From 4b70ca70566e933ce20382e1cc8cdad272052a35e201ef2dd1552fc75b188b2a Mon Sep 17 00:00:00 2001 From: "Marc S. Weidner" Date: Mon, 23 Jun 2025 19:03:39 +0200 Subject: [PATCH] V8.03.768.2025.06.23 Signed-off-by: Marc S. Weidner --- docs/AUDIT_TLS.md | 314 +------------------------------------- docs/CHANGELOG.md | 2 +- lib/lib_guard_sourcing.sh | 2 +- 3 files changed, 6 insertions(+), 312 deletions(-) diff --git a/docs/AUDIT_TLS.md b/docs/AUDIT_TLS.md index faff7aa..a574dcd 100644 --- a/docs/AUDIT_TLS.md +++ b/docs/AUDIT_TLS.md @@ -26,313 +26,7 @@ include_toc: true Using OpenSSL 1.0.2-bad (Mar 28 2025) [~179 ciphers] on kali:./bin/openssl.Linux.x86_64 - Start 2025-06-23 06:37:04 -->> 135.181.207.105:443 (dns01.eddns.eu) <<-- - - Further IP addresses: 2a01:4f9:c012:a813:135:181:207:105 - rDNS (135.181.207.105): dns01.eddns.eu. - Service detected: HTTP - - Testing protocols via sockets except NPN+ALPN - - SSLv2 not offered (OK) - SSLv3 not offered (OK) - TLS 1 not offered - TLS 1.1 not offered - TLS 1.2 offered (OK) - TLS 1.3 offered (OK): final - NPN/SPDY not offered - ALPN/HTTP2 h2, http/1.1 (offered) - - Testing for server implementation bugs - - No bugs found. - - Testing cipher categories - - NULL ciphers (no encryption) not offered (OK) - Anonymous NULL Ciphers (no authentication) not offered (OK) - Export ciphers (w/o ADH+NULL) not offered (OK) - LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) not offered (OK) - Triple DES Ciphers / IDEA not offered - Obsoleted CBC ciphers (AES, ARIA etc.) not offered - Strong encryption (AEAD ciphers) with no FS not offered - Forward Secrecy strong encryption (AEAD ciphers) offered (OK) - - - Testing server's cipher preferences - -Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC) ------------------------------------------------------------------------------------------------------------------------------ -SSLv2 - - -SSLv3 - - -TLSv1 - - -TLSv1.1 - - -TLSv1.2 (server order) - xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 448 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 448 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 -TLSv1.3 (server order) - x1302 TLS_AES_256_GCM_SHA384 ECDH 448 AESGCM 256 TLS_AES_256_GCM_SHA384 - x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 448 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 - - Has server cipher order? yes (OK) -- TLS 1.3 and below - - - Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4 - - FS is offered (OK) , ciphers follow (client/browser support is important here) - -Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC) ------------------------------------------------------------------------------------------------------------------------------ - x1302 TLS_AES_256_GCM_SHA384 ECDH 448 AESGCM 256 TLS_AES_256_GCM_SHA384 available - x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 448 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 available - xcc14 ECDHE-ECDSA-CHACHA20-POLY1305-OLD ECDH ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD not a/v - xcc13 ECDHE-RSA-CHACHA20-POLY1305-OLD ECDH ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD not a/v - xcc15 DHE-RSA-CHACHA20-POLY1305-OLD DH ChaCha20 256 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD not a/v - xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 521 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 available - xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 not a/v - xc028 ECDHE-RSA-AES256-SHA384 ECDH AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 not a/v - xc024 ECDHE-ECDSA-AES256-SHA384 ECDH AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 not a/v - xc014 ECDHE-RSA-AES256-SHA ECDH AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA not a/v - xc00a ECDHE-ECDSA-AES256-SHA ECDH AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA not a/v - xa3 DHE-DSS-AES256-GCM-SHA384 DH AESGCM 256 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 not a/v - x9f DHE-RSA-AES256-GCM-SHA384 DH AESGCM 256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 not a/v - xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 not a/v - xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 448 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 available - xccaa DHE-RSA-CHACHA20-POLY1305 DH ChaCha20 256 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 not a/v - xc0af ECDHE-ECDSA-AES256-CCM8 ECDH AESCCM8 256 TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 not a/v - xc0ad ECDHE-ECDSA-AES256-CCM ECDH AESCCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_CCM not a/v - xc0a3 DHE-RSA-AES256-CCM8 DH AESCCM8 256 TLS_DHE_RSA_WITH_AES_256_CCM_8 not a/v - xc09f DHE-RSA-AES256-CCM DH AESCCM 256 TLS_DHE_RSA_WITH_AES_256_CCM not a/v - x6b DHE-RSA-AES256-SHA256 DH AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 not a/v - x6a DHE-DSS-AES256-SHA256 DH AES 256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 not a/v - x39 DHE-RSA-AES256-SHA DH AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA not a/v - x38 DHE-DSS-AES256-SHA DH AES 256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA not a/v - xc077 ECDHE-RSA-CAMELLIA256-SHA384 ECDH Camellia 256 TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 not a/v - xc073 ECDHE-ECDSA-CAMELLIA256-SHA384 ECDH Camellia 256 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 not a/v - xc4 DHE-RSA-CAMELLIA256-SHA256 DH Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 not a/v - xc3 DHE-DSS-CAMELLIA256-SHA256 DH Camellia 256 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 not a/v - x88 DHE-RSA-CAMELLIA256-SHA DH Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA not a/v - x87 DHE-DSS-CAMELLIA256-SHA DH Camellia 256 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA not a/v - xc043 DHE-DSS-ARIA256-CBC-SHA384 DH ARIA 256 TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384 not a/v - xc045 DHE-RSA-ARIA256-CBC-SHA384 DH ARIA 256 TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 not a/v - xc049 ECDHE-ECDSA-ARIA256-CBC-SHA384 ECDH ARIA 256 TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 not a/v - xc04d ECDHE-RSA-ARIA256-CBC-SHA384 ECDH ARIA 256 TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 not a/v - xc053 DHE-RSA-ARIA256-GCM-SHA384 DH ARIAGCM 256 TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 not a/v - xc057 DHE-DSS-ARIA256-GCM-SHA384 DH ARIAGCM 256 TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 not a/v - xc05d ECDHE-ECDSA-ARIA256-GCM-SHA384 ECDH ARIAGCM 256 TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 not a/v - xc061 ECDHE-ARIA256-GCM-SHA384 ECDH ARIAGCM 256 TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 not a/v - xc07d - DH CamelliaGCM 256 TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 not a/v - xc081 - DH CamelliaGCM 256 TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 not a/v - xc087 - ECDH CamelliaGCM 256 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 not a/v - xc08b - ECDH CamelliaGCM 256 TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 not a/v - x1301 TLS_AES_128_GCM_SHA256 any AESGCM 128 TLS_AES_128_GCM_SHA256 not a/v - x1304 TLS_AES_128_CCM_SHA256 any AESCCM 128 TLS_AES_128_CCM_SHA256 not a/v - x1305 TLS_AES_128_CCM_8_SHA256 any AESCCM8 128 TLS_AES_128_CCM_8_SHA256 not a/v - xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 not a/v - xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 not a/v - xc027 ECDHE-RSA-AES128-SHA256 ECDH AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 not a/v - xc023 ECDHE-ECDSA-AES128-SHA256 ECDH AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 not a/v - xc013 ECDHE-RSA-AES128-SHA ECDH AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA not a/v - xc009 ECDHE-ECDSA-AES128-SHA ECDH AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA not a/v - xa2 DHE-DSS-AES128-GCM-SHA256 DH AESGCM 128 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 not a/v - x9e DHE-RSA-AES128-GCM-SHA256 DH AESGCM 128 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 not a/v - xc0ae ECDHE-ECDSA-AES128-CCM8 ECDH AESCCM8 128 TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 not a/v - xc0ac ECDHE-ECDSA-AES128-CCM ECDH AESCCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_CCM not a/v - xc0a2 DHE-RSA-AES128-CCM8 DH AESCCM8 128 TLS_DHE_RSA_WITH_AES_128_CCM_8 not a/v - xc09e DHE-RSA-AES128-CCM DH AESCCM 128 TLS_DHE_RSA_WITH_AES_128_CCM not a/v - x67 DHE-RSA-AES128-SHA256 DH AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 not a/v - x40 DHE-DSS-AES128-SHA256 DH AES 128 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 not a/v - x33 DHE-RSA-AES128-SHA DH AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA not a/v - x32 DHE-DSS-AES128-SHA DH AES 128 TLS_DHE_DSS_WITH_AES_128_CBC_SHA not a/v - xc076 ECDHE-RSA-CAMELLIA128-SHA256 ECDH Camellia 128 TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 not a/v - xc072 ECDHE-ECDSA-CAMELLIA128-SHA256 ECDH Camellia 128 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 not a/v - xbe DHE-RSA-CAMELLIA128-SHA256 DH Camellia 128 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 not a/v - xbd DHE-DSS-CAMELLIA128-SHA256 DH Camellia 128 TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 not a/v - x9a DHE-RSA-SEED-SHA DH SEED 128 TLS_DHE_RSA_WITH_SEED_CBC_SHA not a/v - x99 DHE-DSS-SEED-SHA DH SEED 128 TLS_DHE_DSS_WITH_SEED_CBC_SHA not a/v - x45 DHE-RSA-CAMELLIA128-SHA DH Camellia 128 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA not a/v - x44 DHE-DSS-CAMELLIA128-SHA DH Camellia 128 TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA not a/v - xc042 DHE-DSS-ARIA128-CBC-SHA256 DH ARIA 128 TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256 not a/v - xc044 DHE-RSA-ARIA128-CBC-SHA256 DH ARIA 128 TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 not a/v - xc048 ECDHE-ECDSA-ARIA128-CBC-SHA256 ECDH ARIA 128 TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 not a/v - xc04c ECDHE-RSA-ARIA128-CBC-SHA256 ECDH ARIA 128 TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 not a/v - xc052 DHE-RSA-ARIA128-GCM-SHA256 DH ARIAGCM 128 TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 not a/v - xc056 DHE-DSS-ARIA128-GCM-SHA256 DH ARIAGCM 128 TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 not a/v - xc05c ECDHE-ECDSA-ARIA128-GCM-SHA256 ECDH ARIAGCM 128 TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 not a/v - xc060 ECDHE-ARIA128-GCM-SHA256 ECDH ARIAGCM 128 TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 not a/v - xc07c - DH CamelliaGCM 128 TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 not a/v - xc080 - DH CamelliaGCM 128 TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 not a/v - xc086 - ECDH CamelliaGCM 128 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 not a/v - xc08a - ECDH CamelliaGCM 128 TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 not a/v - - Elliptic curves offered: secp384r1 secp521r1 X448 - TLS 1.2 sig_algs offered: RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512 RSA+SHA256 RSA+SHA384 RSA+SHA512 RSA+SHA224 - TLS 1.3 sig_algs offered: RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512 - - Testing server defaults (Server Hello) - - TLS extensions (standard) "server name/#0" "max fragment length/#1" "status request/#5" "supported_groups/#10" "EC point formats/#11" - "application layer protocol negotiation/#16" "extended master secret/#23" "supported versions/#43" "key share/#51" - "renegotiation info/#65281" - Session Ticket RFC 5077 hint no -- no lifetime advertised - SSL Session ID support yes - Session Resumption Tickets no, ID: yes - TLS clock skew Random values, no fingerprinting possible - Certificate Compression none - Client Authentication none - Signature Algorithm SHA384 with RSA - Server key size RSA 4096 bits (exponent is 262147) - Server key usage Digital Signature, Key Encipherment - Server extended key usage TLS Web Server Authentication, TLS Web Client Authentication - Serial A39CFE0064280D467269C012636F9EE8 (OK: length 16) - Fingerprints SHA1 9E19BE00A07E50CC5DB94A51419D431E845F810A - SHA256 92D01842FB6275890EF74AAD742990EFD76ABA0604203B327F3270E805B6F356 - Common Name (CN) eddns.eu - subjectAltName (SAN) eddns.eu dns01.eddns.eu dns02.eddns.de dns03.eddns.eu eddns.de - Trust (hostname) Ok via SAN (same w/o SNI) - Chain of trust Ok - EV cert (experimental) no - Certificate Validity (UTC) 358 >= 60 days (2025-06-16 00:00 --> 2026-06-16 23:59) - ETS/"eTLS", visibility info not present - In pwnedkeys.com DB not in database - Certificate Revocation List -- - OCSP URI http://zerossl.ocsp.sectigo.com, not revoked - OCSP stapling offered, not revoked - OCSP must staple extension supported - DNS CAA RR (experimental) available - please check for match with "Issuer" below - communications=error, iodef=mailto:dns@coresecret.eu, issue=;, issue=buypass.no, issue=certum.pl, - issue=letsencrypt.org;, issue=quantumsign.eu;, issue=sectigo.com, issuect=quantumsign.eu;, issuect=quantumsign.eu;, - issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;, - issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuemail=buypass.no, issuemail=certum.pl, issuewild=; - Certificate Transparency yes (certificate extension) - Certificates provided 2 - Issuer ZeroSSL RSA Domain Secure Site CA (ZeroSSL from AT) - Intermediate cert validity #1: ok > 40 days (2030-01-29 23:59). ZeroSSL RSA Domain Secure Site CA <-- USERTrust RSA Certification Authority - Intermediate Bad OCSP (exp.) Ok - - - Testing HTTP header response @ "/" - - HTTP Status Code 200 OK - HTTP clock skew 0 sec from localtime - Strict Transport Security 730 days=63072000 s, includeSubDomains, preload - Public Key Pinning -- - Server banner nginx - Application banner -- - Cookie(s) (none issued at "/") - Security headers X-Frame-Options: SAMEORIGIN - X-Content-Type-Options: nosniff - Expect-CT: max-age=86400, enforce - Permissions-Policy: interest-cohort=() - Cross-Origin-Opener-Policy: same-origin - Cross-Origin-Resource-Policy: cross-origin - Cross-Origin-Embedder-Policy: credentialless - X-XSS-Protection: 1; mode=block - Access-Control-Allow-Origin: https://dns01.eddns.eu - Permissions-Policy: interest-cohort=() - Referrer-Policy: same-origin - Cache-Control: no-cache - Reverse Proxy banner -- - - - Testing vulnerabilities - - Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension - CCS (CVE-2014-0224) not vulnerable (OK) - Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK), no session ticket extension - ROBOT Server does not support any cipher suites that use RSA key transport - Secure Renegotiation (RFC 5746) supported (OK) - Secure Client-Initiated Renegotiation not vulnerable (OK) - CRIME, TLS (CVE-2012-4929) not vulnerable (OK) - BREACH (CVE-2013-3587) no gzip/deflate/compress/br HTTP compression (OK) - only supplied "/" tested - POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support - TLS_FALLBACK_SCSV (RFC 7507) No fallback possible (OK), no protocol below TLS 1.2 offered - SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK) - FREAK (CVE-2015-0204) not vulnerable (OK) - DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK) - make sure you don't use this certificate elsewhere with SSLv2 enabled services, see - https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=92D01842FB6275890EF74AAD742990EFD76ABA0604203B327F3270E805B6F356 - LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2 - BEAST (CVE-2011-3389) not vulnerable (OK), no SSL3 or TLS1 - LUCKY13 (CVE-2013-0169), experimental not vulnerable (OK) - Winshock (CVE-2014-6321), experimental not vulnerable (OK) - RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK) - - - Running client simulations (HTTP) via sockets - - Browser Protocol Cipher Suite Name (OpenSSL) Forward Secrecy ------------------------------------------------------------------------------------------------- - Android 7.0 (native) No connection - Android 8.1 (native) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 384 bit ECDH (P-384) - Android 9.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384) - Android 10.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384) - Android 11/12 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384) - Android 13/14 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384) - Android 15 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384) - Chrome 101 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384) - Chromium 137 (Win 11) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384) - Firefox 100 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521) - Firefox 137 (Win 11) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521) - IE 8 Win 7 No connection - IE 11 Win 7 No connection - IE 11 Win 8.1 No connection - IE 11 Win Phone 8.1 No connection - IE 11 Win 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 384 bit ECDH (P-384) - Edge 15 Win 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 384 bit ECDH (P-384) - Edge 101 Win 10 21H2 TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384) - Edge 133 Win 11 23H2 TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384) - Safari 18.4 (iOS 18.4) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521) - Safari 15.4 (macOS 12.3.1) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521) - Safari 18.4 (macOS 15.4) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521) - Java 7u25 No connection - Java 8u442 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448) - Java 11.0.2 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521) - Java 17.0.3 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448) - Java 21.0.6 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448) - go 1.17.8 TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521) - LibreSSL 3.3.6 (macOS) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521) - OpenSSL 1.0.2e TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 521 bit ECDH (P-521) - OpenSSL 1.1.1d (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448) - OpenSSL 3.0.15 (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448) - OpenSSL 3.5.0 (git) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448) - Apple Mail (16.0) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 521 bit ECDH (P-521) - Thunderbird (91.9) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521) - - - Rating (experimental) - - Rating specs (not complete) SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30) - Specification documentation https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide - Protocol Support (weighted) 100 (30) - Key Exchange (weighted) 100 (30) - Cipher Strength (weighted) 100 (40) - Final Score 100 - Overall Grade A+ - - Done 2025-06-23 06:38:43 [ 102s] -->> 135.181.207.105:443 (dns01.eddns.eu) <<-- - - -25-06-23|root@kali.ed448.eu:/root/gitea/testssl.sh/>>1|~#> ./testssl.sh --show-each --wide --phone-out --full https://git.coresecret.dev/ - -##################################################################### - testssl.sh version 3.2.1 from https://testssl.sh/ - (81471c3 2025-06-15 09:48:31) - - This program is free software. Distribution and modification under - GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! - - Please file bugs @ https://testssl.sh/bugs/ -##################################################################### - - Using OpenSSL 1.0.2-bad (Mar 28 2025) [~179 ciphers] - on kali:./bin/openssl.Linux.x86_64 - - Start 2025-06-23 06:55:40 -->> 152.53.110.40:443 (git.coresecret.dev) <<-- + Start 2025-06-23 17:58:48 -->> 152.53.110.40:443 (git.coresecret.dev) <<-- Further IP addresses: 2a0a:4cc0:80:330f:152:53:110:40 rDNS (152.53.110.40): git.coresecret.dev. @@ -510,8 +204,8 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe OCSP stapling offered, not revoked OCSP must staple extension -- DNS CAA RR (experimental) available - please check for match with "Issuer" below - iodef=mailto:dns@coresecret.eu, issue=;, issue=buypass.no, issue=certum.pl, issue=letsencrypt.org;, - issue=quantumsign.eu;, issue=sectigo.com, issuect=quantumsign.eu;, issuect=quantumsign.eu;, + communications=error, iodef=mailto:dns@coresecret.eu, issue=;, issue=buypass.no, issue=certum.pl, + issue=letsencrypt.org;, issue=quantumsign.eu;, issue=sectigo.com, issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuemail=buypass.no, issuemail=certum.pl, issuewild=; Certificate Transparency yes (certificate extension) @@ -623,7 +317,7 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe Final Score 100 Overall Grade A+ - Done 2025-06-23 06:57:01 [ 86s] -->> 152.53.110.40:443 (git.coresecret.dev) <<-- + Done 2025-06-23 18:00:16 [ 99s] -->> 152.53.110.40:443 (git.coresecret.dev) <<-- ```` --- diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index 348b5c6..c96cb5e 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -14,7 +14,7 @@ include_toc: true ## V8.03.768.2025.06.23 -* Updated [lib_clean_up.sh](../lib/lib_clean_up.sh): Lock FD and Artifacts. +* Updated [lib_clean_up.sh](../lib/lib_clean_up.sh): Removal of Lock FD and Artifacts. * Rearranged VARs sourcing: [early.var.sh](../var/early.var.sh) * Rearranged DEBUG XTRACE sourcing: [meta_sources_debug.sh](../meta_sources_debug.sh) * Added Git Repo specific VARs: [lib_debug_var_git.sh](../lib/lib_debug_var_git.sh) diff --git a/lib/lib_guard_sourcing.sh b/lib/lib_guard_sourcing.sh index 584ee8d..ce48c83 100644 --- a/lib/lib_guard_sourcing.sh +++ b/lib/lib_guard_sourcing.sh @@ -16,7 +16,7 @@ # Globals: # BASH_SOURCE # Arguments: -# $1: Explicitly provided Argument: filename of the caller LIB. (Better let the guard_sourcing() determine dynamically. +# $1: Explicitly provided Argument: filename of the caller LIB. (Better let the guard_sourcing() determine dynamically.) # Returns: # 0: Returns '0' in both cases as they are intended to be successful. #######################################