Crypto Service Audit by Cryptosense

Report for virtualmin.com produced at 2024-04-24 01:55:07 UTC using the ECRYPT standard.

Overall score for virtualmin.com: C

Crypto on this site is outdated and might not provide enough security.

Note: The overall score is calculated based on the lowest score achieved by any of the machines scanned.

Machines Scanned

  • virtualmin.com, 198.154.100.99, 2024-04-23 14:51:14 UTC, score: -
  • jamie.cloud.virtualmin.com, 108.60.199.109, 2024-04-23 14:51:14 UTC, score: -
  • ns.cloud.virtualmin.com, 108.60.199.108, 2024-04-23 14:51:14 UTC, score: -
  • ns2.cloud.virtualmin.com, 108.60.199.116, 2024-04-23 14:51:14 UTC, score: -
  • docs.virtualmin.com, 198.154.100.100, 2024-04-23 14:51:14 UTC, score: -
  • ftp.virtualmin.com, 108.60.199.107, 2024-04-23 14:51:14 UTC, score: -
  • software.virtualmin.com, 149.28.242.101, 2024-04-23 14:51:15 UTC, score: C
  • software2.virtualmin.com, 163.172.162.254, 2024-04-23 14:51:15 UTC, score: -
  • srv1.virtualmin.com, 108.60.199.106, 2024-04-23 14:51:15 UTC, score: -

Crypto Services Discovered

Below, we list all of the machines detected. For each machine, we list the cryptographic services found. For each service, we give the reasons behind the grading and, if applicable, instructions on how to fix it.

virtualmin.com

IP address 198.154.100.99
Last scan 2024-04-23 14:51:14 UTC

No service that could be analyzed detected on this machine.

jamie.cloud.virtualmin.com

IP address 108.60.199.109
Last scan 2024-04-23 14:51:14 UTC

No service that could be analyzed detected on this machine.

ns.cloud.virtualmin.com

IP address 108.60.199.108
Last scan 2024-04-23 14:51:14 UTC

No service that could be analyzed detected on this machine.

ns2.cloud.virtualmin.com

IP address 108.60.199.116
Last scan 2024-04-23 14:51:14 UTC

No service that could be analyzed detected on this machine.

docs.virtualmin.com

IP address 198.154.100.100
Last scan 2024-04-23 14:51:14 UTC

No service that could be analyzed detected on this machine.

ftp.virtualmin.com

IP address 108.60.199.107
Last scan 2024-04-23 14:51:14 UTC

No service that could be analyzed detected on this machine.

software.virtualmin.com

IP address 149.28.242.101
Last scan 2024-04-23 14:51:15 UTC
  • TLS FTP (port 21): score C, rules applicable 5 (A: 2, A!: 0, B: 2, C: 1, D: 0, F: 0)
  • SSH (port 22): score C, rules applicable 6 (A: 2, A!: 0, B: 3, C: 1, D: 0, F: 0)
  • TLS HTTP (port 443): score B, rules applicable 5 (A: 3, A!: 0, B: 2, C: 0, D: 0, F: 0)

TLS (port 21 – FTP)

Scan details
Versions TLS 1.0, TLS 1.1, TLS 1.2
Fallback SCSV Supported
Ciphers
  • TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_SEED_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_ECDHE_RSA_WITH_RC4_128_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_IDEA_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_RC4_128_MD5 TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_RC4_128_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_SEED_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
Cipher order Client
Compression
  • NULL TLS 1.0, TLS 1.1, TLS 1.2
Certificate key RSA 2048-bit
Hash algorithm SHA-256
Diffie-Hellman
  • Group (Postfix 2048-bit): 0xf2ea0a012bb967db1d155744be940e859bdba474fb6be6442ab52ef8546703dbf32b7b869fa8241b0acb13fc1c59cc5c2cee7a98063dd648a8add2876584d6f0a62aeb8d7a6c0dc9aceb41c2266f7920171baa5af924a48370e7ea22b6acc69da3cb36cb531351840343c2ecaa760eac7bf9e757cfd2432aeeff5b574aebf746c5e783f9e1115d54a331f36afbea7e6012db1536c54a6d369ba1bdf06558dd082225495a6e9866162576eedb314f174ded6923fccc31ab67d8c2558f9c128538cf586b5a01d3b68bdf8685bc8b550b36b19f38e71d3331a12bf56db8853a44c2aa7c2e8e86664b31dfdf6b7229e63a064561a7976a044042b6f40449c46ed403
  • Generator: 0x5
Certificate start date 2018-07-27 06:18:54 UTC
Certificate expiration date 2018-08-26 06:18:54 UTC
Certificate serial number 10016193776172319625
Certificate issuer CN=software3.virtualmin.com ,O=Self-signed for software3.virtualmin.com ,L=NA,ST=NA,C=NA
Certificate subject CN=software3.virtualmin.com ,O=Self-signed for software3.virtualmin.com ,L=NA,ST=NA,C=NA
C: Weak cryptography
Support for RC4 cipher
Trigger: The server supports a cipher suite containing the RC4 cipher.
Context:

ECRYPT discourages the use of RC4 for both legacy and future applications (ECRYPT 2016 report).

In TLS, cipher suites using RC4 have been deprecated as of February 2015 (RFC 7465).

B: Warnings
Certificate RSA key length
Trigger: The server uses a 2048-bit RSA key.
Context:

ECRYPT recommends a length of at least 1024 bits for legacy applications, 3072 bits for near term applications and 15360 bits for long term applications (ECRYPT 2016 report).

Diffie-Hellman group size
Trigger: The server uses a 2048-bit Diffie-Hellman group.
Context:

Diffie-Hellman is mainly used so that two machines can compute a shared secret and so benefit from forward secrecy.

ECRYPT recommends a group size of at least 1024 bits for legacy applications, 3072 bits for near term applications and 15360 for long term applications (ECRYPT 2016 report).

SSH (port 22)

Scan details
Version string SSH-2.0-OpenSSH_7.4
Encryption algorithms
  • 3des-cbc
  • aes128-cbc
  • aes128-ctr
  • aes128-gcm@openssh.com
  • aes192-cbc
  • aes192-ctr
  • aes256-cbc
  • aes256-ctr
  • aes256-gcm@openssh.com
  • blowfish-cbc
  • cast128-cbc
  • chacha20-poly1305@openssh.com
Compression algorithms
  • none
  • zlib@openssh.com
MAC algorithms
  • hmac-sha1
  • hmac-sha1-etm@openssh.com
  • hmac-sha2-256
  • hmac-sha2-256-etm@openssh.com
  • hmac-sha2-512
  • hmac-sha2-512-etm@openssh.com
  • umac-128-etm@openssh.com
  • umac-128@openssh.com
  • umac-64-etm@openssh.com
  • umac-64@openssh.com
Server host key algorithms
  • ecdsa-sha2-nistp256
  • rsa-sha2-256
  • rsa-sha2-512
  • ssh-ed25519
  • ssh-rsa
Key exchange algorithms
  • curve25519-sha256
  • curve25519-sha256@libssh.org
  • diffie-hellman-group-exchange-sha1
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group1-sha1
  • diffie-hellman-group14-sha1
  • diffie-hellman-group14-sha256
  • diffie-hellman-group16-sha512
  • diffie-hellman-group18-sha512
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
Server keys
  • ECDSA secp256r1 (ecdsa-sha2-nistp256)
  • Ed25519 (ssh-ed25519)
  • RSA 2048-bit (ssh-rsa)
C: Weak cryptography
Diffie-Hellman group security
Trigger: The server supports the "diffie-hellman-group1-sha1" algorithm.
Context:

Diffie-Hellman is mainly used so that two machines can compute a shared secret and so benefit from forward secrecy.

ECRYPT recommends a group size of at least 1024 bits for legacy applications, 3072 bits for near term applications and 15360 for long term applications (ECRYPT 2016 report).

The "diffie-hellman-group1-sha1" key exchange algorithm uses the commonly-shared and 1024-bit Oakley Group 2 (RFC 4253).

B: Warnings
SSH RSA key length
Trigger: The server uses a 2048-bit RSA key.
Context:

ECRYPT recommends a length of at least 1024 bits for legacy applications, 3072 bits for near term applications and 15360 bits for long term applications (ECRYPT 2016 report).

Support for Blowfish cipher
Trigger: The server supports the Blowfish cipher.
Context:

Blowfish is a block cipher with a 64-bit block size.

ECRYPT considers Blowfish to only be suitable for legacy applications (ECRYPT 2016 report).

Support for 3DES cipher
Trigger: The server supports the 3DES cipher.
Context:

Three-key-3DES is a cipher with 168-bit keys but an effective key length of 112 bits because of a meet-in-the-middle attack. This is considered enough only for legacy. Furthermore, it has a 64-bit block size, which can be insufficient for some applications, for example because of birthday attacks (sweet32.info).

ECRYPT considers 3DES to only be suitable for legacy applications (ECRYPT 2016 report).

TLS (port 443 – HTTP)

Scan details
Versions TLS 1.2
Ciphers
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA TLS 1.2
  • TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA TLS 1.2
Cipher order Client
Compression
  • NULL TLS 1.2
Certificate key RSA 2048-bit
Hash algorithm SHA-256
Diffie-Hellman
  • Group (2048-bit MODP from RFC 3526): 0xffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024e088a67cc74020bbea63b139b22514a08798e3404ddef9519b3cd3a431b302b0a6df25f14374fe1356d6d51c245e485b576625e7ec6f44c42e9a637ed6b0bff5cb6f406b7edee386bfb5a899fa5ae9f24117c4b1fe649286651ece45b3dc2007cb8a163bf0598da48361c55d39a69163fa8fd24cf5f83655d23dca3ad961c62f356208552bb9ed529077096966d670c354e4abc9804f1746c08ca18217c32905e462e36ce3be39e772c180e86039b2783a2ec07a28fb5c55df06f4c52c9de2bcbf6955817183995497cea956ae515d2261898fa051015728e5a8aacaa68ffffffffffffffff
  • Generator: 0x2
Certificate start date 2023-09-12 16:51:07 UTC
Certificate expiration date 2023-12-11 16:51:06 UTC
Certificate serial number 279503508235384226986805774441936220599460
Certificate issuer CN=R3,O=Let's Encrypt,C=US
Certificate subject CN=software2.virtualmin.com
Certificate SANs
  • software.virtualmin.com
  • software2.virtualmin.com
B: Warnings
Certificate RSA key length
Trigger: The server uses a 2048-bit RSA key.
Context:

ECRYPT recommends a length of at least 1024 bits for legacy applications, 3072 bits for near term applications and 15360 bits for long term applications (ECRYPT 2016 report).

Diffie-Hellman group size
Trigger: The server uses a 2048-bit Diffie-Hellman group.
Context:

Diffie-Hellman is mainly used so that two machines can compute a shared secret and so benefit from forward secrecy.

ECRYPT recommends a group size of at least 1024 bits for legacy applications, 3072 bits for near term applications and 15360 for long term applications (ECRYPT 2016 report).

software2.virtualmin.com

IP address 163.172.162.254
Last scan 2024-04-23 14:51:15 UTC

No service that could be analyzed detected on this machine.

srv1.virtualmin.com

IP address 108.60.199.106
Last scan 2024-04-23 14:51:15 UTC

No service that could be analyzed detected on this machine.