Untitled

###########################################################
    testssl.sh       2.8rc1 from https://testssl.sh/dev/
    (424cf23 2016-08-09 10:35:58 -- 1.531)

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2i-dev)" [~183 ciphers]
 on a006:./bin/openssl.Linux.x86_64
 (built: "Jun 22 19:32:29 2016", platform: "linux-x86_64")


 Start 2016-08-17 21:32:36    -->> 192.168.1.1:443 (r7) <<--

 rDNS (192.168.1.1):
 Service detected:       HTTP


 Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2)

 SSLv2               not offered (OK)
 SSLv3               not offered (OK)
 TLS 1               offered
 TLS 1.1             offered
 TLS 1.2             offered (OK)
 Version tolerance   downgraded to TLSv1.2 (OK)
 SPDY/NPN            not offered
 HTTP2/ALPN          not offered

 Testing ~standard cipher lists

 Null Ciphers                 not offered (OK)
 Anonymous NULL Ciphers       not offered (OK)
 Anonymous DH Ciphers         not offered (OK)
 40 Bit encryption            not offered (OK)
 56 Bit encryption            not offered (OK)
 Export Ciphers (general)     not offered (OK)
 Low (<=64 Bit)               not offered (OK)
 DES Ciphers                  not offered (OK)
 Medium grade encryption      not offered (OK)
 Triple DES Ciphers           offered
 High grade encryption        offered (OK)


 Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption as well as 3DES and RC4 here

 PFS is offered (OK)          ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA
 Elliptic curves offered:     prime256v1


 Testing server preferences

 Has server cipher order?     yes (OK)
 Negotiated protocol          TLSv1.2
 Negotiated cipher            ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH
 Cipher order
    TLSv1:     ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA AES128-SHA AES256-SHA DES-CBC3-SHA
    TLSv1.1:   ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA AES128-SHA AES256-SHA DES-CBC3-SHA
    TLSv1.2:   ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA DES-CBC3-SHA


 Testing server defaults (Server Hello)

 TLS extensions (standard)    "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35" "heartbeat/#15"
 Session Tickets RFC 5077     300 seconds (PFS requires session ticket keys to be rotated <= daily)
 SSL Session ID support       yes
 TLS clock skew               random values, no fingerprinting possible
 Signature Algorithm          SHA1 with RSA
 Server key size              RSA 2048 bits
 Fingerprint / Serial         SHA1 8CA67181742164606AF4130C1CAD2800DB811C05 / ADE768238EFA7326
                              SHA256 185D3F08D1F6EF23E9B5447995D7311253B60F48B202CBC547E022FCCB60A788
 Common Name (CN)             "NewMedia-NET GmbH"
 subjectAltName (SAN)         --
 Issuer                       self-signed (NOT ok)
 Trust (hostname)             certificate does not match supplied URI
 Chain of trust               NOT ok (self signed)
 EV cert (experimental)       no
 Certificate Expiration       3648 >= 60 days (2016-08-16 03:35 --> 2026-08-14 03:35 -0700)
 # of certificates provided   1
 Certificate Revocation List  --
 OCSP URI                     --
 OCSP stapling                --


 Testing HTTP header response @ "/"

 HTTP Status Code             401 Unauthorized  WWW-Authenticate: Basic realm="r7"
 HTTP clock skew              0 sec from localtime
 Strict Transport Security    --
 Public Key Pinning           --
 Server banner                httpd
 Application banner           --
 Cookie(s)                    (none issued at "/")
 Security headers             --
 Reverse Proxy banner         --


 Testing vulnerabilities

 Heartbleed (CVE-2014-0160)                not vulnerable (OK)
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
 Secure Client-Initiated Renegotiation     VULNERABLE (NOT ok), DoS threat
 CRIME, TLS (CVE-2012-4929)                VULNERABLE (NOT ok)
 BREACH (CVE-2013-3587)                    no HTTP compression (OK)  - only supplied "/" tested
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
 TLS_FALLBACK_SCSV (RFC 7507), experim.    Downgrade attack prevention supported (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (2016-0800, CVE-2016-0703), exper.  not vulnerable on this port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                           https://censys.io/ipv4?q=185D3F08D1F6EF23E9B5447995D7311253B60F48B202CBC547E022FCCB60A788 could help you to find out
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK), common primes not checked. See below for any DH ciphers + bit size
 BEAST (CVE-2011-3389)                     TLS1: DES-CBC3-SHA AES128-SHA
                                                 AES256-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA
                                           VULNERABLE -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)


 Testing all 183 locally available ciphers against the server, ordered by encryption strength

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.  Encryption Bits     Cipher Suite Name (RFC)
---------------------------------------------------------------------------------------------------------------------------
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 256   AESGCM    256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 xc028   ECDHE-RSA-AES256-SHA384           ECDH 256   AES       256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES       256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 x9d     AES256-GCM-SHA384                 RSA        AESGCM    256      TLS_RSA_WITH_AES_256_GCM_SHA384
 x3d     AES256-SHA256                     RSA        AES       256      TLS_RSA_WITH_AES_256_CBC_SHA256
 x35     AES256-SHA                        RSA        AES       256      TLS_RSA_WITH_AES_256_CBC_SHA
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 256   AESGCM    128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 xc027   ECDHE-RSA-AES128-SHA256           ECDH 256   AES       128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES       128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 x9c     AES128-GCM-SHA256                 RSA        AESGCM    128      TLS_RSA_WITH_AES_128_GCM_SHA256
 x3c     AES128-SHA256                     RSA        AES       128      TLS_RSA_WITH_AES_128_CBC_SHA256
 x2f     AES128-SHA                        RSA        AES       128      TLS_RSA_WITH_AES_128_CBC_SHA
 x0a     DES-CBC3-SHA                      RSA        3DES      168      TLS_RSA_WITH_3DES_EDE_CBC_SHA


 Running browser simulations via sockets (experimental)

 Android 2.3.7                 TLSv1.0 AES128-SHA
 Android 4.0.4                 TLSv1.0 ECDHE-RSA-AES128-SHA
 Android 4.1.1                 TLSv1.0 ECDHE-RSA-AES128-SHA
 Android 4.2.2                 TLSv1.0 ECDHE-RSA-AES128-SHA
 Android 4.3                   TLSv1.0 ECDHE-RSA-AES128-SHA
 Android 4.4.2                 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Android 5.0.0                 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Baidu Jan 2015                TLSv1.0 ECDHE-RSA-AES128-SHA
 BingPreview Jan 2015          TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Chrome 47 / OSX               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Firefox 31.3.0ESR / Win7      TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Firefox 42 OS X               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 GoogleBot Feb 2015            TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 IE 6 XP                       No connection
 IE 7 Vista                    TLSv1.0 ECDHE-RSA-AES128-SHA
 IE 8 XP                       TLSv1.0 DES-CBC3-SHA
 IE 8-10 Win 7                 TLSv1.0 ECDHE-RSA-AES128-SHA
 IE 11 Win 7                   TLSv1.2 ECDHE-RSA-AES128-SHA256
 IE 11 Win 8.1                 TLSv1.2 ECDHE-RSA-AES128-SHA256
 IE 10 Win Phone 8.0           TLSv1.0 ECDHE-RSA-AES128-SHA
 IE 11 Win Phone 8.1           TLSv1.2 ECDHE-RSA-AES128-SHA256
 IE 11 Win Phone 8.1 Update    TLSv1.2 ECDHE-RSA-AES128-SHA256
 IE 11 Win 10                  TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Edge 13 Win 10                TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Edge 13 Win Phone 10          TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Java 6u45                     TLSv1.0 AES128-SHA
 Java 7u25                     TLSv1.0 ECDHE-RSA-AES128-SHA
 Java 8u31                     TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 OpenSSL 0.9.8y                TLSv1.0 AES128-SHA
 OpenSSL 1.0.1l                TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 OpenSSL 1.0.2e                TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Safari 5.1.9 OS X 10.6.8      TLSv1.0 ECDHE-RSA-AES128-SHA
 Safari 6 iOS 6.0.1            TLSv1.2 ECDHE-RSA-AES128-SHA256
 Safari 6.0.4 OS X 10.8.4      TLSv1.0 ECDHE-RSA-AES128-SHA
 Safari 7 iOS 7.1              TLSv1.2 ECDHE-RSA-AES128-SHA256
 Safari 7 OS X 10.9            TLSv1.2 ECDHE-RSA-AES128-SHA256
 Safari 8 iOS 8.4              TLSv1.2 ECDHE-RSA-AES128-SHA256
 Safari 8 OS X 10.10           TLSv1.2 ECDHE-RSA-AES128-SHA256
 Safari 9 iOS 9                TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Safari 9 OS X 10.11           TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256