No engine or GOST support via engine with your /usr/bin/openssl

###########################################################
 testssl.sh 3.0 from https://testssl.sh/

 This program is free software. Distribution and modification under GPLv2 permitted.
 USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

 Please file bugs @ https://testssl.sh/bugs/
###########################################################

 Using "OpenSSL 1.0.2k-fips 26 Jan 2017" [~118 ciphers]
 on s1008:/usr/bin/openssl
 (built: "reproducible build, date unspecified", platform: "linux-x86_64")

 Start 2020-06-19 17:33:34 -->> 202.33.167.19:443 (ra.smbcnikko.co.jp) <<--

 rDNS (202.33.167.19): 19.0.167.33.202.in-addr.arpa.
 Service detected: HTTP

 Testing protocols via sockets except NPN+ALPN

 SSLv2 not offered (OK)
 SSLv3 not offered (OK)
 TLS 1 offered (deprecated)
 TLS 1.1 offered (deprecated)
 TLS 1.2 offered (OK)
 TLS 1.3 not offered and downgraded to a weaker protocol
 NPN/SPDY not offered
 ALPN/HTTP2 not offered

 Testing cipher categories

 NULL ciphers (no encryption) not offered (OK)
 Anonymous NULL Ciphers (no authentication) not offered (OK)
 Export ciphers (w/o ADH+NULL) not offered (OK)
 LOW: 64 Bit + DES, RC[2,4] (w/o export) offered (NOT ok)
 Triple DES Ciphers / IDEA offered
 Obsolete: SEED + 128+256 Bit CBC cipher offered
 Strong encryption (AEAD ciphers) offered (OK)

 Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4

 PFS is offered (OK) ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-SEED-SHA DHE-RSA-CAMELLIA128-SHA
 Elliptic curves offered: prime256v1
 DH group offered: RFC3526/Oakley Group 14 (2048 bits)

 Testing server preferences

 Has server cipher order? no (NOT ok)
 Negotiated protocol TLSv1.2
 Negotiated cipher ECDHE-RSA-RC4-SHA, 256 bit ECDH (P-256) -- inconclusive test, matching cipher in list missing, better see below
 Negotiated cipher per proto (matching cipher in list missing)
 ECDHE-RSA-AES256-SHA: TLSv1, TLSv1.1
 ECDHE-RSA-AES256-GCM-SHA384: TLSv1.2
 No further cipher order check has been done as order is determined by the client

 Testing server defaults (Server Hello)

 TLS extensions (standard) "server name/#0" "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35" "heartbeat/#15"
 Session Ticket RFC 5077 hint 300 seconds, session tickets keys seems to be rotated < daily
 SSL Session ID support yes
 Session Resumption Tickets: yes, ID: yes
 TLS clock skew -1 sec from localtime
 Signature Algorithm SHA256 with RSA
 Server key size RSA 2048 bits
 Server key usage Digital Signature, Key Encipherment
 Server extended key usage TLS Web Server Authentication, TLS Web Client Authentication
 Serial / Fingerprints 560029911FEA53D4D316968A5C15FFAB503641BE / SHA1 B9E57A3E788076F247ECB052ACD02E858D4D82DA
 SHA256 F9BF5E321BDC83F641ACEF74F048EB0B64F07BBA05F46E1736190D0C8CA9E635
 Common Name (CN) ra.smbcnikko.co.jp
 subjectAltName (SAN) ra.smbcnikko.co.jp
 Issuer Cybertrust Japan EV CA G2 (Cybertrust Japan Co., Ltd. from JP)
 Trust (hostname) Ok via SAN (same w/o SNI)
 Chain of trust Ok
 EV cert (experimental) yes
 ETS/"eTLS", visibility info not present
 Certificate Validity (UTC) 284 >= 60 days (2019-04-11 16:23 --> 2021-03-30 23:59)
 # of certificates provided 3
 Certificate Revocation List http://sureseries-crl.cybertrust.ne.jp/SureServer/2021_ev/cdp.crl
 OCSP URI http://sureseries-ocsp.cybertrust.ne.jp/OcspServer
 OCSP stapling not offered
 OCSP must staple extension --
 DNS CAA RR (experimental) not offered
 Certificate Transparency yes (certificate extension)

 Testing HTTP header response @ "/"

 HTTP Status Code