imap.proximus.be, 195.13.7.92:993
TLS Test Results from November 30 2023 13:48:58 UTC. Scan took 42 seconds.
Summary
| Finding | Severity | Result |
|---|---|---|
| Cipher Order | HIGH | NOT a cipher order configured |
| OCSP Revoked | WARN | |
| TLS 1.2 | OK | offered |
| TLS 1.3 | OK | offered with final |
| Perfect Forward Secrecy | OK | offered |
| Common Name (CN) | OK | imap.proximus.be |
| Subject Alternative Name (SAN) | INFO |
|
| CA Issuers | INFO | GlobalSign RSA OV SSL CA 2018 (GlobalSign nv-sa from BE) |
| Valid Not After | OK | 2024-05-06 06:36 |
Protocols
| Version | Status |
|---|---|
| SSL v2 | not offered |
| SSL v3 | not offered |
| TLS 1.0 | not offered |
| TLS 1.1 | offered (deprecated) |
| TLS 1.2 | offered |
| TLS 1.3 | offered with final |
| ALPN / HTTP2 | not offered |
Cipher Categories
| Category | Status |
|---|---|
| NULL ciphers (no encryption) | not offered |
| Anonymous NULL Ciphers (no authentication) | not offered |
| Export ciphers (excluding ADH+NULL) | not offered |
| LOW: 64 Bit + DES, RC[2,4] (excluding export) | not offered |
| Triple DES Ciphers / IDEA | not offered |
| Obsolete CBC ciphers (AES, ARIA etc.) | offered |
| Strong encryption (AEAD ciphers) | offered |
Perfect Forward Secrecy
| Category | Status |
|---|---|
| Perfect Forward Secrecy | offered |
| PFS Ciphers |
|
| PFS ECDHE Curves |
|
Server Preferences
| Category | Finding |
|---|---|
| Cipher Order | NOT a cipher order configured |
| Protocol Negotiated | Default protocol TLS1.3 |
| Cipher Negotiated | TLS_AES_256_GCM_SHA384, 256 bit ECDH (P-256) (limited sense as client will pick) |
| Cipher Order TLS v1.1 | ECDHE-RSA-AES256-SHA at TLSv1.1 (limited sense as client will pick) |
| Cipher Order TLS v1.2 | ECDHE-RSA-AES256-GCM-SHA384 at TLSv1.2 (limited sense as client will pick) |
| Cipher Order TLS v1.3 | TLS_AES_128_GCM_SHA256 at TLSv1.3 (limited sense as client will pick) |
Server Defaults
| Category | Finding |
|---|---|
| TLS Extensions |
|
| TLS Session Ticket | valid for 86400 seconds only (<daily) |
| SSL Session-ID Support | yes |
| Session Resumption Ticket | supported |
| Session Resumption ID | not supported |
| TLS Timestamp | random |
| Number of Certificates | 1 |
Certificate
| Category | Finding |
|---|---|
| Signature Algorithm | SHA256 with RSA |
| Key Size | RSA 2048 bits |
| Key Usage |
|
| Extended Key Usage |
|
| Serial Number | 19147F34CE60E9E59B3D5ECE |
| SHA1 Fingerprint | ADB180539C4C1EBF7A6F3B8F4A154136FFB1EDC3 |
| SHA256 Fingerprint | 65F12D740266E0B921834B30A9D7B4E5B69711B421E1C2AFBC72645F40FBE4C5 |
| X.509 Certificate | Download imap.proximus.be_993_ADB18053.pem |
| Common Name (CN) | imap.proximus.be |
| Common Name w/o SNI | imap.proximus.be |
| Subject Alternative Name (SAN) |
|
| CA Issuers | GlobalSign RSA OV SSL CA 2018 (GlobalSign nv-sa from BE) |
| Certificate Trust | Ok via SAN (same w/o SNI) |
| Chain Of Trust | passed. |
| Extended-Validation Policies | no |
| ETS (prev. "eTLS") | not present |
| Expiration Status | 157 >= 60 days |
| Valid Not Before | 2023-04-05 06:36 |
| Valid Not After | 2024-05-06 06:36 |
| Validity Period | No finding |
| Certificate Count Server | 3 |
| Certs List Ordering Problem | no |
| Leaked Key (pwnedkeys) | not in database |
| CRL Revoked | not revoked |
| CRL Distribution Points |
|
| OCSP Revoked | |
| OCSP URL | ocsp.globalsign.com |
| OCSP Stapling | not offered |
| OCSP Must Staple Extension | -- |
| DNS CAA Record |
|
| Certificate Transparency | yes (certificate extension) |
Vulnerabilities
| Category | Finding |
|---|---|
| Heartbleed | not vulnerable, no heartbeat extension |
| CCS | not vulnerable |
| Ticketbleed | not applicable, not HTTP |
| ROBOT | not vulnerable, no RSA key transport cipher |
| Secure Renegotiation | supported |
| Secure Client Renegotiation | not vulnerable |
| CRIME TLS | not vulnerable (not using HTTP anyway) |
| POODLE SSL | not vulnerable, no SSLv3 |
| Fallback SCSV | supported |
| SWEET32 | not vulnerable |
| FREAK | not vulnerable |
| DROWN | not vulnerable on this host and port |
| DROWN Hint | Make sure you don't use this certificate elsewhere with SSLv2 enabled services, see censys.io |
| LOGJAM | not vulnerable, no DH EXPORT ciphers, |
| LOGJAM Common Primes | no DH key with <= TLS 1.2 |
| BEAST | not vulnerable, no SSL3 or TLS1 |
| LUCKY13 | potentially vulnerable, uses TLS CBC ciphers |
| RC4 | not vulnerable |
Ciphers
| Name | Key Exchange | Encryption | Key Length | IANA ID |
|---|---|---|---|---|
| ECDHE-RSA-AES256-GCM-SHA384 | ECDH 521 | AESGCM | 256 | xc030 |
| ECDHE-RSA-AES256-SHA384 | ECDH 521 | AES | 256 | xc028 |
| ECDHE-RSA-AES256-SHA | ECDH 521 | AES | 256 | xc014 |
| ECDHE-RSA-AES128-GCM-SHA256 | ECDH 521 | AESGCM | 128 | xc02f |
| ECDHE-RSA-AES128-SHA256 | ECDH 521 | AES | 128 | xc027 |
| ECDHE-RSA-AES128-SHA | ECDH 521 | AES | 128 | xc013 |
Client Simulation
| Category | Connection via |
|---|---|
| Android 8.1 | TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 |
| Android 9.0 | TLSv1.3 TLS_AES_128_GCM_SHA256 |
| Android X | TLSv1.3 TLS_AES_128_GCM_SHA256 |
| Java 6u45 | No connection |
| Java 7u25 | No connection |
| Java 8u161 | TLSv1.2 ECDHE-RSA-AES256-SHA384 |
| Java 11.0.2 (OpenJDK) | TLSv1.3 TLS_AES_128_GCM_SHA256 |
| Java 12.0.1 (OpenJDK) | TLSv1.3 TLS_AES_128_GCM_SHA256 |
| OpenSSL 1.02e | TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 |
| OpenSSL 1.10l (Debian) | TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 |
| OpenSSL 1.11d (Debian) | TLSv1.3 TLS_AES_256_GCM_SHA384 |
| Thunderbird 68.3 | TLSv1.3 TLS_AES_128_GCM_SHA256 |