SSL Report: okidirect.co.uk ( )

Transcription

1 Home Projects Qualys.com Contact You are here: Home > Projects > SSL Server Test > okidirect.co.uk SSL Report: okidirect.co.uk ( ) Assessed on: Fri, 26 Jun :51:45 UTC HIDDEN Clear cache Scan Another» Summary Overall Rating Certificate 100 Protocol Support 95 Key Exchange 90 Cipher Strength Visit our documentation page for more information, configuration guides, and books. Known issues are documented here. Intermediate certificate has a weak signature. When renewing, ensure you upgrade to an all-sha2 chain. MORE INFO» This server accepts the RC4 cipher, which is weak. Grade capped to B. MORE INFO» The server does not support Forward Secrecy with the reference browsers. MORE INFO» This site works only in browsers with SNI support. This server supports TLS_FALLBACK_SCSV to prevent protocol downgrade attacks. Authentication Server Key and Certificate #1 Common names Alternative names Prefix handling Valid from okidirect.co.uk Both (with and without WWW) Mon, 05 Jan :16:16 UTC Sat, 09 Jan :51:44 UTC (expires in 6 months and 13 days) Weak key (Debian) Extended Validation Certificate Transparency Revocation information Revocation status Trusted SHA256withRSA CRL, OCSP Good (not revoked) Additional Certificates (if supplied) Certificates provided Chain issues 3 (3180 bytes) ne

2 Additional Certificates (if supplied) #2 Subject Fri, 20 May :39:32 UTC (expires in 6 years and 10 months) SHA256withRSA #3 Subject Fingerprint: c6df9a0abc3060bce369564c8ec4542a3 Tue, 21 Aug :00:00 UTC (expires in 3 years and 1 month) Equifax / Equifax Secure Certificate Authority SHA1withRSA WEAK Certification Paths Path #1: Trusted 1 Sent by server 2 Sent by server 3 In trust store Fingerprint: a329ae77e13c60c29bf28c0858eb75e93a Self-signed Fingerprint: de28f4a4ffe5b92fa3c503d1a349a7f9962a8212 RSA 2048 bits (e 65537) / SHA1withRSA Weak or insecure signature, but no impact on root certificate Path #2: Trusted 1 Sent by server 2 Sent by server 3 Sent by server 4 In trust store Fingerprint: a329ae77e13c60c29bf28c0858eb75e93a Fingerprint: c6df9a0abc3060bce369564c8ec4542a3 RSA 2048 bits (e 65537) / SHA1withRSA WEAK SIGNATURE Equifax / Equifax Secure Certificate Authority Self-signed Fingerprint: d23209ad23d e40d7f9d a RSA 1024 bits (e 65537) / SHA1withRSA WEAK KEY IN MOZILLA'S TRUST STORE MORE INFO» Weak or insecure signature, but no impact on root certificate Configuration Protocols TLS 1.2 TLS 1.1 TLS 1.0 SSL 3 SSL 2

3 Cipher Suites (sorted by strength; the server has no preference) TLS_RSA_WITH_RC4_128_MD5 (0x4) WEAK 128 TLS_RSA_WITH_RC4_128_SHA (0x5) WEAK 128 TLS_RSA_WITH_IDEA_CBC_SHA (0x7) 128 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) 128 TLS_RSA_WITH_SEED_CBC_SHA (0x96) 128 TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) WEAK 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH 256 bits (eq bits RSA) FS 128 TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128 TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH 256 bits (eq bits RSA) FS 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH 256 bits (eq bits RSA) FS 128 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH 256 bits (eq bits RSA) FS 112 TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH 256 bits (eq bits RSA) FS 256 TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256 TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH 256 bits (eq bits RSA) FS 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH 256 bits (eq bits RSA) FS 256 Handshake Simulation Android SNI 2 Incorrect certificate because this client doesn't support SNI Fail 2 Android TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS 256 Android TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS 256 Android TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS 256 Android 4.3 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS 256 Android TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) FS 256 Android TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS 256 Baidu Jan 2015 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS 256 BingPreview Jan 2015 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) FS 256 Chrome 42 / OS X R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) FS 128 Firefox ESR / Win 7 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) FS 128 Firefox 37 / OS X R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) FS 128 Googlebot Feb 2015 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) FS 128 IE 6 / XP FS 1 SNI 2 Protocol or cipher suite mismatch Fail 3 IE 7 / Vista TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) FS 128 IE 8 / XP FS 1 SNI 2 Incorrect certificate because this client doesn't support SNI Fail 2 IE 8-10 / Win 7 R TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) FS 128 IE 11 / Win 7 R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) FS 256 IE 11 / Win 8.1 R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) FS 256 IE Mobile 10 / Win Phone 8.0 TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) FS 128 IE Mobile 11 / Win Phone 8.1 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) FS 256 Java 6u45 SNI 2 Incorrect certificate because this client doesn't support SNI Fail 2 Java 7u25 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128 Java 8u31 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) FS 128 OpenSSL 0.9.8y TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA (0x35) FS 256 OpenSSL 1.0.1l R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) FS 256 OpenSSL R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) FS 256

4 Handshake Simulation Safari / OS X TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS 128 Safari 6 / ios R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) FS 256 Safari / OS X R TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS 256 Safari 7 / ios 7.1 R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) FS 256 Safari 7 / OS X 10.9 R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) FS 256 Safari 8 / ios R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) FS 256 Safari 8 / OS X R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) FS 256 Yahoo Slurp Jan 2015 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) FS 256 YandexBot Jan 2015 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) FS 256 (1) Clients that do not support Forward Secrecy (FS) are excluded when determining support for it. (2) support for virtual SSL hosting (SNI). Connects to the default site if the server uses SNI. (3) Only first connection attempt simulated. Browsers tend to retry with a lower protocol version. (R) Denotes a reference browser or client, with which we expect better effective security. (All) We use defaults, but some platforms do not use their best protocols and features (e.g., Java 6 & 7, older IE). Protocol Details Secure Renegotiation Secure Client-Initiated Renegotiation Supported Insecure Client-Initiated Renegotiation BEAST attack POODLE (SSLv3) POODLE (TLS) Downgrade attack prevention TLS compression RC4 Heartbeat (extension) Heartbleed (vulnerability) OpenSSL CCS vuln. (CVE ) Forward Secrecy Next Protocol Negotiation (NPN) Session resumption (caching) Session resumption (tickets) OCSP stapling Strict Transport Security (HSTS) Public Key Pinning (HPKP) Long handshake intolerance TLS extension intolerance TLS version intolerance t mitigated server-side (more info) TLS 1.0: 0x7, SSL 3 not supported (more info) (more info), TLS_FALLBACK_SCSV supported (more info) WEAK (more info) (more info) (more info) With some browsers (more info) Incorrect SNI alerts - Uses common DH prime SSL 2 handshake compatibility Miscellaneous Test date Test duration Fri, 26 Jun :49:36 UTC seconds HTTP status code 200 HTTP server signature Server hostname Apache durian.active-ns.com SSL Report v1.18.1

5 Copyright Qualys, Inc. All Rights Reserved. Terms and Conditions