---
gitea: none
include_toc: true
---

# 1. CISS.debian.live.builder

**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
**Build**: V8.13.384.2025.11.06
# 2. TLS Audit:

````text
./testssl.sh --show-each --wide --phone-out --full https://git.coresecret.dev/

#####################################################################
  testssl.sh version 3.2.2 from https://testssl.sh/
  (2e77f5e 2025-09-22 19:35:27)

  This program is free software. Distribution and modification under
  GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

  Please file bugs @ https://testssl.sh/bugs/
#####################################################################

  Using OpenSSL 1.0.2-bad (Mar 28 2025)  [~179 ciphers]
  on kali:./bin/openssl.Linux.x86_64

 Start 2025-09-28 16:12:17        -->> 152.53.110.40:443 (git.coresecret.dev) <<--

 Further IP addresses:   2a0a:4cc0:80:330f:152:53:110:40
 rDNS (152.53.110.40):   git.coresecret.dev.
 Service detected:       HTTP

 Testing protocols via sockets except NPN+ALPN

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): final
 NPN/SPDY   not offered
 ALPN/HTTP2 h2, http/1.1 (offered)

 Testing for server implementation bugs

 No bugs found.

 Testing cipher categories

 NULL ciphers (no encryption)                      not offered (OK)
 Anonymous NULL Ciphers (no authentication)        not offered (OK)
 Export ciphers (w/o ADH+NULL)                     not offered (OK)
 LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export)      not offered (OK)
 Triple DES Ciphers / IDEA                         not offered
 Obsoleted CBC ciphers (AES, ARIA etc.)            not offered
 Strong encryption (AEAD ciphers) with no FS       not offered
 Forward Secrecy strong encryption (AEAD ciphers)  offered (OK)

 Testing server's cipher preferences

 Hexcode  Cipher Suite Name (OpenSSL)        KeyExch.   Encryption   Bits  Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2
 -
SSLv3
 -
TLSv1
 -
TLSv1.1
 -
TLSv1.2 (server order)
 xc030    ECDHE-RSA-AES256-GCM-SHA384        ECDH 448   AESGCM       256   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 xcca8    ECDHE-RSA-CHACHA20-POLY1305        ECDH 448   ChaCha20     256   TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLSv1.3 (server order)
 x1302    TLS_AES_256_GCM_SHA384             ECDH 448   AESGCM       256   TLS_AES_256_GCM_SHA384
 x1303    TLS_CHACHA20_POLY1305_SHA256       ECDH 448   ChaCha20     256   TLS_CHACHA20_POLY1305_SHA256

 Has server cipher order?     yes (OK) -- TLS 1.3 and below

 Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4

 FS is offered (OK) , ciphers follow (client/browser support is important here)

 Hexcode  Cipher Suite Name (OpenSSL)        KeyExch.   Encryption   Bits  Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
 x1302    TLS_AES_256_GCM_SHA384             ECDH 448   AESGCM       256   TLS_AES_256_GCM_SHA384                             available
 x1303    TLS_CHACHA20_POLY1305_SHA256       ECDH 448   ChaCha20     256   TLS_CHACHA20_POLY1305_SHA256                       available
 xcc14    ECDHE-ECDSA-CHACHA20-POLY1305-OLD  ECDH       ChaCha20     256   TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD  not a/v
 xcc13    ECDHE-RSA-CHACHA20-POLY1305-OLD    ECDH       ChaCha20     256   TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD    not a/v
 xcc15    DHE-RSA-CHACHA20-POLY1305-OLD      DH         ChaCha20     256   TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD      not a/v
 xc030    ECDHE-RSA-AES256-GCM-SHA384        ECDH 521   AESGCM       256   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384              available
 xc02c    ECDHE-ECDSA-AES256-GCM-SHA384      ECDH       AESGCM       256   TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384            not a/v
 xc028    ECDHE-RSA-AES256-SHA384            ECDH       AES          256   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384              not a/v
 xc024    ECDHE-ECDSA-AES256-SHA384          ECDH       AES          256   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384            not a/v
 xc014    ECDHE-RSA-AES256-SHA               ECDH       AES          256   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 not a/v
 xc00a    ECDHE-ECDSA-AES256-SHA             ECDH       AES          256   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA               not a/v
 xa3      DHE-DSS-AES256-GCM-SHA384          DH         AESGCM       256   TLS_DHE_DSS_WITH_AES_256_GCM_SHA384                not a/v
 x9f      DHE-RSA-AES256-GCM-SHA384          DH         AESGCM       256   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384                not a/v
 xcca9    ECDHE-ECDSA-CHACHA20-POLY1305      ECDH       ChaCha20     256   TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256      not a/v
 xcca8    ECDHE-RSA-CHACHA20-POLY1305        ECDH 448   ChaCha20     256   TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256        available
 xccaa    DHE-RSA-CHACHA20-POLY1305          DH         ChaCha20     256   TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256          not a/v
 xc0af    ECDHE-ECDSA-AES256-CCM8            ECDH       AESCCM8      256   TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8                 not a/v
 xc0ad    ECDHE-ECDSA-AES256-CCM             ECDH       AESCCM       256   TLS_ECDHE_ECDSA_WITH_AES_256_CCM                   not a/v
 xc0a3    DHE-RSA-AES256-CCM8                DH         AESCCM8      256   TLS_DHE_RSA_WITH_AES_256_CCM_8                     not a/v
 xc09f    DHE-RSA-AES256-CCM                 DH         AESCCM       256   TLS_DHE_RSA_WITH_AES_256_CCM                       not a/v
 x6b      DHE-RSA-AES256-SHA256              DH         AES          256   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256                not a/v
 x6a      DHE-DSS-AES256-SHA256              DH         AES          256   TLS_DHE_DSS_WITH_AES_256_CBC_SHA256                not a/v
 x39      DHE-RSA-AES256-SHA                 DH         AES          256   TLS_DHE_RSA_WITH_AES_256_CBC_SHA                   not a/v
 x38      DHE-DSS-AES256-SHA                 DH         AES          256   TLS_DHE_DSS_WITH_AES_256_CBC_SHA                   not a/v
 xc077    ECDHE-RSA-CAMELLIA256-SHA384       ECDH       Camellia     256   TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384         not a/v
 xc073    ECDHE-ECDSA-CAMELLIA256-SHA384     ECDH       Camellia     256   TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384       not a/v
 xc4      DHE-RSA-CAMELLIA256-SHA256         DH         Camellia     256   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256           not a/v
 xc3      DHE-DSS-CAMELLIA256-SHA256         DH         Camellia     256   TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256           not a/v
 x88      DHE-RSA-CAMELLIA256-SHA            DH         Camellia     256   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA              not a/v
 x87      DHE-DSS-CAMELLIA256-SHA            DH         Camellia     256   TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA              not a/v
 xc043    DHE-DSS-ARIA256-CBC-SHA384         DH         ARIA         256   TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384               not a/v
 xc045    DHE-RSA-ARIA256-CBC-SHA384         DH         ARIA         256   TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384               not a/v
 xc049    ECDHE-ECDSA-ARIA256-CBC-SHA384     ECDH       ARIA         256   TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384           not a/v
 xc04d    ECDHE-RSA-ARIA256-CBC-SHA384       ECDH       ARIA         256   TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384             not a/v
 xc053    DHE-RSA-ARIA256-GCM-SHA384         DH         ARIAGCM      256   TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384               not a/v
 xc057    DHE-DSS-ARIA256-GCM-SHA384         DH         ARIAGCM      256   TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384               not a/v
 xc05d    ECDHE-ECDSA-ARIA256-GCM-SHA384     ECDH       ARIAGCM      256   TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384           not a/v
 xc061    ECDHE-ARIA256-GCM-SHA384           ECDH       ARIAGCM      256   TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384             not a/v
 xc07d    -                                  DH         CamelliaGCM  256   TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384           not a/v
 xc081    -                                  DH         CamelliaGCM  256   TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384           not a/v
 xc087    -                                  ECDH       CamelliaGCM  256   TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384       not a/v
 xc08b    -                                  ECDH       CamelliaGCM  256   TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384         not a/v
 x1301    TLS_AES_128_GCM_SHA256             any        AESGCM       128   TLS_AES_128_GCM_SHA256                             not a/v
 x1304    TLS_AES_128_CCM_SHA256             any        AESCCM       128   TLS_AES_128_CCM_SHA256                             not a/v
 x1305    TLS_AES_128_CCM_8_SHA256           any        AESCCM8      128   TLS_AES_128_CCM_8_SHA256                           not a/v
 xc02f    ECDHE-RSA-AES128-GCM-SHA256        ECDH       AESGCM       128   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256              not a/v
 xc02b    ECDHE-ECDSA-AES128-GCM-SHA256      ECDH       AESGCM       128   TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256            not a/v
 xc027    ECDHE-RSA-AES128-SHA256            ECDH       AES          128   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256              not a/v
 xc023    ECDHE-ECDSA-AES128-SHA256          ECDH       AES          128   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256            not a/v
 xc013    ECDHE-RSA-AES128-SHA               ECDH       AES          128   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                 not a/v
 xc009    ECDHE-ECDSA-AES128-SHA             ECDH       AES          128   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA               not a/v
 xa2      DHE-DSS-AES128-GCM-SHA256          DH         AESGCM       128   TLS_DHE_DSS_WITH_AES_128_GCM_SHA256                not a/v
 x9e      DHE-RSA-AES128-GCM-SHA256          DH         AESGCM       128   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256                not a/v
 xc0ae    ECDHE-ECDSA-AES128-CCM8            ECDH       AESCCM8      128   TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8                 not a/v
 xc0ac    ECDHE-ECDSA-AES128-CCM             ECDH       AESCCM       128   TLS_ECDHE_ECDSA_WITH_AES_128_CCM                   not a/v
 xc0a2    DHE-RSA-AES128-CCM8                DH         AESCCM8      128   TLS_DHE_RSA_WITH_AES_128_CCM_8                     not a/v
 xc09e    DHE-RSA-AES128-CCM                 DH         AESCCM       128   TLS_DHE_RSA_WITH_AES_128_CCM                       not a/v
 x67      DHE-RSA-AES128-SHA256              DH         AES          128   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256                not a/v
 x40      DHE-DSS-AES128-SHA256              DH         AES          128   TLS_DHE_DSS_WITH_AES_128_CBC_SHA256                not a/v
 x33      DHE-RSA-AES128-SHA                 DH         AES          128   TLS_DHE_RSA_WITH_AES_128_CBC_SHA                   not a/v
 x32      DHE-DSS-AES128-SHA                 DH         AES          128   TLS_DHE_DSS_WITH_AES_128_CBC_SHA                   not a/v
 xc076    ECDHE-RSA-CAMELLIA128-SHA256       ECDH       Camellia     128   TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256         not a/v
 xc072    ECDHE-ECDSA-CAMELLIA128-SHA256     ECDH       Camellia     128   TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256       not a/v
 xbe      DHE-RSA-CAMELLIA128-SHA256         DH         Camellia     128   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256           not a/v
 xbd      DHE-DSS-CAMELLIA128-SHA256         DH         Camellia     128   TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256           not a/v
 x9a      DHE-RSA-SEED-SHA                   DH         SEED         128   TLS_DHE_RSA_WITH_SEED_CBC_SHA                      not a/v
 x99      DHE-DSS-SEED-SHA                   DH         SEED         128   TLS_DHE_DSS_WITH_SEED_CBC_SHA                      not a/v
 x45      DHE-RSA-CAMELLIA128-SHA            DH         Camellia     128   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA              not a/v
 x44      DHE-DSS-CAMELLIA128-SHA            DH         Camellia     128   TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA              not a/v
 xc042    DHE-DSS-ARIA128-CBC-SHA256         DH         ARIA         128   TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256               not a/v
 xc044    DHE-RSA-ARIA128-CBC-SHA256         DH         ARIA         128   TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256               not a/v
 xc048    ECDHE-ECDSA-ARIA128-CBC-SHA256     ECDH       ARIA         128   TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256           not a/v
 xc04c    ECDHE-RSA-ARIA128-CBC-SHA256       ECDH       ARIA         128   TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256             not a/v
 xc052    DHE-RSA-ARIA128-GCM-SHA256         DH         ARIAGCM      128   TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256               not a/v
 xc056    DHE-DSS-ARIA128-GCM-SHA256         DH         ARIAGCM      128   TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256               not a/v
 xc05c    ECDHE-ECDSA-ARIA128-GCM-SHA256     ECDH       ARIAGCM      128   TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256           not a/v
 xc060    ECDHE-ARIA128-GCM-SHA256           ECDH       ARIAGCM      128   TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256             not a/v
 xc07c    -                                  DH         CamelliaGCM  128   TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256           not a/v
 xc080    -                                  DH         CamelliaGCM  128   TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256           not a/v
 xc086    -                                  ECDH       CamelliaGCM  128   TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256       not a/v
 xc08a    -                                  ECDH       CamelliaGCM  128   TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256         not a/v

 Elliptic curves offered:     secp384r1 secp521r1 X448
 TLS 1.2 sig_algs offered:    RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512 RSA+SHA256 RSA+SHA384 RSA+SHA512 RSA+SHA224
 TLS 1.3 sig_algs offered:    RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512

 Testing server defaults (Server Hello)

 TLS extensions (standard)    "server name/#0" "max fragment length/#1" "status request/#5" "supported_groups/#10"
                              "EC point formats/#11" "application layer protocol negotiation/#16"
                              "extended master secret/#23" "supported versions/#43" "key share/#51"
                              "renegotiation info/#65281"
 Session Ticket RFC 5077 hint no -- no lifetime advertised
 SSL Session ID support       yes
 Session Resumption           Tickets no, ID: yes
 TLS clock skew               Random values, no fingerprinting possible
 Certificate Compression      none
 Client Authentication        none
 Signature Algorithm          SHA256 with RSA
 Server key size              RSA 4096 bits (exponent is 65537)
 Server key usage             Digital Signature, Key Encipherment
 Server extended key usage    TLS Web Server Authentication, TLS Web Client Authentication
 Serial                       13292523EB168BD226CE46 (OK: length 11)
 Fingerprints                 SHA1 1CCF67686A5FFF33D163EFC9E67AB5C70D1122B8
                              SHA256 565271C2C74AF9EF5F0DCA16453A643C13E43CBD5B87AB82A622E929C48C8B7B
 Common Name (CN)             coresecret.dev
 subjectAltName (SAN)         coresecret.dev git.coresecret.dev lab.coresecret.dev run.coresecret.dev www.coresecret.dev
 Trust (hostname)             Ok via SAN (same w/o SNI)
 Chain of trust               Ok
 EV cert (experimental)       no
 Certificate Validity (UTC)   178 >= 60 days (2025-09-27 18:27 --> 2026-03-25 22:59)
 ETS/"eTLS", visibility info  not present
 In pwnedkeys.com DB          not in database
 Certificate Revocation List  http://crl.buypass.no/crl/BPClass2CA5.crl, not revoked
 OCSP URI                     http://ocsp.buypass.com, not revoked
 OCSP stapling                offered, not revoked
 OCSP must staple extension   --
 DNS CAA RR (experimental)    available - please check for match with "Issuer" below
                              communications=error, iodef=mailto:dns@coresecret.eu, issue=;, issue=buypass.no,
                              issue=certum.pl, issue=letsencrypt.org;, issue=quantumsign.eu;, issue=sectigo.com,
                              issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;,
                              issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;,
                              issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuemail=buypass.no,
                              issuemail=certum.pl, issuewild=;
 Certificate Transparency     yes (certificate extension)
 Certificates provided        2
 Issuer                       Buypass Class 2 CA 5 (Buypass AS-983163327 from NO)
 Intermediate cert validity   #1: ok > 40 days (2027-05-23 12:57). Buypass Class 2 CA 5 <-- Buypass Class 2 Root CA
 Intermediate Bad OCSP (exp.) Ok

 Testing HTTP header response @ "/"

 HTTP Status Code             200 OK
 HTTP clock skew              0 sec from localtime
 Strict Transport Security    730 days=63072000 s, includeSubDomains, preload
 Public Key Pinning           --
 Server banner                nginx
 Application banner           --
 Cookie(s)                    2 issued: 2/2 secure, 2/2 HttpOnly
 Security headers             X-Frame-Options: SAMEORIGIN
                              X-Content-Type-Options: nosniff
                              Content-Security-Policy: default-src 'self'; connect-src 'self'; font-src 'self' data:;
                                form-action 'self' git.coresecret.dev; frame-src 'self'; frame-ancestors 'self';
                                img-src 'self' data: https://badges.coresecret.dev https://uml.coresecret.dev;
                                manifest-src 'self' data:;
                                media-src 'self' data: https://badges.coresecret.dev https://uml.coresecret.dev;
                                script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; base-uri 'none';
                              Expect-CT: max-age=86400, enforce
                              Permissions-Policy: interest-cohort=()
                              Cross-Origin-Opener-Policy: cross-origin
                              Cross-Origin-Resource-Policy: cross-origin
                              Cross-Origin-Embedder-Policy: unsafe-none
                              X-XSS-Protection: 1; mode=block
                              Permissions-Policy: interest-cohort=()
                              Referrer-Policy: no-referrer
                              Cache-Control: no-cache
 Reverse Proxy banner         --

 Testing vulnerabilities

 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Ticketbleed (CVE-2016-9244), experiment.  not vulnerable (OK), no session ticket extension
 ROBOT                                     Server does not support any cipher suites that use RSA key transport
 Secure Renegotiation (RFC 5746)           supported (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    no gzip/deflate/compress/br HTTP compression (OK) - only supplied "/" tested
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK), no SSLv3 support
 TLS_FALLBACK_SCSV (RFC 7507)              No fallback possible (OK), no protocol below TLS 1.2 offered
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services, see
                                           https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=565271C2C74AF9EF5F0DCA16453A643C13E43CBD5B87AB82A622E929C48C8B7B
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
 BEAST (CVE-2011-3389)                     not vulnerable (OK), no SSL3 or TLS1
 LUCKY13 (CVE-2013-0169), experimental     not vulnerable (OK)
 Winshock (CVE-2014-6321), experimental    not vulnerable (OK)
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)

 Running client simulations (HTTP) via sockets

 Browser                      Protocol  Cipher Suite Name (OpenSSL)       Forward Secrecy
------------------------------------------------------------------------------------------------
 Android 7.0 (native)         No connection
 Android 8.1 (native)         TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       384 bit ECDH (P-384)
 Android 9.0 (native)         TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
 Android 10.0 (native)        TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
 Android 11/12 (native)       TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
 Android 13/14 (native)       TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
 Android 15 (native)          TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
 Chrome 101 (Win 10)          TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
 Chromium 137 (Win 11)        TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
 Firefox 100 (Win 10)         TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
 Firefox 137 (Win 11)         TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
 IE 8 Win 7                   No connection
 IE 11 Win 7                  No connection
 IE 11 Win 8.1                No connection
 IE 11 Win Phone 8.1          No connection
 IE 11 Win 10                 TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       384 bit ECDH (P-384)
 Edge 15 Win 10               TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       384 bit ECDH (P-384)
 Edge 101 Win 10 21H2         TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
 Edge 133 Win 11 23H2         TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
 Safari 18.4 (iOS 18.4)       TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
 Safari 15.4 (macOS 12.3.1)   TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
 Safari 18.4 (macOS 15.4)     TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
 Java 7u25                    No connection
 Java 8u442 (OpenJDK)         TLSv1.3   TLS_AES_256_GCM_SHA384            448 bit ECDH (X448)
 Java 11.0.2 (OpenJDK)        TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
 Java 17.0.3 (OpenJDK)        TLSv1.3   TLS_AES_256_GCM_SHA384            448 bit ECDH (X448)
 Java 21.0.6 (OpenJDK)        TLSv1.3   TLS_AES_256_GCM_SHA384            448 bit ECDH (X448)
 go 1.17.8                    TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
 LibreSSL 3.3.6 (macOS)       TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
 OpenSSL 1.0.2e               TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       521 bit ECDH (P-521)
 OpenSSL 1.1.1d (Debian)      TLSv1.3   TLS_AES_256_GCM_SHA384            448 bit ECDH (X448)
 OpenSSL 3.0.15 (Debian)      TLSv1.3   TLS_AES_256_GCM_SHA384            448 bit ECDH (X448)
 OpenSSL 3.5.0 (git)          TLSv1.3   TLS_AES_256_GCM_SHA384            448 bit ECDH (X448)
 Apple Mail (16.0)            TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       521 bit ECDH (P-521)
 Thunderbird (91.9)           TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)

 Rating (experimental)

 Rating specs (not complete)  SSL Labs's 'SSL Server Rating Guide' (version 2009r from 2025-05-16)
 Specification documentation  https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
 Protocol Support (weighted)  100 (30)
 Key Exchange     (weighted)  100 (30)
 Cipher Strength  (weighted)  100 (40)
 Final Score                  100
 Overall Grade                A+

 Done 2025-09-28 16:13:50 [ 95s] -->> 152.53.110.40:443 (git.coresecret.dev) <<--
````

---

**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**