Join the community today
Register Now

SSL Testssl results?

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Jimmy, Jun 27, 2016.

Tags:
Previous Thread Next Thread
Loading...
  1. Jun 27, 2016 #1
    Jimmy

    Jimmy Well-Known Member

    1,788
    390
    83
    Oct 24, 2015
    East Coast USA
    Ratings:
    +990
    Local Time:
    11:39 PM
    I just did a clean install of centmin mod 09beta with php 7.0.8 Nginx 1.11.1 and got this result via testssl.

    Code:
    [root@localhost centminmod]# testssl https://sslspdy.com

No engine or GOST support via engine with your /usr/bin/openssl

###########################################################
    testssl       2.6 from https://testssl.sh/
    (c7c259b 2016-06-26 15:44:23 -- 1.379B)

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

Using "OpenSSL 1.0.1e-fips 11 Feb 2013" [~121 ciphers] on
localhost.localdomain:/usr/bin/openssl
(built: "May  9 08:07:32 2016", platform: "linux-x86_64")


Testing now (2016-06-26 17:33) ---> 192.184.89.66:443 (sslspdy.com) <---

further IP addresses:   2604:180:1::fd2c:e402
rDNS (192.184.89.66):   sslspdy.com.
Service detected:       HTTP


--> Testing protocols (via sockets except TLS 1.2 and SPDY/NPN)

SSLv2      not offered (OK)
SSLv3      not offered (OK)
TLS 1      offered
TLS 1.1    offered
TLS 1.2    offered (OK)
SPDY/NPN   h2, spdy/3.1, http/1.1 (advertised)

--> Testing ~standard cipher lists

Null Ciphers                 not offered (OK)
Anonymous NULL Ciphers       not offered (OK)
Anonymous DH Ciphers         not offered (OK)
40 Bit encryption            not offered (OK)
56 Bit encryption            Local problem: No 56 Bit encryption configured in /usr/bin/openssl
Export Ciphers (general)     not offered (OK)
Low (<=64 Bit)               not offered (OK)
DES Ciphers                  not offered (OK)
Medium grade encryption      not offered (OK)
Triple DES Ciphers           not offered (OK)
High grade encryption        offered (OK)

--> Testing (perfect) forward secrecy, (P)FS -- omitting 3DES, RC4 and Null Encryption here

PFS is offered (OK)  ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA

--> Testing server preferences

Has server cipher order?     nope (NOT ok)
Negotiated protocol          TLSv1.2
Negotiated cipher            ECDHE-ECDSA-AES256-GCM-SHA384,  (limited sense as client will pick)
Negotiated cipher per proto  (limited sense as client will pick)
     ECDHE-ECDSA-AES128-SHA:        TLSv1, TLSv1.1
     ECDHE-ECDSA-AES256-GCM-SHA384: TLSv1.2, spdy/3.1
No further cipher order check has been done as order is determined by the client

--> Testing server defaults (Server Hello)

TLS server extensions        renegotiation info, EC point formats, session ticket, status request
Session Tickets RFC 5077     600 seconds
Server key size              EC 256 bit
Signature Algorithm          ECDSA with SHA256
Fingerprint / Serial         SHA1 155AA462E9EBFC2C608D18AB83DD32C17245C89A / 6F2CECA22E73F3FFA5266435705B5390
                              SHA256 91A3930E8F38C7B1EBBC265953B8773E888544BD7C45F5A6927AF50D80D31C11
Common Name (CN)             *.sslspdy.com (wildcard certificate match) (CN in response to request w/o SNI: *.sslspdy.com)
subjectAltName (SAN)         *.sslspdy.com sslspdy.com
Issuer                       COMODO ECC Domain Validation Secure Server CA (COMODO CA Limited from GB)
EV cert (experimental)       no
Certificate Expiration       >= 60 days (2014-10-24 00:00 --> 2016-10-23 23:59 +0000)
# of certificates provided   3
Certificate Revocation List  http://crl.comodoca.com/COMODOECCDomainValidationSecureServerCA.crl
OCSP URI                     http://ocsp.comodoca.com
OCSP stapling                offered
TLS timestamp                random values, no fingerprinting possible


--> Testing HTTP header response @ "/"

HTTP Status Code             200 OK
HTTP clock skew              -1464583849 sec from localtime
Strict Transport Security    365 days=31536000 s, includeSubDomains
Public Key Pinning           # of keys: 2, 604800 s = 7 days (<30 days is not good enough), includeSubDomains
                              matching host key: QYBZo54E74EGPmprgubrqe39L01K0kkNQBfJ6hRFUyE
Server banner                nginx centminmod
Application banner           X-Powered-By: centminmod
Cookie(s)                    (none issued at "/")
Security headers             --
Reverse Proxy banner         --


--> Testing vulnerabilities

Heartbleed (CVE-2014-0160)                not vulnerable (OK)
CCS (CVE-2014-0224)                       not vulnerable (OK)
Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
Secure Client-Initiated Renegotiation     not vulnerable (OK)
CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
BREACH (CVE-2013-3587)                    NOT ok: uses gzip HTTP compression (only "/" tested)
POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
TLS_FALLBACK_SCSV (RFC 7507), experim.    Downgrade attack prevention supported (OK)
FREAK (CVE-2015-0204)                     not vulnerable (OK) (tested with 4/9 ciphers)
LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK) (tested w/ 2/4 ciphers only!), common primes not checked.
BEAST (CVE-2011-3389)                     no CBC ciphers for TLS1 (OK)
RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)


--> Testing all locally available 121 ciphers against the server, ordered by encryption strength
    (Your /usr/bin/openssl cannot show DH/ECDH bits)

Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption Bits        Cipher Suite Name (RFC)
-----------------------------------------------------------------------------------------------------------------------
xc02c   ECDHE-ECDSA-AES256-GCM-SHA384  ECDH       AESGCM     256         TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384    
xc024   ECDHE-ECDSA-AES256-SHA384      ECDH       AES        256         TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384    
xc02b   ECDHE-ECDSA-AES128-GCM-SHA256  ECDH       AESGCM     128         TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256    
xc023   ECDHE-ECDSA-AES128-SHA256      ECDH       AES        128         TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256    
xc009   ECDHE-ECDSA-AES128-SHA         ECDH       AES        128         TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA      


Done now (2016-06-26 17:34) ---> 192.184.89.66:443 (sslspdy.com) <---

     
  2. Jun 27, 2016 #2
    eva2000

    eva2000 Administrator Staff Member

    55,445
    12,257
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,841
    Local Time:
    1:39 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    looks about right as you're using system OpenSSL 1.0.1e for testssl i think which only support NPN protocol and not ALPN in OpenSSL 1.0.2+

    centos 6/7 only has openssl 1.0.1e system package

    you can test with ssllabs too SSL Server Test: sslspdy.com (Powered by Qualys SSL Labs)

    with OpenSSL 1.02i system testssl via my ubuntu nghttp2 docker image
    Code (Text):
    testssl https://sslspdy.com

###########################################################
    testssl       2.7dev from https://testssl.sh/dev/
    (1.507 2016/06/24 17:00:58)

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

Using "OpenSSL 1.0.2-chacha (1.0.2i-dev)" [~183 ciphers]
on efba3ce3f543:/usr/local/http2-15/bin/openssl
(built: "reproducible build, date unspecified", platform: "linux-x86_64")


Start 2016-06-26 19:09:23    -->> 192.184.89.66:443 (sslspdy.com) <<--

further IP addresses:   2604:180:1::fd2c:e402
rDNS (192.184.89.66):   sslspdy.com.
Service detected:       HTTP


Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2)

SSLv2      not offered (OK)
SSLv3      not offered (OK)
TLS 1      offered
TLS 1.1    offered
TLS 1.2    offered (OK)
SPDY/NPN   h2, spdy/3.1, http/1.1 (advertised)
HTTP2/ALPN h2, spdy/3.1, http/1.1 (offered)

Testing ~standard cipher lists

Null Ciphers                 not offered (OK)
Anonymous NULL Ciphers       not offered (OK)
Anonymous DH Ciphers         not offered (OK)
40 Bit encryption            not offered (OK)
56 Bit encryption            not offered (OK)
Export Ciphers (general)     not offered (OK)
Low (<=64 Bit)               not offered (OK)
DES Ciphers                  not offered (OK)
Medium grade encryption      not offered (OK)
Triple DES Ciphers           not offered (OK)
High grade encryption        offered (OK)


Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption as well as 3DES and RC4 here

PFS is offered (OK)  ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA


Testing server preferences

Has server cipher order?     yes (OK)
Negotiated protocol          TLSv1.2
Negotiated cipher            ECDHE-ECDSA-CHACHA20-POLY1305-OLD, 256 bit ECDH
Cipher order
    TLSv1:     ECDHE-ECDSA-AES128-SHA
    TLSv1.1:   ECDHE-ECDSA-AES128-SHA
    TLSv1.2:   ECDHE-ECDSA-CHACHA20-POLY1305-OLD ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-SHA
    h2:        ECDHE-ECDSA-CHACHA20-POLY1305-OLD
    spdy/3.1:  ECDHE-ECDSA-CHACHA20-POLY1305-OLD
    http/1.1:  ECDHE-ECDSA-CHACHA20-POLY1305-OLD


Testing server defaults (Server Hello)

TLS extensions (standard)    "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35" "status request/#5" "next protocol/#13172"
Session Tickets RFC 5077     600 seconds (PFS requires session ticket keys to be rotated <= daily)
SSL Session ID support       yes
TLS clock skew               random values, no fingerprinting possible
Signature Algorithm          ECDSA with SHA256
Server key size              ECDSA 256 bits
Fingerprint / Serial         SHA1 155AA462E9EBFC2C608D18AB83DD32C17245C89A / 6F2CECA22E73F3FFA5266435705B5390
                              SHA256 91A3930E8F38C7B1EBBC265953B8773E888544BD7C45F5A6927AF50D80D31C11
Common Name (CN)             "*.sslspdy.com" (wildcard certificate match) (works w/o SNI)
subjectAltName (SAN)         "*.sslspdy.com" "sslspdy.com"
Issuer                       "COMODO ECC Domain Validation Secure Server CA" ("COMODO CA Limited" from "GB")
EV cert (experimental)       no
Certificate Expiration       119 >= 60 days (2014-10-24 00:00 --> 2016-10-23 23:59 +0000)
# of certificates provided   3
Chain of trust (experim.)    "/usr/bin/etc/*.pem" cannot be found / not readable
Certificate Revocation List  http://crl.comodoca.com/COMODOECCDomainValidationSecureServerCA.crl
OCSP URI                     http://ocsp.comodoca.com
OCSP stapling                offered


Testing HTTP header response @ "/"

HTTP Status Code             200 OK
HTTP clock skew              -1464583848 sec from localtime
Strict Transport Security    365 days=31536000 s, includeSubDomains
Public Key Pinning           # of keys: 2, 604800 s = 7 days (<30 days is not good enough), includeSubDomains
                              matching host key: QYBZo54E74EGPmprgubrqe39L01K0kkNQBfJ6hRFUyE
Server banner                nginx centminmod
Application banner           X-Powered-By: centminmod
Cookie(s)                    (none issued at "/")
Security headers             --
Reverse Proxy banner         --


Testing vulnerabilities

Heartbleed (CVE-2014-0160)                not vulnerable (OK) (no heartbeat extension)
CCS (CVE-2014-0224)                       not vulnerable (OK)
Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
Secure Client-Initiated Renegotiation     not vulnerable (OK)
CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
BREACH (CVE-2013-3587)                    potentially NOT ok, uses gzip HTTP compression. - only supplied "/" tested
                                           Can be ignored for static pages or if no secrets in the page
POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
TLS_FALLBACK_SCSV (RFC 7507), experim.    Downgrade attack prevention supported (OK)
FREAK (CVE-2015-0204)                     not vulnerable (OK)
DROWN (2016-0800, CVE-2016-0703), exper.  not vulnerable on this port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                           https://censys.io/ipv4?q=91A3930E8F38C7B1EBBC265953B8773E888544BD7C45F5A6927AF50D80D31C11 could help you to find out
LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK), common primes not checked. See below for any DH ciphers + bit size
BEAST (CVE-2011-3389)                     TLS1: ECDHE-ECDSA-AES128-SHA
                                           VULNERABLE -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2
RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)


Testing all 183 locally available ciphers against the server, ordered by encryption strength

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.  Encryption Bits
------------------------------------------------------------------------
xcc14   ECDHE-ECDSA-CHACHA20-POLY1305-OLD ECDH 256   ChaCha20  256     
xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 256   AESGCM    256     
xc024   ECDHE-ECDSA-AES256-SHA384         ECDH 256   AES       256     
xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH 256   AESGCM    128     
xc023   ECDHE-ECDSA-AES128-SHA256         ECDH 256   AES       128     
xc009   ECDHE-ECDSA-AES128-SHA            ECDH 256   AES       128     


Running browser simulations (experimental)

Android 2.3.7                 No connection
Android 4.0.4                 TLSv1.0 ECDHE-ECDSA-AES128-SHA
Android 4.1.1                 TLSv1.0 ECDHE-ECDSA-AES128-SHA
Android 4.2.2                 TLSv1.0 ECDHE-ECDSA-AES128-SHA
Android 4.3                   TLSv1.0 ECDHE-ECDSA-AES128-SHA
Android 4.4.2                 TLSv1.1 ECDHE-ECDSA-AES128-SHA
Android 5.0.0                 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
Baidu Jan 2015                TLSv1.0 ECDHE-ECDSA-AES128-SHA
BingPreview Jan 2015          TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
Chrome 47 / OSX               TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
Firefox 31.3.0ESR / Win7      TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
Firefox 42 / OSX              TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
GoogleBot Feb 2015            TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
IE6 / XP                      No connection
IE7 / Vista                   TLSv1.0 ECDHE-ECDSA-AES128-SHA
IE8 / XP                      No connection
IE8-10 / Win7                 TLSv1.0 ECDHE-ECDSA-AES128-SHA
IE11 / Win7                   TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
IE11 / Win8.1                 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
IE10 / Win Phone 8.0          TLSv1.0 ECDHE-ECDSA-AES128-SHA
IE11 / Win Phone 8.1          TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
IE11 / Win Phone 8.1 Update   TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
IE11 / Win10                  TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
Edge 13 / Win10               TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
Edge 12 / Win Phone 10        TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
Java 6u45                     No connection
Java 7u25                     TLSv1.0 ECDHE-ECDSA-AES128-SHA
Java 8u31                     TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
OpenSSL 0.9.8y                No connection
OpenSSL 1.0.1l                TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
OpenSSL 1.0.2e                TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
Safari 5.1.9/ OSX 10.6.8      TLSv1.0 ECDHE-ECDSA-AES128-SHA
Safari 6 / iOS 6.0.1          TLSv1.2 ECDHE-ECDSA-AES128-SHA256
Safari 6.0.4/ OS X 10.8.4     TLSv1.0 ECDHE-ECDSA-AES128-SHA
Safari 7 / iOS 7.1            TLSv1.2 ECDHE-ECDSA-AES128-SHA256
Safari 7 / OS X 10.9          TLSv1.2 ECDHE-ECDSA-AES128-SHA256
Safari 8 / iOS 8.4            TLSv1.2 ECDHE-ECDSA-AES128-SHA256
Safari 8 / OS X 10.10         TLSv1.2 ECDHE-ECDSA-AES128-SHA256
Safari 9 / iOS 9              TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
Safari 9 / OS X 10.11         TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
     
    Last edited: Jun 27, 2016
  3. Jun 27, 2016 #3
    Jimmy

    Jimmy Well-Known Member

    1,788
    390
    83
    Oct 24, 2015
    East Coast USA
    Ratings:
    +990
    Local Time:
    11:39 PM
    I guess I should update openssl on my system. I wish CentOS would update their stock version of Openssl.
     
  4. Jun 27, 2016 #4
    Jimmy

    Jimmy Well-Known Member

    1,788
    390
    83
    Oct 24, 2015
    East Coast USA
    Ratings:
    +990
    Local Time:
    11:39 PM
    I did an upgrade to 1.0.2h on the system and I was getting some "Local Problems" - do the local problems mean that there were issues with the install or that since the items are missing, that it passes the test because they're not there to begin with? I couldn't find anything while searching online for "Local Problems".

    Code:
    ###########################################################
    testssl       2.6 from https://testssl.sh/
    (1.379B 2015/09/25 12:35:41)

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

Using "OpenSSL 1.0.2h  3 May 2016" [~125 ciphers] on
localhost.localdomain:/usr/bin/openssl
(built: "reproducible build, date unspecified", platform: "linux-x86_64")


Testing now (2016-06-27 05:24) ---> 192.184.89.66:443 (sslspdy.com) <---

further IP addresses:   2604:180:1::fd2c:e402
rDNS (192.184.89.66):   sslspdy.com.
Service detected:       HTTP


--> Testing protocols (via sockets except TLS 1.2 and SPDY/NPN)

SSLv2      not offered (OK)
SSLv3      not offered (OK)
TLS 1      offered
TLS 1.1    offered
TLS 1.2    offered (OK)
SPDY/NPN   h2, spdy/3.1, http/1.1 (advertised)

--> Testing ~standard cipher lists

Null Ciphers                 not offered (OK)
Anonymous NULL Ciphers       not offered (OK)
Anonymous DH Ciphers         not offered (OK)
40 Bit encryption            Local problem: No 40 Bit encryption configured in /usr/bin/openssl
56 Bit encryption            Local problem: No 56 Bit encryption configured in /usr/bin/openssl
Export Ciphers (general)     Local problem: No Export Ciphers (general) configured in /usr/bin/openssl
Low (<=64 Bit)               Local problem: No Low (<=64 Bit) configured in /usr/bin/openssl
DES Ciphers                  Local problem: No DES Ciphers configured in /usr/bin/openssl
Medium grade encryption      not offered (OK)
Triple DES Ciphers           not offered (OK)
High grade encryption        offered (OK)

--> Testing (perfect) forward secrecy, (P)FS -- omitting 3DES, RC4 and Null Encryption here

PFS is offered (OK)  ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA

--> Testing server preferences

Has server cipher order?     nope (NOT ok)
Negotiated protocol          TLSv1.2
Negotiated cipher            ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (limited sense as client will pick)
Negotiated cipher per proto  (limited sense as client will pick)
Local problem: /usr/bin/openssl doesn't support "s_client -ssl2"
     ECDHE-ECDSA-AES128-SHA:        TLSv1, TLSv1.1
     ECDHE-ECDSA-AES256-GCM-SHA384: TLSv1.2, spdy/3.1
No further cipher order check has been done as order is determined by the client

--> Testing server defaults (Server Hello)

TLS server extensions        renegotiation info, EC point formats, session ticket, status request
Session Tickets RFC 5077     600 seconds
Server key size              EC 256 bit
Signature Algorithm          ECDSA with SHA256
Fingerprint / Serial         SHA1 155AA462E9EBFC2C608D18AB83DD32C17245C89A / 6F2CECA22E73F3FFA5266435705B5390
                              SHA256 91A3930E8F38C7B1EBBC265953B8773E888544BD7C45F5A6927AF50D80D31C11
Common Name (CN)             *.sslspdy.com (wildcard certificate match) (CN in response to request w/o SNI: *.sslspdy.com)
subjectAltName (SAN)         *.sslspdy.com sslspdy.com
Issuer                       COMODO ECC Domain Validation Secure Server CA (COMODO CA Limited from GB)
EV cert (experimental)       no
Certificate Expiration       >= 60 days (2014-10-24 00:00 --> 2016-10-23 23:59 +0000)
# of certificates provided   3
Certificate Revocation List  http://crl.comodoca.com/COMODOECCDomainValidationSecureServerCA.crl
OCSP URI                     http://ocsp.comodoca.com
OCSP stapling                offered
TLS timestamp                random values, no fingerprinting possible


--> Testing HTTP header response @ "/"

HTTP Status Code             200 OK
HTTP clock skew              -1464583848 sec from localtime
Strict Transport Security    365 days=31536000 s, includeSubDomains
Public Key Pinning           # of keys: 2, 604800 s = 7 days (<30 days is not good enough), includeSubDomains
                              matching host key: QYBZo54E74EGPmprgubrqe39L01K0kkNQBfJ6hRFUyE
Server banner                nginx centminmod
Application banner           X-Powered-By: centminmod
Cookie(s)                    (none issued at "/")
Security headers             --
Reverse Proxy banner         --


--> Testing vulnerabilities

Heartbleed (CVE-2014-0160)                not vulnerable (OK)
CCS (CVE-2014-0224)                       not vulnerable (OK)
Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
Secure Client-Initiated Renegotiation     not vulnerable (OK)
CRIME, TLS (CVE-2012-4929)                Local problem: /usr/bin/openssl lacks zlib support
BREACH (CVE-2013-3587)                    NOT ok: uses gzip HTTP compression (only "/" tested)
POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
TLS_FALLBACK_SCSV (RFC 7507), experim.    Downgrade attack prevention supported (OK)
FREAK (CVE-2015-0204)                     Local problem: /usr/bin/openssl doesn't have any EXPORT RSA ciphers configured
LOGJAM (CVE-2015-4000), experimental      Local problem: /usr/bin/openssl doesn't have any DHE EXPORT ciphers configured
BEAST (CVE-2011-3389)                     no CBC ciphers for TLS1 (OK)
RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)


--> Testing all locally available 125 ciphers against the server, ordered by encryption strength

Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption Bits        Cipher Suite Name (RFC)
-----------------------------------------------------------------------------------------------------------------------
xc02c   ECDHE-ECDSA-AES256-GCM-SHA384  ECDH 256   AESGCM     256         TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
xc024   ECDHE-ECDSA-AES256-SHA384      ECDH 256   AES        256         TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
xc02b   ECDHE-ECDSA-AES128-GCM-SHA256  ECDH 256   AESGCM     128         TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
xc023   ECDHE-ECDSA-AES128-SHA256      ECDH 256   AES        128         TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
xc009   ECDHE-ECDSA-AES128-SHA         ECDH 256   AES        128         TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA


Done now (2016-06-27 05:25) ---> 192.184.89.66:443 (sslspdy.com) <---
    Also, I was curious that the below was ok in your output but "nope" in both my stock install and the upgraded 1.0.2h tests? How did you get that to be ok on your end?

    Code:
    Has server cipher order?    nope (NOT ok)
     
    Last edited: Jun 27, 2016
  5. Jun 27, 2016 #5
    eva2000

    eva2000 Administrator Staff Member

    55,445
    12,257
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,841
    Local Time:
    1:39 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    You're using 2.6 need to use 2.7 dev version GitHub - drwetter/testssl.sh: Testing TLS/SSL encryption
    or your updated openssl 1.0.2h version isn't compiled with right options ? or those options were removed from your openssl 1.0.2h build ? what system you running testssl from ? ubuntu 16 ?
     
    Last edited: Jun 27, 2016
  6. Jun 28, 2016 #6
    Jimmy

    Jimmy Well-Known Member

    1,788
    390
    83
    Oct 24, 2015
    East Coast USA
    Ratings:
    +990
    Local Time:
    11:39 PM
    I was testing it out on CentOS 7.2 w/ 09beta. I installed testssl via yum. Didn't specify any specific config options when I built openssl.

    I was following a tut located here: How to Install the latest OpenSSL 1.0.2h Version on CentOS 6/7 | BIP media

    I also read some posts on stackexchange and serverfault where some people were saying not to upgrade openssl on Centos 7.2 that there were going to be issues.

    I was really just testing this to see if I could get a clean output from the testssl. Maybe I should just ditch upgrading and stick with the default 1.0.1.
     
  7. Jun 28, 2016 #7
    eva2000

    eva2000 Administrator Staff Member

    55,445
    12,257
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,841
    Local Time:
    1:39 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    yeah improper upgrade of openssl system package on centos 6/7 will irreversibly break the entire server ! that tutorial will probably break things down the track due to other packages required dependencies for specific openssl 1.0.1e version stamped libraries etc. So i wouldn't do that way

    yeah testssl dev 2.7 needs to be source installed
     
  8. Jun 28, 2016 #8
    Jimmy

    Jimmy Well-Known Member

    1,788
    390
    83
    Oct 24, 2015
    East Coast USA
    Ratings:
    +990
    Local Time:
    11:39 PM
    Do you have any suggestions about what I should use for the config? Or should I just leave it alone and run with the stock centos 7 openssl for my server? What are your recommendations?
     
  9. Jun 28, 2016 #9
    eva2000

    eva2000 Administrator Staff Member

    55,445
    12,257
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,841
    Local Time:
    1:39 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
Previous Thread Next Thread
Loading...

.