SSL Report: ebfl.srpskabanka.rs ( )

Transcription

1 Home Projects Qualys.com Contact You are here: Home > Projects > SSL Server Test > SSL Report: ( ) Assessed on: Sun, 03 Jan :46:07 UTC HIDDEN Clear cache Scan Another» Summary Overall Rating Certificate F Protocol Support Key Exchange Cipher Strength Visit our documentation page for more information, configuration guides, and books. Known issues are documented here. This server's certificate is not trusted, see below for details. This server supports SSL 2, which is obsolete and insecure. Grade set to F. This server is vulnerable to the POODLE TLS attack. Patching required. Grade set to F. MORE INFO» This server uses SSL 3, which is obsolete and insecure. Grade capped to B. MORE INFO» Certificate has a weak signature and expires after Upgrade to SHA2 to avoid browser warnings. MORE INFO» The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C. MORE INFO» This server accepts RC4 cipher, but only with older protocol versions. Grade capped to B. MORE INFO» The server does not support Forward Secrecy with the reference browsers. MORE INFO» This server's certificate chain is incomplete. Grade capped to B. Authentication Server Key and Certificate #1 Subject Fingerprint SHA1: a512a0be93b898f41b8c2e7fcf06b3590b1f6f91 Pin SHA256: HUetAkYutGc1ya9eJUlyZ25r+QjeXEj5KhYLK5gEdFw= Common names Alternative names - Prefix handling Valid from Valid until t required for subdomains Thu, 30 Aug :56:27 UTC Wed, 30 Aug :26:27 UTC (expires in 1 year and 7 months) Key RSA 2048 bits (e 65537) Weak key (Debian) Issuer Signature algorithm Configuration SHA1withRSA WEAK 1 of 5 03/01/16 16:50

2 Server Key and Certificate #1 Extended Validation Certificate Transparency Revocation information Trusted ne NOT TRUSTED (Why?) Additional Certificates (if supplied) Certificates provided Chain issues 2 (3552 bytes) Incomplete #2 Subject Valid until Configuration Services Public Key Services AIA Posta CA 1 Fingerprint SHA1: f04178c05cf7c0f2d130bb906e8ef99b26c520ef Pin SHA256: R5J+GkqpsVWDbX4KNuBHsNqg1lqr1uQJHokq1mHHrmQ= Sat, 14 Oct :00:00 UTC (expires in 12 years and 9 months) Key RSA 2048 bits (e 65537) Issuer Signature algorithm Configuration Services Public Key Services AIA Posta CA Root SHA1withRSA WEAK Certification Paths trust paths available Issuer unknown, or intermediate certificate(s) missing. Configuration Protocols TLS 1.2 TLS 1.1 TLS 1.0 SSL 3 INSECURE SSL 2 INSECURE Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites at the end) TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128 TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256 TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE 128 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq bits RSA) FS 128 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq bits RSA) FS 256 TLS_RSA_WITH_RC4_128_MD5 (0x4) INSECURE 128 SSL_CK_DES_192_EDE3_CBC_WITH_MD5 (0x700c0) INSECURE 112 SSL_CK_RC4_128_WITH_MD5 (0x10080) INSECURE 128 Handshake Simulation Android SNI 2 TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS Android TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS Android TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS Android TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS Android 4.3 TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS Android TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS 2 of 5 03/01/16 16:50

3 Handshake Simulation Android TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS Baidu Jan 2015 TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS BingPreview Jan 2015 TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS Chrome 47 / OS X R TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS Firefox ESR / Win 7 TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS Firefox 42 / OS X R TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS Googlebot Feb 2015 TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS IE 6 / XP FS 1 SNI 2 SSL 3 TLS_RSA_WITH_RC4_128_SHA RC4 IE 7 / Vista TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS IE 8 / XP FS 1 SNI 2 TLS 1.0 TLS_RSA_WITH_RC4_128_SHA RC4 IE 8-10 / Win 7 R TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS IE 11 / Win 7 R TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS IE 11 / Win 8.1 R TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS IE 10 / Win Phone 8.0 TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS IE 11 / Win Phone 8.1 R TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS IE 11 / Win Phone 8.1 Update R TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS IE 11 / Win 10 R TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS Edge 13 / Win 10 R TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS Edge 13 / Win Phone 10 R TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS Java 6u45 SNI 2 TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS Java 7u25 TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS Java 8u31 TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS OpenSSL 0.9.8y TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS OpenSSL 1.0.1l R TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS OpenSSL R TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS Safari / OS X TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS Safari 6 / ios R TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS Safari / OS X R TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS Safari 7 / ios 7.1 R TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS Safari 7 / OS X 10.9 R TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS Safari 8 / ios 8.4 R TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS Safari 8 / OS X R TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS Safari 9 / ios 9 R TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS Safari 9 / OS X R TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS Apple ATS 9 / ios 9 R Protocol or cipher suite mismatch TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH secp256r1 Yahoo Slurp Jan 2015 TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS YandexBot Jan 2015 TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA FS (1) Clients that do not support Forward Secrecy (FS) are excluded when determining support for it. (2) support for virtual SSL hosting (SNI). Connects to the default site if the server uses SNI. (3) Only first connection attempt simulated. Browsers sometimes retry with a lower protocol version. (R) Denotes a reference browser or client, with which we expect better effective security. (All) We use defaults, but some platforms do not use their best protocols and features (e.g., Java 6 & 7, older IE). Protocol Details Secure Renegotiation Secure Client-Initiated Renegotiation Insecure Client-Initiated Renegotiation BEAST attack POODLE (SSLv3) POODLE (TLS) Supported t mitigated server-side (more info) SSL 3: 0x5, TLS 1.0: 0x2f, mitigated (more info) SSL 3: 0x5 Vulnerable INSECURE (more info) 3 of 5 03/01/16 16:50

4 Protocol Details Downgrade attack prevention SSL/TLS compression, TLS_FALLBACK_SCSV not supported (more info) RC4 INSECURE (more info) Heartbeat (extension) Heartbleed (vulnerability) OpenSSL CCS vuln. (CVE ) (more info) (more info) Forward Secrecy WEAK (more info) Application-Layer Protocol Negotiation (ALPN) Next Protocol Negotiation (NPN) Session resumption (caching) Session resumption (tickets) OCSP stapling Strict Transport Security (HSTS) HSTS Preloading t in: Chrome Edge Firefox IE Tor Public Key Pinning (HPKP) Public Key Pinning Report-Only Long handshake intolerance TLS extension intolerance TLS version intolerance Incorrect SNI alerts Uses common DH primes DH public server param (Ys) reuse SSL 2 handshake compatibility, DHE suites not supported, DHE suites not supported Miscellaneous Test date Test duration Sun, 03 Jan :44:02 UTC seconds HTTP status code 200 HTTP server signature Server hostname Microsoft-IIS/7.5 Why is my certificate not trusted? There are many reasons why a certificate may not be trusted. The exact problem is indicated on the report card in bright red. The problems fall into three categories: 1. Invalid certificate 2. Invalid configuration 3. Unknown Certificate Authority 1. Invalid certificate A certificate is invalid if: It is used before its activation date It is used after its expiry date Certificate hostnames don't match the site hostname It has been revoked 2. Invalid configuration In some cases, the certificate chain does not contain all the necessary certificates to connect the web server certificate to one of the root certificates in our trust store. Less commonly, one of the certificates in the chain (other than the web server certificate) will have expired, and that invalidates the entire chain. 3. Unknown Certificate Authority In order for trust to be established, we must have the root certificate of the signing Certificate Authority in our trust store. SSL Labs does not maintain its own trust store; instead we use the store maintained by Mozilla. 4 of 5 03/01/16 16:50

5 If we mark a web site as not trusted, that means that the average web user's browser will not trust it either. For certain special groups of users, such web sites can still be secure. For example, if you can securely verify that a self-signed web site is operated by a person you trust, then you can trust that self-signed web site too. Or, if you work for an organisation that manages its own trust, and you have their own root certificate already embedded in your browser. Such special cases do not work for the general public, however, and this is what we indicate on our report card. 4. Interoperability issues In some rare cases trust cannot be established because of interoperability issues between our code and the code or configuration running on the server. We manually review such cases, but if you encounter such an issue please feel free to contact us. Such problems are very difficult to troubleshoot and you may be able to provide us with information that might help us determine the root cause. SSL Report v Copyright Qualys, Inc. All Rights Reserved. Terms and Conditions 5 of 5 03/01/16 16:50