Hi, I have run the below tests
./testssl.sh gsmasslciphers.digitalapicraft.com

> ###########################################################
> testssl.sh 3.1dev from https://testssl.sh/dev/
> (e0c83b2 2020-02-24 14:21:28 -- )
> This program is free software. Distribution and
> modification under GPLv2 permitted.
> USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
> Please file bugs @ https://testssl.sh/bugs/
> ###########################################################
> Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers]
> on Kaushals-MacBook-Pro:./bin/openssl.Darwin.x86_64
> (built: "Feb 22 09:55:43 2019", platform: "darwin64-x86_64-cc")
>
> Start 2020-03-10 21:50:25 -->> 13.234.216.57:443 (gsmasslciphers.digitalapicraft.com) <<--
> rDNS (13.234.216.57): --
> Service detected: HTTP
>
> Testing protocols via sockets except NPN+ALPN
> SSLv2      not offered (OK)
> SSLv3      not offered (OK)
> TLS 1      not offered
> TLS 1.1    not offered
> TLS 1.2    offered (OK)
> TLS 1.3    not offered and downgraded to a weaker protocol
> NPN/SPDY   h2, http/1.1 (advertised)
> ALPN/HTTP2 h2, http/1.1 (offered)
> Testing cipher categories
> NULL ciphers (no encryption)                  not offered (OK)
> Anonymous NULL Ciphers (no authentication)    not offered (OK)
> Export ciphers (w/o ADH+NULL)                 not offered (OK)
> LOW: 64 Bit + DES, RC[2,4] (w/o export)       not offered (OK)
> Triple DES Ciphers / IDEA                     not offered
> Obsolete: SEED + 128+256 Bit CBC cipher       not offered
> Strong encryption (AEAD ciphers)              offered (OK)
>
> Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4
> PFS is offered (OK)          ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256
> Elliptic curves offered:     secp256k1 prime256v1 secp384r1 secp521r1
>
> Testing server preferences
> Has server cipher order?     no (NOT ok)
> Negotiated protocol          TLSv1.2
> Negotiated cipher            ECDHE-RSA-AES128-GCM-SHA256, 521 bit ECDH (P-521) -- inconclusive test, matching cipher in list missing, better see below
> Negotiated cipher per proto  (matching cipher in list missing)
>     ECDHE-RSA-AES256-GCM-SHA384: TLSv1.2
> No further cipher order check has been done as order is determined by the client
>
> Testing server defaults (Server Hello)
> TLS extensions (standard)    "server name/#0" "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35" "heartbeat/#15" "next protocol/#13172" "application layer protocol negotiation/#16"
> Session Ticket RFC 5077 hint 86400 seconds, session tickets keys seems to be rotated < daily
> SSL Session ID support       yes
> Session Resumption           Tickets: yes, ID: yes
> TLS clock skew               Random values, no fingerprinting possible
> Signature Algorithm          SHA256 with RSA
> Server key size              RSA 2048 bits
> Server key usage             Digital Signature, Key Encipherment
> Server extended key usage    TLS Web Server Authentication, TLS Web Client Authentication
> Serial / Fingerprints        03C871BF68E569B4330E4AFCFA7752AAB5D7 / SHA1 8874D965CB96F4A4B8B4CCAE149B6F1999399BF8
>                              SHA256 BB56659442E2ED18778F7BB210823F3A81DA88F3AF79D0EE2104CE82DBB03C65
> Common Name (CN)             gsmasslciphers.digitalapicraft.com
> subjectAltName (SAN)         gsmasslciphers.digitalapicraft.com
> Issuer                       Let's Encrypt Authority X3 (Let's Encrypt from US)
> Trust (hostname)             Ok via SAN (same w/o SNI)
> Chain of trust               Ok
> EV cert (experimental)       no
> ETS/"eTLS", visibility info  not present
> Certificate Validity (UTC)   89 >= 30 days (2020-03-10 09:40 --> 2020-06-08 09:40)
> # of certificates provided   2
> Certificate Revocation List  --
> OCSP URI                     http://ocsp.int-x3.letsencrypt.org
> OCSP stapling                not offered
> OCSP must staple extension   --
> DNS CAA RR (experimental)    not offered
> Certificate Transparency     yes (certificate extension)
>
> Testing HTTP header response @ "/"
> HTTP Status Code             200 OK
> HTTP clock skew              0 sec from localtime
> Strict Transport Security    730 days=63072000 s, just this domain
> Public Key Pinning           --
> Server banner                nginx/1.16.1
> Application banner           --
> Cookie(s)                    (none issued at "/")
> Security headers             --
> Reverse Proxy banner         --
>
> Testing vulnerabilities
> Heartbleed (CVE-2014-0160)                not vulnerable (OK), timed out
> CCS (CVE-2014-0224)                       not vulnerable (OK)
> Ticketbleed (CVE-2016-9244), experiment.  not vulnerable (OK)
> ROBOT                                     Server does not support any cipher suites that use RSA key transport
> Secure Renegotiation (RFC 5746)           supported (OK)
> Secure Client-Initiated Renegotiation     not vulnerable (OK)
> CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
> BREACH (CVE-2013-3587)                    no HTTP compression (OK) - only supplied "/" tested
> POODLE, SSL (CVE-2014-3566)               not vulnerable (OK), no SSLv3 support
> TLS_FALLBACK_SCSV (RFC 7507)              No fallback possible (OK), no protocol below TLS 1.2 offered
> SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
> FREAK (CVE-2015-0204)                     not vulnerable (OK)
> DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
>                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services
>                                           https://censys.io/ipv4?q=BB56659442E2ED18778F7BB210823F3A81DA88F3AF79D0EE2104CE82DBB03C65 could help you to find out
> LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
> BEAST (CVE-2011-3389)                     not vulnerable (OK), no SSL3 or TLS1
> LUCKY13 (CVE-2013-0169), experimental     not vulnerable (OK)
> RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)
>
> Testing 370 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength
> Hexcode  Cipher Suite Name (OpenSSL)  KeyExch.  Encryption  Bits  Cipher Suite Name (IANA/RFC)
> -----------------------------------------------------------------------------------------------------------------------------
> xc030    ECDHE-RSA-AES256-GCM-SHA384  ECDH 521  AESGCM      256   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> xc02f    ECDHE-RSA-AES128-GCM-SHA256  ECDH 521  AESGCM      128   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>
> Running client simulations (HTTP) via sockets
> Android 4.4.2                TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 521 bit ECDH (P-521)
> Android 5.0.0                TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 521 bit ECDH (P-521)
> Android 6.0                  TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
> Android 7.0                  TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
> Android 8.1 (native)         TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
> Android 9.0 (native)         TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
> Android 10.0 (native)        TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
> Chrome 74 (Win 10)           TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
> Chrome 79 (Win 10)           TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
> Firefox 66 (Win 8.1/10)      TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
> Firefox 71 (Win 10)          TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
> IE 6 XP                      No connection
> IE 8 Win 7                   No connection
> IE 8 XP                      No connection
> IE 11 Win 7                  No connection
> IE 11 Win 8.1                No connection
> IE 11 Win Phone 8.1          No connection
> IE 11 Win 10                 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
> Edge 15 Win 10               TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
> Edge 17 (Win 10)             TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
> Opera 66 (Win 10)            TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
> Safari 9 iOS 9               TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
> Safari 9 OS X 10.11          TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
> Safari 10 OS X 10.12         TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
> Safari 12.1 (iOS 12.2)       TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
> Safari 13.0 (macOS 10.14.6)  TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
> Apple ATS 9 iOS 9            TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
> Java 6u45                    No connection
> Java 7u25                    No connection
> Java 8u161                   TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
> Java 11.0.2 (OpenJDK)        TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
> Java 12.0.1 (OpenJDK)        TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
> OpenSSL 1.0.2e               TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
> OpenSSL 1.1.0l (Debian)      TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
> OpenSSL 1.1.1d (Debian)      TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
> Thunderbird (68.3)           TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
> Done 2020-03-10 21:52:13 [0130s] -->> 13.234.216.57:443 (gsmasslciphers.digitalapicraft.com) <<--

I am not sure about the below explanation as seen in the above output.

> Testing server preferences
> Has server cipher order?     no (NOT ok)
> Negotiated protocol          TLSv1.2
> Negotiated cipher            ECDHE-RSA-AES128-GCM-SHA256, 521 bit ECDH (P-521) -- inconclusive test, matching cipher in list missing, better see below
> Negotiated cipher per proto  (matching cipher in list missing)
>     ECDHE-RSA-AES256-GCM-SHA384: TLSv1.2
> No further cipher order check has been done as order is determined by the client

I will appreciate it if someone can help me understand it. Does it mean there is some issue?

Thanks in advance and I look forward to hearing from you.

Best Regards,
Kaushal
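
Added illustration, not part of the original message and not testssl.sh's own code: a simplified model of what "Has server cipher order? no" describes, namely that the server accepts whichever shared suite the client lists first, which is why the client simulations in the scan negotiate different suites. The function names and the constructed client offer lists are assumptions made for this example; the two suite names are the ones the scan reports.

```python
# Simplified model of TLS cipher-suite selection (added example, not testssl.sh code).
# Suite names come from the scan output; client offers and helpers are constructed.

AES256 = "ECDHE-RSA-AES256-GCM-SHA384"
AES128 = "ECDHE-RSA-AES128-GCM-SHA256"


def negotiate(client_offer, server_suites, server_has_order):
    """Return the suite the server selects, or None if no suite is shared.

    server_has_order=True:  first suite in the server's list that the client offers.
    server_has_order=False: first suite in the client's list that the server supports.
    """
    if server_has_order:
        walk, other = server_suites, client_offer
    else:
        walk, other = client_offer, server_suites
    for suite in walk:
        if suite in other:
            return suite
    return None


def has_server_cipher_order(probe):
    """Offer the same two suites in both orders via `probe` (offer list -> chosen suite).

    If the choice changes with the client's ordering, the client is deciding.
    """
    forward = [AES256, AES128]
    backward = list(reversed(forward))
    return probe(forward) == probe(backward)


def make_server(server_has_order):
    """Constructed stand-in for a real handshake; returns a probe callable."""
    suites = [AES256, AES128]  # hypothetical server-side list
    return lambda offer: negotiate(offer, suites, server_has_order)


if __name__ == "__main__":
    for enforced in (False, True):
        probe = make_server(enforced)
        print("server order enforced:", enforced,
              "| detected order:", has_server_cipher_order(probe),
              "| AES128-first client gets:", probe([AES128, AES256]))
```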