testssl.sh


No engine or GOST support via engine with your /usr/bin/openssl

Fatal error: non-empty \"/virtual/sslcheck/public_html/sslcheck.tksk.org/out//nba.smbcnikko.co.jp_p443-20191120-1044.html\" exists. Either use \"--append\" or (re)move it

########################################################### testssl.sh 3.0rc5 from https://testssl.sh/dev/ This program is free software. Distribution and modification under GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! Please file bugs @ https://testssl.sh/bugs/ ########################################################### Using "OpenSSL 1.0.2k-fips 26 Jan 2017" [~118 ciphers] on s1008:/usr/bin/openssl (built: "reproducible build, date unspecified", platform: "linux-x86_64") Start 2019-11-20 10:44:53 --\>\> 202.33.167.60:443 (nba.smbcnikko.co.jp) \<\<-- rDNS (202.33.167.60): 60.32.167.33.202.in-addr.arpa. Service detected: HTTP Testing protocols via sockets except NPN+ALPN SSLv2 not offered (OK) SSLv3 not offered (OK) TLS 1 offered TLS 1.1 not offered TLS 1.2 not offered TLS 1.3 not offered NPN/SPDY not offered ALPN/HTTP2 not offered Testing cipher categories NULL ciphers (no encryption) not offered (OK) Anonymous NULL Ciphers (no authentication) not offered (OK) Export ciphers (w/o ADH+NULL) not offered (OK) LOW: 64 Bit + DES, RC[2,4] (w/o export) not offered (OK) Triple DES Ciphers / IDEA not offered (OK) Average: SEED + 128+256 Bit CBC ciphers offered Strong encryption (AEAD ciphers) not offered Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4 PFS is offered (OK) DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-AES128-SHA DHE-RSA-SEED-SHA DHE-RSA-CAMELLIA128-SHA DH group offered: mod_ssl 2.2.x/1024-bit MODP group with safe prime modulus (1024 bits) Testing server preferences Has server cipher order? yes (OK) Negotiated protocol TLSv1 Negotiated cipher DHE-RSA-AES256-SHA, 1024 bit DH Cipher order TLSv1: DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA AES256-SHA CAMELLIA256-SHA DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA AES128-SHA CAMELLIA128-SHA DHE-RSA-SEED-SHA SEED-SHA Testing server defaults (Server Hello) TLS extensions (standard) "server name/#0" "renegotiation info/#65281" "session ticket/#35" Session Ticket RFC 5077 hint no -- no lifetime advertised SSL Session ID support yes Session Resumption Tickets no, ID: no TLS clock skew -1 sec from localtime Signature Algorithm SHA256 with RSA Server key size RSA 2048 bits Server key usage Digital Signature, Key Encipherment Server extended key usage TLS Web Server Authentication, TLS Web Client Authentication Serial / Fingerprints 7A87E30971B59581CFB29E70B4E90BC9D9A91602 / SHA1 E9EA1E676A16E5F39199BF5FE61F1F343E709405 SHA256 4FBE08AA0A38425C058076C7C0379334A2CB2159AF0025DC0305081BBAA4EEA1 Common Name (CN) nba.smbcnikko.co.jp subjectAltName (SAN) nba.smbcnikko.co.jp Issuer Cybertrust Japan EV CA G2 (Cybertrust Japan Co., Ltd. from JP) Trust (hostname) Ok via SAN and CN (same w/o SNI) Chain of trust Ok EV cert (experimental) yes ETS/\"eTLS\", visibility info not present Certificate Validity (UTC) 315 \>= 60 days (2019-01-15 18:25 --> 2020-09-30 23:59) # of certificates provided 3 Certificate Revocation List http://sureseries-crl.cybertrust.ne.jp/SureServer/2021_ev/cdp.crl OCSP URI http://sureseries-ocsp.cybertrust.ne.jp/OcspServer OCSP stapling not offered OCSP must staple extension -- DNS CAA RR (experimental) not offered Certificate Transparency yes (certificate extension) Testing HTTP header response @ \"/\" HTTP Status Code 200 OK HTTP clock skew 0 sec from localtime Strict Transport Security not offered Public Key Pinning -- Server banner (no "Server" line in header, interesting!) Application banner -- Cookie(s) 1 issued: 1/1 secure, NOT HttpOnly Security headers -- Reverse Proxy banner -- Testing vulnerabilities Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension CCS (CVE-2014-0224) not vulnerable (OK) Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK), session IDs were returned but potential memory fragments do not differ ROBOT not vulnerable (OK) Secure Renegotiation (RFC 5746) supported (OK) Secure Client-Initiated Renegotiation not vulnerable (OK) CRIME, TLS (CVE-2012-4929) not vulnerable (OK) BREACH (CVE-2013-3587) no HTTP compression (OK) - only supplied "/" tested POODLE, SSL (CVE-2014-3566) not vulnerable (OK) TLS_FALLBACK_SCSV (RFC 7507) No fallback possible, no protocol below TLS 1 offered (OK) SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK) FREAK (CVE-2015-0204) not vulnerable (OK) DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK) make sure you don't use this certificate elsewhere with SSLv2 enabled services https://censys.io/ipv4?q=4FBE08AA0A38425C058076C7C0379334A2CB2159AF0025DC0305081BBAA4EEA1 could help you to find out LOGJAM (CVE-2015-4000), experimental VULNERABLE (NOT ok): common prime: mod_ssl 2.2.x/1024-bit MODP group with safe prime modulus (1024 bits), but no DH EXPORT ciphers BEAST (CVE-2011-3389) TLS1: DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA AES256-SHA CAMELLIA256-SHA DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA AES128-SHA CAMELLIA128-SHA DHE-RSA-SEED-SHA SEED-SHA VULNERABLE -- and no higher protocols as mitigation supported LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK) Testing 370 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC) ----------------------------------------------------------------------------------------------------------------------------- x39 DHE-RSA-AES256-SHA DH 1024 AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA x88 DHE-RSA-CAMELLIA256-SHA DH 1024 Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA x84 CAMELLIA256-SHA RSA Camellia 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA x33 DHE-RSA-AES128-SHA DH 1024 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA x9a DHE-RSA-SEED-SHA DH 1024 SEED 128 TLS_DHE_RSA_WITH_SEED_CBC_SHA x45 DHE-RSA-CAMELLIA128-SHA DH 1024 Camellia 128 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA x96 SEED-SHA RSA SEED 128 TLS_RSA_WITH_SEED_CBC_SHA x41 CAMELLIA128-SHA RSA Camellia 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA Running client simulations (HTTP) via sockets Android 4.2.2 TLSv1.0 DHE-RSA-AES256-SHA, 1024 bit DH Android 4.4.2 TLSv1.0 DHE-RSA-AES256-SHA, 1024 bit DH Android 5.0.0 TLSv1.0 DHE-RSA-AES256-SHA, 1024 bit DH Android 6.0 TLSv1.0 DHE-RSA-AES256-SHA, 1024 bit DH Android 7.0 TLSv1.0 AES256-SHA, No FS Android 8.1 (native) TLSv1.0 AES256-SHA, No FS Android 9.0 (native) TLSv1.0 AES256-SHA, No FS Chrome 65 Win 7 TLSv1.0 AES256-SHA, No FS Chrome 74 (Win 10) TLSv1.0 AES256-SHA, No FS Firefox 62 Win 7 TLSv1.0 AES256-SHA, No FS Firefox 66 (Win 8.1/10) TLSv1.0 DHE-RSA-AES256-SHA, 1024 bit DH IE 6 XP No connection IE 7 Vista TLSv1.0 AES256-SHA, No FS IE 8 Win 7 TLSv1.0 AES256-SHA, No FS IE 8 XP No connection IE 11 Win 7 TLSv1.0 AES256-SHA, No FS IE 11 Win 8.1 TLSv1.0 DHE-RSA-AES256-SHA, 1024 bit DH IE 11 Win Phone 8.1 TLSv1.0 AES256-SHA, No FS IE 11 Win 10 TLSv1.0 DHE-RSA-AES256-SHA, 1024 bit DH Edge 15 Win 10 TLSv1.0 AES256-SHA, No FS Edge 17 (Win 10) TLSv1.0 AES256-SHA, No FS Opera 60 (Win 10) TLSv1.0 AES256-SHA, No FS Safari 9 iOS 9 TLSv1.0 AES256-SHA, No FS Safari 9 OS X 10.11 TLSv1.0 AES256-SHA, No FS Safari 10 OS X 10.12 TLSv1.0 AES256-SHA, No FS Apple ATS 9 iOS 9 No connection Tor 17.0.9 Win 7 TLSv1.0 DHE-RSA-AES256-SHA, 1024 bit DH Java 6u45 TLSv1.0 DHE-RSA-AES128-SHA, 1024 bit DH Java 7u25 TLSv1.0 DHE-RSA-AES128-SHA, 1024 bit DH Java 8u161 TLSv1.0 DHE-RSA-AES256-SHA, 1024 bit DH Java 9.0.4 TLSv1.0 DHE-RSA-AES256-SHA, 1024 bit DH OpenSSL 1.0.1l TLSv1.0 DHE-RSA-AES256-SHA, 1024 bit DH OpenSSL 1.0.2e TLSv1.0 DHE-RSA-AES256-SHA, 1024 bit DH OpenSSL 1.1.0j (Debian) TLSv1.0 DHE-RSA-AES256-SHA, 1024 bit DH OpenSSL 1.1.1b (Debian) No connection Thunderbird (60.6) TLSv1.0 AES256-SHA, No FS Done 2019-11-20 10:46:26 [ 95s] --\>\> 202.33.167.60:443 (nba.smbcnikko.co.jp) \<\<--