Let's Encrypt verbannt unverschlüsseltes Webhosting

Publiziert am von

Let's Encrypt ist mit dem Ziel angetreten, verschlüsselte Verbindungen zum Normalfall zu machen und das zum Nulltarif. Natürlich ist le-hosting.de ganz vorn mit dabei.

Unverschlüsselte Verbindungen gehören der Vergangenheit an und jeder Kunde kommt automatisch in den Genuß von gesicherten Verbindungen. Natürlich lass ich mir nicht die Butter vom Brot nehmen, le-hosting.de erreicht Bestwerte in Sicherheitstest bezüglich SSL/TLS:

SSL Server Test: der.internethering.de: Note A+

testssl.sh-Protokol

Für die Techniker unter uns habe ich ein Prüfprotokol der Software testssl.sh beigefügt. Wenn es nach meinen Anspruch an Sicherheit ginge, würde ich TSL 1.0/1.1 nicht mehr anbieten und so noch höhere Sicherheit bieten. Leider würden dann viele Clients ausgeschlossen werden, so dass ich einen Kompromiss eingegangen bin.

Protokol

###########################################################
    testssl.sh       2.7dev from https://testssl.sh/dev/
    (dc4f90a 2015-12-29 17:07:03 -- 1.434)

      This program is free software. Distribution and 
             modification under GPLv2 permitted. 
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2d-dev)" [~181 ciphers]
on misterjack:$PWD/bin/openssl.Linux.x86_64
 (built: "Jul  6 18:05:33 2015", platform: "linux-x86_64")


 Start 2016-01-07 04:36:30    -->> 188.40.116.207:443 (der.internethering.de) <<--

 further IP addresses:   2a01:4f8:101:26f::1
 rDNS (188.40.116.207):  mx1.le-hosting.de.
 Service detected:       HTTP


 Testing protocols (via sockets except TLS 1.2 and SPDY/HTTP2) 

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered
 TLS 1.1    offered
 TLS 1.2    offered (OK)
 SPDY/NPN   not offered
 HTTP2/ALPN http/1.1 (offered)

 Testing ~standard cipher lists 

 Null Ciphers                 not offered (OK)
 Anonymous NULL Ciphers       not offered (OK)
 Anonymous DH Ciphers         not offered (OK)
 40 Bit encryption            not offered (OK)
 56 Bit encryption            not offered (OK)
 Export Ciphers (general)     not offered (OK)
 Low (<=64 Bit)               not offered (OK)
 DES Ciphers                  not offered (OK)
 Medium grade encryption      not offered (OK)
 Triple DES Ciphers           not offered (OK)
 High grade encryption        offered (OK)


 Testing (perfect) forward secrecy, (P)FS -- omitting 3DES, RC4 and Null Encryption here 

 PFS is offered (OK)  ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA ECDHE-RSA-AES128-SHA 


 Testing server preferences 

 Has server cipher order?     yes (OK)
 Negotiated protocol          TLSv1.2
 Negotiated cipher            ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH
 Cipher order
     TLSv1:     DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA 
     TLSv1.1:   DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA 
     TLSv1.2:   ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA 


 Testing server defaults (Server Hello) 

 TLS server extensions (std)  "server name" "renegotiation info" "EC point formats" "session ticket" "heartbeat" 
 Session Tickets RFC 5077     300 seconds (PFS requires session ticket keys to be rotated <= daily)
 SSL Session ID support       yes
 Server key size              2048 bit
 Signature Algorithm          SHA256 with RSA
 Fingerprint / Serial         SHA1 83A1FF3023D75E3627F6043F261821A82A90E9B1 / 017026E803204772772C856703677DEC0239
                              SHA256 09142391D92937FDB196C67D29CB65105853579724348EC373CF8299F9A583CE
 Common Name (CN)             "internethering.de" (CN in response to request w/o SNI: "le-hosting.de")
 subjectAltName (SAN)         "internethering.de" "autoconfig.internethering.de" "autodiscover.internethering.de" "www.internethering.de" "der.internethering.de" 
 Issuer                       "Let's Encrypt Authority X1" ("Let's Encrypt" from "US")
 EV cert (experimental)       no 
 Certificate Expiration       89 >= 60 days (2016-01-06 18:52 --> 2016-04-05 19:52 +0200)
 # of certificates provided   2
 Chain of trust (experim.)    Ok   
 Certificate Revocation List  --
 OCSP URI                     http://ocsp.int-x1.letsencrypt.org/
 OCSP stapling                not offered
 TLS timestamp                random values, no fingerprinting possible 


 Testing HTTP header response @ "/" 

 HTTP Status Code             200 OK
 HTTP clock skew              -2 sec from localtime
 Strict Transport Security    365 days=31536000 s, includeSubDomains, preload
 Public Key Pinning           --
 Server banner                Apache
 Application banner           --
 Cookie(s)                    3 issued: NONE secure, 3/3 HttpOnly
 Security headers             X-Frame-Options: sameorigin
                              X-Content-Type-Options: nosniff
 Reverse Proxy banner         --


 Testing vulnerabilities 

 Heartbleed (CVE-2014-0160)                not vulnerable (OK) (timed out)
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    no HTTP compression (OK)  - only supplied "/" tested
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
 TLS_FALLBACK_SCSV (RFC 7507), experim.    Downgrade attack prevention supported (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK), common primes not checked. See below for any DH ciphers + bit size
 BEAST (CVE-2011-3389)                     TLS1: DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA
                                                 DHE-RSA-CAMELLIA128-SHA DHE-RSA-CAMELLIA256-SHA ECDHE-RSA-AES128-SHA
                                                 ECDHE-RSA-AES256-SHA
                                           VULNERABLE -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)


 Testing all 181 locally available ciphers against the server, ordered by encryption strength 

Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption Bits        Cipher Suite Name (RFC)
-----------------------------------------------------------------------------------------------------------------------
 xc030   ECDHE-RSA-AES256-GCM-SHA384    ECDH 256   AESGCM     256         TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384             
 xc028   ECDHE-RSA-AES256-SHA384        ECDH 256   AES        256         TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384             
 xc014   ECDHE-RSA-AES256-SHA           ECDH 256   AES        256         TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                
 x9f     DHE-RSA-AES256-GCM-SHA384      DH 2048    AESGCM     256         TLS_DHE_RSA_WITH_AES_256_GCM_SHA384               
 x6b     DHE-RSA-AES256-SHA256          DH 2048    AES        256         TLS_DHE_RSA_WITH_AES_256_CBC_SHA256               
 x39     DHE-RSA-AES256-SHA             DH 2048    AES        256         TLS_DHE_RSA_WITH_AES_256_CBC_SHA                  
 x88     DHE-RSA-CAMELLIA256-SHA        DH 2048    Camellia   256         TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA             
 xc02f   ECDHE-RSA-AES128-GCM-SHA256    ECDH 256   AESGCM     128         TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256             
 xc027   ECDHE-RSA-AES128-SHA256        ECDH 256   AES        128         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256             
 xc013   ECDHE-RSA-AES128-SHA           ECDH 256   AES        128         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                
 x9e     DHE-RSA-AES128-GCM-SHA256      DH 2048    AESGCM     128         TLS_DHE_RSA_WITH_AES_128_GCM_SHA256               
 x67     DHE-RSA-AES128-SHA256          DH 2048    AES        128         TLS_DHE_RSA_WITH_AES_128_CBC_SHA256               
 x33     DHE-RSA-AES128-SHA             DH 2048    AES        128         TLS_DHE_RSA_WITH_AES_128_CBC_SHA                  
 x45     DHE-RSA-CAMELLIA128-SHA        DH 2048    Camellia   128         TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA             


 Done 2016-01-07 04:37:20    -->> 188.40.116.207:443 (der.internethering.de) <<--

Zurück

Kommentare

Einen Kommentar schreiben

Was ist die Summe aus 2 und 6?