#2 sslyze [4]
$ apt install python-pip
$ pip install --upgrade setuptools
$ pip install --upgrade sslyze
$ python -m sslyze --regular 10.253.194.151:443
AVAILABLE PLUGINS
-----------------
OpenSslCcsInjectionPlugin
CompressionPlugin
HeartbleedPlugin
OpenSslCipherSuitesPlugin
SessionRenegotiationPlugin
FallbackScsvPlugin
SessionResumptionPlugin
HttpHeadersPlugin
RobotPlugin
CertificateInfoPlugin
CHECKING HOST(S) AVAILABILITY
-----------------------------
10.253.194.151:443 => 10.253.194.151
SCAN RESULTS FOR 10.253.194.151:443 - 10.253.194.151
----------------------------------------------------
* OpenSSL CCS Injection:
OK - Not vulnerable to OpenSSL CCS injection
* Session Renegotiation:
Client-initiated Renegotiation: OK - Rejected
Secure Renegotiation: OK - Supported
* OpenSSL Heartbleed:
OK - Not vulnerable to Heartbleed
* Resumption Support:
With Session IDs: OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
With TLS Tickets: NOT SUPPORTED - TLS ticket not assigned.
* SSLV3 Cipher Suites:
Server rejected all cipher suites.
* TLSV1 Cipher Suites:
Server rejected all cipher suites.
* SSLV2 Cipher Suites:
Server rejected all cipher suites.
* TLSV1_3 Cipher Suites:
Server rejected all cipher suites.
* Downgrade Attacks:
TLS_FALLBACK_SCSV: OK - Supported
* TLSV1_2 Cipher Suites:
Forward Secrecy OK - Supported
RC4 OK - Not Supported
Preferred:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH-256 bits 256 bits HTTP 200 OK
Accepted:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 DH-2048 bits 256 bits HTTP 200 OK
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits HTTP 200 OK
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH-256 bits 256 bits HTTP 200 OK
DHE_RSA_WITH_AES_256_CCM_8 - 256 bits HTTP 200 OK
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH-256 bits 256 bits HTTP 200 OK
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 DH-2048 bits 256 bits HTTP 200 OK
TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH-2048 bits 256 bits HTTP 200 OK
TLS_DHE_RSA_WITH_AES_256_CCM - 256 bits HTTP 200 OK
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH-256 bits 128 bits HTTP 200 OK
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 DH-2048 bits 128 bits HTTP 200 OK
* ROBOT Attack:
OK - Not vulnerable, RSA cipher suites not supported
* Deflate Compression:
OK - Compression disabled
* TLSV1_1 Cipher Suites:
Server rejected all cipher suites.
* Certificate Information:
Content
SHA1 Fingerprint:
79af5ab28acdf6c880cf5bd9da2a6acb4dfc46bf
Common Name: 10.253.194.151
Issuer: 10.253.194.151
Serial Number:
56128595917874360689874067407377294145249645142
Not Before: 2019-07-15 06:08:16
Not After: 2020-07-14 06:08:16
Signature Algorithm: sha256
Public Key Algorithm: RSA
Key Size: 2048
Exponent: 65537 (0x10001)
DNS Subject Alternative Names: []
Trust
Hostname Validation: OK - Certificate matches 10.253.194.151
Android CA Store (8.1.0_r9): FAILED - Certificate is NOT Trusted: self signed certificate
iOS CA Store (11): FAILED - Certificate is NOT Trusted: self signed certificate
Java CA Store (jre-10.0.2): FAILED - Certificate is NOT Trusted: self signed certificate
macOS CA Store (High Sierra): FAILED - Certificate is NOT Trusted: self signed certificate
Mozilla CA Store (2018-04-12): FAILED - Certificate is NOT Trusted: self signed certificate
Windows CA Store (2018-06-30): FAILED - Certificate is NOT Trusted: self signed certificate
Symantec 2018 Deprecation: OK - Not a Symantec-issued certificate
Received Chain: 10.253.194.151
Verified Chain: ERROR - Could not build verified chain (certificate untrusted?)
Received Chain Contains Anchor: ERROR - Could not build verified chain (certificate untrusted?)
Received Chain Order: OK - Order is valid
Verified Chain contains SHA1: ERROR - Could not build verified chain (certificate untrusted?)
Extensions
OCSP Must-Staple: NOT SUPPORTED - Extension not found
Certificate Transparency: NOT SUPPORTED - Extension not found
OCSP Stapling
NOT SUPPORTED - Server did not send back an OCSP response
SCAN COMPLETED IN 0.47 S
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3555
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-3389
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4929
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0169
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2566
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-3587
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-0160
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-0224
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3566
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-0204
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-2808
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-4000
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-0703
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-0800
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2183
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6329
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-9244
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1836329
Title:
Regression running ssllabs.com/ssltest causes 2 apache process to eat
up 100% cpu, easy DoS