########################################################### testssl.sh 3.0rc5 from https://testssl.sh/dev/ This program is free software. Distribution and modification under GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! Please file bugs @ https://testssl.sh/bugs/ ########################################################### Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers] on s1008:/virtual/sslcheck/testssl/testssl.sh-3.0rc5/bin/openssl.Linux.x86_64 (built: "Jan 18 17:12:17 2019", platform: "linux-x86_64") Start 2019-09-14 02:48:01 --\>\> 210.197.64.173:443 (direct.tos.hirogin.co.jp) \<\<-- rDNS (210.197.64.173): 210197064173.cidr.odn.ne.jp. Service detected: HTTP Testing protocols via sockets except NPN+ALPN SSLv2 not offered (OK) SSLv3 offered (NOT ok) TLS 1 offered TLS 1.1 offered TLS 1.2 offered (OK) TLS 1.3 not offered NPN/SPDY not offered ALPN/HTTP2 not offered Testing cipher categories NULL ciphers (no encryption) not offered (OK) Anonymous NULL Ciphers (no authentication) not offered (OK) Export ciphers (w/o ADH+NULL) not offered (OK) LOW: 64 Bit + DES, RC[2,4] (w/o export) offered (NOT ok) Triple DES Ciphers / IDEA offered (NOT ok) Average: SEED + 128+256 Bit CBC ciphers offered Strong encryption (AEAD ciphers) offered (OK) Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4 No ciphers supporting Forward Secrecy offered Testing server preferences Has server cipher order? yes (OK) Negotiated protocol TLSv1.2 Negotiated cipher AES128-GCM-SHA256 Cipher order SSLv3: AES128-SHA AES256-SHA RC4-SHA RC4-MD5 DES-CBC3-SHA TLSv1: AES128-SHA AES256-SHA RC4-SHA RC4-MD5 DES-CBC3-SHA TLSv1.1: AES128-SHA AES256-SHA RC4-SHA RC4-MD5 DES-CBC3-SHA TLSv1.2: AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA DES-CBC3-SHA Testing server defaults (Server Hello) TLS extensions (standard) "renegotiation info/#65281" "max fragment length/#1" Session Ticket RFC 5077 hint no -- no lifetime advertised SSL Session ID support yes Session Resumption Tickets no, ID: yes TLS clock skew Random values, no fingerprinting possible Signature Algorithm SHA256 with RSA Server key size RSA 2048 bits Server key usage Digital Signature, Key Encipherment Server extended key usage TLS Web Server Authentication, TLS Web Client Authentication Serial / Fingerprints 02F9E092C373C37489AD827BAFD46F99 / SHA1 97A3EC4DD7ADB3967A40F6559DFC12CB0774779D SHA256 D1EECD8D43A926B39CC39E43F03CA5FE1DB2BA3F19AD5D84439940A1CCBAA306 Common Name (CN) direct.tos.hirogin.co.jp subjectAltName (SAN) direct.tos.hirogin.co.jp Issuer DigiCert SHA2 Extended Validation Server CA (DigiCert Inc from US) Trust (hostname) Ok via SAN and CN (same w/o SNI) Chain of trust Ok EV cert (experimental) yes \"eTLS\" (visibility info) not present Certificate Validity (UTC) 161 \>= 60 days (2019-09-11 09:00 --> 2020-02-22 21:00) # of certificates provided 4 Certificate Revocation List http://crl3.digicert.com/sha2-ev-server-g2.crl http://crl4.digicert.com/sha2-ev-server-g2.crl OCSP URI http://ocsp.digicert.com OCSP stapling not offered OCSP must staple extension -- DNS CAA RR (experimental) not offered Certificate Transparency yes (certificate extension) Testing HTTP header response @ \"/\" HTTP Status Code 302 Found, redirecting to "/index.html" HTTP clock skew 0 sec from localtime Strict Transport Security not offered Public Key Pinning -- Server banner (no "Server" line in header, interesting!) Application banner -- Cookie(s) (none issued at "/") -- maybe better try target URL of 30x Security headers -- Reverse Proxy banner -- Testing vulnerabilities Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension CCS (CVE-2014-0224) not vulnerable (OK) Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK), no session ticket extension ROBOT not vulnerable (OK)