SSL Report: example.net (192.168.172.182)
Assessed on:  Sun Jan 04 13:42:43 PST 2015 | HIDDEN | Clear cache
Scan Another »

Summary
Overall Rating
A+
0
20
40
60
80
100
Certificate
 
100
Protocol Support
 
95
Key Exchange
 
90
Cipher Strength
 
90

Visit our documentation page for more information, configuration guides, and books. Known issues are documented here.
This server supports TLS_FALLBACK_SCSV to prevent protocol downgrade attacks.
This server supports HTTP Strict Transport Security with long duration. Grade set to A+.  MORE INFO »
Authentication
Server Key and Certificate #1
Common names example.net
Alternative names example.net www.example.net
Prefix handling Both (with and without WWW)
Valid from Thu Dec 25 02:25:38 PST 2014
Valid until Sun Dec 25 02:25:38 PST 2016 (expires in 1 year and 11 months)
Key RSA 2048 bits (e 65537)
Weak key (Debian) No
Issuer Go Daddy Secure Certificate Authority - G2
Signature algorithm SHA256withRSA
Extended Validation No
Revocation information CRL, OCSP
Revocation status Good (not revoked)
Trusted Yes


Additional Certificates (if supplied)
Certificates provided 4 (4755 bytes)
Chain issues Contains anchor
#2
Subject Go Daddy Secure Certificate Authority - G2
Fingerprint: 27ac9369faf25207bb2627cefaccbe4ef9c319b8
Valid until Sat May 03 00:00:00 PDT 2031 (expires in 16 years and 3 months)
Key RSA 2048 bits (e 65537)
Issuer Go Daddy Root Certificate Authority - G2
Signature algorithm SHA256withRSA
#3
Subject Go Daddy Root Certificate Authority - G2
Fingerprint: 340b2880f446fcc04e59ed33f52b3d08d6242964
Valid until Fri May 30 00:00:00 PDT 2031 (expires in 16 years and 4 months)
Key RSA 2048 bits (e 65537)
Issuer The Go Daddy Group / Go Daddy Class 2 Certification Authority
Signature algorithm SHA256withRSA
#4
Subject The Go Daddy Group / Go Daddy Class 2 Certification Authority   In trust store
Fingerprint: 2796bae63f1801e277261ba0d77770028f20eee4
Valid until Thu Jun 29 10:06:20 PDT 2034 (expires in 19 years and 5 months)
Key RSA 2048 bits (e 3)
Issuer The Go Daddy Group / Go Daddy Class 2 Certification Authority   Self-signed
Signature algorithm SHA1withRSA   Weak, but no impact on root certificate


Certification Paths
Path #1: Trusted
1 Sent by server example.net
Fingerprint: 3ed781f81992d336fccd59d06c1dbc93d11f8e24
RSA 2048 bits (e 65537) / SHA256withRSA
2 Sent by server Go Daddy Secure Certificate Authority - G2
Fingerprint: 27ac9369faf25207bb2627cefaccbe4ef9c319b8
RSA 2048 bits (e 65537) / SHA256withRSA
3 In trust store Go Daddy Root Certificate Authority - G2   Self-signed
Fingerprint: 47beabc922eae80e78783462a79f45c254fde68b
RSA 2048 bits (e 65537) / SHA256withRSA
Path #2: Trusted
1 Sent by server example.net
Fingerprint: 3ed781f81992d336fccd59d06c1dbc93d11f8e24
RSA 2048 bits (e 65537) / SHA256withRSA
2 Sent by server Go Daddy Secure Certificate Authority - G2
Fingerprint: 27ac9369faf25207bb2627cefaccbe4ef9c319b8
RSA 2048 bits (e 65537) / SHA256withRSA
3 Sent by server Go Daddy Root Certificate Authority - G2
Fingerprint: 340b2880f446fcc04e59ed33f52b3d08d6242964
RSA 2048 bits (e 65537) / SHA256withRSA
4 Sent by server
In trust store
The Go Daddy Group / Go Daddy Class 2 Certification Authority   Self-signed
Fingerprint: 2796bae63f1801e277261ba0d77770028f20eee4
RSA 2048 bits (e 3) / SHA1withRSA
Weak or insecure signature, but no impact on root certificate
Configuration
Protocols
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No


Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites always at the end)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH 256 bits (eq. 3072 bits RSA)   FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH 256 bits (eq. 3072 bits RSA)   FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH 256 bits (eq. 3072 bits RSA)   FS 128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH 256 bits (eq. 3072 bits RSA)   FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH 256 bits (eq. 3072 bits RSA)   FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH 256 bits (eq. 3072 bits RSA)   FS 256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 2048 bits (p: 256, g: 1, Ys: 256)   FS 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 2048 bits (p: 256, g: 1, Ys: 256)   FS 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 2048 bits (p: 256, g: 1, Ys: 256)   FS 256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 2048 bits (p: 256, g: 1, Ys: 256)   FS 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 2048 bits (p: 256, g: 1, Ys: 256)   FS 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 2048 bits (p: 256, g: 1, Ys: 256)   FS 128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) 128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   DH 2048 bits (p: 256, g: 1, Ys: 256)   FS 112
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112


Handshake Simulation
Android 2.3.7   No SNI 2 TLS 1.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   FS 128
Android 4.0.4 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS 128
Android 4.1.1 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS 128
Android 4.2.2 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS 128
Android 4.3 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS 128
Android 4.4.2 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 128
BingBot Dec 2013   No SNI 2 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS 128
BingPreview Jun 2014 TLS 1.0 TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   FS 256
Chrome 39 / OS X  R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 128
Firefox 31.3.0 ESR / Win 7 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 128
Firefox 34 / OS X  R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 128
Googlebot Jun 2014 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS 128
IE 6 / XP   No FS 1   No SNI 2 Protocol or cipher suite mismatch Fail3
IE 7 / Vista TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS 128
IE 8 / XP   No FS 1   No SNI 2 TLS 1.0 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   No FS 112
IE 8-10 / Win 7  R TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS 128
IE 11 / Win 7  R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   FS 128
IE 11 / Win 10 Preview  R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 128
IE 11 / Win 8.1  R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   FS 128
IE Mobile 10 / Win Phone 8.0 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS 128
IE Mobile 11 / Win Phone 8.1 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   FS 128
Java 6u45   No SNI 2 Client does not support DH parameters > 1024 bits Fail3
Java 7u25 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS 128
Java 8b132 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 128
OpenSSL 0.9.8y TLS 1.0 TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   FS 256
OpenSSL 1.0.1h TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 128
Safari 5.1.9 / OS X 10.6.8 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS 128
Safari 6 / iOS 6.0.1  R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   FS 128
Safari 7 / iOS 7.1  R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   FS 128
Safari 8 / iOS 8.0 Beta  R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   FS 128
Safari 6.0.4 / OS X 10.8.4  R TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS 128
Safari 7 / OS X 10.9  R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   FS 128
Yahoo Slurp Jun 2014   No SNI 2 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 128
YandexBot Sep 2014 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 128
(1) Clients that do not support Forward Secrecy (FS) are excluded when determining support for it.
(2) No support for virtual SSL hosting (SNI). Connects to the default site if the server uses SNI.
(3) Only first connection attempt simulated. Browsers tend to retry with a lower protocol version.
(R) Denotes a reference browser or client, with which we expect better effective security.
(All) We use defaults, but some platforms do not use their best protocols and features (e.g., Java 6 & 7, older IE).


Protocol Details
Secure Renegotiation Supported
Secure Client-Initiated Renegotiation No
Insecure Client-Initiated Renegotiation No
BEAST attack Not mitigated server-side (more info)   TLS 1.0: 0xc013
POODLE (SSLv3) No, SSL 3 not supported (more info)
POODLE (TLS) No (more info)
Downgrade attack prevention Yes, TLS_FALLBACK_SCSV supported (more info)
TLS compression No
RC4 No
Heartbeat (extension) Yes
Heartbleed (vulnerability) No (more info)
OpenSSL CCS vuln. (CVE-2014-0224) No (more info)
Forward Secrecy Yes (with most browsers)   ROBUST (more info)
Next Protocol Negotiation (NPN) Yes   http/1.1
Session resumption (caching) Yes
Session resumption (tickets) Yes
OCSP stapling No
Strict Transport Security (HSTS) Yes   max-age=31536000; includeSubdomains;
Public Key Pinning (HPKP) No
Long handshake intolerance No
TLS extension intolerance No
TLS version intolerance TLS 2.98 
SSL 2 handshake compatibility Yes


Miscellaneous
Test date Sun Jan 04 13:41:10 PST 2015
Test duration 92.205 seconds
HTTP status code 200
HTTP forwarding http://example.net
HTTP server signature nginx
Server hostname example.net


SSL Report v1.11.1