From a0d6e1a29c424ef6a754676665ae478e51b62121ca8718da06d8b8d24cd866c0 Mon Sep 17 00:00:00 2001 From: "Marc S. Weidner" Date: Mon, 2 Jun 2025 19:30:26 +0200 Subject: [PATCH] V8.03.256.2025.06.02 Signed-off-by: Marc S. Weidner --- README.md | 23 +++- docs/AUDIT_TLS.md | 316 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 333 insertions(+), 6 deletions(-) create mode 100644 docs/AUDIT_TLS.md diff --git a/README.md b/README.md index 353f631..7691c43 100644 --- a/README.md +++ b/README.md @@ -33,7 +33,7 @@ and service security. It integrates into your build pipeline to deliver an isola cloud deployment or unattended installations via the forthcoming `CISS.debian.installer`. Additionally, automated CI workflows based on Gitea Actions are provided, enabling reproducible ISO generation. A generic ISO is automatically built upon significant changes and made publicly available for download. The latest generic ISO is available at: -[CISS.debian.live.ISO PUBLIC](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/DL_PUB_ISO.md) +**[PUBLIC CISS.debian.live.ISO](/docs/DL_PUB_ISO.md)** Check out more: * [CenturionNet Services](https://coresecret.eu/cnet/) 
@@ -49,14 +49,25 @@ Check out more: Please note that all my signing keys are stored in an HSM and that the signing environment is air-gapped. The next step is to move to a room-gapped environment. ^^ -### 1.1.2. HSTS and DNSSEC +### 1.1.2. DNSSEC, HSTS, TLS Please note that `coresecret.dev` is included in the [(HSTS Preload List)](https://hstspreload.org/) and always serves the headers: ````nginx configuration pro add_header Expect-CT "max-age=86400, enforce" always; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; ```` -Additionally, the entire zone is dual-signed with DNSSEC. See the current DNSSEC status at [DNSSEC Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_DNSSEC.md) + +* Additionally, the entire zone is dual-signed with DNSSEC. See the current DNSSEC status at: **[DNSSEC Audit Report](/docs/AUDIT_DNSSEC.md)** +* A comprehensive TLS audit of the `git.coresecret.dev` Gitea server is also available. See: **[TLS Audit Report](/docs/AUDIT_TLS.md)** + +### 1.1.3. Gitea Action Runner Hardening + +The CI runners operate on a dedicated host system located in a completely separate Autonomous System (AS). This host is solely +dedicated to providing CI runners and does not perform any other tasks. Each runner is hermetically isolated from others using +non-privileged, shell-less user accounts with no direct login capability. Additionally, each runner executes within its own +separate directory tree, employs `DynamicUser` features, and adheres to strict systemd hardening policies (achieving a security +rating of 2.6). Docker containers used by runners do not run in privileged mode. Security is further enhanced through the use +of both UFW software firewalls and dedicated hardware firewall appliances. ## 1.2. Immutable Source-of-Truth System @@ -85,11 +96,11 @@ source-defined infrastructure logic.
After build and configuration, the following audit reports can be generated: * **Haveged Audit Report**: Validates entropy daemon health and confirms '/dev/random' seeding performance. - Type `chkhvg` at the prompt. See example report: [Haveged Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_HAVEGED.md) + Type `chkhvg` at the prompt. See example report: **[Haveged Audit Report](/docs/AUDIT_HAVEGED.md)** * **Lynis Audit Report**: Outputs a detailed security score and recommendations, confirming a 91%+ hardening baseline. - Type `lsadt` at the prompt. See example report: [Lynis Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_LYNIS.md) + Type `lsadt` at the prompt. See example report: **[Lynis Audit Report](/docs/AUDIT_LYNIS.md)** * **SSH Audit Report**: Verifies SSH daemon configuration against the latest best-practice cipher, KEX, and MAC recommendations. - Type `ssh-audit :`. See example report: [SSH Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_SSH.md) + Type `ssh-audit :`. See example report: **[SSH Audit Report](/docs/AUDIT_SSH.md)** ## 1.3. Preview diff --git a/docs/AUDIT_TLS.md b/docs/AUDIT_TLS.md new file mode 100644 index 0000000..77f44a5 --- /dev/null +++ b/docs/AUDIT_TLS.md @@ -0,0 +1,316 @@ +--- +gitea: none +include_toc: true +--- + +# 1. CISS.debian.live.builder + +**Centurion Intelligence Consulting Agency Information Security Standard**
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
+**Master Version**: 8.03
+**Build**: V8.03.256.2025.06.02
+ +# 2. TLS Audit: + +````text +##################################################################### + testssl.sh version 3.2rc4 from https://testssl.sh/dev/ + (6746fa5 2025-04-18 13:17:50) + + This program is free software. Distribution and modification under + GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! + + Please file bugs @ https://testssl.sh/bugs/ +##################################################################### + + Using OpenSSL 1.0.2-bad (Mar 28 2025) [~179 ciphers] + on kali:./bin/openssl.Linux.x86_64 + + Start 2025-06-02 18:04:19 -->> 152.53.110.40:443 (coresecret.dev) <<-- + + Further IP addresses: 2a0a:4cc0:80:330f:152:53:110:40 + rDNS (152.53.110.40): git.coresecret.dev. + Service detected: HTTP + + Testing protocols via sockets except NPN+ALPN + + SSLv2 not offered (OK) + SSLv3 not offered (OK) + TLS 1 not offered + TLS 1.1 not offered + TLS 1.2 offered (OK) + TLS 1.3 offered (OK): final + NPN/SPDY not offered + ALPN/HTTP2 h2, http/1.1 (offered) + + Testing for server implementation bugs + + No bugs found. + + Testing cipher categories + + NULL ciphers (no encryption) not offered (OK) + Anonymous NULL Ciphers (no authentication) not offered (OK) + Export ciphers (w/o ADH+NULL) not offered (OK) + LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) not offered (OK) + Triple DES Ciphers / IDEA not offered + Obsoleted CBC ciphers (AES, ARIA etc.) not offered + Strong encryption (AEAD ciphers) with no FS not offered + Forward Secrecy strong encryption (AEAD ciphers) offered (OK) + + + Testing server's cipher preferences + +Hexcode Cipher Suite Name (OpenSSL) KeyExch. 
Encryption Bits Cipher Suite Name (IANA/RFC) +----------------------------------------------------------------------------------------------------------------------------- +SSLv2 + - +SSLv3 + - +TLSv1 + - +TLSv1.1 + - +TLSv1.2 (server order) + xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 448 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 448 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 +TLSv1.3 (server order) + x1302 TLS_AES_256_GCM_SHA384 ECDH 448 AESGCM 256 TLS_AES_256_GCM_SHA384 + x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 448 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 + + Has server cipher order? yes (OK) -- TLS 1.3 and below + + + Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4 + + FS is offered (OK) , ciphers follow (client/browser support is important here) + +Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC) +----------------------------------------------------------------------------------------------------------------------------- + x1302 TLS_AES_256_GCM_SHA384 ECDH 448 AESGCM 256 TLS_AES_256_GCM_SHA384 available + x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 448 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 available + xcc14 ECDHE-ECDSA-CHACHA20-POLY1305-OLD ECDH ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD not a/v + xcc13 ECDHE-RSA-CHACHA20-POLY1305-OLD ECDH ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD not a/v + xcc15 DHE-RSA-CHACHA20-POLY1305-OLD DH ChaCha20 256 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD not a/v + xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 521 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 available + xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 not a/v + xc028 ECDHE-RSA-AES256-SHA384 ECDH AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 not a/v + xc024 ECDHE-ECDSA-AES256-SHA384 ECDH AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 not a/v + 
xc014 ECDHE-RSA-AES256-SHA ECDH AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA not a/v + xc00a ECDHE-ECDSA-AES256-SHA ECDH AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA not a/v + xa3 DHE-DSS-AES256-GCM-SHA384 DH AESGCM 256 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 not a/v + x9f DHE-RSA-AES256-GCM-SHA384 DH AESGCM 256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 not a/v + xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 not a/v + xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 448 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 available + xccaa DHE-RSA-CHACHA20-POLY1305 DH ChaCha20 256 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 not a/v + xc0af ECDHE-ECDSA-AES256-CCM8 ECDH AESCCM8 256 TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 not a/v + xc0ad ECDHE-ECDSA-AES256-CCM ECDH AESCCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_CCM not a/v + xc0a3 DHE-RSA-AES256-CCM8 DH AESCCM8 256 TLS_DHE_RSA_WITH_AES_256_CCM_8 not a/v + xc09f DHE-RSA-AES256-CCM DH AESCCM 256 TLS_DHE_RSA_WITH_AES_256_CCM not a/v + x6b DHE-RSA-AES256-SHA256 DH AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 not a/v + x6a DHE-DSS-AES256-SHA256 DH AES 256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 not a/v + x39 DHE-RSA-AES256-SHA DH AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA not a/v + x38 DHE-DSS-AES256-SHA DH AES 256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA not a/v + xc077 ECDHE-RSA-CAMELLIA256-SHA384 ECDH Camellia 256 TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 not a/v + xc073 ECDHE-ECDSA-CAMELLIA256-SHA384 ECDH Camellia 256 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 not a/v + xc4 DHE-RSA-CAMELLIA256-SHA256 DH Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 not a/v + xc3 DHE-DSS-CAMELLIA256-SHA256 DH Camellia 256 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 not a/v + x88 DHE-RSA-CAMELLIA256-SHA DH Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA not a/v + x87 DHE-DSS-CAMELLIA256-SHA DH Camellia 256 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA not a/v + xc043 DHE-DSS-ARIA256-CBC-SHA384 DH ARIA 256 
TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384 not a/v + xc045 DHE-RSA-ARIA256-CBC-SHA384 DH ARIA 256 TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 not a/v + xc049 ECDHE-ECDSA-ARIA256-CBC-SHA384 ECDH ARIA 256 TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 not a/v + xc04d ECDHE-RSA-ARIA256-CBC-SHA384 ECDH ARIA 256 TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 not a/v + xc053 DHE-RSA-ARIA256-GCM-SHA384 DH ARIAGCM 256 TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 not a/v + xc057 DHE-DSS-ARIA256-GCM-SHA384 DH ARIAGCM 256 TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 not a/v + xc05d ECDHE-ECDSA-ARIA256-GCM-SHA384 ECDH ARIAGCM 256 TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 not a/v + xc061 ECDHE-ARIA256-GCM-SHA384 ECDH ARIAGCM 256 TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 not a/v + xc07d - DH CamelliaGCM 256 TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 not a/v + xc081 - DH CamelliaGCM 256 TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 not a/v + xc087 - ECDH CamelliaGCM 256 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 not a/v + xc08b - ECDH CamelliaGCM 256 TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 not a/v + x1301 TLS_AES_128_GCM_SHA256 any AESGCM 128 TLS_AES_128_GCM_SHA256 not a/v + x1304 TLS_AES_128_CCM_SHA256 any AESCCM 128 TLS_AES_128_CCM_SHA256 not a/v + x1305 TLS_AES_128_CCM_8_SHA256 any AESCCM8 128 TLS_AES_128_CCM_8_SHA256 not a/v + xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 not a/v + xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 not a/v + xc027 ECDHE-RSA-AES128-SHA256 ECDH AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 not a/v + xc023 ECDHE-ECDSA-AES128-SHA256 ECDH AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 not a/v + xc013 ECDHE-RSA-AES128-SHA ECDH AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA not a/v + xc009 ECDHE-ECDSA-AES128-SHA ECDH AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA not a/v + xa2 DHE-DSS-AES128-GCM-SHA256 DH AESGCM 128 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 not a/v + x9e DHE-RSA-AES128-GCM-SHA256 DH AESGCM 128 
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 not a/v + xc0ae ECDHE-ECDSA-AES128-CCM8 ECDH AESCCM8 128 TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 not a/v + xc0ac ECDHE-ECDSA-AES128-CCM ECDH AESCCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_CCM not a/v + xc0a2 DHE-RSA-AES128-CCM8 DH AESCCM8 128 TLS_DHE_RSA_WITH_AES_128_CCM_8 not a/v + xc09e DHE-RSA-AES128-CCM DH AESCCM 128 TLS_DHE_RSA_WITH_AES_128_CCM not a/v + x67 DHE-RSA-AES128-SHA256 DH AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 not a/v + x40 DHE-DSS-AES128-SHA256 DH AES 128 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 not a/v + x33 DHE-RSA-AES128-SHA DH AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA not a/v + x32 DHE-DSS-AES128-SHA DH AES 128 TLS_DHE_DSS_WITH_AES_128_CBC_SHA not a/v + xc076 ECDHE-RSA-CAMELLIA128-SHA256 ECDH Camellia 128 TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 not a/v + xc072 ECDHE-ECDSA-CAMELLIA128-SHA256 ECDH Camellia 128 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 not a/v + xbe DHE-RSA-CAMELLIA128-SHA256 DH Camellia 128 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 not a/v + xbd DHE-DSS-CAMELLIA128-SHA256 DH Camellia 128 TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 not a/v + x9a DHE-RSA-SEED-SHA DH SEED 128 TLS_DHE_RSA_WITH_SEED_CBC_SHA not a/v + x99 DHE-DSS-SEED-SHA DH SEED 128 TLS_DHE_DSS_WITH_SEED_CBC_SHA not a/v + x45 DHE-RSA-CAMELLIA128-SHA DH Camellia 128 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA not a/v + x44 DHE-DSS-CAMELLIA128-SHA DH Camellia 128 TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA not a/v + xc042 DHE-DSS-ARIA128-CBC-SHA256 DH ARIA 128 TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256 not a/v + xc044 DHE-RSA-ARIA128-CBC-SHA256 DH ARIA 128 TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 not a/v + xc048 ECDHE-ECDSA-ARIA128-CBC-SHA256 ECDH ARIA 128 TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 not a/v + xc04c ECDHE-RSA-ARIA128-CBC-SHA256 ECDH ARIA 128 TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 not a/v + xc052 DHE-RSA-ARIA128-GCM-SHA256 DH ARIAGCM 128 TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 not a/v + xc056 DHE-DSS-ARIA128-GCM-SHA256 DH ARIAGCM 128 
TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 not a/v + xc05c ECDHE-ECDSA-ARIA128-GCM-SHA256 ECDH ARIAGCM 128 TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 not a/v + xc060 ECDHE-ARIA128-GCM-SHA256 ECDH ARIAGCM 128 TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 not a/v + xc07c - DH CamelliaGCM 128 TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 not a/v + xc080 - DH CamelliaGCM 128 TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 not a/v + xc086 - ECDH CamelliaGCM 128 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 not a/v + xc08a - ECDH CamelliaGCM 128 TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 not a/v + + Elliptic curves offered: secp384r1 secp521r1 X448 + TLS 1.2 sig_algs offered: RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512 RSA+SHA256 RSA+SHA384 RSA+SHA512 RSA+SHA224 + TLS 1.3 sig_algs offered: RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512 + + Testing server defaults (Server Hello) + + TLS extensions (standard) "server name/#0" "max fragment length/#1" "status request/#5" "supported_groups/#10" "EC point formats/#11" + "application layer protocol negotiation/#16" "extended master secret/#23" "supported versions/#43" "key share/#51" + "renegotiation info/#65281" + Session Ticket RFC 5077 hint no -- no lifetime advertised + SSL Session ID support yes + Session Resumption Tickets no, ID: yes + TLS clock skew Random values, no fingerprinting possible + Certificate Compression none + Client Authentication none + Signature Algorithm SHA256 with RSA + Server key size RSA 4096 bits (exponent is 65537) + Server key usage Digital Signature, Key Encipherment + Server extended key usage TLS Web Server Authentication, TLS Web Client Authentication + Serial 1230B34459C6F27FA9BCD2 (OK: length 11) + Fingerprints SHA1 1A8BD98862771602E7DD46B742FB66D6C03E622E + SHA256 76B6FFCE607D8514F676C286C7C76B90F5B7AE7D041631F2EF2F0079AF8D24AC + Common Name (CN) coresecret.dev + subjectAltName (SAN) coresecret.dev git.coresecret.dev lab.coresecret.dev run.coresecret.dev www.coresecret.dev + Trust 
(hostname) Ok via SAN and CN (same w/o SNI) + Chain of trust Ok + EV cert (experimental) no + Certificate Validity (UTC) 174 >= 60 days (2025-05-28 09:56 --> 2025-11-23 22:59) + ETS/"eTLS", visibility info not present + In pwnedkeys.com DB not in database + Certificate Revocation List http://crl.buypass.no/crl/BPClass2CA5.crl, not revoked + OCSP URI http://ocsp.buypass.com, not revoked + OCSP stapling offered, not revoked + OCSP must staple extension -- + DNS CAA RR (experimental) not offered + Certificate Transparency yes (certificate extension) + Certificates provided 2 + Issuer Buypass Class 2 CA 5 (Buypass AS-983163327 from NO) + Intermediate cert validity #1: ok > 40 days (2027-05-23 12:57). Buypass Class 2 CA 5 <-- Buypass Class 2 Root CA + Intermediate Bad OCSP (exp.) Ok + + + Testing HTTP header response @ "/" + + HTTP Status Code 301 Moved Permanently, redirecting to "https://git.coresecret.dev" + HTTP clock skew 0 sec from localtime + Strict Transport Security 730 days=63072000 s, includeSubDomains, preload + Public Key Pinning -- + Server banner nginx + Application banner -- + Cookie(s) (none issued at "/") -- maybe better try target URL of 30x + Security headers X-Frame-Options: SAMEORIGIN + X-Content-Type-Options: nosniff + Expect-CT: max-age=86400, enforce + Permissions-Policy: interest-cohort=() + Cross-Origin-Opener-Policy: same-origin + Cross-Origin-Resource-Policy: same-origin + Cross-Origin-Embedder-Policy: require-corp + X-XSS-Protection: 1; mode=block + Permissions-Policy: interest-cohort=() + Referrer-Policy: same-origin + Cache-Control: no-cache + Reverse Proxy banner -- + + + Testing vulnerabilities + + Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension + CCS (CVE-2014-0224) not vulnerable (OK) + Ticketbleed (CVE-2016-9244), experiment. 
not vulnerable (OK), no session ticket extension + ROBOT Server does not support any cipher suites that use RSA key transport + Secure Renegotiation (RFC 5746) supported (OK) + Secure Client-Initiated Renegotiation not vulnerable (OK) + CRIME, TLS (CVE-2012-4929) not vulnerable (OK) + BREACH (CVE-2013-3587) no gzip/deflate/compress/br HTTP compression (OK) - only supplied "/" tested + POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support + TLS_FALLBACK_SCSV (RFC 7507) No fallback possible (OK), no protocol below TLS 1.2 offered + SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK) + FREAK (CVE-2015-0204) not vulnerable (OK) + DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK) + make sure you don't use this certificate elsewhere with SSLv2 enabled services, see + https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=76B6FFCE607D8514F676C286C7C76B90F5B7AE7D041631F2EF2F0079AF8D24AC + LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2 + BEAST (CVE-2011-3389) not vulnerable (OK), no SSL3 or TLS1 + LUCKY13 (CVE-2013-0169), experimental not vulnerable (OK) + Winshock (CVE-2014-6321), experimental not vulnerable (OK) + RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK) + + + Running client simulations (HTTP) via sockets + + Browser Protocol Cipher Suite Name (OpenSSL) Forward Secrecy +------------------------------------------------------------------------------------------------ + Android 7.0 (native) No connection + Android 8.1 (native) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 384 bit ECDH (P-384) + Android 9.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384) + Android 10.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384) + Android 11/12 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384) + Android 13/14 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384) + Chrome 101 (Win 10) TLSv1.3 
TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384) + Chromium 137 (Win 11) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384) + Firefox 100 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521) + Firefox 137 (Win 11) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521) + IE 8 Win 7 No connection + IE 11 Win 7 No connection + IE 11 Win 8.1 No connection + IE 11 Win Phone 8.1 No connection + IE 11 Win 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 384 bit ECDH (P-384) + Edge 15 Win 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 384 bit ECDH (P-384) + Edge 101 Win 10 21H2 TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384) + Edge 133 Win 11 23H2 TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384) + Safari 18.4 (iOS 18.4) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521) + Safari 15.4 (macOS 12.3.1) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521) + Safari 18.4 (macOS 15.4) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521) + Java 7u25 No connection + Java 8u442 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448) + Java 11.0.2 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521) + Java 17.0.3 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448) + Java 21.0.6 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448) + go 1.17.8 TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521) + LibreSSL 3.3.6 (macOS) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521) + OpenSSL 1.0.2e TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 521 bit ECDH (P-521) + OpenSSL 1.1.1d (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448) + OpenSSL 3.0.15 (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448) + OpenSSL 3.5.0 (git) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448) + Apple Mail (16.0) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 521 bit ECDH (P-521) + Thunderbird (91.9) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521) + + + Rating (experimental) + + Rating specs (not complete) SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30) + Specification 
documentation https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide + Protocol Support (weighted) 100 (30) + Key Exchange (weighted) 100 (30) + Cipher Strength (weighted) 100 (40) + Final Score 100 + Overall Grade A+ + + Done 2025-06-02 18:05:51 [ 95s] -->> 152.53.110.40:443 (coresecret.dev) <<-- +```` + +--- +**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)** +
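Review bot: in the README hunk at `@@ -33,7 +33,7 @@`, the download link changes from the absolute Gitea URL to the root-relative `/docs/DL_PUB_ISO.md`. A leading slash resolves against the web server root rather than the repository, so whether it works depends on the renderer rewriting it; in a mirror, a fork served under a different path prefix, or a locally rendered README it breaks. The repo-relative form `[PUBLIC CISS.debian.live.ISO](docs/DL_PUB_ISO.md)` (no leading slash) is portable and is what the other two README hunks should use as well.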
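Review bot: the new section 1.1.3 in the `@@ -49,14 +49,25 @@` hunk cites "a security rating of 2.6" without saying what produced it. State the tool and its scale (for a systemd unit this reads like a `systemd-analyze security` exposure score, where lower is better) and name the unit it was measured on, otherwise the figure cannot be reproduced or re-checked after the next change. Two smaller points in the same hunk: the heading now reads "DNSSEC, HSTS, TLS", but the HSTS paragraph speaks about `coresecret.dev` while the new TLS bullet covers `git.coresecret.dev`, so say explicitly that the preload entry with `includeSubDomains` covers the whole zone including the Gitea host; and the `Expect-CT` header shown in the context block is deprecated and no longer enforced by current browsers, so it should be removed rather than documented as a guarantee.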
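Review bot: the three audit-report links in the `@@ -85,11 +96,11 @@` hunk switch to root-relative paths (`/docs/AUDIT_HAVEGED.md`, `/docs/AUDIT_LYNIS.md`, `/docs/AUDIT_SSH.md`), the same portability concern as the first hunk; prefer `docs/AUDIT_HAVEGED.md` and so on. In this hunk's context the instruction "Type `ssh-audit :`" has nothing between `ssh-audit` and `:`, which reads as a lost host/port placeholder; if that is what is meant, spell it out as `ssh-audit <host>:<port>` so the command is usable as written.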
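Review bot: the new `docs/AUDIT_TLS.md` does not test what the README bullet says it does. The `Start` line shows the scanned target as `coresecret.dev` (152.53.110.40:443), the HTTP section received a `301` to `https://git.coresecret.dev` and only tested `/`, and testssl itself flags this (`maybe better try target URL of 30x`), so the header, cookie and BREACH results describe the redirecting vhost, not the Gitea application. Re-run against `https://git.coresecret.dev/`, and also against the IPv6 address listed under "Further IP addresses", which was not scanned, before presenting this as a TLS audit of the Gitea server. Findings in the visible output that merit action: `DNS CAA RR (experimental) not offered` means nothing restricts issuance to Buypass even though the zone is DNSSEC-signed, so a CAA record is the missing control; `OCSP must staple extension --` while stapling is offered; `Permissions-Policy: interest-cohort=()` is emitted twice; `X-XSS-Protection: 1; mode=block` is legacy (current guidance is `0`) and no `Content-Security-Policy` appears in the header list. Finally, the file carries a Build version but the only timestamp is inside the tool output and the certificate window ends 2025-11-23; record the scan date in the front matter or regenerate the report from CI so it does not silently go stale.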