Openssl Testing Cheat Sheet
25 | 23 Aug 2015Check the Signing Algorithms
Sha1 on it's own is now considered insecure, the following will pring out the algorithm used.
mike@mike-laptop3:~/git/ssl/src$ openssl s_client -showcerts -connect secure.mikejonesey.co.uk:443 /dev/null| tr "n" "~" | sed 's/END CERTIFICATE-----~/END CERTIFICATE-----n/g' | grep "CERTIFICATE" | while read al; do crt=$(echo "$al" | tr "~" "n" | openssl x509 -noout -text); crt_cname=$(echo "$crt" | grep "Subject: .*CN=" | grep -o "CN=[a-zA-Z0-9. ]*" | sed 's/CN=//'); crt_alg=$(echo "$crt" | head -6 | grep "Signature Algorithm" | sed 's/.* //'); echo -e "$crt_cnamen $crt_alg"; done
secure.mikejonesey.co.uk
sha256WithRSAEncryption
COMODO RSA Certification Authority
sha384WithRSAEncryption
COMODO RSA Domain Validation Secure Server CA
sha384WithRSAEncryption
Check the Certificate's date Validity
the following can be used to simpley print out the dates each of your chain of certificates has, you could also easily update to print out an integer of days valid, and days remaining allowing for easy alerting.
openssl s_client -showcerts -connect secure.mikejonesey.co.uk:443 /dev/null| tr "n" "~" | sed 's/END CERTIFICATE-----~/END CERTIFICATE-----n/g' | grep "CERTIFICATE" | while read al; do crt=$(echo "$al" | tr "~" "n" | openssl x509 -noout -text); crt_cname=$(echo "$crt" | grep "Subject: .*CN=" | grep -o "CN=[a-zA-Z0-9. ]*" | sed 's/CN=//'); mydata=$(echo "$crt" | grep "Validity" -A 2); echo -e "$crt_cnamen $mydata"; done
secure.mikejonesey.co.uk
Validity
Not Before: Apr 6 00:00:00 2015 GMT
Not After : Apr 5 23:59:59 2018 GMT
COMODO RSA Certification Authority
Validity
Not Before: May 30 10:48:38 2000 GMT
Not After : May 30 10:48:38 2020 GMT
COMODO RSA Domain Validation Secure Server CA
Validity
Not Before: Feb 12 00:00:00 2014 GMT
Not After : Feb 11 23:59:59 2029 GMT
Check for Poodle Vulnerability (Support for SSLv3)
Ensuring SSLv3 is switched off on your server can be achieved using the following.
mike@mike-laptop3:~/git/ssl/src$ openssl s_client -connect secure.mikejonesey.co.uk:443 -ssl3 2>&1 | grep "handshake failure"
140602235258512:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1294:SSL alert number 40
140602235258512:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:618:
Check for the EXPORT cipher
The export cipher is now considered insecure.
mike@mike-laptop3:~/git/ssl/src$ openssl s_client -connect secure.mikejonesey.co.uk:443 -cipher EXPORT &1 | grep "handshake failure"
139776399570576:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
Check for the RC4 cipher
RC4 is also now considered insecure.
mike@mike-laptop3:~/git/ssl/src$ openssl s_client -connect secure.mikejonesey.co.uk:443 -cipher RC4 &1 | grep "handshake failure"
139776399570576:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
Full Testing Script
Putting all little bits of info together into a script; this is useful in combination with a mail client or monitoring agent like zabbix that can notify of issues. Especially if you have a large number of sites to manage.
I've also added support for browser compatibility tests, this enables you to clearly identify which web browser / programs will be able to communicate securley with your server.
Download Link: https://secure.mikejonesey.co.uk/downloads?name=ssl-check.sh
Pgp code sig: https://secure.mikejonesey.co.uk/downloads?name=ssl-check.sh.sig
#!/bin/bash
if [ -n "$1" ]; then
domainname=$1
else
read -p "Enter the fqdn: " domainname
fi
printf "e[0;37m"
pfs_ciphers="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-SHA256"
function checkClient(){
domainname="$1"
clientname="$2"
goodcipher_list="$3"
badcipher_list="$4"
client_test=$(openssl s_client -connect $domainname:443 -tls1 -cipher "$goodcipher_list:$badcipher_list" &1)
cipherUsed=$(echo "$client_test" | grep "New, TLSv1/SSLv3, Cipher is .*" | sed 's/.*Cipher is //')
if [ -z "$cipherUsed" ]; then
echo -e "e[0;31m $clientname: NOe[0;37m"
elif [[ $badcipher_list == *$cipherUsed* ]]; then
echo -e "e[0;31m $clientname: NO - only supports weak cipherse[0;37m"
elif [[ $goodcipher_list == *$cipherUsed* ]]; then
if [[ $pfs_ciphers != *$cipherUsed* ]]; then
echo -e "e[0;32m $clientname: YES : $cipherUsede[0;37m"
else
echo -e "e[0;32m $clientname: YES : $cipherUsed : PFSe[0;37m"
fi
fi
}
function checkPfsCipher(){
domainname="$1"
# Support for > 1024 bit keys
#ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
#ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
#ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
#ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
#DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
#DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
#ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
#ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
#ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
#ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
#DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
#DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
# Support for <= 1024 bit keys
#DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
#DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
#DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD
#DHE-DSS-AES128-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(128) Mac=SHA256
pfs_test=$(openssl s_client -connect $domainname:443 -cipher "$pfs_ciphers" &1)
if [ -n "$(echo "$pfs_test" | grep "error setting cipher list")" ]; then
echo "Local Testing node does not support pfs ciphers" >&2
return 1
elif [ -n "$(echo "$pfs_test" | grep "alert handshake failure")" ]; then
echo "Server being tested does not support pfs ciphers" >&2
return 1
elif [ -n "$(echo "$pfs_test" | grep "SSL handshake has read")" -a -n "$(echo "$pfs_test" | grep "New, TLSv1/SSLv3, Cipher is .*DSS.*")" ]; then
echo "Server being tested supports pfs but only using depriciated ciphers" >&2
echo "1024 bit"
return 2
elif [ -n "$(echo "$pfs_test" | grep "SSL handshake has read")" ]; then
cipherUsed=$(echo "$pfs_test" | grep "New, TLSv1/SSLv3, Cipher is .*" | sed 's/.*Cipher is //')
echo "$cipherUsed"
return 0
fi
return 3
}
function checkDomain(){
domainname="$1"
connection=$(openssl s_client -showcerts -connect $domainname:443 /dev/null)
echo "$connection"|tr "n" "~"|sed 's/END CERTIFICATE-----~/END CERTIFICATE-----n/g'|grep "CERTIFICATE"| while read al; do
crt=$(echo "$al" | tr "~" "n" | openssl x509 -noout -text)
crt_cname=$(echo "$crt" | grep "Subject: .*CN=" | grep -o "CN=[a-zA-Z0-9. ]*" | sed 's/CN=//')
echo "Certificate: $crt_cname"
crt_alg=$(echo "$crt" | head -6 | grep "Signature Algorithm" | sed 's/.* //')
if [ "$crt_alg" == "sha1WithRSAEncryption" ]; then
echo -e "e[0;31m Signature Algorithm: $crt_alge[0;37m"
else
echo -e "e[0;32m Signature Algorithm: $crt_alge[0;37m"
fi
echo " Validity:"
crt_date=$(echo "$crt" | grep "Validity" -A 2)
crt_date_nb=$(echo "$crt_date" | grep "Not Before")
crt_date_nb=$(echo ${crt_date_nb:24:24})
if [ "$(date -d "$crt_date_nb" +"%s")" -gt "$(date +"%s")" ]; then
echo -e "e[0;31m Not Before: $crt_date_nbe[0;37m"
else
echo -e "e[0;32m Not Before: $crt_date_nbe[0;37m"
fi
crt_date_nb=$(echo "$crt_date" | grep "Not After")
crt_date_nb=$(echo ${crt_date_nb:24:24})
if [ "$(date -d "$crt_date_nb" +"%s")" -lt "$(date +"%s")" ]; then
echo -e "e[0;31m Not After: $crt_date_nbe[0;37m"
else
echo -e "e[0;32m Not After: $crt_date_nbe[0;37m"
fi
echo
done
echo "Connection Details:"
pub_key_bit=$(echo "$connection" | grep -o "Server public key is [0-9]* bit" | sed 's/Server public key is ([0-9]*) bit/1/')
if [ "$pub_key_bit" -lt "2048" ]; then
echo -e "e[0;31m Pub key bits: $pub_key_bite[0;37m"
else
echo -e "e[0;32m Pub key bits: $pub_key_bite[0;37m"
fi
sec_reneg=$(echo "$connection" | grep "Secure Renegotiation IS supported")
if [ -z "$sec_reneg" ]; then
echo -e "e[0;31m Secure Renegotiation: NO SUPPORTe[0;37m"
else
echo -e "e[0;32m Secure Renegotiation: YESe[0;37m"
fi
pfsCipher=$(checkPfsCipher "$domainname")
if [ "$pfsCipher" == "1024 bit" ]; then
echo -e "e[0;31m Supports PFS: NO - bit limit 1024e[0;37m"
elif [ -z "$pfsCipher" -o "$pub_key_bit" -lt "2048" ]; then
echo -e "e[0;31m Supports PFS: NOe[0;37m"
else
echo -e "e[0;32m Supports PFS: YES : $pfsCipher : $pub_key_bite[0;37m"
fi
echo ""
echo "Client Support:"
##################################################
# Android 2.3.7
##################################################
#WEAK#SSL_RSA_WITH_RC4_128_MD5 - RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
#WEAK#SSL_RSA_WITH_RC4_128_SHA - RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
#TLS_RSA_WITH_AES_128_CBC_SHA - AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
#TLS_DHE_RSA_WITH_AES_128_CBC_SHA - DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
#TLS_DHE_DSS_WITH_AES_128_CBC_SHA - DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
#WEAK#SSL_RSA_WITH_3DES_EDE_CBC_SHA - DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
#WEAK#SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA - DHE-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
#WEAK#SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA - DHE-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
#WEAK#SSL_RSA_WITH_DES_CBC_SHA - DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
#WEAK#SSL_DHE_RSA_WITH_DES_CBC_SHA - DHE-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
#WEAK#SSL_DHE_DSS_WITH_DES_CBC_SHA - DHE-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
#WEAK#SSL_RSA_EXPORT_WITH_RC4_40_MD5 - EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
#WEAK#SSL_RSA_EXPORT_WITH_DES40_CBC_SHA - EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
#WEAK#SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - EXP-DHE-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
#WEAK#SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA - EXP-DHE-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
checkClient "$domainname" "Android 2.3.7" "AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA" "RC4-MD5:RC4-SHA:DES-CBC3-SHA:DHE-RSA-DES-CBC3-SHA:DHE-DSS-DES-CBC3-SHA:DES-CBC-SHA:DHE-RSA-DES-CBC-SHA:DHE-DSS-DES-CBC-SHA:EXP-RC4-MD5:EXP-DES-CBC-SHA:EXP-DHE-RSA-DES-CBC-SHA:EXP-DHE-DSS-DES-CBC-SHA"
##################################################
# Android 4.0.4
##################################################
# checkClient "$domainname" "Android 4.0.4" "" ""
##################################################
# Android 4.1.1
##################################################
# checkClient "$domainname" "Android 4.1.1" "" ""
##################################################
# Android 4.2.2
##################################################
# checkClient "$domainname" "Android 4.2.2" "" ""
##################################################
# Android 4.3
##################################################
# checkClient "$domainname" "Android 4.3" "" ""
##################################################
# Android 4.4.2
##################################################
# checkClient "$domainname" "Android 4.4.2" "" ""
##################################################
# Android 5.0.0
##################################################
# checkClient "$domainname" "Android 5.0.0" "" ""
##################################################
# Chrome 43 / OS X
##################################################
# checkClient "$domainname" "Chrome 43 / OS X" "" ""
##################################################
# Firefox 31 Win 7
##################################################
# checkClient "$domainname" "???" "" ""
##################################################
# Firefox 39 / OS X
##################################################
# checkClient "$domainname" "???" "" ""
##################################################
# Firefox 40 / Linux
##################################################
#0xC0,0x2B - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
#0xC0,0x2F - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
#0xC0,0x0A - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
#0xC0,0x09 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - ECDHE-ECDSA-AES128-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
#0xC0,0x13 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
#0xC0,0x14 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
#0x00,0x33 - TLS_DHE_RSA_WITH_AES_128_CBC_SHA - DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
#0x00,0x39 - TLS_DHE_RSA_WITH_AES_256_CBC_SHA - DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
#0x00,0x2F - TLS_RSA_WITH_AES_128_CBC_SHA - AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
#0x00,0x35 - TLS_RSA_WITH_AES_256_CBC_SHA - AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
#0x00,0x0A - SSL_RSA_WITH_3DES_EDE_CBC_SHA - DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
checkClient "$domainname" "Firefox 40 / Linux" "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA" ""
##################################################
# Googlebot Feb 2015
##################################################
# checkClient "$domainname" "Googlebot Feb 2015" "" ""
##################################################
# IE 6 / XP
##################################################
# checkClient "$domainname" "IE 6 / XP" "" ""
##################################################
# IE 7 / Vista
##################################################
# checkClient "$domainname" "IE 7 / Vista" "" ""
##################################################
# IE 8 / XP
##################################################
# checkClient "$domainname" "IE 8 / XP " "" ""
##################################################
# IE 8-10 / Win 7
##################################################
# checkClient "$domainname" "IE 8-10 / Win 7" "" ""
##################################################
# IE 11 / Win 7
##################################################
# checkClient "$domainname" "IE 11 / Win 7" "" ""
##################################################
# IE 11 / Win 8.1
##################################################
# checkClient "$domainname" "IE 11 / Win 8.1" "" ""
##################################################
# IE 10 / Win Phone 8.0
##################################################
# checkClient "$domainname" "IE 10 / Win Phone 8.0" "" ""
##################################################
# IE 11 / Win Phone 8.1
##################################################
# checkClient "$domainname" "IE 11 / Win Phone 8.1" "" ""
##################################################
# IE 11 / Win Phone 8.1 Update
##################################################
# checkClient "$domainname" "IE 11 / Win Phone 8.1 Update" "" ""
##################################################
# Edge 12 / Win 10 (Build 10130)
##################################################
# checkClient "$domainname" "Edge 12 / Win 10 (Build 10130) " "" ""
##################################################
# Java 6u45
##################################################
# checkClient "$domainname" "Java 6u45 " "" ""
##################################################
# Java 7u25
##################################################
# checkClient "$domainname" "Java 7u25" "" ""
##################################################
# Java 8u31
##################################################
# checkClient "$domainname" "Java 8u31" "" ""
##################################################
# OpenSSL 0.9.8y
##################################################
# checkClient "$domainname" "OpenSSL 0.9.8y" "" ""
##################################################
# OpenSSL 1.0.1l
##################################################
# checkClient "$domainname" "OpenSSL 1.0.1l " "" ""
##################################################
# OpenSSL 1.0.2
##################################################
# checkClient "$domainname" "OpenSSL 1.0.2 " "" ""
##################################################
# Safari 5.1.9 / OS X 10.6.8
##################################################
# checkClient "$domainname" "Safari 5.1.9 / OS X 10.6.8" "" ""
##################################################
# Safari 6 / iOS 6.0.1
##################################################
# checkClient "$domainname" "Safari 6 / iOS 6.0.1" "" ""
##################################################
# Safari 6.0.4 / OS X 10.8.4
##################################################
# checkClient "$domainname" "Safari 6.0.4 / OS X 10.8.4" "" ""
##################################################
# Safari 7 / iOS 7.1
##################################################
# checkClient "$domainname" "Safari 7 / iOS 7.1 " "" ""
##################################################
# Safari 7 / OS X 10.9
##################################################
# checkClient "$domainname" "Safari 7 / OS X 10.9" "" ""
##################################################
# Safari 8 / iOS 8.4
##################################################
# checkClient "$domainname" "Safari 8 / iOS 8.4" "" ""
##################################################
# Safari 8 / OS X 10.10
##################################################
# checkClient "$domainname" "Safari 8 / OS X 10.10" "" ""
##################################################
# Yahoo Slurp Jan 2015
##################################################
# checkClient "$domainname" "Yahoo Slurp Jan 2015" "" ""
# checkClient "$domainname" "Android 2.3.7" "" ""
# checkClient "$domainname" "Android 2.3.7" "" ""
# checkClient "$domainname" "Android 2.3.7" "" ""
# checkClient "$domainname" "Android 2.3.7" "" ""
# checkClient "$domainname" "Android 2.3.7" "" ""
}
checkDomain "$domainname"
Sample Output
mike@mike-laptop3:~/work/ssl-check$ ./ssl-check.sh secure.mikejonesey.co.uk
Certificate: secure.mikejonesey.co.uk
Signature Algorithm: sha256WithRSAEncryption
Validity:
Not Before: Apr 6 00:00:00 2015 GMT
Not After: Apr 5 23:59:59 2018 GMT
Certificate: COMODO RSA Certification Authority
Signature Algorithm: sha384WithRSAEncryption
Validity:
Not Before: May 30 10:48:38 2000 GMT
Not After: May 30 10:48:38 2020 GMT
Certificate: COMODO RSA Domain Validation Secure Server CA
Signature Algorithm: sha384WithRSAEncryption
Validity:
Not Before: Feb 12 00:00:00 2014 GMT
Not After: Feb 11 23:59:59 2029 GMT
Connection Details:
Pub key bits: 2048
Secure Renegotiation: YES
Supports PFS: YES : ECDHE-RSA-AES256-GCM-SHA384 : 2048
Client Support:
Android 2.3.7: YES : DHE-RSA-AES128-SHA : PFS
Firefox 40 / Linux: YES : ECDHE-RSA-AES256-SHA : PFS
Git Updates
I plan to update the browser client support in free time, for updates see my git repo;
git clone https://github.com/mikejonesey/ssl-checker.git
