Comment 5 for bug 1836329

Christian Ehrhardt  (paelzer) wrote :

#2 sslyze [4]
$ apt install python-pip
$ pip install --upgrade setuptools
$ pip install --upgrade sslyze
$ python -m sslyze --regular 10.253.194.151:443

 AVAILABLE PLUGINS
 -----------------

  OpenSslCcsInjectionPlugin
  CompressionPlugin
  HeartbleedPlugin
  OpenSslCipherSuitesPlugin
  SessionRenegotiationPlugin
  FallbackScsvPlugin
  SessionResumptionPlugin
  HttpHeadersPlugin
  RobotPlugin
  CertificateInfoPlugin

 CHECKING HOST(S) AVAILABILITY
 -----------------------------

   10.253.194.151:443 => 10.253.194.151

 SCAN RESULTS FOR 10.253.194.151:443 - 10.253.194.151
 ----------------------------------------------------

 * OpenSSL CCS Injection:
                                          OK - Not vulnerable to OpenSSL CCS injection

 * Session Renegotiation:
       Client-initiated Renegotiation: OK - Rejected
       Secure Renegotiation: OK - Supported

 * OpenSSL Heartbleed:
                                          OK - Not vulnerable to Heartbleed

 * Resumption Support:
      With Session IDs: OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
      With TLS Tickets: NOT SUPPORTED - TLS ticket not assigned.

 * SSLV3 Cipher Suites:
      Server rejected all cipher suites.

 * TLSV1 Cipher Suites:
      Server rejected all cipher suites.

 * SSLV2 Cipher Suites:
      Server rejected all cipher suites.

 * TLSV1_3 Cipher Suites:
      Server rejected all cipher suites.

 * Downgrade Attacks:
       TLS_FALLBACK_SCSV: OK - Supported

 * TLSV1_2 Cipher Suites:
       Forward Secrecy OK - Supported
       RC4 OK - Not Supported

     Preferred:
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH-256 bits 256 bits HTTP 200 OK
     Accepted:
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 DH-2048 bits 256 bits HTTP 200 OK
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits HTTP 200 OK
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH-256 bits 256 bits HTTP 200 OK
        DHE_RSA_WITH_AES_256_CCM_8 - 256 bits HTTP 200 OK
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH-256 bits 256 bits HTTP 200 OK
        TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 DH-2048 bits 256 bits HTTP 200 OK
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH-2048 bits 256 bits HTTP 200 OK
        TLS_DHE_RSA_WITH_AES_256_CCM - 256 bits HTTP 200 OK
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH-256 bits 128 bits HTTP 200 OK
        TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 DH-2048 bits 128 bits HTTP 200 OK

 * ROBOT Attack:
                                          OK - Not vulnerable, RSA cipher suites not supported

 * Deflate Compression:
                                          OK - Compression disabled

 * TLSV1_1 Cipher Suites:
      Server rejected all cipher suites.

 * Certificate Information:
     Content
       SHA1 Fingerprint: 79af5ab28acdf6c880cf5bd9da2a6acb4dfc46bf
       Common Name: 10.253.194.151
       Issuer: 10.253.194.151
       Serial Number: 56128595917874360689874067407377294145249645142
       Not Before: 2019-07-15 06:08:16
       Not After: 2020-07-14 06:08:16
       Signature Algorithm: sha256
       Public Key Algorithm: RSA
       Key Size: 2048
       Exponent: 65537 (0x10001)
       DNS Subject Alternative Names: []

     Trust
       Hostname Validation: OK - Certificate matches 10.253.194.151
       Android CA Store (8.1.0_r9): FAILED - Certificate is NOT Trusted: self signed certificate
       iOS CA Store (11): FAILED - Certificate is NOT Trusted: self signed certificate
       Java CA Store (jre-10.0.2): FAILED - Certificate is NOT Trusted: self signed certificate
       macOS CA Store (High Sierra): FAILED - Certificate is NOT Trusted: self signed certificate
       Mozilla CA Store (2018-04-12): FAILED - Certificate is NOT Trusted: self signed certificate
       Windows CA Store (2018-06-30): FAILED - Certificate is NOT Trusted: self signed certificate
       Symantec 2018 Deprecation: OK - Not a Symantec-issued certificate
       Received Chain: 10.253.194.151
       Verified Chain: ERROR - Could not build verified chain (certificate untrusted?)
       Received Chain Contains Anchor: ERROR - Could not build verified chain (certificate untrusted?)
       Received Chain Order: OK - Order is valid
       Verified Chain contains SHA1: ERROR - Could not build verified chain (certificate untrusted?)

     Extensions
       OCSP Must-Staple: NOT SUPPORTED - Extension not found
       Certificate Transparency: NOT SUPPORTED - Extension not found

     OCSP Stapling
                                          NOT SUPPORTED - Server did not send back an OCSP response

 SCAN COMPLETED IN 0.47 S