
SSL Testssl results?

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Jimmy, Jun 27, 2016.

  1. Jimmy

    I just did a clean install of centmin mod 09beta with php 7.0.8 Nginx 1.11.1 and got this result via testssl.

    Code:
    [root@localhost centminmod]# testssl https://sslspdy.com
    
    No engine or GOST support via engine with your /usr/bin/openssl
    
    ###########################################################
        testssl       2.6 from https://testssl.sh/
        (c7c259b 2016-06-26 15:44:23 -- 1.379B)
    
          This program is free software. Distribution and
                 modification under GPLv2 permitted.
          USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
    
           Please file bugs @ https://testssl.sh/bugs/
    
    ###########################################################
    
    Using "OpenSSL 1.0.1e-fips 11 Feb 2013" [~121 ciphers] on
    localhost.localdomain:/usr/bin/openssl
    (built: "May  9 08:07:32 2016", platform: "linux-x86_64")
    
    
    Testing now (2016-06-26 17:33) ---> 192.184.89.66:443 (sslspdy.com) <---
    
    further IP addresses:   2604:180:1::fd2c:e402
    rDNS (192.184.89.66):   sslspdy.com.
    Service detected:       HTTP
    
    
    --> Testing protocols (via sockets except TLS 1.2 and SPDY/NPN)
    
    SSLv2      not offered (OK)
    SSLv3      not offered (OK)
    TLS 1      offered
    TLS 1.1    offered
    TLS 1.2    offered (OK)
    SPDY/NPN   h2, spdy/3.1, http/1.1 (advertised)
    
    --> Testing ~standard cipher lists
    
    Null Ciphers                 not offered (OK)
    Anonymous NULL Ciphers       not offered (OK)
    Anonymous DH Ciphers         not offered (OK)
    40 Bit encryption            not offered (OK)
    56 Bit encryption            Local problem: No 56 Bit encryption configured in /usr/bin/openssl
    Export Ciphers (general)     not offered (OK)
    Low (<=64 Bit)               not offered (OK)
    DES Ciphers                  not offered (OK)
    Medium grade encryption      not offered (OK)
    Triple DES Ciphers           not offered (OK)
    High grade encryption        offered (OK)
    
    --> Testing (perfect) forward secrecy, (P)FS -- omitting 3DES, RC4 and Null Encryption here
    
    PFS is offered (OK)  ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA
    
    --> Testing server preferences
    
    Has server cipher order?     nope (NOT ok)
    Negotiated protocol          TLSv1.2
    Negotiated cipher            ECDHE-ECDSA-AES256-GCM-SHA384,  (limited sense as client will pick)
    Negotiated cipher per proto  (limited sense as client will pick)
         ECDHE-ECDSA-AES128-SHA:        TLSv1, TLSv1.1
         ECDHE-ECDSA-AES256-GCM-SHA384: TLSv1.2, spdy/3.1
    No further cipher order check has been done as order is determined by the client
    
    --> Testing server defaults (Server Hello)
    
    TLS server extensions        renegotiation info, EC point formats, session ticket, status request
    Session Tickets RFC 5077     600 seconds
    Server key size              EC 256 bit
    Signature Algorithm          ECDSA with SHA256
    Fingerprint / Serial         SHA1 155AA462E9EBFC2C608D18AB83DD32C17245C89A / 6F2CECA22E73F3FFA5266435705B5390
                                  SHA256 91A3930E8F38C7B1EBBC265953B8773E888544BD7C45F5A6927AF50D80D31C11
    Common Name (CN)             *.sslspdy.com (wildcard certificate match) (CN in response to request w/o SNI: *.sslspdy.com)
    subjectAltName (SAN)         *.sslspdy.com sslspdy.com
    Issuer                       COMODO ECC Domain Validation Secure Server CA (COMODO CA Limited from GB)
    EV cert (experimental)       no
    Certificate Expiration       >= 60 days (2014-10-24 00:00 --> 2016-10-23 23:59 +0000)
    # of certificates provided   3
    Certificate Revocation List  http://crl.comodoca.com/COMODOECCDomainValidationSecureServerCA.crl
    OCSP URI                     http://ocsp.comodoca.com
    OCSP stapling                offered
    TLS timestamp                random values, no fingerprinting possible
    
    
    --> Testing HTTP header response @ "/"
    
    HTTP Status Code             200 OK
    HTTP clock skew              -1464583849 sec from localtime
    Strict Transport Security    365 days=31536000 s, includeSubDomains
    Public Key Pinning           # of keys: 2, 604800 s = 7 days (<30 days is not good enough), includeSubDomains
                                  matching host key: QYBZo54E74EGPmprgubrqe39L01K0kkNQBfJ6hRFUyE
    Server banner                nginx centminmod
    Application banner           X-Powered-By: centminmod
    Cookie(s)                    (none issued at "/")
    Security headers             --
    Reverse Proxy banner         --
    
    
    --> Testing vulnerabilities
    
    Heartbleed (CVE-2014-0160)                not vulnerable (OK)
    CCS (CVE-2014-0224)                       not vulnerable (OK)
    Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
    Secure Client-Initiated Renegotiation     not vulnerable (OK)
    CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
    BREACH (CVE-2013-3587)                    NOT ok: uses gzip HTTP compression (only "/" tested)
    POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
    TLS_FALLBACK_SCSV (RFC 7507), experim.    Downgrade attack prevention supported (OK)
    FREAK (CVE-2015-0204)                     not vulnerable (OK) (tested with 4/9 ciphers)
    LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK) (tested w/ 2/4 ciphers only!), common primes not checked.
    BEAST (CVE-2011-3389)                     no CBC ciphers for TLS1 (OK)
    RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)
    
    
    --> Testing all locally available 121 ciphers against the server, ordered by encryption strength
        (Your /usr/bin/openssl cannot show DH/ECDH bits)
    
    Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption Bits        Cipher Suite Name (RFC)
    -----------------------------------------------------------------------------------------------------------------------
    xc02c   ECDHE-ECDSA-AES256-GCM-SHA384  ECDH       AESGCM     256         TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384    
    xc024   ECDHE-ECDSA-AES256-SHA384      ECDH       AES        256         TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384    
    xc02b   ECDHE-ECDSA-AES128-GCM-SHA256  ECDH       AESGCM     128         TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256    
    xc023   ECDHE-ECDSA-AES128-SHA256      ECDH       AES        128         TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256    
    xc009   ECDHE-ECDSA-AES128-SHA         ECDH       AES        128         TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA      
    
    
    Done now (2016-06-26 17:34) ---> 192.184.89.66:443 (sslspdy.com) <---
    
     
  2. eva2000

    looks about right as you're using system OpenSSL 1.0.1e for testssl I think, which only supports NPN protocol and not ALPN in OpenSSL 1.0.2+

    centos 6/7 only has openssl 1.0.1e system package

    you can test with ssllabs too SSL Server Test: sslspdy.com (Powered by Qualys SSL Labs)

    with OpenSSL 1.0.2i system testssl via my ubuntu nghttp2 docker image
    Code (Text):
    testssl https://sslspdy.com
    
    ###########################################################
        testssl       2.7dev from https://testssl.sh/dev/
        (1.507 2016/06/24 17:00:58)
    
          This program is free software. Distribution and
                 modification under GPLv2 permitted.
          USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
    
           Please file bugs @ https://testssl.sh/bugs/
    
    ###########################################################
    
    Using "OpenSSL 1.0.2-chacha (1.0.2i-dev)" [~183 ciphers]
    on efba3ce3f543:/usr/local/http2-15/bin/openssl
    (built: "reproducible build, date unspecified", platform: "linux-x86_64")
    
    
    Start 2016-06-26 19:09:23    -->> 192.184.89.66:443 (sslspdy.com) <<--
    
    further IP addresses:   2604:180:1::fd2c:e402
    rDNS (192.184.89.66):   sslspdy.com.
    Service detected:       HTTP
    
    
    Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2)
    
    SSLv2      not offered (OK)
    SSLv3      not offered (OK)
    TLS 1      offered
    TLS 1.1    offered
    TLS 1.2    offered (OK)
    SPDY/NPN   h2, spdy/3.1, http/1.1 (advertised)
    HTTP2/ALPN h2, spdy/3.1, http/1.1 (offered)
    
    Testing ~standard cipher lists
    
    Null Ciphers                 not offered (OK)
    Anonymous NULL Ciphers       not offered (OK)
    Anonymous DH Ciphers         not offered (OK)
    40 Bit encryption            not offered (OK)
    56 Bit encryption            not offered (OK)
    Export Ciphers (general)     not offered (OK)
    Low (<=64 Bit)               not offered (OK)
    DES Ciphers                  not offered (OK)
    Medium grade encryption      not offered (OK)
    Triple DES Ciphers           not offered (OK)
    High grade encryption        offered (OK)
    
    
    Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption as well as 3DES and RC4 here
    
    PFS is offered (OK)  ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA
    
    
    Testing server preferences
    
    Has server cipher order?     yes (OK)
    Negotiated protocol          TLSv1.2
    Negotiated cipher            ECDHE-ECDSA-CHACHA20-POLY1305-OLD, 256 bit ECDH
    Cipher order
        TLSv1:     ECDHE-ECDSA-AES128-SHA
        TLSv1.1:   ECDHE-ECDSA-AES128-SHA
        TLSv1.2:   ECDHE-ECDSA-CHACHA20-POLY1305-OLD ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-SHA
        h2:        ECDHE-ECDSA-CHACHA20-POLY1305-OLD
        spdy/3.1:  ECDHE-ECDSA-CHACHA20-POLY1305-OLD
        http/1.1:  ECDHE-ECDSA-CHACHA20-POLY1305-OLD
    
    
    Testing server defaults (Server Hello)
    
    TLS extensions (standard)    "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35" "status request/#5" "next protocol/#13172"
    Session Tickets RFC 5077     600 seconds (PFS requires session ticket keys to be rotated <= daily)
    SSL Session ID support       yes
    TLS clock skew               random values, no fingerprinting possible
    Signature Algorithm          ECDSA with SHA256
    Server key size              ECDSA 256 bits
    Fingerprint / Serial         SHA1 155AA462E9EBFC2C608D18AB83DD32C17245C89A / 6F2CECA22E73F3FFA5266435705B5390
                                  SHA256 91A3930E8F38C7B1EBBC265953B8773E888544BD7C45F5A6927AF50D80D31C11
    Common Name (CN)             "*.sslspdy.com" (wildcard certificate match) (works w/o SNI)
    subjectAltName (SAN)         "*.sslspdy.com" "sslspdy.com"
    Issuer                       "COMODO ECC Domain Validation Secure Server CA" ("COMODO CA Limited" from "GB")
    EV cert (experimental)       no
    Certificate Expiration       119 >= 60 days (2014-10-24 00:00 --> 2016-10-23 23:59 +0000)
    # of certificates provided   3
    Chain of trust (experim.)    "/usr/bin/etc/*.pem" cannot be found / not readable
    Certificate Revocation List  http://crl.comodoca.com/COMODOECCDomainValidationSecureServerCA.crl
    OCSP URI                     http://ocsp.comodoca.com
    OCSP stapling                offered
    
    
    Testing HTTP header response @ "/"
    
    HTTP Status Code             200 OK
    HTTP clock skew              -1464583848 sec from localtime
    Strict Transport Security    365 days=31536000 s, includeSubDomains
    Public Key Pinning           # of keys: 2, 604800 s = 7 days (<30 days is not good enough), includeSubDomains
                                  matching host key: QYBZo54E74EGPmprgubrqe39L01K0kkNQBfJ6hRFUyE
    Server banner                nginx centminmod
    Application banner           X-Powered-By: centminmod
    Cookie(s)                    (none issued at "/")
    Security headers             --
    Reverse Proxy banner         --
    
    
    Testing vulnerabilities
    
    Heartbleed (CVE-2014-0160)                not vulnerable (OK) (no heartbeat extension)
    CCS (CVE-2014-0224)                       not vulnerable (OK)
    Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
    Secure Client-Initiated Renegotiation     not vulnerable (OK)
    CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
    BREACH (CVE-2013-3587)                    potentially NOT ok, uses gzip HTTP compression. - only supplied "/" tested
                                               Can be ignored for static pages or if no secrets in the page
    POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
    TLS_FALLBACK_SCSV (RFC 7507), experim.    Downgrade attack prevention supported (OK)
    FREAK (CVE-2015-0204)                     not vulnerable (OK)
    DROWN (2016-0800, CVE-2016-0703), exper.  not vulnerable on this port (OK)
                                               make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                               https://censys.io/ipv4?q=91A3930E8F38C7B1EBBC265953B8773E888544BD7C45F5A6927AF50D80D31C11 could help you to find out
    LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK), common primes not checked. See below for any DH ciphers + bit size
    BEAST (CVE-2011-3389)                     TLS1: ECDHE-ECDSA-AES128-SHA
                                               VULNERABLE -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2
    RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)
    
    
    Testing all 183 locally available ciphers against the server, ordered by encryption strength
    
    Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.  Encryption Bits
    ------------------------------------------------------------------------
    xcc14   ECDHE-ECDSA-CHACHA20-POLY1305-OLD ECDH 256   ChaCha20  256     
    xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 256   AESGCM    256     
    xc024   ECDHE-ECDSA-AES256-SHA384         ECDH 256   AES       256     
    xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH 256   AESGCM    128     
    xc023   ECDHE-ECDSA-AES128-SHA256         ECDH 256   AES       128     
    xc009   ECDHE-ECDSA-AES128-SHA            ECDH 256   AES       128     
    
    
    Running browser simulations (experimental)
    
    Android 2.3.7                 No connection
    Android 4.0.4                 TLSv1.0 ECDHE-ECDSA-AES128-SHA
    Android 4.1.1                 TLSv1.0 ECDHE-ECDSA-AES128-SHA
    Android 4.2.2                 TLSv1.0 ECDHE-ECDSA-AES128-SHA
    Android 4.3                   TLSv1.0 ECDHE-ECDSA-AES128-SHA
    Android 4.4.2                 TLSv1.1 ECDHE-ECDSA-AES128-SHA
    Android 5.0.0                 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
    Baidu Jan 2015                TLSv1.0 ECDHE-ECDSA-AES128-SHA
    BingPreview Jan 2015          TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    Chrome 47 / OSX               TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
    Firefox 31.3.0ESR / Win7      TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
    Firefox 42 / OSX              TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
    GoogleBot Feb 2015            TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
    IE6 / XP                      No connection
    IE7 / Vista                   TLSv1.0 ECDHE-ECDSA-AES128-SHA
    IE8 / XP                      No connection
    IE8-10 / Win7                 TLSv1.0 ECDHE-ECDSA-AES128-SHA
    IE11 / Win7                   TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    IE11 / Win8.1                 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    IE10 / Win Phone 8.0          TLSv1.0 ECDHE-ECDSA-AES128-SHA
    IE11 / Win Phone 8.1          TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    IE11 / Win Phone 8.1 Update   TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    IE11 / Win10                  TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    Edge 13 / Win10               TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    Edge 12 / Win Phone 10        TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    Java 6u45                     No connection
    Java 7u25                     TLSv1.0 ECDHE-ECDSA-AES128-SHA
    Java 8u31                     TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
    OpenSSL 0.9.8y                No connection
    OpenSSL 1.0.1l                TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    OpenSSL 1.0.2e                TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    Safari 5.1.9/ OSX 10.6.8      TLSv1.0 ECDHE-ECDSA-AES128-SHA
    Safari 6 / iOS 6.0.1          TLSv1.2 ECDHE-ECDSA-AES128-SHA256
    Safari 6.0.4/ OS X 10.8.4     TLSv1.0 ECDHE-ECDSA-AES128-SHA
    Safari 7 / iOS 7.1            TLSv1.2 ECDHE-ECDSA-AES128-SHA256
    Safari 7 / OS X 10.9          TLSv1.2 ECDHE-ECDSA-AES128-SHA256
    Safari 8 / iOS 8.4            TLSv1.2 ECDHE-ECDSA-AES128-SHA256
    Safari 8 / OS X 10.10         TLSv1.2 ECDHE-ECDSA-AES128-SHA256
    Safari 9 / iOS 9              TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
    Safari 9 / OS X 10.11         TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
     
    Last edited: Jun 27, 2016
  3. Jimmy

    I guess I should update openssl on my system. I wish CentOS would update their stock version of Openssl.
     
  4. Jimmy

    I did an upgrade to 1.0.2h on the system and I was getting some "Local Problems" - do the local problems mean that there were issues with the install or that since the items are missing, that it passes the test because they're not there to begin with? I couldn't find anything while searching online for "Local Problems".

    Code:
    ###########################################################
        testssl       2.6 from https://testssl.sh/
        (1.379B 2015/09/25 12:35:41)
    
          This program is free software. Distribution and
                 modification under GPLv2 permitted.
          USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
    
           Please file bugs @ https://testssl.sh/bugs/
    
    ###########################################################
    
    Using "OpenSSL 1.0.2h  3 May 2016" [~125 ciphers] on
    localhost.localdomain:/usr/bin/openssl
    (built: "reproducible build, date unspecified", platform: "linux-x86_64")
    
    
    Testing now (2016-06-27 05:24) ---> 192.184.89.66:443 (sslspdy.com) <---
    
    further IP addresses:   2604:180:1::fd2c:e402
    rDNS (192.184.89.66):   sslspdy.com.
    Service detected:       HTTP
    
    
    --> Testing protocols (via sockets except TLS 1.2 and SPDY/NPN)
    
    SSLv2      not offered (OK)
    SSLv3      not offered (OK)
    TLS 1      offered
    TLS 1.1    offered
    TLS 1.2    offered (OK)
    SPDY/NPN   h2, spdy/3.1, http/1.1 (advertised)
    
    --> Testing ~standard cipher lists
    
    Null Ciphers                 not offered (OK)
    Anonymous NULL Ciphers       not offered (OK)
    Anonymous DH Ciphers         not offered (OK)
    40 Bit encryption            Local problem: No 40 Bit encryption configured in /usr/bin/openssl
    56 Bit encryption            Local problem: No 56 Bit encryption configured in /usr/bin/openssl
    Export Ciphers (general)     Local problem: No Export Ciphers (general) configured in /usr/bin/openssl
    Low (<=64 Bit)               Local problem: No Low (<=64 Bit) configured in /usr/bin/openssl
    DES Ciphers                  Local problem: No DES Ciphers configured in /usr/bin/openssl
    Medium grade encryption      not offered (OK)
    Triple DES Ciphers           not offered (OK)
    High grade encryption        offered (OK)
    
    --> Testing (perfect) forward secrecy, (P)FS -- omitting 3DES, RC4 and Null Encryption here
    
    PFS is offered (OK)  ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA
    
    --> Testing server preferences
    
    Has server cipher order?     nope (NOT ok)
    Negotiated protocol          TLSv1.2
    Negotiated cipher            ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit ECDH (limited sense as client will pick)
    Negotiated cipher per proto  (limited sense as client will pick)
    Local problem: /usr/bin/openssl doesn't support "s_client -ssl2"
         ECDHE-ECDSA-AES128-SHA:        TLSv1, TLSv1.1
         ECDHE-ECDSA-AES256-GCM-SHA384: TLSv1.2, spdy/3.1
    No further cipher order check has been done as order is determined by the client
    
    --> Testing server defaults (Server Hello)
    
    TLS server extensions        renegotiation info, EC point formats, session ticket, status request
    Session Tickets RFC 5077     600 seconds
    Server key size              EC 256 bit
    Signature Algorithm          ECDSA with SHA256
    Fingerprint / Serial         SHA1 155AA462E9EBFC2C608D18AB83DD32C17245C89A / 6F2CECA22E73F3FFA5266435705B5390
                                  SHA256 91A3930E8F38C7B1EBBC265953B8773E888544BD7C45F5A6927AF50D80D31C11
    Common Name (CN)             *.sslspdy.com (wildcard certificate match) (CN in response to request w/o SNI: *.sslspdy.com)
    subjectAltName (SAN)         *.sslspdy.com sslspdy.com
    Issuer                       COMODO ECC Domain Validation Secure Server CA (COMODO CA Limited from GB)
    EV cert (experimental)       no
    Certificate Expiration       >= 60 days (2014-10-24 00:00 --> 2016-10-23 23:59 +0000)
    # of certificates provided   3
    Certificate Revocation List  http://crl.comodoca.com/COMODOECCDomainValidationSecureServerCA.crl
    OCSP URI                     http://ocsp.comodoca.com
    OCSP stapling                offered
    TLS timestamp                random values, no fingerprinting possible
    
    
    --> Testing HTTP header response @ "/"
    
    HTTP Status Code             200 OK
    HTTP clock skew              -1464583848 sec from localtime
    Strict Transport Security    365 days=31536000 s, includeSubDomains
    Public Key Pinning           # of keys: 2, 604800 s = 7 days (<30 days is not good enough), includeSubDomains
                                  matching host key: QYBZo54E74EGPmprgubrqe39L01K0kkNQBfJ6hRFUyE
    Server banner                nginx centminmod
    Application banner           X-Powered-By: centminmod
    Cookie(s)                    (none issued at "/")
    Security headers             --
    Reverse Proxy banner         --
    
    
    --> Testing vulnerabilities
    
    Heartbleed (CVE-2014-0160)                not vulnerable (OK)
    CCS (CVE-2014-0224)                       not vulnerable (OK)
    Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
    Secure Client-Initiated Renegotiation     not vulnerable (OK)
    CRIME, TLS (CVE-2012-4929)                Local problem: /usr/bin/openssl lacks zlib support
    BREACH (CVE-2013-3587)                    NOT ok: uses gzip HTTP compression (only "/" tested)
    POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
    TLS_FALLBACK_SCSV (RFC 7507), experim.    Downgrade attack prevention supported (OK)
    FREAK (CVE-2015-0204)                     Local problem: /usr/bin/openssl doesn't have any EXPORT RSA ciphers configured
    LOGJAM (CVE-2015-4000), experimental      Local problem: /usr/bin/openssl doesn't have any DHE EXPORT ciphers configured
    BEAST (CVE-2011-3389)                     no CBC ciphers for TLS1 (OK)
    RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)
    
    
    --> Testing all locally available 125 ciphers against the server, ordered by encryption strength
    
    Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption Bits        Cipher Suite Name (RFC)
    -----------------------------------------------------------------------------------------------------------------------
    xc02c   ECDHE-ECDSA-AES256-GCM-SHA384  ECDH 256   AESGCM     256         TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    xc024   ECDHE-ECDSA-AES256-SHA384      ECDH 256   AES        256         TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    xc02b   ECDHE-ECDSA-AES128-GCM-SHA256  ECDH 256   AESGCM     128         TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    xc023   ECDHE-ECDSA-AES128-SHA256      ECDH 256   AES        128         TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    xc009   ECDHE-ECDSA-AES128-SHA         ECDH 256   AES        128         TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    
    
    Done now (2016-06-27 05:25) ---> 192.184.89.66:443 (sslspdy.com) <---
    
    Also, I was curious that the below was ok in your output but "nope" in both my stock install and the upgraded 1.0.2h tests? How did you get that to be ok on your end?

    Code:
    Has server cipher order?    nope (NOT ok)
     
    Last edited: Jun 27, 2016
  5. eva2000

    You're using 2.6, need to use 2.7 dev version: GitHub - drwetter/testssl.sh: Testing TLS/SSL encryption
    or your updated openssl 1.0.2h version isn't compiled with right options? or those options were removed from your openssl 1.0.2h build? what system you running testssl from? ubuntu 16?
     
    Last edited: Jun 27, 2016
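
Added example (not part of the thread and not code from testssl): a small Python triage script for testssl 2.6 text output like the runs posted above. It counts a `Local problem:` result as a check the local `/usr/bin/openssl` could not perform rather than as a pass, and lists the checks that passed in the 1.0.1e run but were not performed in the 1.0.2h run. The function names and status labels are this example's own.

```python
import re
from collections import Counter

# Lines excerpted from the two testssl 2.6 runs posted in this thread.
RUN_OPENSSL_101E = """
40 Bit encryption            not offered (OK)
56 Bit encryption            Local problem: No 56 Bit encryption configured in /usr/bin/openssl
Export Ciphers (general)     not offered (OK)
DES Ciphers                  not offered (OK)
Has server cipher order?     nope (NOT ok)
CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
BREACH (CVE-2013-3587)                    NOT ok: uses gzip HTTP compression (only "/" tested)
FREAK (CVE-2015-0204)                     not vulnerable (OK) (tested with 4/9 ciphers)
"""

RUN_OPENSSL_102H = """
40 Bit encryption            Local problem: No 40 Bit encryption configured in /usr/bin/openssl
56 Bit encryption            Local problem: No 56 Bit encryption configured in /usr/bin/openssl
Export Ciphers (general)     Local problem: No Export Ciphers (general) configured in /usr/bin/openssl
DES Ciphers                  Local problem: No DES Ciphers configured in /usr/bin/openssl
Has server cipher order?     nope (NOT ok)
CRIME, TLS (CVE-2012-4929)                Local problem: /usr/bin/openssl lacks zlib support
BREACH (CVE-2013-3587)                    NOT ok: uses gzip HTTP compression (only "/" tested)
FREAK (CVE-2015-0204)                     Local problem: /usr/bin/openssl doesn't have any EXPORT RSA ciphers configured
"""


def classify(result):
    """Map one testssl result string to a status label (labels are this example's own)."""
    # Checked first: the scanner's own openssl could not run the test at all.
    if result.startswith("Local problem"):
        return "NOT_TESTED"
    # Case-sensitive on purpose: "not vulnerable (OK)" must not match "VULNERABLE".
    if "NOT ok" in result or "VULNERABLE" in result:
        return "FAIL"
    if "(OK)" in result:
        return "PASS"
    return "INFO"


def parse_report(text):
    """Return {check label: (status, raw result)} for every 'label   result' line."""
    findings = {}
    for line in text.splitlines():
        # Label and result are separated by a run of two or more spaces.
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) != 2:
            continue  # blank lines, banners and section headers
        label, result = parts
        findings[label] = (classify(result), result)
    return findings


def lost_coverage(before, after):
    """Checks that passed in `before` but could not be performed in `after`."""
    return [
        label
        for label, (status, _) in after.items()
        if status == "NOT_TESTED" and before.get(label, ("",))[0] == "PASS"
    ]


def summary(findings):
    """Count findings per status label."""
    return Counter(status for status, _ in findings.values())


if __name__ == "__main__":
    old = parse_report(RUN_OPENSSL_101E)
    new = parse_report(RUN_OPENSSL_102H)
    print("1.0.1e run:", dict(summary(old)))
    print("1.0.2h run:", dict(summary(new)))
    for label in lost_coverage(old, new):
        print("no longer tested:", label, "->", new[label][1])
```
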
  6. Jimmy

    I was testing it out on CentOS 7.2 w/ 09beta. I installed testssl via yum. Didn't specify any specific config options when I built openssl.

    I was following a tut located here: How to Install the latest OpenSSL 1.0.2h Version on CentOS 6/7 | BIP media

    I also read some posts on stackexchange and serverfault where some people were saying not to upgrade openssl on Centos 7.2 that there were going to be issues.

    I was really just testing this to see if I could get a clean output from the testssl. Maybe I should just ditch upgrading and stick with the default 1.0.1.
     
  7. eva2000

    yeah improper upgrade of openssl system package on centos 6/7 will irreversibly break the entire server! that tutorial will probably break things down the track due to other packages' required dependencies for specific openssl 1.0.1e version stamped libraries etc. So I wouldn't do it that way

    yeah testssl dev 2.7 needs to be source installed
     
  8. Jimmy

    Do you have any suggestions about what I should use for the config? Or should I just leave it alone and run with the stock centos 7 openssl for my server? What are your recommendations?
     
  9. eva2000
