nice! http://mozilla.github.io/server-side-tls/ssl-config-generator/
I did not test all profiles, but intermediate gives A+ on ssllabs, supports every browser except WinXP/IE6 and has all the goodies enabled.

$ ./testssl.sh example.com

#########################################################
testssl.sh v2.1alpha  (https://testssl.sh)

--> Testing Protocols

 SSLv2      Local problem: /usr/bin/openssl doesn't support "s_client -ssl2"
 SSLv3      not offered (OK)
 TLSv1      offered (OK)
 TLSv1.1    offered (OK)
 TLSv1.2    offered (OK)
 SPDY/NPN   not offered

--> Testing standard cipher lists

 Null Cipher               not offered (OK)
 Anonymous NULL Cipher     not offered (OK)
 Anonymous DH Cipher       not offered (OK)
 40 Bit encryption         not offered (OK)
 56 Bit encryption         Local problem: No 56 Bit encryption configured in /usr/bin/openssl
 Export Cipher (general)   not offered (OK)
 Low (<=64 Bit)            not offered (OK)
 DES Cipher                not offered (OK)
 Triple DES Cipher         offered
 Medium grade encryption   not offered
 High grade encryption     offered (OK)

--> Testing server defaults (Server Hello)

 Negotiated protocol       TLSv1.2
 Negotiated cipher         ECDHE-RSA-AES128-GCM-SHA256
 Server key size           2048 bit
 TLS server extensions     server name, renegotiation info, EC point formats, session ticket, heartbeat
 Session Tickets RFC 5077  300 seconds
 OCSP stapling             not offered

--> Testing specific vulnerabilities

 Heartbleed (CVE-2014-0160), experimental   not vulnerable (OK) , timed out
 CCS (CVE-2014-0224), experimental          not vulnerable (OK)
 Renegotiation (CVE 2009-3555)              not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                 not vulnerable (OK)
 BREACH =HTTP Compression, experimental     uses gzip compression (only "/" tested)

--> Testing HTTP Header response

 HSTS      182 days (15768000 s)
 Server    (None, interesting!)

--> Checking RC4 Ciphers

no RC4 ciphers detected (OK)

--> Testing (Perfect) Forward Secrecy (P)FS)

PFS seems generally available. Now testing specific ciphers ...

Hexcode   Cipher Suite Name (OpenSSL)    KeyExch.  Encryption  Bits  Cipher Suite Name (RFC)
--------------------------------------------------------------------------------------------------------------------
[0xc030]  ECDHE-RSA-AES256-GCM-SHA384    ECDH      AESGCM      256   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
[0x9f]    DHE-RSA-AES256-GCM-SHA384      DH        AESGCM      256   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
[0x6b]    DHE-RSA-AES256-SHA256          DH        AES         256   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
[0x39]    DHE-RSA-AES256-SHA             DH        AES         256   TLS_DHE_RSA_WITH_AES_256_CBC_SHA
[0x88]    DHE-RSA-CAMELLIA256-SHA        DH        Camellia    256   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
[0xc028]  ECDHE-RSA-AES256-SHA384        ECDH      AES         256   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
[0xc014]  ECDHE-RSA-AES256-SHA           ECDH      AES         256   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
[0xc02f]  ECDHE-RSA-AES128-GCM-SHA256    ECDH      AESGCM      128   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[0xc027]  ECDHE-RSA-AES128-SHA256        ECDH      AES         128   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
[0x9e]    DHE-RSA-AES128-GCM-SHA256      DH        AESGCM      128   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
[0x67]    DHE-RSA-AES128-SHA256          DH        AES         128   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
[0x33]    DHE-RSA-AES128-SHA             DH        AES         128   TLS_DHE_RSA_WITH_AES_128_CBC_SHA
[0x45]    DHE-RSA-CAMELLIA128-SHA        DH        Camellia    128   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
[0xc013]  ECDHE-RSA-AES128-SHA           ECDH      AES         128   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Please note: detected PFS ciphers don't necessarily mean any client/browser will use them

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254221,254221#msg-254221

_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx
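A small parser for the PFS cipher table in the testssl.sh output above, added here as an example (it is not part of the post, of testssl.sh, or of the Mozilla generator): it reads rows of the shape "[hexcode] OpenSSL-name KeyExch Encryption Bits RFC-name" and summarises what a defender checks first, i.e. how many suites are AEAD (GCM) versus CBC with a SHA-1 MAC, and how many use ECDHE versus DHE. The sample rows are constructed to mirror the post's format and are not a real scan.

```python
import re

# Constructed sample in the shape of the testssl.sh v2.1alpha PFS table quoted
# in the post (hexcode, OpenSSL name, key exchange, encryption, bits, RFC name).
SAMPLE_PFS_TABLE = """\
[0xc030] ECDHE-RSA-AES256-GCM-SHA384 ECDH AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
[0x9f] DHE-RSA-AES256-GCM-SHA384 DH AESGCM 256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
[0x39] DHE-RSA-AES256-SHA DH AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
[0x88] DHE-RSA-CAMELLIA256-SHA DH Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
[0xc02f] ECDHE-RSA-AES128-GCM-SHA256 ECDH AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[0xc013] ECDHE-RSA-AES128-SHA ECDH AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Please note: detected PFS ciphers don't necessarily mean any client/browser will use them
"""

# One table row: the header, separator and "Please note" lines do not match and are skipped.
ROW = re.compile(r"^\[(0x[0-9a-f]+)\]\s+(\S+)\s+(ECDH|DH)\s+(\S+)\s+(\d+)\s+(TLS_\S+)$")

def parse_pfs_table(text):
    """Return one dict per cipher row found in the testssl.sh PFS section."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        hexcode, ossl, kx, enc, bits, rfc = m.groups()
        rows.append({
            "hex": hexcode, "openssl": ossl, "kx": kx, "enc": enc,
            "bits": int(bits), "rfc": rfc,
            # AEAD suites (GCM in this table) avoid the CBC MAC-then-encrypt construction
            "aead": enc.upper().endswith("GCM"),
            # RFC names ending in plain _SHA use HMAC-SHA1 as the record MAC
            "sha1_mac": rfc.endswith("_SHA"),
        })
    return rows

def summarize(rows):
    """Counts a reviewer wants at a glance: key exchange type and AEAD vs CBC/SHA-1."""
    return {
        "total": len(rows),
        "ecdhe": sum(r["kx"] == "ECDH" for r in rows),
        "dhe": sum(r["kx"] == "DH" for r in rows),
        "aead": sum(r["aead"] for r in rows),
        "cbc_sha1": sum((not r["aead"]) and r["sha1_mac"] for r in rows),
        "camellia": sum(r["enc"].lower() == "camellia" for r in rows),
    }

if __name__ == "__main__":
    parsed = parse_pfs_table(SAMPLE_PFS_TABLE)
    for r in parsed:
        print(f'{r["hex"]:>8} {r["openssl"]:<30} {"AEAD" if r["aead"] else "CBC"}')
    print(summarize(parsed))
```

Feeding it the full table from the post instead of the constructed sample shows the same split the output already hints at: every suite offers forward secrecy, but the CBC/SHA-1 suites remain alongside the GCM ones.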
