mirror of https://github.com/mozilla/cipherscan.git synced 2025-04-21 01:03:39 +02:00
Jan Brasna 2024-11-19 13:13:13 +01:00 committed by GitHub
commit fcfb4b7582
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 212 additions and 154 deletions


@ -63,7 +63,7 @@ def is_fubar(results):
pubkey_bits = int(conn['pubkey'][0]) pubkey_bits = int(conn['pubkey'][0])
ec_kex = re.match(r"(ECDHE|EECDH|ECDH)-", conn['cipher']) ec_kex = re.match(r"(ECDHE|EECDH|ECDH)-", conn['cipher'])
if conn['cipher'] not in (set(old["openssl_ciphers"]) | set(inter["openssl_ciphers"]) | set(modern["openssl_ciphers"])): if conn['cipher'] not in (set(old["ciphers"]["openssl"]) | set(inter["ciphers"]["openssl"]) | set(modern["ciphers"]["openssl"])):
failures[lvl].append("remove cipher " + conn['cipher']) failures[lvl].append("remove cipher " + conn['cipher'])
logging.debug(conn['cipher'] + ' is in the list of fubar ciphers') logging.debug(conn['cipher'] + ' is in the list of fubar ciphers')
fubar = True fubar = True
@ -114,14 +114,14 @@ def is_old(results):
lvl = 'old' lvl = 'old'
isold = True isold = True
has_3des = False has_3des = False
has_sha1 = True has_sigalg = True
has_pfs = True has_pfs = True
has_ocsp = True has_ocsp = True
all_proto = [] all_proto = []
for conn in results['ciphersuite']: for conn in results['ciphersuite']:
logging.debug('testing connection %s' % conn) logging.debug('testing connection %s' % conn)
# flag unwanted ciphers # flag unwanted ciphers
if conn['cipher'] not in old["openssl_ciphers"]: if conn['cipher'] not in old["ciphers"]["openssl"]:
logging.debug(conn['cipher'] + ' is not in the list of old ciphers') logging.debug(conn['cipher'] + ' is not in the list of old ciphers')
failures[lvl].append("remove cipher " + conn['cipher']) failures[lvl].append("remove cipher " + conn['cipher'])
isold = False isold = False
@ -131,11 +131,9 @@ def is_old(results):
for proto in conn['protocols']: for proto in conn['protocols']:
if proto not in all_proto: if proto not in all_proto:
all_proto.append(proto) all_proto.append(proto)
# verify required sha1 signature is used if conn['sigalg'][0] not in old["certificate_signatures"]:
if 'sha1WithRSAEncryption' not in conn['sigalg']:
logging.debug(conn['sigalg'][0] + ' is a not an old signature') logging.debug(conn['sigalg'][0] + ' is a not an old signature')
has_sha1 = False has_sigalg = False
# verify required pfs parameter is used
if conn['pfs'] != 'None': if conn['pfs'] != 'None':
if not has_good_pfs(conn['pfs'], old["dh_param_size"], old["ecdh_param_size"], True): if not has_good_pfs(conn['pfs'], old["dh_param_size"], old["ecdh_param_size"], True):
logging.debug(conn['pfs']+ ' is not a good PFS parameter for the old configuration') logging.debug(conn['pfs']+ ' is not a good PFS parameter for the old configuration')
@ -150,14 +148,13 @@ def is_old(results):
missing_proto = set(old["tls_versions"]) - set(all_proto) missing_proto = set(old["tls_versions"]) - set(all_proto)
for proto in missing_proto: for proto in missing_proto:
logging.debug("missing protocol wanted in the old configuration:" + proto) logging.debug("missing protocol wanted in the old configuration:" + proto)
failures[lvl].append('enable ' + proto) failures[lvl].append('consider enabling ' + proto)
isold = False
if not has_3des: if not has_3des:
logging.debug("DES-CBC3-SHA is not supported and required by the old configuration") logging.debug("DES-CBC3-SHA is not supported and required by the old configuration")
failures[lvl].append("add cipher DES-CBC3-SHA") failures[lvl].append("add cipher DES-CBC3-SHA")
isold = False isold = False
if not has_sha1: if not has_sigalg:
failures[lvl].append("use a certificate with sha1WithRSAEncryption signature") failures[lvl].append("use a certificate signed with %s" % " or ".join(old["certificate_signatures"]))
isold = False isold = False
if not has_pfs: if not has_pfs:
failures[lvl].append("use DHE of {dhe}bits and ECC of {ecdhe}bits".format( failures[lvl].append("use DHE of {dhe}bits and ECC of {ecdhe}bits".format(
@ -166,12 +163,12 @@ def is_old(results):
if not has_ocsp: if not has_ocsp:
failures[lvl].append("consider enabling OCSP Stapling") failures[lvl].append("consider enabling OCSP Stapling")
if results['serverside'] != ('True' if old['server_preferred_order'] else 'False'): if results['serverside'] != ('True' if old['server_preferred_order'] else 'False'):
failures[lvl].append("enforce server side ordering" if old['server_preferred_order'] else "enforce client side ordering") failures[lvl].append("enforce server side ordering" if old['server_preferred_order'] else "allow client preference")
isold = False isold = False
return isold return isold
# is_intermediate is similar to is_old but for intermediate configuration from # is_intermediate is similar to is_old but for intermediate configuration from
# https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29 # https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29
def is_intermediate(results): def is_intermediate(results):
logging.debug('entering intermediate evaluation') logging.debug('entering intermediate evaluation')
lvl = 'intermediate' lvl = 'intermediate'
@ -183,7 +180,7 @@ def is_intermediate(results):
all_proto = [] all_proto = []
for conn in results['ciphersuite']: for conn in results['ciphersuite']:
logging.debug('testing connection %s' % conn) logging.debug('testing connection %s' % conn)
if conn['cipher'] not in inter["openssl_ciphers"]: if conn['cipher'] not in inter["ciphers"]["openssl"]:
logging.debug(conn['cipher'] + ' is not in the list of intermediate ciphers') logging.debug(conn['cipher'] + ' is not in the list of intermediate ciphers')
failures[lvl].append("remove cipher " + conn['cipher']) failures[lvl].append("remove cipher " + conn['cipher'])
isinter = False isinter = False
@ -214,12 +211,13 @@ def is_intermediate(results):
failures[lvl].append("use a certificate signed with %s" % " or ".join(inter["certificate_signatures"])) failures[lvl].append("use a certificate signed with %s" % " or ".join(inter["certificate_signatures"]))
isinter = False isinter = False
if not has_pfs: if not has_pfs:
failures[lvl].append("consider using DHE of at least 2048bits and ECC 256bit and greater") failures[lvl].append("use DHE of at least {dhe}bits and ECC of {ecdhe}bits and greater".format(
dhe=inter["dh_param_size"], ecdhe=inter["ecdh_param_size"]))
isinter = False
if not has_ocsp: if not has_ocsp:
failures[lvl].append("consider enabling OCSP Stapling") failures[lvl].append("consider enabling OCSP Stapling")
if results['serverside'] != ('True' if inter['server_preferred_order'] else 'False'): if results['serverside'] != ('True' if inter['server_preferred_order'] else 'False'):
failures[lvl].append("enforce server side ordering" if inter['server_preferred_order'] else "enforce client side ordering") failures[lvl].append("enforce server side ordering" if inter['server_preferred_order'] else "allow client preference")
isinter = False
return isinter return isinter
# is_modern is similar to is_old but for modern configuration from # is_modern is similar to is_old but for modern configuration from
@ -234,7 +232,7 @@ def is_modern(results):
all_proto = [] all_proto = []
for conn in results['ciphersuite']: for conn in results['ciphersuite']:
logging.debug('testing connection %s' % conn) logging.debug('testing connection %s' % conn)
if conn['cipher'] not in modern["openssl_ciphers"]: if conn['cipher'] not in modern["ciphers"]["openssl"]:
logging.debug(conn['cipher'] + ' is not in the list of modern ciphers') logging.debug(conn['cipher'] + ' is not in the list of modern ciphers')
failures[lvl].append("remove cipher " + conn['cipher']) failures[lvl].append("remove cipher " + conn['cipher'])
ismodern = False ismodern = False
@ -247,7 +245,6 @@ def is_modern(results):
if conn['pfs'] != 'None': if conn['pfs'] != 'None':
if not has_good_pfs(conn['pfs'], modern["dh_param_size"], modern["ecdh_param_size"], True): if not has_good_pfs(conn['pfs'], modern["dh_param_size"], modern["ecdh_param_size"], True):
logging.debug(conn['pfs']+ ' is not a good PFS parameter for the modern configuration') logging.debug(conn['pfs']+ ' is not a good PFS parameter for the modern configuration')
ismodern = False
has_pfs = False has_pfs = False
if conn['ocsp_stapling'] == 'False': if conn['ocsp_stapling'] == 'False':
has_ocsp = False has_ocsp = False
@ -269,8 +266,7 @@ def is_modern(results):
if not has_ocsp: if not has_ocsp:
failures[lvl].append("consider enabling OCSP Stapling") failures[lvl].append("consider enabling OCSP Stapling")
if results['serverside'] != ('True' if modern['server_preferred_order'] else 'False'): if results['serverside'] != ('True' if modern['server_preferred_order'] else 'False'):
failures[lvl].append("enforce server side ordering" if modern['server_preferred_order'] else "enforce client side ordering") failures[lvl].append("enforce server side ordering" if modern['server_preferred_order'] else "allow client preference")
ismodern = False
return ismodern return ismodern
def is_ordered(results, ref_ciphersuite, lvl): def is_ordered(results, ref_ciphersuite, lvl):
@ -304,17 +300,17 @@ def evaluate_all(results):
if is_old(results): if is_old(results):
status = "old" status = "old"
if old["server_preferred_order"] and not is_ordered(results, old["openssl_ciphers"], "old"): if old["server_preferred_order"] and not is_ordered(results, old["ciphers"]["openssl"], "old"):
status = "old with bad ordering" status = "old with bad ordering"
if is_intermediate(results): if is_intermediate(results):
status = "intermediate" status = "intermediate"
if inter["server_preferred_order"] and not is_ordered(results, inter["openssl_ciphers"], "intermediate"): if inter["server_preferred_order"] and not is_ordered(results, inter["ciphers"]["openssl"], "intermediate"):
status = "intermediate with bad ordering" status = "intermediate with bad ordering"
if is_modern(results): if is_modern(results):
status = "modern" status = "modern"
if modern["server_preferred_order"] and not is_ordered(results, modern["openssl_ciphers"], "modern"): if modern["server_preferred_order"] and not is_ordered(results, modern["ciphers"]["openssl"], "modern"):
status = "modern with bad ordering" status = "modern with bad ordering"
if is_fubar(results): if is_fubar(results):
@ -396,7 +392,7 @@ def process_results(data, level=None, do_json=False, do_nagios=False):
return exit_status return exit_status
def build_ciphers_lists(): def build_ciphers_lists():
sstlsurl = "https://statics.tls.security.mozilla.org/server-side-tls-conf.json" sstlsurl = "https://ssl-config.mozilla.org/guidelines/5.7.json"
conf = dict() conf = dict()
try: try:
raw = urlopen(sstlsurl).read() raw = urlopen(sstlsurl).read()
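Review bot: The new lookup `modern["ciphers"]["openssl"]` in is_modern, and the three-way union in is_fubar, no longer covers any cipher that the modern profile allows. In the 5.7 guideline file added by this commit, the modern `ciphers.openssl` list is empty and the TLS 1.3 suites sit under the separate `ciphersuites` key. If the scanner reports TLS 1.3 suites by those names (not visible on this page), every cipher of a TLS 1.3-only server gets a "remove cipher" failure and is_fubar flags it as well, so a correctly hardened host would be graded as broken. Consider matching against both lists, e.g. `allowed = set(modern["ciphers"]["openssl"]) | set(modern["ciphersuites"])` followed by `if conn['cipher'] not in allowed:`, with the same union for the old and intermediate profiles. The bodies of these functions continue outside the hunks shown.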


@ -1,57 +1,184 @@
{ {
"href": "https://statics.tls.security.mozilla.org/server-side-tls-conf.json", "version": 5.7,
"href": "https://ssl-config.mozilla.org/guidelines/5.7.json",
"configurations": { "configurations": {
"modern": { "modern": {
"openssl_ciphersuites": "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256", "certificate_curves": ["prime256v1", "secp384r1"],
"ciphersuites": [ "certificate_signatures": ["ecdsa-with-SHA256", "ecdsa-with-SHA384", "ecdsa-with-SHA512"],
"ECDHE-ECDSA-AES256-GCM-SHA384",
"ECDHE-RSA-AES256-GCM-SHA384",
"ECDHE-ECDSA-CHACHA20-POLY1305",
"ECDHE-RSA-CHACHA20-POLY1305",
"ECDHE-ECDSA-AES128-GCM-SHA256",
"ECDHE-RSA-AES128-GCM-SHA256",
"ECDHE-ECDSA-AES256-SHA384",
"ECDHE-RSA-AES256-SHA384",
"ECDHE-ECDSA-AES128-SHA256",
"ECDHE-RSA-AES128-SHA256"
],
"tls_versions": ["TLSv1.2" ],
"tls_curves": [ "prime256v1", "secp384r1", "secp521r1" ],
"certificate_types": ["ecdsa"], "certificate_types": ["ecdsa"],
"certificate_curves": ["prime256v1", "secp384r1", "secp521r1"], "ciphers": {
"certificate_signatures": ["sha256WithRSAEncryption", "ecdsa-with-SHA256", "ecdsa-with-SHA384", "ecdsa-with-SHA512"], "caddy": [],
"rsa_key_size": 2048, "go": [],
"iana": [],
"openssl": []
},
"ciphersuites": [
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256"
],
"dh_param_size": null, "dh_param_size": null,
"ecdh_param_size": 256, "ecdh_param_size": 256,
"hsts_min_age": 15768000, "hsts_min_age": 63072000,
"oldest_clients": [ "Firefox 27", "Chrome 30", "IE 11 on Windows 7", "Edge 1", "Opera 17", "Safari 9", "Android 5.0", "Java 8"] "maximum_certificate_lifespan": 90,
"ocsp_staple": true,
"oldest_clients": ["Firefox 63", "Android 10.0", "Chrome 70", "Edge 75", "Java 11", "OpenSSL 1.1.1", "Opera 57", "Safari 12.1"],
"recommended_certificate_lifespan": 90,
"rsa_key_size": null,
"server_preferred_order": false,
"tls_curves": ["X25519", "prime256v1", "secp384r1"],
"tls_versions": ["TLSv1.3"]
}, },
"intermediate": { "intermediate": {
"openssl_ciphersuites": "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS", "certificate_curves": ["prime256v1", "secp384r1"],
"ciphersuites": [ "certificate_signatures": ["sha256WithRSAEncryption", "ecdsa-with-SHA256", "ecdsa-with-SHA384", "ecdsa-with-SHA512"],
"ECDHE-ECDSA-CHACHA20-POLY1305", "certificate_types": ["ecdsa", "rsa"],
"ECDHE-RSA-CHACHA20-POLY1305", "ciphers": {
"caddy": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
],
"go": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
],
"iana": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
],
"openssl": [
"ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256",
"ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
"ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384",
"ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
"ECDHE-ECDSA-CHACHA20-POLY1305",
"ECDHE-RSA-CHACHA20-POLY1305",
"DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-GCM-SHA256",
"DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-GCM-SHA384",
"DHE-RSA-CHACHA20-POLY1305"
]
},
"ciphersuites": [
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256"
],
"dh_param_size": 2048,
"ecdh_param_size": 256,
"hsts_min_age": 63072000,
"maximum_certificate_lifespan": 366,
"ocsp_staple": true,
"oldest_clients": ["Firefox 27", "Android 4.4.2", "Chrome 31", "Edge", "IE 11 on Windows 7", "Java 8u31", "OpenSSL 1.0.1", "Opera 20", "Safari 9"],
"recommended_certificate_lifespan": 90,
"rsa_key_size": 2048,
"server_preferred_order": false,
"tls_curves": ["X25519", "prime256v1", "secp384r1"],
"tls_versions": ["TLSv1.2", "TLSv1.3"]
},
"old": {
"certificate_curves": ["prime256v1", "secp384r1"],
"certificate_signatures": ["sha256WithRSAEncryption"],
"certificate_types": ["rsa"],
"ciphers": {
"caddy": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_3DES_EDE_CBC_SHA"
],
"go": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_3DES_EDE_CBC_SHA"
],
"iana": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_256_CBC_SHA256",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_3DES_EDE_CBC_SHA"
],
"openssl": [
"ECDHE-ECDSA-AES128-GCM-SHA256",
"ECDHE-RSA-AES128-GCM-SHA256",
"ECDHE-ECDSA-AES256-GCM-SHA384",
"ECDHE-RSA-AES256-GCM-SHA384",
"ECDHE-ECDSA-CHACHA20-POLY1305",
"ECDHE-RSA-CHACHA20-POLY1305",
"DHE-RSA-AES128-GCM-SHA256",
"DHE-RSA-AES256-GCM-SHA384",
"DHE-RSA-CHACHA20-POLY1305",
"ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA256",
"ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256",
"ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES128-SHA",
"ECDHE-RSA-AES256-SHA384",
"ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES128-SHA",
"ECDHE-ECDSA-AES256-SHA384", "ECDHE-ECDSA-AES256-SHA384",
"ECDHE-RSA-AES256-SHA384",
"ECDHE-ECDSA-AES256-SHA", "ECDHE-ECDSA-AES256-SHA",
"ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES256-SHA",
"DHE-RSA-AES128-SHA256", "DHE-RSA-AES128-SHA256",
"DHE-RSA-AES128-SHA",
"DHE-RSA-AES256-SHA256", "DHE-RSA-AES256-SHA256",
"DHE-RSA-AES256-SHA",
"ECDHE-ECDSA-DES-CBC3-SHA",
"ECDHE-RSA-DES-CBC3-SHA",
"EDH-RSA-DES-CBC3-SHA",
"AES128-GCM-SHA256", "AES128-GCM-SHA256",
"AES256-GCM-SHA384", "AES256-GCM-SHA384",
"AES128-SHA256", "AES128-SHA256",
@ -59,89 +186,24 @@
"AES128-SHA", "AES128-SHA",
"AES256-SHA", "AES256-SHA",
"DES-CBC3-SHA" "DES-CBC3-SHA"
], ]
"tls_versions": ["TLSv1.2", "TLSv1.1", "TLSv1" ],
"tls_curves": [ "secp256r1", "secp384r1", "secp521r1" ],
"certificate_types": ["rsa"],
"certificate_curves": null,
"certificate_signatures": ["sha256WithRSAEncryption"],
"rsa_key_size": 2048,
"dh_param_size": 2048,
"ecdh_param_size": 256,
"hsts_min_age": 15768000,
"oldest_clients": [ "Firefox 1", "Chrome 1", "IE 7", "Opera 5", "Safari 1", "Windows XP IE8", "Android 2.3", "Java 7" ]
}, },
"old": {
"openssl_ciphersuites": "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP",
"ciphersuites": [ "ciphersuites": [
"ECDHE-ECDSA-CHACHA20-POLY1305", "TLS_AES_128_GCM_SHA256",
"ECDHE-RSA-CHACHA20-POLY1305", "TLS_AES_256_GCM_SHA384",
"ECDHE-RSA-AES128-GCM-SHA256", "TLS_CHACHA20_POLY1305_SHA256"
"ECDHE-ECDSA-AES128-GCM-SHA256",
"ECDHE-RSA-AES256-GCM-SHA384",
"ECDHE-ECDSA-AES256-GCM-SHA384",
"DHE-RSA-AES128-GCM-SHA256",
"DHE-DSS-AES128-GCM-SHA256",
"DHE-DSS-AES256-GCM-SHA384",
"DHE-RSA-AES256-GCM-SHA384",
"ECDHE-RSA-AES128-SHA256",
"ECDHE-ECDSA-AES128-SHA256",
"ECDHE-RSA-AES128-SHA",
"ECDHE-ECDSA-AES128-SHA",
"ECDHE-RSA-AES256-SHA384",
"ECDHE-ECDSA-AES256-SHA384",
"ECDHE-RSA-AES256-SHA",
"ECDHE-ECDSA-AES256-SHA",
"DHE-RSA-AES128-SHA256",
"DHE-RSA-AES128-SHA",
"DHE-DSS-AES128-SHA256",
"DHE-RSA-AES256-SHA256",
"DHE-DSS-AES256-SHA",
"DHE-RSA-AES256-SHA",
"ECDHE-RSA-DES-CBC3-SHA",
"ECDHE-ECDSA-DES-CBC3-SHA",
"EDH-RSA-DES-CBC3-SHA",
"AES128-GCM-SHA256",
"AES256-GCM-SHA384",
"AES128-SHA256",
"AES256-SHA256",
"AES128-SHA",
"AES256-SHA",
"DHE-DSS-AES256-SHA256",
"DHE-DSS-AES128-SHA",
"DES-CBC3-SHA",
"DHE-RSA-CHACHA20-POLY1305",
"ECDHE-RSA-CAMELLIA256-SHA384",
"ECDHE-ECDSA-CAMELLIA256-SHA384",
"DHE-RSA-CAMELLIA256-SHA256",
"DHE-DSS-CAMELLIA256-SHA256",
"DHE-RSA-CAMELLIA256-SHA",
"DHE-DSS-CAMELLIA256-SHA",
"CAMELLIA256-SHA256",
"CAMELLIA256-SHA",
"ECDHE-RSA-CAMELLIA128-SHA256",
"ECDHE-ECDSA-CAMELLIA128-SHA256",
"DHE-RSA-CAMELLIA128-SHA256",
"DHE-DSS-CAMELLIA128-SHA256",
"DHE-RSA-CAMELLIA128-SHA",
"DHE-DSS-CAMELLIA128-SHA",
"CAMELLIA128-SHA256",
"CAMELLIA128-SHA",
"DHE-RSA-SEED-SHA",
"DHE-DSS-SEED-SHA",
"SEED-SHA"
], ],
"tls_versions": ["TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3" ],
"tls_curves": [ "secp256r1", "secp384r1", "secp521r1" ],
"certificate_types": ["rsa"],
"certificate_curves": null,
"certificate_signatures": ["sha1WithRSAEncryption"],
"rsa_key_size": 2048,
"dh_param_size": 1024, "dh_param_size": 1024,
"ecdh_param_size": 160, "ecdh_param_size": 256,
"hsts_min_age": 15768000, "hsts_min_age": 63072000,
"oldest_clients": [ "Firefox 1", "Chrome 1", "Windows XP IE 6", "Opera 4", "Safari 1", "Java 6" ] "maximum_certificate_lifespan": 366,
"ocsp_staple": true,
"oldest_clients": ["Firefox 1", "Android 2.3", "Chrome 1", "Edge 12", "IE8 on Windows XP", "Java 6", "OpenSSL 0.9.8", "Opera 5", "Safari 1"],
"recommended_certificate_lifespan": 90,
"rsa_key_size": 2048,
"server_preferred_order": true,
"tls_curves": ["X25519", "prime256v1", "secp384r1"],
"tls_versions": ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
}
} }
},
"version": 4.0
} }