Marc S. Weidner
83fa76d4aa
Some checks failed
💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 1m23s
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m27s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
326 lines
24 KiB
Markdown
326 lines
24 KiB
Markdown
---
|
|
gitea: none
|
|
include_toc: true
|
|
---
|
|
|
|
# 1. CISS.debian.live.builder
|
|
|
|
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
|
|
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
|
|
**Master Version**: 8.13<br>
|
|
**Build**: V8.13.132.2025.10.11<br>
|
|
|
|
# 2. TLS Audit:
|
|
````text
|
|
./testssl.sh --show-each --wide --phone-out --full https://git.coresecret.dev/
|
|
|
|
#####################################################################
|
|
testssl.sh version 3.2.2 from https://testssl.sh/
|
|
(2e77f5e 2025-09-22 19:35:27)
|
|
|
|
This program is free software. Distribution and modification under
|
|
GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
|
|
|
|
Please file bugs @ https://testssl.sh/bugs/
|
|
#####################################################################
|
|
|
|
Using OpenSSL 1.0.2-bad (Mar 28 2025) [~179 ciphers]
|
|
on kali:./bin/openssl.Linux.x86_64
|
|
|
|
Start 2025-09-28 16:12:17 -->> 152.53.110.40:443 (git.coresecret.dev) <<--
|
|
|
|
Further IP addresses: 2a0a:4cc0:80:330f:152:53:110:40
|
|
rDNS (152.53.110.40): git.coresecret.dev.
|
|
Service detected: HTTP
|
|
|
|
Testing protocols via sockets except NPN+ALPN
|
|
|
|
SSLv2 not offered (OK)
|
|
SSLv3 not offered (OK)
|
|
TLS 1 not offered
|
|
TLS 1.1 not offered
|
|
TLS 1.2 offered (OK)
|
|
TLS 1.3 offered (OK): final
|
|
NPN/SPDY not offered
|
|
ALPN/HTTP2 h2, http/1.1 (offered)
|
|
|
|
Testing for server implementation bugs
|
|
|
|
No bugs found.
|
|
|
|
Testing cipher categories
|
|
|
|
NULL ciphers (no encryption) not offered (OK)
|
|
Anonymous NULL Ciphers (no authentication) not offered (OK)
|
|
Export ciphers (w/o ADH+NULL) not offered (OK)
|
|
LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) not offered (OK)
|
|
Triple DES Ciphers / IDEA not offered
|
|
Obsoleted CBC ciphers (AES, ARIA etc.) not offered
|
|
Strong encryption (AEAD ciphers) with no FS not offered
|
|
Forward Secrecy strong encryption (AEAD ciphers) offered (OK)
|
|
|
|
|
|
Testing server's cipher preferences
|
|
|
|
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC)
|
|
-----------------------------------------------------------------------------------------------------------------------------
|
|
SSLv2
|
|
-
|
|
SSLv3
|
|
-
|
|
TLSv1
|
|
-
|
|
TLSv1.1
|
|
-
|
|
TLSv1.2 (server order)
|
|
xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 448 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
|
xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 448 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
|
|
TLSv1.3 (server order)
|
|
x1302 TLS_AES_256_GCM_SHA384 ECDH 448 AESGCM 256 TLS_AES_256_GCM_SHA384
|
|
x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 448 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256
|
|
|
|
Has server cipher order? yes (OK) -- TLS 1.3 and below
|
|
|
|
|
|
Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4
|
|
|
|
FS is offered (OK) , ciphers follow (client/browser support is important here)
|
|
|
|
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC)
|
|
-----------------------------------------------------------------------------------------------------------------------------
|
|
x1302 TLS_AES_256_GCM_SHA384 ECDH 448 AESGCM 256 TLS_AES_256_GCM_SHA384 available
|
|
x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 448 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 available
|
|
xcc14 ECDHE-ECDSA-CHACHA20-POLY1305-OLD ECDH ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD not a/v
|
|
xcc13 ECDHE-RSA-CHACHA20-POLY1305-OLD ECDH ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD not a/v
|
|
xcc15 DHE-RSA-CHACHA20-POLY1305-OLD DH ChaCha20 256 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD not a/v
|
|
xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 521 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 available
|
|
xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 not a/v
|
|
xc028 ECDHE-RSA-AES256-SHA384 ECDH AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 not a/v
|
|
xc024 ECDHE-ECDSA-AES256-SHA384 ECDH AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 not a/v
|
|
xc014 ECDHE-RSA-AES256-SHA ECDH AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA not a/v
|
|
xc00a ECDHE-ECDSA-AES256-SHA ECDH AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA not a/v
|
|
xa3 DHE-DSS-AES256-GCM-SHA384 DH AESGCM 256 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 not a/v
|
|
x9f DHE-RSA-AES256-GCM-SHA384 DH AESGCM 256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 not a/v
|
|
xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 not a/v
|
|
xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 448 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 available
|
|
xccaa DHE-RSA-CHACHA20-POLY1305 DH ChaCha20 256 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 not a/v
|
|
xc0af ECDHE-ECDSA-AES256-CCM8 ECDH AESCCM8 256 TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 not a/v
|
|
xc0ad ECDHE-ECDSA-AES256-CCM ECDH AESCCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_CCM not a/v
|
|
xc0a3 DHE-RSA-AES256-CCM8 DH AESCCM8 256 TLS_DHE_RSA_WITH_AES_256_CCM_8 not a/v
|
|
xc09f DHE-RSA-AES256-CCM DH AESCCM 256 TLS_DHE_RSA_WITH_AES_256_CCM not a/v
|
|
x6b DHE-RSA-AES256-SHA256 DH AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 not a/v
|
|
x6a DHE-DSS-AES256-SHA256 DH AES 256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 not a/v
|
|
x39 DHE-RSA-AES256-SHA DH AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA not a/v
|
|
x38 DHE-DSS-AES256-SHA DH AES 256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA not a/v
|
|
xc077 ECDHE-RSA-CAMELLIA256-SHA384 ECDH Camellia 256 TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 not a/v
|
|
xc073 ECDHE-ECDSA-CAMELLIA256-SHA384 ECDH Camellia 256 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 not a/v
|
|
xc4 DHE-RSA-CAMELLIA256-SHA256 DH Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 not a/v
|
|
xc3 DHE-DSS-CAMELLIA256-SHA256 DH Camellia 256 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 not a/v
|
|
x88 DHE-RSA-CAMELLIA256-SHA DH Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA not a/v
|
|
x87 DHE-DSS-CAMELLIA256-SHA DH Camellia 256 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA not a/v
|
|
xc043 DHE-DSS-ARIA256-CBC-SHA384 DH ARIA 256 TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384 not a/v
|
|
xc045 DHE-RSA-ARIA256-CBC-SHA384 DH ARIA 256 TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 not a/v
|
|
xc049 ECDHE-ECDSA-ARIA256-CBC-SHA384 ECDH ARIA 256 TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 not a/v
|
|
xc04d ECDHE-RSA-ARIA256-CBC-SHA384 ECDH ARIA 256 TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 not a/v
|
|
xc053 DHE-RSA-ARIA256-GCM-SHA384 DH ARIAGCM 256 TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 not a/v
|
|
xc057 DHE-DSS-ARIA256-GCM-SHA384 DH ARIAGCM 256 TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 not a/v
|
|
xc05d ECDHE-ECDSA-ARIA256-GCM-SHA384 ECDH ARIAGCM 256 TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 not a/v
|
|
xc061 ECDHE-ARIA256-GCM-SHA384 ECDH ARIAGCM 256 TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 not a/v
|
|
xc07d - DH CamelliaGCM 256 TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 not a/v
|
|
xc081 - DH CamelliaGCM 256 TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 not a/v
|
|
xc087 - ECDH CamelliaGCM 256 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 not a/v
|
|
xc08b - ECDH CamelliaGCM 256 TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 not a/v
|
|
x1301 TLS_AES_128_GCM_SHA256 any AESGCM 128 TLS_AES_128_GCM_SHA256 not a/v
|
|
x1304 TLS_AES_128_CCM_SHA256 any AESCCM 128 TLS_AES_128_CCM_SHA256 not a/v
|
|
x1305 TLS_AES_128_CCM_8_SHA256 any AESCCM8 128 TLS_AES_128_CCM_8_SHA256 not a/v
|
|
xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 not a/v
|
|
xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 not a/v
|
|
xc027 ECDHE-RSA-AES128-SHA256 ECDH AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 not a/v
|
|
xc023 ECDHE-ECDSA-AES128-SHA256 ECDH AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 not a/v
|
|
xc013 ECDHE-RSA-AES128-SHA ECDH AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA not a/v
|
|
xc009 ECDHE-ECDSA-AES128-SHA ECDH AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA not a/v
|
|
xa2 DHE-DSS-AES128-GCM-SHA256 DH AESGCM 128 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 not a/v
|
|
x9e DHE-RSA-AES128-GCM-SHA256 DH AESGCM 128 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 not a/v
|
|
xc0ae ECDHE-ECDSA-AES128-CCM8 ECDH AESCCM8 128 TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 not a/v
|
|
xc0ac ECDHE-ECDSA-AES128-CCM ECDH AESCCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_CCM not a/v
|
|
xc0a2 DHE-RSA-AES128-CCM8 DH AESCCM8 128 TLS_DHE_RSA_WITH_AES_128_CCM_8 not a/v
|
|
xc09e DHE-RSA-AES128-CCM DH AESCCM 128 TLS_DHE_RSA_WITH_AES_128_CCM not a/v
|
|
x67 DHE-RSA-AES128-SHA256 DH AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 not a/v
|
|
x40 DHE-DSS-AES128-SHA256 DH AES 128 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 not a/v
|
|
x33 DHE-RSA-AES128-SHA DH AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA not a/v
|
|
x32 DHE-DSS-AES128-SHA DH AES 128 TLS_DHE_DSS_WITH_AES_128_CBC_SHA not a/v
|
|
xc076 ECDHE-RSA-CAMELLIA128-SHA256 ECDH Camellia 128 TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 not a/v
|
|
xc072 ECDHE-ECDSA-CAMELLIA128-SHA256 ECDH Camellia 128 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 not a/v
|
|
xbe DHE-RSA-CAMELLIA128-SHA256 DH Camellia 128 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 not a/v
|
|
xbd DHE-DSS-CAMELLIA128-SHA256 DH Camellia 128 TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 not a/v
|
|
x9a DHE-RSA-SEED-SHA DH SEED 128 TLS_DHE_RSA_WITH_SEED_CBC_SHA not a/v
|
|
x99 DHE-DSS-SEED-SHA DH SEED 128 TLS_DHE_DSS_WITH_SEED_CBC_SHA not a/v
|
|
x45 DHE-RSA-CAMELLIA128-SHA DH Camellia 128 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA not a/v
|
|
x44 DHE-DSS-CAMELLIA128-SHA DH Camellia 128 TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA not a/v
|
|
xc042 DHE-DSS-ARIA128-CBC-SHA256 DH ARIA 128 TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256 not a/v
|
|
xc044 DHE-RSA-ARIA128-CBC-SHA256 DH ARIA 128 TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 not a/v
|
|
xc048 ECDHE-ECDSA-ARIA128-CBC-SHA256 ECDH ARIA 128 TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 not a/v
|
|
xc04c ECDHE-RSA-ARIA128-CBC-SHA256 ECDH ARIA 128 TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 not a/v
|
|
xc052 DHE-RSA-ARIA128-GCM-SHA256 DH ARIAGCM 128 TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 not a/v
|
|
xc056 DHE-DSS-ARIA128-GCM-SHA256 DH ARIAGCM 128 TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 not a/v
|
|
xc05c ECDHE-ECDSA-ARIA128-GCM-SHA256 ECDH ARIAGCM 128 TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 not a/v
|
|
xc060 ECDHE-ARIA128-GCM-SHA256 ECDH ARIAGCM 128 TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 not a/v
|
|
xc07c - DH CamelliaGCM 128 TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 not a/v
|
|
xc080 - DH CamelliaGCM 128 TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 not a/v
|
|
xc086 - ECDH CamelliaGCM 128 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 not a/v
|
|
xc08a - ECDH CamelliaGCM 128 TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 not a/v
|
|
|
|
Elliptic curves offered: secp384r1 secp521r1 X448
|
|
TLS 1.2 sig_algs offered: RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512 RSA+SHA256 RSA+SHA384 RSA+SHA512 RSA+SHA224
|
|
TLS 1.3 sig_algs offered: RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512
|
|
|
|
Testing server defaults (Server Hello)
|
|
|
|
TLS extensions (standard) "server name/#0" "max fragment length/#1" "status request/#5" "supported_groups/#10" "EC point formats/#11"
|
|
"application layer protocol negotiation/#16" "extended master secret/#23" "supported versions/#43" "key share/#51"
|
|
"renegotiation info/#65281"
|
|
Session Ticket RFC 5077 hint no -- no lifetime advertised
|
|
SSL Session ID support yes
|
|
Session Resumption Tickets no, ID: yes
|
|
TLS clock skew Random values, no fingerprinting possible
|
|
Certificate Compression none
|
|
Client Authentication none
|
|
Signature Algorithm SHA256 with RSA
|
|
Server key size RSA 4096 bits (exponent is 65537)
|
|
Server key usage Digital Signature, Key Encipherment
|
|
Server extended key usage TLS Web Server Authentication, TLS Web Client Authentication
|
|
Serial 13292523EB168BD226CE46 (OK: length 11)
|
|
Fingerprints SHA1 1CCF67686A5FFF33D163EFC9E67AB5C70D1122B8
|
|
SHA256 565271C2C74AF9EF5F0DCA16453A643C13E43CBD5B87AB82A622E929C48C8B7B
|
|
Common Name (CN) coresecret.dev
|
|
subjectAltName (SAN) coresecret.dev git.coresecret.dev lab.coresecret.dev run.coresecret.dev www.coresecret.dev
|
|
Trust (hostname) Ok via SAN (same w/o SNI)
|
|
Chain of trust Ok
|
|
EV cert (experimental) no
|
|
Certificate Validity (UTC) 178 >= 60 days (2025-09-27 18:27 --> 2026-03-25 22:59)
|
|
ETS/"eTLS", visibility info not present
|
|
In pwnedkeys.com DB not in database Certificate Revocation List http://crl.buypass.no/crl/BPClass2CA5.crl, not revoked
|
|
OCSP URI http://ocsp.buypass.com, not revoked
|
|
OCSP stapling offered, not revoked
|
|
OCSP must staple extension --
|
|
DNS CAA RR (experimental) available - please check for match with "Issuer" below
|
|
communications=error, iodef=mailto:dns@coresecret.eu, issue=;, issue=buypass.no, issue=certum.pl,
|
|
issue=letsencrypt.org;, issue=quantumsign.eu;, issue=sectigo.com, issuect=quantumsign.eu;, issuect=quantumsign.eu;,
|
|
issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;,
|
|
issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuemail=buypass.no, issuemail=certum.pl, issuewild=;
|
|
Certificate Transparency yes (certificate extension)
|
|
Certificates provided 2
|
|
Issuer Buypass Class 2 CA 5 (Buypass AS-983163327 from NO)
|
|
Intermediate cert validity #1: ok > 40 days (2027-05-23 12:57). Buypass Class 2 CA 5 <-- Buypass Class 2 Root CA
|
|
Intermediate Bad OCSP (exp.) Ok
|
|
|
|
|
|
Testing HTTP header response @ "/"
|
|
|
|
HTTP Status Code 200 OK
|
|
HTTP clock skew 0 sec from localtime
|
|
Strict Transport Security 730 days=63072000 s, includeSubDomains, preload
|
|
Public Key Pinning --
|
|
Server banner nginx
|
|
Application banner --
|
|
Cookie(s) 2 issued: 2/2 secure, 2/2 HttpOnly
|
|
Security headers X-Frame-Options: SAMEORIGIN
|
|
X-Content-Type-Options: nosniff
|
|
Content-Security-Policy: default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'
|
|
git.coresecret.dev; frame-src 'self'; frame-ancestors 'self'; img-src 'self' data: https://badges.coresecret.dev
|
|
https://uml.coresecret.dev; manifest-src 'self' data:; media-src 'self' data: https://badges.coresecret.dev
|
|
https://uml.coresecret.dev; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; base-uri 'none';
|
|
Expect-CT: max-age=86400, enforce
|
|
Permissions-Policy: interest-cohort=()
|
|
Cross-Origin-Opener-Policy: cross-origin
|
|
Cross-Origin-Resource-Policy: cross-origin
|
|
Cross-Origin-Embedder-Policy: unsafe-none
|
|
X-XSS-Protection: 1; mode=block
|
|
Permissions-Policy: interest-cohort=()
|
|
Referrer-Policy: no-referrer
|
|
Cache-Control: no-cache
|
|
Reverse Proxy banner --
|
|
|
|
|
|
Testing vulnerabilities
|
|
|
|
Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension
|
|
CCS (CVE-2014-0224) not vulnerable (OK)
|
|
Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK), no session ticket extension
|
|
ROBOT Server does not support any cipher suites that use RSA key transport
|
|
Secure Renegotiation (RFC 5746) supported (OK)
|
|
Secure Client-Initiated Renegotiation not vulnerable (OK)
|
|
CRIME, TLS (CVE-2012-4929) not vulnerable (OK)
|
|
BREACH (CVE-2013-3587) no gzip/deflate/compress/br HTTP compression (OK) - only supplied "/" tested
|
|
POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support
|
|
TLS_FALLBACK_SCSV (RFC 7507) No fallback possible (OK), no protocol below TLS 1.2 offered
|
|
SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK)
|
|
FREAK (CVE-2015-0204) not vulnerable (OK)
|
|
DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK)
|
|
make sure you don't use this certificate elsewhere with SSLv2 enabled services, see
|
|
https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=565271C2C74AF9EF5F0DCA16453A643C13E43CBD5B87AB82A622E929C48C8B7B
|
|
LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
|
|
BEAST (CVE-2011-3389) not vulnerable (OK), no SSL3 or TLS1
|
|
LUCKY13 (CVE-2013-0169), experimental not vulnerable (OK)
|
|
Winshock (CVE-2014-6321), experimental not vulnerable (OK)
|
|
RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK)
|
|
|
|
|
|
Running client simulations (HTTP) via sockets
|
|
|
|
Browser Protocol Cipher Suite Name (OpenSSL) Forward Secrecy
|
|
------------------------------------------------------------------------------------------------
|
|
Android 7.0 (native) No connection
|
|
Android 8.1 (native) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 384 bit ECDH (P-384)
|
|
Android 9.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
|
|
Android 10.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
|
|
Android 11/12 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
|
|
Android 13/14 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
|
|
Android 15 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
|
|
Chrome 101 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
|
|
Chromium 137 (Win 11) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
|
|
Firefox 100 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
|
|
Firefox 137 (Win 11) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
|
|
IE 8 Win 7 No connection
|
|
IE 11 Win 7 No connection
|
|
IE 11 Win 8.1 No connection
|
|
IE 11 Win Phone 8.1 No connection
|
|
IE 11 Win 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 384 bit ECDH (P-384)
|
|
Edge 15 Win 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 384 bit ECDH (P-384)
|
|
Edge 101 Win 10 21H2 TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
|
|
Edge 133 Win 11 23H2 TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
|
|
Safari 18.4 (iOS 18.4) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
|
|
Safari 15.4 (macOS 12.3.1) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
|
|
Safari 18.4 (macOS 15.4) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
|
|
Java 7u25 No connection
|
|
Java 8u442 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448)
|
|
Java 11.0.2 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
|
|
Java 17.0.3 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448)
|
|
Java 21.0.6 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448)
|
|
go 1.17.8 TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
|
|
LibreSSL 3.3.6 (macOS) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
|
|
OpenSSL 1.0.2e TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 521 bit ECDH (P-521)
|
|
OpenSSL 1.1.1d (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448)
|
|
OpenSSL 3.0.15 (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448)
|
|
OpenSSL 3.5.0 (git) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448)
|
|
Apple Mail (16.0) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 521 bit ECDH (P-521)
|
|
Thunderbird (91.9) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
|
|
|
|
|
|
Rating (experimental)
|
|
|
|
Rating specs (not complete) SSL Labs's 'SSL Server Rating Guide' (version 2009r from 2025-05-16)
|
|
Specification documentation https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
|
|
Protocol Support (weighted) 100 (30)
|
|
Key Exchange (weighted) 100 (30)
|
|
Cipher Strength (weighted) 100 (40)
|
|
Final Score 100
|
|
Overall Grade A+
|
|
|
|
Done 2025-09-28 16:13:50 [ 95s] -->> 152.53.110.40:443 (git.coresecret.dev) <<--
|
|
````
|
|
|
|
---
|
|
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
|
|
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
|