Check via testssl.sh:
,----
| Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2)
|
| SSLv2      offered (NOT ok), also VULNERABLE to DROWN attack -- 7 ciphers
| SSLv3      offered (NOT ok)
| TLS 1      offered
| TLS 1.1    not offered
| TLS 1.2    not offered
| Version tolerance              downgraded to TLSv1.0 (OK)
`----
Ouch.
,----
| Testing server preferences
|
| Has server cipher order?     nope (NOT ok)
| Negotiated protocol          TLSv1
| Negotiated cipher            RC4-SHA (limited sense as client will pick)
| Negotiated cipher per proto (limited sense as client will pick)
|      RC2-CBC-MD5:   SSLv2
|      RC4-SHA:       SSLv3, TLSv1
| No further cipher order check has been done as order is determined by the client
`----
Oh God.
,----
| Testing vulnerabilities
|
| Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
| CCS (CVE-2014-0224)                       VULNERABLE (NOT ok)
| Secure Renegotiation (CVE-2009-3555)      VULNERABLE (NOT ok)
| Secure Client-Initiated Renegotiation     VULNERABLE (NOT ok), potential DoS threat
| CRIME, TLS (CVE-2012-4929)                not vulnerable (OK) (not using HTTP anyway)
| POODLE, SSL (CVE-2014-3566)               VULNERABLE (NOT ok), uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)
| TLS_FALLBACK_SCSV (RFC 7507), Downgrade attack prevention NOT supported
| FREAK (CVE-2015-0204)                     VULNERABLE (NOT ok), uses EXPORT RSA ciphers
| DROWN (CVE-2016-0800, CVE-2016-0703)      VULNERABLE (NOT ok), SSLv2 offered with 7 ciphers
| LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK), common primes not checked. See below for any DH ciphers + bit size
| BEAST (CVE-2011-3389)                     SSL3: DES-CBC-SHA DES-CBC3-SHA EXP1024-DES-CBC-SHA
|                                           TLS1: DES-CBC-SHA DES-CBC3-SHA EXP1024-DES-CBC-SHA
|                                           VULNERABLE -- and no higher protocols as mitigation supported
| RC4 (CVE-2013-2566, CVE-2015-2808)        VULNERABLE (NOT ok): RC4-SHA RC4-MD5 RC4-MD5 RC4-64-MD5 EXP1024-RC4-SHA EXP-RC4-MD5
`----
Heavens.
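Output like this normally ends up in a ticket, so it is worth parsing rather than reading. The following is an added example, not part of the original post and not testssl.sh's own code (newer testssl.sh releases can also write JSON; this handles the plain-text layout shown above). It parses the protocol table, the server cipher order line and the CVE/RFC-tagged verdicts, cross-checks the verdicts against the protocol table, and derives the minimum remediation. The sample input is a constructed, re-typed excerpt of the scan above; the cross-check and remediation rules are this example's own.

```python
# Triage of testssl.sh text output: protocol table, server preferences and
# vulnerability lines. Added example, not part of the original post and not
# testssl.sh's own code. SAMPLE is a constructed excerpt re-typed from the scan
# above (boxquote prefixes removed); the cross-check and remediation rules are
# this example's own.
import re

SAMPLE = """\
 SSLv2      offered (NOT ok), also VULNERABLE to DROWN attack -- 7 ciphers
 SSLv3      offered (NOT ok)
 TLS 1      offered
 TLS 1.1    not offered
 TLS 1.2    not offered
 Has server cipher order?     nope (NOT ok)
 Negotiated protocol          TLSv1
 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224)                       VULNERABLE (NOT ok)
 Secure Renegotiation (CVE-2009-3555)      VULNERABLE (NOT ok)
 POODLE, SSL (CVE-2014-3566)               VULNERABLE (NOT ok), uses SSLv3+CBC
 TLS_FALLBACK_SCSV (RFC 7507), Downgrade attack prevention NOT supported
 FREAK (CVE-2015-0204)                     VULNERABLE (NOT ok), uses EXPORT RSA ciphers
 DROWN (CVE-2016-0800, CVE-2016-0703)      VULNERABLE (NOT ok), SSLv2 offered with 7 ciphers
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK), common primes not checked
 RC4 (CVE-2013-2566, CVE-2015-2808)        VULNERABLE (NOT ok): RC4-SHA RC4-MD5
"""

# One line per SSL/TLS version, e.g. " TLS 1.1    not offered".
PROTO_RE = re.compile(r"^\s*(SSLv2|SSLv3|TLS 1(?:\.[123])?)\s+(not offered|offered)")
# Identifiers testssl.sh attaches to a vulnerability line.
ID_RE = re.compile(r"CVE-\d{4}-\d+|RFC \d+")


def parse_protocols(text):
    """Map each protocol version to True (offered) or False (not offered)."""
    protos = {}
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            protos[m.group(1)] = m.group(2) == "offered"
    return protos


def parse_server_order(text):
    """True only if testssl.sh reports the server enforcing its own cipher order."""
    m = re.search(r"Has server cipher order\?\s+(\w+)", text)
    return bool(m) and m.group(1).lower() == "yes"


def parse_findings(text):
    """Return [(name, ids, status)] for every line tagged with a CVE or RFC number.

    status: 'vulnerable' for VULNERABLE verdicts and missing mitigations,
    'ok' for 'not vulnerable', 'info' for anything else.
    """
    findings = []
    for line in text.splitlines():
        ids = ID_RE.findall(line)
        if not ids:
            continue
        name = line.split("(", 1)[0].strip()
        if "not vulnerable" in line:
            status = "ok"
        elif "VULNERABLE" in line or "NOT supported" in line:
            status = "vulnerable"
        else:
            status = "info"
        findings.append((name, ids, status))
    return findings


def cross_check(protos, findings):
    """Consistency rules between the vulnerability verdicts and the protocol table.

    A mismatch usually means a truncated scan or a scanner false positive and
    deserves a manual re-test before the finding goes into a report.
    """
    vuln = {name for name, _, status in findings if status == "vulnerable"}
    offered = [p for p, on in protos.items() if on]
    problems = []
    if ("DROWN" in vuln) != protos.get("SSLv2", False):
        problems.append("DROWN verdict disagrees with the SSLv2 line")
    if "POODLE, SSL" in vuln and not protos.get("SSLv3", False):
        problems.append("POODLE (SSL) flagged although SSLv3 is not offered")
    if "TLS_FALLBACK_SCSV" in vuln and len(offered) < 2:
        problems.append("missing TLS_FALLBACK_SCSV is moot with a single protocol offered")
    return problems


def remediation(protos, server_order):
    """Minimum configuration changes implied by the protocol and preference sections."""
    steps = [f"disable {p}" for p in ("SSLv2", "SSLv3", "TLS 1", "TLS 1.1") if protos.get(p)]
    if not protos.get("TLS 1.2"):
        steps.append("enable TLS 1.2 or newer")
    if not server_order:
        steps.append("enforce server-side cipher order")
    return steps


def triage(text):
    """Run every parser over one testssl.sh text report and bundle the results."""
    protos = parse_protocols(text)
    findings = parse_findings(text)
    return {
        "protocols": protos,
        "vulnerable": sorted(n for n, _, s in findings if s == "vulnerable"),
        "inconsistencies": cross_check(protos, findings),
        "remediation": remediation(protos, parse_server_order(text)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

For the scan above the cross-checks come back clean (DROWN and SSLv2 agree, POODLE and SSLv3 agree, and three protocols are offered, so the missing TLS_FALLBACK_SCSV actually matters), and the remediation list is the obvious one: drop SSLv2, SSLv3 and TLS 1.0, enable TLS 1.2 or newer, and enforce a server-side cipher order.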
,----
| Testing all 183 locally available ciphers against the server, ordered by encryption strength
|
| Hexcode  Cipher Suite Name (OpenSSL)  KeyExch.   Encryption  Bits    Cipher Suite Name (RFC)
| ---------------------------------------------------------------------------------------------------
| x030080  RC2-CBC-MD5                  RSA        RC2         128     SSL_CK_RC2_128_CBC_WITH_MD5
| x05      RC4-SHA                      RSA        RC4         128     TLS_RSA_WITH_RC4_128_SHA
| x04      RC4-MD5                      RSA        RC4         128     TLS_RSA_WITH_RC4_128_MD5
| x010080  RC4-MD5                      RSA        RC4         128     SSL_CK_RC4_128_WITH_MD5
| x0a      DES-CBC3-SHA                 RSA        3DES        168     TLS_RSA_WITH_3DES_EDE_CBC_SHA
| x0700c0  DES-CBC3-MD5                 RSA        3DES        168     SSL_CK_DES_192_EDE3_CBC_WITH_MD5
| x080080  RC4-64-MD5                   RSA        RC4         64      SSL_CK_RC4_64_WITH_MD5
| x62      EXP1024-DES-CBC-SHA          RSA(1024)  DES         56,exp  TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
| x09      DES-CBC-SHA                  RSA        DES         56      TLS_RSA_WITH_DES_CBC_SHA
| x61      EXP1024-RC2-CBC-MD5          RSA(1024)  RC2         56,exp  TLS_RSA_EXPORT1024_WITH_RC2_56_MD5
| x060040  DES-CBC-MD5                  RSA        DES         56      SSL_CK_DES_64_CBC_WITH_MD5
| x64      EXP1024-RC4-SHA              RSA(1024)  RC4         56,exp  TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
| x60      EXP1024-RC4-MD5              RSA(1024)  RC4         56,exp  TLS_RSA_EXPORT1024_WITH_RC4_56_MD5
| x040080  EXP-RC2-CBC-MD5              RSA(512)   RC2         40,exp  SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
| x020080  EXP-RC4-MD5                  RSA(512)   RC4         40,exp  SSL_CK_RC4_128_EXPORT40_WITH_MD5
`----
Only "DES-CBC3-SHA" comes anywhere close to current, and even that has been deprecated for years (the 64-bit block size of 3DES is what the Sweet32 attack exploits). Everything else is broken outright: the 40-bit and 56-bit suites fall to exhaustive key search on commodity hardware, RC4's keystream biases are exploitable regardless of key length, and the SSLv2 suites expose the server's RSA key to the DROWN attack flagged above.