Mozilla SSL Config Generator

nice! Redirecting to ssl-config.mozilla.org...

did not test all profiles, but intermediate gives A+ on ssllabs,
supports every browser except winxp/ie6

and has all the goodies enabled

$ ./testssl.sh example.com

#########################################################
testssl.sh v2.1alpha (https://testssl.sh)

→ Testing Protocols

SSLv2 Local problem: /usr/bin/openssl doesn’t support “s_client -ssl2”

SSLv3 not offered (OK)
TLSv1 offered (OK)
TLSv1.1 offered (OK)
TLSv1.2 offered (OK)
SPDY/NPN not offered

→ Testing standard cipher lists

Null Cipher not offered (OK)
Anonymous NULL Cipher not offered (OK)
Anonymous DH Cipher not offered (OK)
40 Bit encryption not offered (OK)
56 Bit encryption Local problem: No 56 Bit encryption configured in /usr/bin/openssl
Export Cipher (general) not offered (OK)
Low (<=64 Bit) not offered (OK)
DES Cipher not offered (OK)
Triple DES Cipher offered
Medium grade encryption not offered
High grade encryption offered (OK)

→ Testing server defaults (Server Hello)

Negotiated protocol TLSv1.2
Negotiated cipher ECDHE-RSA-AES128-GCM-SHA256

Server key size 2048 bit
TLS server extensions server name, renegotiation info, EC point formats, session ticket, heartbeat
Session Tickets RFC 5077 300 seconds
OCSP stapling not offered

→ Testing specific vulnerabilities

Heartbleed (CVE-2014-0160), experimental not vulnerable (OK) , timed out
CCS (CVE-2014-0224), experimental not vulnerable (OK)
Renegotiation (CVE 2009-3555) not vulnerable (OK)
CRIME, TLS (CVE-2012-4929) not vulnerable (OK)
BREACH =HTTP Compression, experimental uses gzip compression (only “/” tested)

→ Testing HTTP Header response

HSTS 182 days (15768000 s)
Server (None, interesting!)

→ Checking RC4 Ciphers

no RC4 ciphers detected (OK)

→ Testing (Perfect) Forward Secrecy (P)FS)

PFS seems generally available. Now testing specific ciphers …

Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (RFC)

[0xc030] ECDHE-RSA-AES256-GCM-SHA384 ECDH AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
[0x9f] DHE-RSA-AES256-GCM-SHA384 DH AESGCM 256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
[0x6b] DHE-RSA-AES256-SHA256 DH AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
[0x39] DHE-RSA-AES256-SHA DH AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
[0x88] DHE-RSA-CAMELLIA256-SHA DH Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
[0xc028] ECDHE-RSA-AES256-SHA384 ECDH AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
[0xc014] ECDHE-RSA-AES256-SHA ECDH AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
[0xc02f] ECDHE-RSA-AES128-GCM-SHA256 ECDH AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[0xc027] ECDHE-RSA-AES128-SHA256 ECDH AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
[0x9e] DHE-RSA-AES128-GCM-SHA256 DH AESGCM 128 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
[0x67] DHE-RSA-AES128-SHA256 DH AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
[0x33] DHE-RSA-AES128-SHA DH AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
[0x45] DHE-RSA-CAMELLIA128-SHA DH Camellia 128 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
[0xc013] ECDHE-RSA-AES128-SHA ECDH AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Please note: detected PFS ciphers don’t necessarily mean any client/browser will use them

Posted at Nginx Forum: