plugins.traefik.io, [2606:4700:20::ac43:4b08]:443
TLS Test Results from April 21 2023 06:44:30 UTC. Scan took 75 seconds.
Summary
Finding | Severity | Result |
---|---|---|
Secure Renegotiation | WARN | OpenSSL handshake didn't succeed |
TLS 1.2 | OK | offered |
TLS 1.3 | OK | offered with final |
Perfect Forward Secrecy | OK | offered |
Common Name (CN) | OK | sni.cloudflaressl.com |
Subject Alternative Name (SAN) | INFO |
|
CA Issuers | INFO | Cloudflare Inc RSA CA-2 (Cloudflare, Inc. from US) |
Valid Not After | OK | 2024-04-09 23:59 |
Protocols
Version | Status |
---|---|
SSL v2 | not offered |
SSL v3 | not offered |
TLS 1.0 | not offered |
TLS 1.1 | not offered |
TLS 1.2 | offered |
TLS 1.3 | offered with final |
ALPN HTTP2 | h2 |
ALPN / HTTP2 | http/1.1 |
Cipher Categories
Category | Status |
---|---|
NULL ciphers (no encryption) | not offered |
Anonymous NULL Ciphers (no authentication) | not offered |
Export ciphers (excluding ADH+NULL) | not offered |
LOW: 64 Bit + DES, RC[2,4] (excluding export) | not offered |
Triple DES Ciphers / IDEA | not offered |
Obsolete CBC ciphers (AES, ARIA etc.) | offered |
Strong encryption (AEAD ciphers) | offered |
Perfect Forward Secrecy
Category | Status |
---|---|
Perfect Forward Secrecy | offered |
PFS Ciphers |
|
PFS ECDHE Curves |
|
Server Preferences
Category | Finding |
---|---|
Cipher Order | server -- TLS 1.3 client determined |
Protocol Negotiated | Default protocol TLS1.3 |
Cipher Negotiated | TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) |
Cipher Order TLS v1.2 | ECDHE-ECDSA-CHACHA20-POLY1305-OLD |
Server Defaults
Category | Finding |
---|---|
TLS Extensions |
|
TLS Session Ticket | valid for 64800 seconds only (<daily) |
SSL Session-ID Support | yes |
Session Resumption Ticket | supported |
Session Resumption ID | not supported |
TLS Timestamp | off by -2 seconds from your localtime |
Number of Certificates | 2 |
Certificate #1
Category | Finding |
---|---|
Signature Algorithm | SHA256 with RSA |
Key Size | RSA 2048 bits |
Key Usage | Digital Signature, Key Encipherment |
Extended Key Usage | TLS Web Server Authentication, TLS Web Client Authentication |
Serial Number | 0F3E5694A7095FCFB414ED03DC3705DF |
SHA1 Fingerprint | 63B082898E72B55BB40E2CEA9713684F51F88B05 |
SHA256 Fingerprint | 7CB7534EF5D064D83548026B5C06091912228E04329F81B290AA925274D38079 |
X.509 Certificate | Download plugins.traefik.io_443_63B08289.pem |
Common Name (CN) | sni.cloudflaressl.com |
Common Name w/o SNI | request w/o SNI didn't succeed |
Subject Alternative Name (SAN) |
|
CA Issuers | Cloudflare Inc RSA CA-2 (Cloudflare, Inc. from US) |
Certificate Trust | Ok via SAN wildcard (SNI mandatory) |
Chain Of Trust | passed. |
Extended-Validation Policies | no |
ETS (prev. "eTLS") | not present |
Expiration Status | 354 >= 60 days |
Valid Not Before | 2023-04-10 00:00 |
Valid Not After | 2024-04-09 23:59 |
Validity Period | No finding |
Certificate Count Server | 2 |
Certs List Ordering Problem | no |
Leaked Key (pwnedkeys) | not in database |
CRL Revoked | not revoked |
CRL Distribution Points |
|
OCSP Revoked | not revoked |
OCSP URL | http://ocsp.digicert.com |
OCSP Stapling | offered |
OCSP Must Staple Extension | -- |
DNS CAA Record | issue=comodoca.com, issue=digicert.com;, issue=letsencrypt.org, issue=pki.goog;, issuewild=comodoca.com, issuewild=digicert.com;, issuewild=letsencrypt.org, issuewild=pki.goog; |
Certificate Transparency | yes (certificate extension) |
Certificate #2
Category | Finding |
---|---|
Signature Algorithm | ECDSA with SHA256 |
Key Size | EC 256 bits |
Key Usage | Digital Signature |
Extended Key Usage | TLS Web Server Authentication, TLS Web Client Authentication |
Serial Number | 0BE06C3AD1BB4983F8E7F155F1270AB2 |
SHA1 Fingerprint | E77E458CEA9F05E3E06B14CDEB621A3CC36BFAEE |
SHA256 Fingerprint | 1AD26AC11FC78FB617460826EAECB87D71CD5F242FDDCD949235A31CAB0F10D9 |
X.509 Certificate | Download plugins.traefik.io_443_E77E458C.pem |
Common Name (CN) | sni.cloudflaressl.com |
Common Name w/o SNI | request w/o SNI didn't succeed, usual for EC certificates |
Subject Alternative Name (SAN) |
|
CA Issuers | Cloudflare Inc ECC CA-3 (Cloudflare, Inc. from US) |
Certificate Trust | Ok via SAN wildcard (SNI mandatory) |
Chain Of Trust | passed. |
Extended-Validation Policies | no |
ETS (prev. "eTLS") | not present |
Expiration Status | 354 >= 60 days |
Valid Not Before | 2023-04-10 00:00 |
Valid Not After | 2024-04-09 23:59 |
Validity Period | No finding |
Certificate Count Server | 2 |
Certs List Ordering Problem | no |
Leaked Key (pwnedkeys) | not in database |
CRL Revoked | not revoked |
CRL Distribution Points |
|
OCSP Revoked | not revoked |
OCSP URL | http://ocsp.digicert.com |
OCSP Stapling | offered |
OCSP Must Staple Extension | -- |
DNS CAA Record | issue=comodoca.com, issue=digicert.com;, issue=letsencrypt.org, issue=pki.goog;, issuewild=comodoca.com, issuewild=digicert.com;, issuewild=letsencrypt.org, issuewild=pki.goog; |
Certificate Transparency | yes (certificate extension) |
HTTP response
Category | Finding |
---|---|
HTTP Status Code | 308 Permanent Redirect ('/') |
HTTP Clock Skew | 0 seconds from localtime |
HSTS Expiration Time | 365 days (=31536000 seconds) > 15552000 seconds |
HSTS Subdomains | includes subdomains |
HSTS Preload | domain IS marked for preloading |
Server Banner | cloudflare |
Banner Application | No application banner found |
Cookie Count | 0 at '/' (30x detected, better try target URL of 30x) |
Reverse Proxy Banner | -- |
Vulnerabilities
Category | Finding |
---|---|
Heartbleed | not vulnerable, no heartbeat extension |
CCS | not vulnerable |
Ticketbleed | not vulnerable |
ROBOT | not vulnerable |
Secure Renegotiation | OpenSSL handshake didn't succeed |
Secure Client Renegotiation | not vulnerable |
CRIME TLS | not vulnerable |
BREACH | not vulnerable, no HTTP compression - only supplied '/' tested |
POODLE SSL | not vulnerable, no SSLv3 |
Fallback SCSV | no protocol below TLS 1.2 offered |
SWEET32 | not vulnerable |
FREAK | not vulnerable |
DROWN | not vulnerable on this host and port |
DROWN Hint | Make sure you don't use this certificate elsewhere with SSLv2 enabled services, see censys.io |
LOGJAM | not vulnerable, no DH EXPORT ciphers, |
LOGJAM Common Primes | no DH key with <= TLS 1.2 |
BEAST | not vulnerable, no SSL3 or TLS1 |
LUCKY13 | potentially vulnerable, uses TLS CBC ciphers |
RC4 | not vulnerable |
Ciphers
Name | Key Exchange | Encryption | Key Length | IANA ID |
---|---|---|---|---|
ECDHE-ECDSA-CHACHA20-POLY1305-OLD | ECDH 256 | ChaCha20 | 256 | xcc14 |
ECDHE-RSA-CHACHA20-POLY1305-OLD | ECDH 256 | ChaCha20 | 256 | xcc13 |
ECDHE-RSA-AES256-GCM-SHA384 | ECDH 256 | AESGCM | 256 | xc030 |
ECDHE-ECDSA-AES256-GCM-SHA384 | ECDH 256 | AESGCM | 256 | xc02c |
ECDHE-RSA-AES256-SHA384 | ECDH 256 | AES | 256 | xc028 |
ECDHE-ECDSA-AES256-SHA384 | ECDH 256 | AES | 256 | xc024 |
ECDHE-RSA-AES256-SHA | ECDH 256 | AES | 256 | xc014 |
ECDHE-ECDSA-AES256-SHA | ECDH 256 | AES | 256 | xc00a |
AES256-GCM-SHA384 | RSA | AESGCM | 256 | x9d |
AES256-SHA256 | RSA | AES | 256 | x3d |
AES256-SHA | RSA | AES | 256 | x35 |
ECDHE-RSA-AES128-GCM-SHA256 | ECDH 256 | AESGCM | 128 | xc02f |
ECDHE-ECDSA-AES128-GCM-SHA256 | ECDH 256 | AESGCM | 128 | xc02b |
ECDHE-RSA-AES128-SHA256 | ECDH 256 | AES | 128 | xc027 |
ECDHE-ECDSA-AES128-SHA256 | ECDH 256 | AES | 128 | xc023 |
ECDHE-RSA-AES128-SHA | ECDH 256 | AES | 128 | xc013 |
ECDHE-ECDSA-AES128-SHA | ECDH 256 | AES | 128 | xc009 |
AES128-GCM-SHA256 | RSA | AESGCM | 128 | x9c |
AES128-SHA256 | RSA | AES | 128 | x3c |
AES128-SHA | RSA | AES | 128 | x2f |
Client Simulation
Category | Connection via |
---|---|
Android 4.4.2 | TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 |
Android 5.0 | TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305-OLD |
Android 6.0 | TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305-OLD |
Android 7.0 | TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 |
Android 8.1 | TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 |
Android 9.0 | TLSv1.3 TLS_AES_128_GCM_SHA256 |
Android X | TLSv1.3 TLS_AES_128_GCM_SHA256 |
Chrome 74 Windows 10 | TLSv1.3 TLS_AES_128_GCM_SHA256 |
Chrome 79 Windows 10 | TLSv1.3 TLS_AES_128_GCM_SHA256 |
Firefox 66 Windows 8.1/10 | TLSv1.3 TLS_AES_128_GCM_SHA256 |
Firefox 71 Windows 10 | TLSv1.3 TLS_AES_128_GCM_SHA256 |
IE 6 Windows XP | No connection |
IE 8 Windows 7 | No connection |
IE 8 Windows XP | No connection |
IE 11 Windows 7 | TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 |
IE 11 Windows 8.1 | TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 |
IE 11 Windows Phone 8.1 | TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 |
IE 11 Windows 10 | TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 |
Edge 15 Windows 10 | TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 |
Edge 17 Windows 10 | TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 |
Opera 66 Windows 10 | TLSv1.3 TLS_AES_128_GCM_SHA256 |
Safari 9 IOS9 | TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 |
Safari 9 OSX 10.11 | TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 |
Safari 10 OSX 10.12 | TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 |
Safari 12.1 iOS 12.2 | TLSv1.3 TLS_CHACHA20_POLY1305_SHA256 |
Safari 13.0 OSX 10.14.6 | TLSv1.3 TLS_CHACHA20_POLY1305_SHA256 |
Apple ATS 9 IOS9 | TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 |
Java 6u45 | No connection |
Java 7u25 | No connection |
Java 8u161 | TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 |
Java 11.0.2 (OpenJDK) | TLSv1.3 TLS_AES_128_GCM_SHA256 |
Java 12.0.1 (OpenJDK) | TLSv1.3 TLS_AES_128_GCM_SHA256 |
OpenSSL 1.02e | TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 |
OpenSSL 1.10l (Debian) | TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305 |
OpenSSL 1.11d (Debian) | TLSv1.3 TLS_AES_256_GCM_SHA384 |
Thunderbird 68.3 | TLSv1.3 TLS_AES_128_GCM_SHA256 |