SSL Report:
example.net
(192.168.172.182)
Assessed on: Sun Jan 04 14:27:19 PST 2015
| HIDDEN | Clear cache
Summary
0
20
40
60
80
100
Certificate
100
Protocol Support
70
Key Exchange
80
Cipher Strength
90
Visit our documentation page
for more information, configuration guides, and books. Known issues are documented
here.
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
The server does not support Forward Secrecy with the reference browsers.
MORE INFO »
Authentication
| Server Key and Certificate #1 | |
| Common names | example.net |
| Alternative names | example.net www.example.net |
| Prefix handling | Both (with and without WWW) |
| Valid from | Thu Dec 25 02:25:38 PST 2014 |
| Valid until | Sun Dec 25 02:25:38 PST 2016 (expires in 1 year and 11 months) |
| Key | RSA 2048 bits (e 65537) |
| Weak key (Debian) | No |
| Issuer | Go Daddy Secure Certificate Authority - G2 |
| Signature algorithm | SHA256withRSA |
| Extended Validation | No |
| Revocation information | CRL, OCSP |
| Revocation status | Good (not revoked) |
| Trusted | Yes |
| Additional Certificates (if supplied) | |
| Certificates provided | 4 (4802 bytes) |
| Chain issues | Extra certs, Contains anchor |
| #2 | |
| Subject | Go Daddy Secure Certificate Authority - G2 Fingerprint: 27ac9369faf25207bb2627cefaccbe4ef9c319b8 |
| Valid until | Sat May 03 00:00:00 PDT 2031 (expires in 16 years and 3 months) |
| Key | RSA 2048 bits (e 65537) |
| Issuer | Go Daddy Root Certificate Authority - G2 |
| Signature algorithm | SHA256withRSA |
| #3 | |
| Subject | Go Daddy Root Certificate Authority - G2 Fingerprint: 841d4a9fc9d3b2f0ca5fab95525ab2066acf8322 |
| Valid until | Sat May 03 00:00:00 PDT 2031 (expires in 16 years and 3 months) |
| Key | RSA 2048 bits (e 65537) |
| Issuer | The Go Daddy Group / Go Daddy Class 2 Certification Authority |
| Signature algorithm | SHA256withRSA |
| #4 | |
| Subject | The Go Daddy Group / Go Daddy Class 2 Certification Authority In trust store Fingerprint: 2796bae63f1801e277261ba0d77770028f20eee4 |
| Valid until | Thu Jun 29 10:06:20 PDT 2034 (expires in 19 years and 5 months) |
| Key | RSA 2048 bits (e 3) |
| Issuer | The Go Daddy Group / Go Daddy Class 2 Certification Authority Self-signed |
| Signature algorithm | SHA1withRSA Weak, but no impact on root certificate |
| Certification Paths | ||
| Path #1: Trusted | ||
| 1 | Sent by server | example.net
Fingerprint: 3ed781f81992d336fccd59d06c1dbc93d11f8e24 RSA 2048 bits (e 65537) / SHA256withRSA |
| 2 | Sent by server | Go Daddy Secure Certificate Authority - G2
Fingerprint: 27ac9369faf25207bb2627cefaccbe4ef9c319b8 RSA 2048 bits (e 65537) / SHA256withRSA |
| 3 | In trust store | Go Daddy Root Certificate Authority - G2
Self-signed Fingerprint: 47beabc922eae80e78783462a79f45c254fde68b RSA 2048 bits (e 65537) / SHA256withRSA |
Configuration
| Protocols | |
| TLS 1.2 | No |
| TLS 1.1 | No |
| TLS 1.0 | Yes |
| SSL 3 | No |
| SSL 2 | No |
| Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites always at the end) | ||
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
DH 1024 bits (p: 128, g: 1, Ys: 128) FS
|
256 | |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)
DH 1024 bits (p: 128, g: 1, Ys: 128) FS
|
128 | |
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)
DH 1024 bits (p: 128, g: 1, Ys: 128) FS
|
112 | |
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
|
112 | |
| Handshake Simulation | |||
| Android 2.3.7 No SNI 2 | TLS 1.0 |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)
FS
|
128 |
| Android 4.0.4 | TLS 1.0 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
FS
|
256 |
| Android 4.1.1 | TLS 1.0 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
FS
|
256 |
| Android 4.2.2 | TLS 1.0 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
FS
|
256 |
| Android 4.3 | TLS 1.0 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
FS
|
256 |
| Android 4.4.2 | TLS 1.0 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
FS
|
256 |
| BingBot Dec 2013 No SNI 2 | TLS 1.0 |
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
No FS
|
112 |
| BingPreview Jun 2014 | TLS 1.0 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
FS
|
256 |
| Chrome 39 / OS X R | TLS 1.0 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
FS
|
256 |
| Firefox 31.3.0 ESR / Win 7 | TLS 1.0 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
FS
|
256 |
| Firefox 34 / OS X R | TLS 1.0 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
FS
|
256 |
| Googlebot Jun 2014 | TLS 1.0 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
FS
|
256 |
| IE 6 / XP No FS 1 No SNI 2 | Protocol or cipher suite mismatch | Fail3 | |
| IE 7 / Vista | TLS 1.0 |
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
No FS
|
112 |
| IE 8 / XP No FS 1 No SNI 2 | TLS 1.0 |
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
No FS
|
112 |
| IE 8-10 / Win 7 R | TLS 1.0 |
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
No FS
|
112 |
| IE 11 / Win 7 R | TLS 1.0 |
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
No FS
|
112 |
| IE 11 / Win 10 Preview R | TLS 1.0 |
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
No FS
|
112 |
| IE 11 / Win 8.1 R | TLS 1.0 |
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
No FS
|
112 |
| IE Mobile 10 / Win Phone 8.0 | TLS 1.0 |
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
No FS
|
112 |
| IE Mobile 11 / Win Phone 8.1 | TLS 1.0 |
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
No FS
|
112 |
| Java 6u45 No SNI 2 | TLS 1.0 |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)
FS
|
128 |
| Java 7u25 | TLS 1.0 |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)
FS
|
128 |
| Java 8b132 | TLS 1.0 |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)
FS
|
128 |
| OpenSSL 0.9.8y | TLS 1.0 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
FS
|
256 |
| OpenSSL 1.0.1h | TLS 1.0 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
FS
|
256 |
| Safari 5.1.9 / OS X 10.6.8 | TLS 1.0 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
FS
|
256 |
| Safari 6 / iOS 6.0.1 R | TLS 1.0 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
FS
|
256 |
| Safari 7 / iOS 7.1 R | TLS 1.0 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
FS
|
256 |
| Safari 8 / iOS 8.0 Beta R | TLS 1.0 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
FS
|
256 |
| Safari 6.0.4 / OS X 10.8.4 R | TLS 1.0 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
FS
|
256 |
| Safari 7 / OS X 10.9 R | TLS 1.0 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
FS
|
256 |
| Yahoo Slurp Jun 2014 No SNI 2 | TLS 1.0 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
FS
|
256 |
| YandexBot Sep 2014 | TLS 1.0 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
FS
|
256 |
| (1) Clients that do not support Forward Secrecy (FS) are excluded when determining support for it. | |||
| (2) No support for virtual SSL hosting (SNI). Connects to the default site if the server uses SNI. | |||
| (3) Only first connection attempt simulated. Browsers tend to retry with a lower protocol version. | |||
| (R) Denotes a reference browser or client, with which we expect better effective security. | |||
| (All) We use defaults, but some platforms do not use their best protocols and features (e.g., Java 6 & 7, older IE). | |||
| Protocol Details | |
| Secure Renegotiation | Supported |
| Secure Client-Initiated Renegotiation | No |
| Insecure Client-Initiated Renegotiation | No |
| BEAST attack |
Not mitigated server-side (more info)
TLS 1.0: 0x39
|
| POODLE (SSLv3) | No, SSL 3 not supported (more info) |
| POODLE (TLS) | No (more info) |
| Downgrade attack prevention | Unknown (requires support for at least two protocols) |
| TLS compression | No |
| RC4 | No |
| Heartbeat (extension) | No |
| Heartbleed (vulnerability) | No (more info) |
| OpenSSL CCS vuln. (CVE-2014-0224) | No (more info) |
| Forward Secrecy | With some browsers (more info) |
| Next Protocol Negotiation (NPN) | No |
| Session resumption (caching) | Yes |
| Session resumption (tickets) | No |
| OCSP stapling | No |
| Strict Transport Security (HSTS) | No |
| Public Key Pinning (HPKP) | No |
| Long handshake intolerance | No |
| TLS extension intolerance | No |
| TLS version intolerance | TLS 2.98 |
| SSL 2 handshake compatibility | Yes |
| Miscellaneous | |
| Test date | Sun Jan 04 14:26:29 PST 2015 |
| Test duration | 49.470 seconds |
| HTTP status code | 200 |
| HTTP forwarding | http://example.net |
| HTTP server signature | Apache/2.2.3 (CentOS) |
| Server hostname | example.net |
SSL Report v1.11.1