sslscan
To check that a server (web or otherwise) using SSL is correctly configured, there is of course the Qualys SSL Labs site; however, it can only be used if the server is reachable from the internet in one way or another.
sslscan performs this check locally, and faster (since one does not necessarily need all the information provided by the SSL Labs test).
sslscan uses a customised OpenSSL library so that it can still use obsolete protocols and algorithms to carry out its tests. This is why it is usually compiled statically, which also makes it easy to move around (since there is only one executable). It is therefore easy to compile it on a machine that has internet access and build tools (which is normally not the case for production machines) and then use it elsewhere.
Compiling sslscan:
    git clone https://github.com/rbsec/sslscan
    cd sslscan
    make static
Below is an sslscan test of the server u03.fr. The test shows that only TLSv1.0, TLSv1.1 and TLSv1.2 are available (which is good), and only high-strength encryption algorithms; all the cipher suites use DHE or ECDHE and therefore provide PFS, which is what earns an A on the Qualys SSL Labs test (see also my post "A+"):
    ./sslscan u03.fr
    Version: 1.11.10-rbsec-7-g3fe5d00-static
    OpenSSL 1.0.2-chacha (1.0.2g-dev)

    Testing SSL server u03.fr on port 443 using SNI name u03.fr

      TLS Fallback SCSV:
    Server supports TLS Fallback SCSV

      TLS renegotiation:
    Secure session renegotiation supported

      TLS Compression:
    Compression disabled

      Heartbleed:
    TLS 1.2 not vulnerable to heartbleed
    TLS 1.1 not vulnerable to heartbleed
    TLS 1.0 not vulnerable to heartbleed

      Supported Server Cipher(s):
    Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
    Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384       Curve P-256 DHE 256
    Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
    Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 4096 bits
    Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA256         DHE 4096 bits
    Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA            DHE 4096 bits
    Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
    Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256     DHE 4096 bits
    Preferred TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
    Accepted  TLSv1.1  256 bits  DHE-RSA-AES256-SHA            DHE 4096 bits
    Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
    Accepted  TLSv1.0  256 bits  DHE-RSA-AES256-SHA            DHE 4096 bits

      SSL Certificate:
    Signature Algorithm: sha256WithRSAEncryption
    RSA Key Strength:    4096

    Subject:  u03.fr
    Altnames: DNS:blog.chezfanny.me, DNS:blog.u03.fr, DNS:chezfanny.me, DNS:photos.u03.fr, DNS:u03.fr, DNS:www.chezfanny.me, DNS:www.u03.fr
    Issuer:   Let's Encrypt Authority X3

    Not valid before: Mar 11 18:44:00 2017 GMT
    Not valid after:  Jun 9 18:44:00 2017 GMT
Conversely, here is a badly configured site: it still allows SSLv3, as well as a weak encryption algorithm (RC4), and that is bad…
      Supported Server Cipher(s):
    Preferred TLSv1.0  256 bits  DHE-RSA-AES256-SHA            DHE 1024 bits
    Accepted  TLSv1.0  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 1024 bits
    Accepted  TLSv1.0  256 bits  AES256-SHA
    Accepted  TLSv1.0  256 bits  CAMELLIA256-SHA
    Accepted  TLSv1.0  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits
    Accepted  TLSv1.0  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 1024 bits
    Accepted  TLSv1.0  128 bits  AES128-SHA
    Accepted  TLSv1.0  128 bits  CAMELLIA128-SHA
    Accepted  TLSv1.0  128 bits  RC4-SHA
    Accepted  TLSv1.0  112 bits  EDH-RSA-DES-CBC3-SHA          DHE 1024 bits
    Accepted  TLSv1.0  112 bits  DES-CBC3-SHA
    Preferred SSLv3    256 bits  DHE-RSA-AES256-SHA            DHE 1024 bits
    Accepted  SSLv3    256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 1024 bits
    Accepted  SSLv3    256 bits  AES256-SHA
    Accepted  SSLv3    256 bits  CAMELLIA256-SHA
    Accepted  SSLv3    128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits
    Accepted  SSLv3    128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 1024 bits
    Accepted  SSLv3    128 bits  AES128-SHA
    Accepted  SSLv3    128 bits  CAMELLIA128-SHA
    Accepted  SSLv3    128 bits  RC4-SHA
    Accepted  SSLv3    112 bits  EDH-RSA-DES-CBC3-SHA          DHE 1024 bits
    Accepted  SSLv3    112 bits  DES-CBC3-SHA
It is also possible to retrieve the server's SSL certificate:
    ./sslscan --show-certificate google.com
    ~~~
      SSL Certificate:
        Certificate blob: [PEM certificate omitted]
        Version: 2
        Serial Number: 60:01:f7:b0:08:a7:40:5b
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=US/O=Google Inc/CN=Google Internet Authority G2
        Not valid before: May 16 13:58:43 2017 GMT
        Not valid after: Aug 8 13:40:00 2017 GMT
        Subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
        Public Key Algorithm: rsaEncryption
        RSA Public Key: (2048 bit)
          Public-Key: (2048 bit)
          Modulus: [omitted]
          Exponent: 65537 (0x10001)
        X509v3 Extensions:
          X509v3 Extended Key Usage:
            TLS Web Server Authentication, TLS Web Client Authentication
          X509v3 Subject Alternative Name:
            DNS:*.google.com, DNS:*.android.com, DNS:*.appengine.google.com, DNS:*.cloud.google.com, DNS:*.gcp.gvt2.com, DNS:*.google-analytics.com, DNS:*.google.ca, DNS:*.google.cl, DNS:*.google.co.in, DNS:*.google.co.jp, DNS:*.google.co.uk, DNS:*.google.com.ar, DNS:*.google.com.au, DNS:*.google.com.br, DNS:*.google.com.co, DNS:*.google.com.mx, DNS:*.google.com.tr, DNS:*.google.com.vn, DNS:*.google.de, DNS:*.google.es, DNS:*.google.fr, DNS:*.google.hu, DNS:*.google.it, DNS:*.google.nl, DNS:*.google.pl, DNS:*.google.pt, DNS:*.googleadapis.com, DNS:*.googleapis.cn, DNS:*.googlecommerce.com, DNS:*.googlevideo.com, DNS:*.gstatic.cn, DNS:*.gstatic.com, DNS:*.gvt1.com, DNS:*.gvt2.com, DNS:*.metric.gstatic.com, DNS:*.urchin.com, DNS:*.url.google.com, DNS:*.youtube-nocookie.com, DNS:*.youtube.com, DNS:*.youtubeeducation.com, DNS:*.ytimg.com, DNS:android.clients.google.com, DNS:android.com, DNS:developer.android.google.cn, DNS:developers.android.google.cn, DNS:g.co, DNS:goo.gl, DNS:google-analytics.com, DNS:google.com, DNS:googlecommerce.com, DNS:source.android.google.cn, DNS:urchin.com, DNS:www.goo.gl, DNS:youtu.be, DNS:youtube.com, DNS:youtubeeducation.com
          Authority Information Access:
            CA Issuers - URI:http://pki.google.com/GIAG2.crt
            OCSP - URI:http://clients1.google.com/ocsp
          X509v3 Subject Key Identifier:
            6B:F5:6B:45:E5:4F:79:4E:72:05:BD:45:A9:E5:81:65:19:22:D6:82
          X509v3 Basic Constraints: critical
            CA:FALSE
          X509v3 Authority Key Identifier:
            keyid:4A:DD:06:16:1B:BC:F6:68:B5:76:F5:81:B6:BB:62:1A:BA:5A:81:2F
          X509v3 Certificate Policies:
            Policy: 1.3.6.1.4.1.11129.2.5.1
            Policy: 2.23.140.1.2.2
          X509v3 CRL Distribution Points:
            Full Name:
              URI:http://pki.google.com/GIAG2.crl
      Verify Certificate:
        unable to get local issuer certificate

      SSL Certificate:
    Signature Algorithm: sha256WithRSAEncryption
    RSA Key Strength:    2048

    Subject:  *.google.com
    Altnames: DNS:*.google.com, DNS:*.android.com, DNS:*.appengine.google.com, DNS:*.cloud.google.com, DNS:*.gcp.gvt2.com, DNS:*.google-analytics.com, DNS:*.google.ca, DNS:*.google.cl, DNS:*.google.co.in, DNS:*.google.co.jp, DNS:*.google.co.uk, DNS:*.google.com.ar, DNS:*.google.com.au, DNS:*.google.com.br, DNS:*.google.com.co, DNS:*.google.com.mx, DNS:*.google.com.tr, DNS:*.google.com.vn, DNS:*.google.de, DNS:*.google.es, DNS:*.google.fr, DNS:*.google.hu, DNS:*.google.it, DNS:*.google.nl, DNS:*.google.pl, DNS:*.google.pt, DNS:*.googleadapis.com, DNS:*.googleapis.cn, DNS:*.googlecommerce.com, DNS:*.googlevideo.com, DNS:*.gstatic.cn, DNS:*.gstatic.com, DNS:*.gvt1.com, DNS:*.gvt2.com, DNS:*.metric.gstatic.com, DNS:*.urchin.com, DNS:*.url.google.com, DNS:*.youtube-nocookie.com, DNS:*.youtube.com, DNS:*.youtubeeducation.com, DNS:*.ytimg.com, DNS:android.clients.google.com, DNS:android.com, DNS:developer.android.google.cn, DNS:developers.android.google.cn, DNS:g.co, DNS:goo.gl, DNS:google-analytics.com, DNS:google.com, DNS:googlecommerce.com, DNS:source.android.google.cn, DNS:urchin.com, DNS:www.goo.gl, DNS:youtu.be, DNS:youtube.com, DNS:youtubeeducation.com
    Issuer:   Google Internet Authority G2

    Not valid before: May 16 13:58:43 2017 GMT
    Not valid after:  Aug 8 13:40:00 2017 GMT
sslscan has many options which make it possible, for example, to scan a list of servers or to get the result as XML, which allows tests to be automated:
    ./sslscan
                       _
               ___ ___| |___  ___ __ _ _ __
              / __/ __| / __|/ __/ _` | '_ \
              \__ \__ \ \__ \ (_| (_| | | | |
              |___/___/_|___/\___\__,_|_| |_|

            1.11.10-rbsec-7-g3fe5d00-static
            OpenSSL 1.0.2-chacha (1.0.2g-dev)

    Command:
      ./sslscan [Options] [host:port | host]

    Options:
      --targets=<file>       A file containing a list of hosts to check.
                             Hosts can be supplied with ports (host:port)
      --sni-name=<name>      Hostname for SNI
      --ipv4                 Only use IPv4
      --ipv6                 Only use IPv6
      --show-certificate     Show full certificate information
      --no-check-certificate Don't warn about weak certificate algorithm or keys
      --show-client-cas      Show trusted CAs for TLS client auth
      --show-ciphers         Show supported client ciphers
      --show-cipher-ids      Show cipher ids
      --show-times           Show handhake times in milliseconds
      --ssl2                 Only check SSLv2 ciphers
      --ssl3                 Only check SSLv3 ciphers
      --tls10                Only check TLSv1.0 ciphers
      --tls11                Only check TLSv1.1 ciphers
      --tls12                Only check TLSv1.2 ciphers
      --tlsall               Only check TLS ciphers (all versions)
      --ocsp                 Request OCSP response from server
      --pk=<file>            A file containing the private key or a PKCS#12 file
                             containing a private key/certificate pair
      --pkpass=<password>    The password for the private key or PKCS#12 file
      --certs=<file>         A file containing PEM/ASN1 formatted client certificates
      --no-ciphersuites      Do not check for supported ciphersuites
      --no-fallback          Do not check for TLS Fallback SCSV
      --no-renegotiation     Do not check for TLS renegotiation
      --no-compression       Do not check for TLS compression (CRIME)
      --no-heartbleed        Do not check for OpenSSL Heartbleed (CVE-2014-0160)
      --starttls-ftp         STARTTLS setup for FTP
      --starttls-imap        STARTTLS setup for IMAP
      --starttls-irc         STARTTLS setup for IRC
      --starttls-ldap        STARTTLS setup for LDAP
      --starttls-pop3        STARTTLS setup for POP3
      --starttls-smtp        STARTTLS setup for SMTP
      --starttls-mysql       STARTTLS setup for MYSQL
      --starttls-xmpp        STARTTLS setup for XMPP
      --starttls-psql        STARTTLS setup for PostgreSQL
      --xmpp-server          Use a server-to-server XMPP handshake
      --http                 Test a HTTP connection
      --rdp                  Send RDP preamble before starting scan
      --bugs                 Enable SSL implementation bug work-arounds
      --timeout=<sec>        Set socket timeout. Default is 3s
      --sleep=<msec>         Pause between connection request. Default is disabled
      --xml=<file>           Output results to an XML file
                             <file> can be -, which means stdout
      --version              Display the program version
      --verbose              Display verbose output
      --no-cipher-details    Disable EC curve names and EDH/RSA key lengths output
      --no-colour            Disable coloured output
      --help                 Display the help text you are now reading

    Example:
      ./sslscan 127.0.0.1
      ./sslscan [::1]
Here is an example of the XML output:
    ./sslscan --xml=- u03.fr
    <?xml version="1.0" encoding="UTF-8"?>
    <document title="SSLScan Results" version="1.11.10-rbsec-7-g3fe5d00-static" web="http://github.com/rbsec/sslscan">
     <ssltest host="u03.fr" sniname="u03.fr" port="443">
      <renegotiation supported="1" secure="1" />
      <compression supported="0" />
      <heartbleed sslversion="TLSv1.2" vulnerable="0" />
      <heartbleed sslversion="TLSv1.1" vulnerable="0" />
      <heartbleed sslversion="TLSv1.0" vulnerable="0" />
      <cipher status="preferred" sslversion="TLSv1.2" bits="256" cipher="ECDHE-RSA-AES256-GCM-SHA384" id="0xC030" curve="P-256" ecdhebits="256" />
      <cipher status="accepted" sslversion="TLSv1.2" bits="256" cipher="ECDHE-RSA-AES256-SHA384" id="0xC028" curve="P-256" ecdhebits="256" />
      <cipher status="accepted" sslversion="TLSv1.2" bits="256" cipher="ECDHE-RSA-AES256-SHA" id="0xC014" curve="P-256" ecdhebits="256" />
      <cipher status="accepted" sslversion="TLSv1.2" bits="256" cipher="DHE-RSA-AES256-GCM-SHA384" id="0x9F" dhebits="4096" />
      <cipher status="accepted" sslversion="TLSv1.2" bits="256" cipher="DHE-RSA-AES256-SHA256" id="0x6B" dhebits="4096" />
      <cipher status="accepted" sslversion="TLSv1.2" bits="256" cipher="DHE-RSA-AES256-SHA" id="0x39" dhebits="4096" />
      <cipher status="accepted" sslversion="TLSv1.2" bits="128" cipher="ECDHE-RSA-AES128-GCM-SHA256" id="0xC02F" curve="P-256" ecdhebits="256" />
      <cipher status="accepted" sslversion="TLSv1.2" bits="128" cipher="DHE-RSA-AES128-GCM-SHA256" id="0x9E" dhebits="4096" />
      <cipher status="preferred" sslversion="TLSv1.1" bits="256" cipher="ECDHE-RSA-AES256-SHA" id="0xC014" curve="P-256" ecdhebits="256" />
      <cipher status="accepted" sslversion="TLSv1.1" bits="256" cipher="DHE-RSA-AES256-SHA" id="0x39" dhebits="4096" />
      <cipher status="preferred" sslversion="TLSv1.0" bits="256" cipher="ECDHE-RSA-AES256-SHA" id="0xC014" curve="P-256" ecdhebits="256" />
      <cipher status="accepted" sslversion="TLSv1.0" bits="256" cipher="DHE-RSA-AES256-SHA" id="0x39" dhebits="4096" />
      <certificate>
       <signature-algorithm>sha256WithRSAEncryption</signature-algorithm>
       <pk error="false" type="RSA" bits="4096" />
       <subject><![CDATA[u03.fr]]></subject>
       <altnames><![CDATA[DNS:blog.chezfanny.me, DNS:blog.u03.fr, DNS:chezfanny.me, DNS:photos.u03.fr, DNS:u03.fr, DNS:www.chezfanny.me, DNS:www.u03.fr]]></altnames>
       <issuer><![CDATA[Let's Encrypt Authority X3]]></issuer>
       <self-signed>false</self-signed>
       <not-valid-before>Mar 11 18:44:00 2017 GMT</not-valid-before>
       <not-valid-after>Jun 9 18:44:00 2017 GMT</not-valid-after>
       <expired>false</expired>
      </certificate>
     </ssltest>
    </document>
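The automation mentioned above, as an added example that is not part of the original post or of sslscan itself: a Python script that reads an sslscan XML report and lists the weaknesses discussed on this page (SSLv3, RC4 or DES-based suites, suites without DHE/ECDHE, small DHE groups, Heartbleed, compression, expired certificate). The sample report, its host name `legacy.example`, the name-matching rules and the 2048-bit DHE threshold are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the XML layout shown above (placeholder host, not a real scan).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<document title="SSLScan Results">
 <ssltest host="legacy.example" sniname="legacy.example" port="443">
  <compression supported="0" />
  <heartbleed sslversion="TLSv1.0" vulnerable="0" />
  <cipher status="preferred" sslversion="TLSv1.0" bits="256" cipher="DHE-RSA-AES256-SHA" id="0x39" dhebits="1024" />
  <cipher status="accepted" sslversion="TLSv1.0" bits="128" cipher="RC4-SHA" id="0x05" />
  <cipher status="accepted" sslversion="SSLv3" bits="112" cipher="DES-CBC3-SHA" id="0x0A" />
  <certificate>
   <expired>false</expired>
  </certificate>
 </ssltest>
</document>"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")  # substrings of OpenSSL suite names
MIN_DHE_BITS = 2048                                  # policy threshold assumed for this example

def audit(xml_text):
    """Return a sorted list of (host, finding) tuples for one sslscan XML report."""
    findings = set()
    for test in ET.fromstring(xml_text).iter("ssltest"):
        host = f'{test.get("host")}:{test.get("port")}'
        for hb in test.iter("heartbleed"):
            if hb.get("vulnerable") == "1":
                findings.add((host, f'heartbleed on {hb.get("sslversion")}'))
        if any(c.get("supported") == "1" for c in test.iter("compression")):
            findings.add((host, "TLS compression enabled"))
        for c in test.iter("cipher"):
            name, proto = c.get("cipher", ""), c.get("sslversion", "")
            if proto in WEAK_PROTOCOLS:
                findings.add((host, f"protocol {proto} accepted"))
            if any(m in name for m in WEAK_MARKERS):
                findings.add((host, f"weak cipher {name}"))
            if not name.startswith(("DHE-", "ECDHE-", "EDH-")):
                findings.add((host, f"no forward secrecy: {name}"))
            dhe = c.get("dhebits")
            if dhe and int(dhe) < MIN_DHE_BITS:
                findings.add((host, f"DHE group {dhe} bits"))
        if any(e.text == "true" for e in test.iter("expired")):
            findings.add((host, "certificate expired"))
    return sorted(findings)

if __name__ == "__main__":
    for host, finding in audit(SAMPLE_XML):
        print(f"{host}\t{finding}")
```

To audit a real scan, pass the contents of the file written with `--xml=<file>` to `audit()`; a report produced with `--targets=<file>` is handled the same way, since every `ssltest` element is checked.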