U03

To the Rainbow Bridge and beyond

sslscan

To check that a server (web or otherwise) using SSL is correctly configured, there is of course the Qualys SSL Labs site; however, it can only be used if the server is reachable from the internet in one way or another.

sslscan performs this check locally, and faster (since you do not necessarily need all the information provided by the SSL Labs test).

sslscan uses a customised OpenSSL library so that it can keep using obsolete protocols and algorithms in order to run its tests. That is why it is usually compiled statically, which also makes it easy to carry around (since there is only one executable). It is therefore easy to compile it on a machine that has internet access and build tools (which is normally not the case for production machines) and then use it elsewhere.

Compiling sslscan:

git clone https://github.com/rbsec/sslscan
cd sslscan
make static

Below is an sslscan test against the server u03.fr. It shows that only TLSv1.0, TLSv1.1 and TLSv1.2 are available (which is good), and only high-strength ciphers; all of them use DHE or ECDHE and therefore provide PFS, which is what earns an A on the Qualys SSL Labs test (see also my post "A+"):

./sslscan u03.fr
Version: 1.11.10-rbsec-7-g3fe5d00-static
OpenSSL 1.0.2-chacha (1.0.2g-dev)

Testing SSL server u03.fr on port 443 using SNI name u03.fr

  TLS Fallback SCSV:
Server supports TLS Fallback SCSV

  TLS renegotiation:
Secure session renegotiation supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384       Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 4096 bits
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA256         DHE 4096 bits
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA            DHE 4096 bits
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256     DHE 4096 bits
Preferred TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  256 bits  DHE-RSA-AES256-SHA            DHE 4096 bits
Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  256 bits  DHE-RSA-AES256-SHA            DHE 4096 bits

  SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength:    4096

Subject:  u03.fr
Altnames: DNS:blog.chezfanny.me, DNS:blog.u03.fr, DNS:chezfanny.me, DNS:photos.u03.fr, DNS:u03.fr, DNS:www.chezfanny.me, DNS:www.u03.fr
Issuer:   Let's Encrypt Authority X3

Not valid before: Mar 11 18:44:00 2017 GMT
Not valid after:  Jun  9 18:44:00 2017 GMT

Conversely, here is a badly configured site: it still allows SSLv3, as well as a weak encryption algorithm (RC4), and that is bad…

  Supported Server Cipher(s):
Preferred TLSv1.0  256 bits  DHE-RSA-AES256-SHA            DHE 1024 bits
Accepted  TLSv1.0  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 1024 bits
Accepted  TLSv1.0  256 bits  AES256-SHA                   
Accepted  TLSv1.0  256 bits  CAMELLIA256-SHA              
Accepted  TLSv1.0  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits
Accepted  TLSv1.0  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 1024 bits
Accepted  TLSv1.0  128 bits  AES128-SHA                   
Accepted  TLSv1.0  128 bits  CAMELLIA128-SHA              
Accepted  TLSv1.0  128 bits  RC4-SHA                      
Accepted  TLSv1.0  112 bits  EDH-RSA-DES-CBC3-SHA          DHE 1024 bits
Accepted  TLSv1.0  112 bits  DES-CBC3-SHA                 
Preferred SSLv3    256 bits  DHE-RSA-AES256-SHA            DHE 1024 bits
Accepted  SSLv3    256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 1024 bits
Accepted  SSLv3    256 bits  AES256-SHA                   
Accepted  SSLv3    256 bits  CAMELLIA256-SHA              
Accepted  SSLv3    128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits
Accepted  SSLv3    128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 1024 bits
Accepted  SSLv3    128 bits  AES128-SHA                   
Accepted  SSLv3    128 bits  CAMELLIA128-SHA              
Accepted  SSLv3    128 bits  RC4-SHA                      
Accepted  SSLv3    112 bits  EDH-RSA-DES-CBC3-SHA          DHE 1024 bits
Accepted  SSLv3    112 bits  DES-CBC3-SHA

It is also possible to retrieve the server's SSL certificate:

./sslscan --show-certificate google.com

~~~
  SSL Certificate:
    Certificate blob:
    Version: 2
    Serial Number: 60:01:f7:b0:08:a7:40:5b
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: /C=US/O=Google Inc/CN=Google Internet Authority G2
    Not valid before: May 16 13:58:43 2017 GMT
    Not valid after: Aug  8 13:40:00 2017 GMT
    Subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
      Public-Key: (2048 bit)
      Modulus:
      Exponent: 65537 (0x10001)
    X509v3 Extensions:
      X509v3 Extended Key Usage: 
        TLS Web Server Authentication, TLS Web Client Authentication
      X509v3 Subject Alternative Name: 
        DNS:*.google.com, DNS:*.android.com, DNS:*.appengine.google.com, DNS:*.cloud.google.com, DNS:*.gcp.gvt2.com, DNS:*.google-analytics.com, DNS:*.google.ca, DNS:*.google.cl, DNS:*.google.co.in, DNS:*.google.co.jp, DNS:*.google.co.uk, DNS:*.google.com.ar, DNS:*.google.com.au, DNS:*.google.com.br, DNS:*.google.com.co, DNS:*.google.com.mx, DNS:*.google.com.tr, DNS:*.google.com.vn, DNS:*.google.de, DNS:*.google.es, DNS:*.google.fr, DNS:*.google.hu, DNS:*.google.it, DNS:*.google.nl, DNS:*.google.pl, DNS:*.google.pt, DNS:*.googleadapis.com, DNS:*.googleapis.cn, DNS:*.googlecommerce.com, DNS:*.googlevideo.com, DNS:*.gstatic.cn, DNS:*.gstatic.com, DNS:*.gvt1.com, DNS:*.gvt2.com, DNS:*.metric.gstatic.com, DNS:*.urchin.com, DNS:*.url.google.com, DNS:*.youtube-nocookie.com, DNS:*.youtube.com, DNS:*.youtubeeducation.com, DNS:*.ytimg.com, DNS:android.clients.google.com, DNS:android.com, DNS:developer.android.google.cn, DNS:developers.android.google.cn, DNS:g.co, DNS:goo.gl, DNS:google-analytics.com, DNS:google.com, DNS:googlecommerce.com, DNS:source.android.google.cn, DNS:urchin.com, DNS:www.goo.gl, DNS:youtu.be, DNS:youtube.com, DNS:youtubeeducation.com
      Authority Information Access: 
        CA Issuers - URI:http://pki.google.com/GIAG2.crt
        OCSP - URI:http://clients1.google.com/ocsp

      X509v3 Subject Key Identifier: 
        6B:F5:6B:45:E5:4F:79:4E:72:05:BD:45:A9:E5:81:65:19:22:D6:82
      X509v3 Basic Constraints: critical
        CA:FALSE
      X509v3 Authority Key Identifier: 
        keyid:4A:DD:06:16:1B:BC:F6:68:B5:76:F5:81:B6:BB:62:1A:BA:5A:81:2F

      X509v3 Certificate Policies: 
        Policy: 1.3.6.1.4.1.11129.2.5.1
        Policy: 2.23.140.1.2.2

      X509v3 CRL Distribution Points: 

        Full Name:
          URI:http://pki.google.com/GIAG2.crl

  Verify Certificate:
    unable to get local issuer certificate

  SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength:    2048

Subject:  *.google.com
Altnames: DNS:*.google.com, DNS:*.android.com, DNS:*.appengine.google.com, DNS:*.cloud.google.com, DNS:*.gcp.gvt2.com, DNS:*.google-analytics.com, DNS:*.google.ca, DNS:*.google.cl, DNS:*.google.co.in, DNS:*.google.co.jp, DNS:*.google.co.uk, DNS:*.google.com.ar, DNS:*.google.com.au, DNS:*.google.com.br, DNS:*.google.com.co, DNS:*.google.com.mx, DNS:*.google.com.tr, DNS:*.google.com.vn, DNS:*.google.de, DNS:*.google.es, DNS:*.google.fr, DNS:*.google.hu, DNS:*.google.it, DNS:*.google.nl, DNS:*.google.pl, DNS:*.google.pt, DNS:*.googleadapis.com, DNS:*.googleapis.cn, DNS:*.googlecommerce.com, DNS:*.googlevideo.com, DNS:*.gstatic.cn, DNS:*.gstatic.com, DNS:*.gvt1.com, DNS:*.gvt2.com, DNS:*.metric.gstatic.com, DNS:*.urchin.com, DNS:*.url.google.com, DNS:*.youtube-nocookie.com, DNS:*.youtube.com, DNS:*.youtubeeducation.com, DNS:*.ytimg.com, DNS:android.clients.google.com, DNS:android.com, DNS:developer.android.google.cn, DNS:developers.android.google.cn, DNS:g.co, DNS:goo.gl, DNS:google-analytics.com, DNS:google.com, DNS:googlecommerce.com, DNS:source.android.google.cn, DNS:urchin.com, DNS:www.goo.gl, DNS:youtu.be, DNS:youtube.com, DNS:youtubeeducation.com
Issuer:   Google Internet Authority G2

Not valid before: May 16 13:58:43 2017 GMT
Not valid after:  Aug  8 13:40:00 2017 GMT

sslscan has many options which, for example, let you scan a list of servers or get the result as XML, which makes it possible to automate tests:

./sslscan
                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|


                1.11.10-rbsec-7-g3fe5d00-static
                OpenSSL 1.0.2-chacha (1.0.2g-dev)
Command:
  ./sslscan [Options] [host:port | host]

Options:
  --targets=<file>     A file containing a list of hosts to check.
                       Hosts can  be supplied  with ports (host:port)
  --sni-name=<name>    Hostname for SNI
  --ipv4               Only use IPv4
  --ipv6               Only use IPv6
  --show-certificate   Show full certificate information
  --no-check-certificate  Don't warn about weak certificate algorithm or keys
  --show-client-cas    Show trusted CAs for TLS client auth
  --show-ciphers       Show supported client ciphers
  --show-cipher-ids    Show cipher ids
  --show-times         Show handhake times in milliseconds
  --ssl2               Only check SSLv2 ciphers
  --ssl3               Only check SSLv3 ciphers
  --tls10              Only check TLSv1.0 ciphers
  --tls11              Only check TLSv1.1 ciphers
  --tls12              Only check TLSv1.2 ciphers
  --tlsall             Only check TLS ciphers (all versions)
  --ocsp               Request OCSP response from server
  --pk=<file>          A file containing the private key or a PKCS#12 file
                       containing a private key/certificate pair
  --pkpass=<password>  The password for the private  key or PKCS#12 file
  --certs=<file>       A file containing PEM/ASN1 formatted client certificates
  --no-ciphersuites    Do not check for supported ciphersuites
  --no-fallback        Do not check for TLS Fallback SCSV
  --no-renegotiation   Do not check for TLS renegotiation
  --no-compression     Do not check for TLS compression (CRIME)
  --no-heartbleed      Do not check for OpenSSL Heartbleed (CVE-2014-0160)
  --starttls-ftp       STARTTLS setup for FTP
  --starttls-imap      STARTTLS setup for IMAP
  --starttls-irc       STARTTLS setup for IRC
  --starttls-ldap      STARTTLS setup for LDAP
  --starttls-pop3      STARTTLS setup for POP3
  --starttls-smtp      STARTTLS setup for SMTP
  --starttls-mysql     STARTTLS setup for MYSQL
  --starttls-xmpp      STARTTLS setup for XMPP
  --starttls-psql      STARTTLS setup for PostgreSQL
  --xmpp-server        Use a server-to-server XMPP handshake
  --http               Test a HTTP connection
  --rdp                Send RDP preamble before starting scan
  --bugs               Enable SSL implementation bug work-arounds
  --timeout=<sec>      Set socket timeout. Default is 3s
  --sleep=<msec>       Pause between connection request. Default is disabled
  --xml=<file>         Output results to an XML file
                       <file> can be -, which means stdout
  --version            Display the program version
  --verbose            Display verbose output
  --no-cipher-details  Disable EC curve names and EDH/RSA key lengths output
  --no-colour          Disable coloured output
  --help               Display the  help text  you are  now reading

Example:
  ./sslscan 127.0.0.1
  ./sslscan [::1]

Here is an example of XML output:

./sslscan --xml=- u03.fr
<?xml version="1.0" encoding="UTF-8"?>
<document title="SSLScan Results" version="1.11.10-rbsec-7-g3fe5d00-static" web="http://github.com/rbsec/sslscan">
 <ssltest host="u03.fr" sniname="u03.fr" port="443">
  <renegotiation supported="1" secure="1" />
  <compression supported="0" />
  <heartbleed sslversion="TLSv1.2" vulnerable="0" />
  <heartbleed sslversion="TLSv1.1" vulnerable="0" />
  <heartbleed sslversion="TLSv1.0" vulnerable="0" />
  <cipher status="preferred" sslversion="TLSv1.2" bits="256" cipher="ECDHE-RSA-AES256-GCM-SHA384" id="0xC030" curve="P-256" ecdhebits="256" />
  <cipher status="accepted" sslversion="TLSv1.2" bits="256" cipher="ECDHE-RSA-AES256-SHA384" id="0xC028" curve="P-256" ecdhebits="256" />
  <cipher status="accepted" sslversion="TLSv1.2" bits="256" cipher="ECDHE-RSA-AES256-SHA" id="0xC014" curve="P-256" ecdhebits="256" />
  <cipher status="accepted" sslversion="TLSv1.2" bits="256" cipher="DHE-RSA-AES256-GCM-SHA384" id="0x9F" dhebits="4096" />
  <cipher status="accepted" sslversion="TLSv1.2" bits="256" cipher="DHE-RSA-AES256-SHA256" id="0x6B" dhebits="4096" />
  <cipher status="accepted" sslversion="TLSv1.2" bits="256" cipher="DHE-RSA-AES256-SHA" id="0x39" dhebits="4096" />
  <cipher status="accepted" sslversion="TLSv1.2" bits="128" cipher="ECDHE-RSA-AES128-GCM-SHA256" id="0xC02F" curve="P-256" ecdhebits="256" />
  <cipher status="accepted" sslversion="TLSv1.2" bits="128" cipher="DHE-RSA-AES128-GCM-SHA256" id="0x9E" dhebits="4096" />
  <cipher status="preferred" sslversion="TLSv1.1" bits="256" cipher="ECDHE-RSA-AES256-SHA" id="0xC014" curve="P-256" ecdhebits="256" />
  <cipher status="accepted" sslversion="TLSv1.1" bits="256" cipher="DHE-RSA-AES256-SHA" id="0x39" dhebits="4096" />
  <cipher status="preferred" sslversion="TLSv1.0" bits="256" cipher="ECDHE-RSA-AES256-SHA" id="0xC014" curve="P-256" ecdhebits="256" />
  <cipher status="accepted" sslversion="TLSv1.0" bits="256" cipher="DHE-RSA-AES256-SHA" id="0x39" dhebits="4096" />
  <certificate>
   <signature-algorithm>sha256WithRSAEncryption</signature-algorithm>
   <pk error="false" type="RSA" bits="4096" />
   <subject><![CDATA[u03.fr]]></subject>
   <altnames><![CDATA[DNS:blog.chezfanny.me, DNS:blog.u03.fr, DNS:chezfanny.me, DNS:photos.u03.fr, DNS:u03.fr, DNS:www.chezfanny.me, DNS:www.u03.fr]]></altnames>
   <issuer><![CDATA[Let's Encrypt Authority X3]]></issuer>
   <self-signed>false</self-signed>
   <not-valid-before>Mar 11 18:44:00 2017 GMT</not-valid-before>
   <not-valid-after>Jun  9 18:44:00 2017 GMT</not-valid-after>
   <expired>false</expired>
  </certificate>
 </ssltest>
</document>
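
An added example (not from the original post or the sslscan project): a Python check that reads a report in the XML layout shown above and lists deviations from the criteria the post applies, namely SSLv3, RC4 or 3DES, ciphers without DHE/ECDHE, and weak DH groups. The sample report, the host legacy.example, the 2048-bit thresholds and the function name audit are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed report in the XML layout shown above (host and values are made up).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<document title="SSLScan Results">
 <ssltest host="legacy.example" sniname="legacy.example" port="443">
  <renegotiation supported="1" secure="0" />
  <compression supported="1" />
  <heartbleed sslversion="TLSv1.0" vulnerable="0" />
  <cipher status="preferred" sslversion="TLSv1.0" bits="256" cipher="DHE-RSA-AES256-SHA" id="0x39" dhebits="1024" />
  <cipher status="accepted" sslversion="TLSv1.0" bits="128" cipher="RC4-SHA" id="0x05" />
  <cipher status="accepted" sslversion="SSLv3" bits="112" cipher="DES-CBC3-SHA" id="0x0A" />
  <certificate>
   <pk error="false" type="RSA" bits="1024" />
   <expired>true</expired>
  </certificate>
 </ssltest>
</document>"""

# Assumed policy, not sslscan defaults: adjust to the local baseline.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_TOKENS = {"RC4", "DES", "NULL", "EXP", "MD5"}  # DES also covers DES-CBC3 (3DES)
PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")
MIN_DH_BITS, MIN_RSA_BITS = 2048, 2048


def audit(xml_text):
    """Return sorted (target, finding) pairs for every <ssltest> in a report."""
    found = set()
    for test in ET.fromstring(xml_text.strip()).iter("ssltest"):
        target = "%s:%s" % (test.get("host"), test.get("port"))
        for r in test.iter("renegotiation"):
            if r.get("supported") == "1" and r.get("secure") != "1":
                found.add((target, "insecure renegotiation"))
        for c in test.iter("compression"):
            if c.get("supported") == "1":
                found.add((target, "TLS compression enabled (CRIME)"))
        for h in test.iter("heartbleed"):
            if h.get("vulnerable") == "1":
                found.add((target, "Heartbleed on " + h.get("sslversion", "?")))
        for c in test.iter("cipher"):
            name, proto = c.get("cipher", ""), c.get("sslversion", "")
            if proto in WEAK_PROTOCOLS:
                found.add((target, proto + " enabled"))
            if WEAK_TOKENS & set(name.split("-")):
                found.add((target, "weak cipher " + name))
            if not name.startswith(PFS_PREFIXES):
                found.add((target, "no forward secrecy: " + name))
            if int(c.get("dhebits", MIN_DH_BITS)) < MIN_DH_BITS:
                found.add((target, "DH group under %d bits: %s" % (MIN_DH_BITS, name)))
        for cert in test.iter("certificate"):
            pk = cert.find("pk")
            if pk is not None and pk.get("type") == "RSA":
                bits = int(pk.get("bits", MIN_RSA_BITS))
                if bits < MIN_RSA_BITS:
                    found.add((target, "RSA key of %d bits" % bits))
            if cert.findtext("expired") == "true":
                found.add((target, "certificate expired"))
    return sorted(found)
```

To use it on real results, write a report with `./sslscan --xml=scan.xml host` and pass the file's contents to `audit()`; an empty list means the report met every check.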

