pop.gmail.com, [2a00:1450:4013:c03::6c]:995

TLS Test Results from January 31 2024 04:55:11 UTC. Scan took 73 seconds.

Summary

Finding                         Severity  Result
OCSP Revoked                    WARN
TLS 1.2                         OK        offered
TLS 1.3                         OK        offered with final
Perfect Forward Secrecy         OK        offered
Common Name (CN)                OK        pop.gmail.com
Subject Alternative Name (SAN)  INFO      • pop.gmail.com
CA Issuers                      INFO      GTS CA 1C3 (Google Trust Services LLC from US)
Valid Not After                 MEDIUM    2024-03-26 13:08

Protocols

Version Status
SSL v2 not offered
SSL v3 not offered
TLS 1.0 offered (deprecated)
TLS 1.1 offered (deprecated)
TLS 1.2 offered
TLS 1.3 offered with final
ALPN / HTTP2 not offered

Cipher Categories

Category Status
NULL ciphers (no encryption) not offered
Anonymous NULL Ciphers (no authentication) not offered
Export ciphers (excluding ADH+NULL) not offered
LOW: 64 Bit + DES, RC[2,4] (excluding export) not offered
Triple DES Ciphers / IDEA offered
Obsolete CBC ciphers (AES, ARIA etc.) offered
Strong encryption (AEAD ciphers) offered

Perfect Forward Secrecy

Category Status
Perfect Forward Secrecy offered
PFS Ciphers
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES256-SHA
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-SHA
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-SHA
PFS ECDHE Curves
  • prime256v1

Server Preferences

Category Finding
Cipher Order server -- TLS 1.3 client determined
Protocol Negotiated Default protocol TLS1.3
Cipher Negotiated TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
Cipher Order TLS v1.0 ECDHE-ECDSA-AES128-SHA
Cipher Order TLS v1.1 ECDHE-ECDSA-AES128-SHA
Cipher Order TLS v1.2 ECDHE-ECDSA-AES128-GCM-SHA256

Server Defaults

Category Finding
TLS Extensions
  • renegotiation info/#65281
  • EC point formats/#11
  • session ticket/#35
  • key share/#51
  • supported versions/#43
  • extended master secret/#23
TLS Session Ticket valid for 100800 seconds (>daily)
SSL Session-ID Support yes
Session Resumption Ticket supported
Session Resumption ID supported
TLS Timestamp off by 0 seconds from your localtime
Number of Certificates 2

Certificate #1

Category Finding
Signature Algorithm SHA256 with RSA
Key Size RSA 2048 bits
Key Usage Digital Signature, Key Encipherment
Extended Key Usage TLS Web Server Authentication
Serial Number 2BC2CECBBA31CB6112CAE477B1A6E4AF
SHA1 Fingerprint 10E70000A4ED08B13037CB0ACD2EDEF4A4DB7E71
SHA256 Fingerprint C414B1E7D98D2B9ECB02098BB5CC8E34A4F3D4013DD56DBAB85C0C6D9C3108FA
X.509 Certificate Download pop.gmail.com_995_10E70000.pem
Common Name (CN) pop.gmail.com
Common Name w/o SNI pop.gmail.com
Subject Alternative Name (SAN)
  • pop.gmail.com
CA Issuers GTS CA 1C3 (Google Trust Services LLC from US)
Certificate Trust Ok via SAN (same w/o SNI)
Chain Of Trust passed.
Extended-Validation Policies no
ETS (prev. "eTLS") not present
Expiration Status expires < 60 days (55)
Valid Not Before 2024-01-02 13:08
Valid Not After 2024-03-26 13:08
Validity Period No finding
Certificate Count Server 3
Certs List Ordering Problem no
Leaked Key (pwnedkeys) not in database
CRL Revoked not revoked
CRL Distribution Points
  • http://crls.pki.goog/gts1c3/QOvJ0N1sT2A.crl
OCSP Revoked
OCSP URL http://ocsp.pki.goog/gts1c3
OCSP Stapling not offered
OCSP Must Staple Extension --
DNS CAA Record issue=pki.goog
Certificate Transparency yes (certificate extension)

Certificate #2

Category Finding
Signature Algorithm SHA256 with RSA
Key Size EC 256 bits
Key Usage Digital Signature
Extended Key Usage TLS Web Server Authentication
Serial Number FA37FA107BD1A32209A903A6C6139080
SHA1 Fingerprint 6BC6AA0DED7825B45CDE3E868D0C74786BB7BA78
SHA256 Fingerprint AFB6FAC6EBD008707BF08D38290242B3638A9116DBA6FF914761791D54B691B1
X.509 Certificate Download pop.gmail.com_995_6BC6AA0D.pem
Common Name (CN) pop.gmail.com
Common Name w/o SNI pop.gmail.com
Subject Alternative Name (SAN)
  • pop.gmail.com
CA Issuers GTS CA 1C3 (Google Trust Services LLC from US)
Certificate Trust Ok via SAN (same w/o SNI)
Chain Of Trust passed.
Extended-Validation Policies no
ETS (prev. "eTLS") not present
Expiration Status expires < 60 days (55)
Valid Not Before 2024-01-02 13:08
Valid Not After 2024-03-26 13:08
Validity Period No finding
Certificate Count Server 3
Certs List Ordering Problem no
Leaked Key (pwnedkeys) not in database
CRL Revoked not revoked
CRL Distribution Points
  • http://crls.pki.goog/gts1c3/zdATt0Ex_Fk.crl
OCSP Revoked
OCSP URL http://ocsp.pki.goog/gts1c3
OCSP Stapling not offered
OCSP Must Staple Extension --
DNS CAA Record issue=pki.goog
Certificate Transparency yes (certificate extension)

Vulnerabilities

Category Finding
Heartbleed not vulnerable, no heartbeat extension
CCS not vulnerable
Ticketbleed not applicable, not HTTP
ROBOT not vulnerable
Secure Renegotiation supported
Secure Client Renegotiation not vulnerable
CRIME TLS not vulnerable (not using HTTP anyway)
POODLE SSL not vulnerable, no SSLv3
Fallback SCSV supported
SWEET32 uses 64 bit block ciphers
FREAK not vulnerable
DROWN not vulnerable on this host and port
DROWN Hint Make sure you don't use this certificate elsewhere with SSLv2 enabled services, see censys.io
LOGJAM not vulnerable, no DH EXPORT ciphers,
LOGJAM Common Primes no DH key with <= TLS 1.2
BEAST CBC TLS1
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-ECDSA-AES256-SHA
  • ECDHE-RSA-AES128-SHA
  • ECDHE-RSA-AES256-SHA
  • AES128-SHA
  • AES256-SHA
  • DES-CBC3-SHA
BEAST VULNERABLE -- but also supports higher protocols TLSv1.1 TLSv1.2 (likely mitigated)
LUCKY13 potentially vulnerable, uses TLS CBC ciphers
RC4 not vulnerable

Ciphers

Name                           Key Exchange  Encryption  Key Length  IANA ID
ECDHE-RSA-AES256-GCM-SHA384    ECDH 256      AESGCM      256         xc030
ECDHE-ECDSA-AES256-GCM-SHA384  ECDH 256      AESGCM      256         xc02c
ECDHE-RSA-AES256-SHA           ECDH 256      AES         256         xc014
ECDHE-ECDSA-AES256-SHA         ECDH 256      AES         256         xc00a
AES256-GCM-SHA384              RSA           AESGCM      256         x9d
AES256-SHA                     RSA           AES         256         x35
ECDHE-RSA-AES128-GCM-SHA256    ECDH 256      AESGCM      128         xc02f
ECDHE-ECDSA-AES128-GCM-SHA256  ECDH 256      AESGCM      128         xc02b
ECDHE-RSA-AES128-SHA           ECDH 256      AES         128         xc013
ECDHE-ECDSA-AES128-SHA         ECDH 256      AES         128         xc009
AES128-GCM-SHA256              RSA           AESGCM      128         x9c
AES128-SHA                     RSA           AES         128         x2f
DES-CBC3-SHA                   RSA           3DES        168         x0a

Client Simulation

Category Connection via
Android 8.1 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
Android 9.0 TLSv1.3 TLS_AES_128_GCM_SHA256
Android X TLSv1.3 TLS_AES_128_GCM_SHA256
Java 6u45 TLSv1.0 AES128-SHA
Java 7u25 TLSv1.0 ECDHE-ECDSA-AES128-SHA
Java 8u161 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
Java 11.0.2 (OpenJDK) TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
Java 12.0.1 (OpenJDK) TLSv1.3 TLS_AES_128_GCM_SHA256
OpenSSL 1.02e TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
OpenSSL 1.10l (Debian) TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
OpenSSL 1.11d (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384
Thunderbird 68.3 TLSv1.3 TLS_AES_128_GCM_SHA256