These results have been calculated using the following standard:

C is the overall score for virtualmin.com

Crypto on this site is outdated and might not provide enough security.

Note: The overall score is calculated based on the lowest score achieved by any of the machines scanned.

Machines Scanned

Grade  Host  IP address  Last scan
  • C  virtualmin.com  198.154.100.99  2019-08-23 03:38:29 UTC
  • C  jamie.cloud.virtualmin.com  108.60.199.109  2019-08-23 03:38:29 UTC
  • C  ns.cloud.virtualmin.com  108.60.199.108  2019-08-23 03:38:29 UTC
  • C  ns2.cloud.virtualmin.com  108.60.199.116  2019-08-23 03:38:29 UTC
  • C  docs.virtualmin.com  198.154.100.100  2019-08-23 03:38:29 UTC
  • -  ftp.virtualmin.com  108.60.199.107  2019-08-23 03:38:30 UTC
  • C  software.virtualmin.com  149.28.242.101  2019-08-23 03:38:30 UTC
  • C  software2.virtualmin.com  163.172.162.254  2019-08-23 03:38:30 UTC
  • C  srv1.virtualmin.com  108.60.199.106  2019-08-23 03:38:30 UTC

Crypto Services Discovered

Below we list all of the machines detected. For each machine, we list the cryptographic services found. For each service, we give the reasons behind the grading. To see the full details of the cryptography offered by a service, click on "show details".

virtualmin.com

IP address 198.154.100.99
Last scan 2019-08-23 03:38:29 UTC
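Services (grade; rules applicable; number of rules per grade):
  • SSH (port 22): grade C; rules applicable 3 (A: 2, A!: 0, B: 0, C: 1, D: 0)
  • TLS POP3 (port 110): grade A; rules applicable 3 (A: 3, A!: 0, B: 0, C: 0, D: 0)
  • TLS IMAP (port 143): grade A; rules applicable 3 (A: 3, A!: 0, B: 0, C: 0, D: 0)
  • TLS HTTP (port 443): grade B; rules applicable 4 (A: 3, A!: 0, B: 1, C: 0, D: 0)
  • TLS IMAP (port 993): grade A; rules applicable 3 (A: 3, A!: 0, B: 0, C: 0, D: 0)
  • TLS POP3 (port 995): grade A; rules applicable 3 (A: 3, A!: 0, B: 0, C: 0, D: 0)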

SSH (port 22)

Version string SSH-2.0-OpenSSH_7.4
Encryption algorithms
  • 3des-cbc
  • aes128-cbc
  • aes128-ctr
  • aes128-gcm@openssh.com
  • aes192-cbc
  • aes192-ctr
  • aes256-cbc
  • aes256-ctr
  • aes256-gcm@openssh.com
  • blowfish-cbc
  • cast128-cbc
  • chacha20-poly1305@openssh.com
Compression algorithms
  • none
  • zlib@openssh.com
MAC algorithms
  • hmac-sha1
  • hmac-sha1-etm@openssh.com
  • hmac-sha2-256
  • hmac-sha2-256-etm@openssh.com
  • hmac-sha2-512
  • hmac-sha2-512-etm@openssh.com
  • umac-128-etm@openssh.com
  • umac-128@openssh.com
  • umac-64-etm@openssh.com
  • umac-64@openssh.com
Server host key algorithms
  • ecdsa-sha2-nistp256
  • rsa-sha2-256
  • rsa-sha2-512
  • ssh-rsa
Key exchange algorithms
  • curve25519-sha256
  • curve25519-sha256@libssh.org
  • diffie-hellman-group-exchange-sha1
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group1-sha1
  • diffie-hellman-group14-sha1
  • diffie-hellman-group14-sha256
  • diffie-hellman-group16-sha512
  • diffie-hellman-group18-sha512
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
Server keys
  • ECDSA secp256r1 ecdsa-sha2-nistp256
  • RSA 2048-bit ssh-rsa
Grade C: Weak cryptography
Diffie-Hellman group security
Trigger The server supports the "diffie-hellman-group1-sha1" algorithm.
Context

Diffie-Hellman is mainly used so that two machines can compute a shared secret and so benefit from forward secrecy.

NIST recommends a group size of at least 1024 bits for legacy applications, 3072 bits for near term applications and 15360 for long term applications (NIST SP 800-57, Part 1, Rev. 3).

The "diffie-hellman-group1-sha1" key exchange algorithm uses the commonly-shared and 1024-bit Oakley Group 2 (RFC 4253).

Grade A: Passed
Support for DES cipher
Trigger The server doesn't support the DES cipher.
Context

DES is a cipher with an effective key length of 56 bits, which is considered unsuitable by NIST even for legacy use (NIST SP 800-57, Part 1, Rev. 3).

SSH RSA key length
Trigger The server uses a 2048-bit RSA key.
Context

NIST recommends a length of at least 1024 bits for legacy applications, 2048 bits for near term applications and 15360 bits for long term applications (NIST SP 800-57, Part 1, Rev. 3).

TLS (port 110 – POP3)

Versions TLS 1.0, TLS 1.1, TLS 1.2
Fallback SCSV Supported
Ciphers
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS 1.2
  • TLS_ECDHE_RSA_WITH_RC4_128_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_IDEA_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_RC4_128_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_SEED_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
Cipher order Client
Compression
  • NULL TLS 1.0, TLS 1.1, TLS 1.2
Certificate key RSA 2048-bit
Hash algorithm SHA-256
Certificate expiration date 2019-10-06 22:19:08 UTC
Certificate serial number 284192951379732757088713524515803857367020
Certificate issuer C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
Certificate subject CN=virtualmin.com
Certificate SANs
  • cloudmin.com
  • virtualmin.com
  • www.cloudmin.com
  • www.virtualmin.com
Grade A: Passed
Security of hash function for certificate signature digest
Trigger The hash used for the certificate is SHA-256.
Context

NIST considers SHA-512 as the only hash algorithm providing security for long-term use. Algorithms SHA-256 and SHA-384 are acceptable for near-term use and SHA-1 should not be used (NIST SP 800-57, Part 1, Rev. 3).

Support for DES cipher
Trigger The server doesn't support any cipher suites containing the DES cipher.
Context

DES is a cipher with an effective key length of 56 bits, which is considered unsuitable by NIST even for legacy use (NIST SP 800-57, Part 1, Rev. 3).

Certificate RSA key length
Trigger The server uses a 2048-bit RSA key.
Context

NIST recommends a length of at least 1024 bits for legacy applications, 2048 bits for near term applications and 15360 bits for long term applications (NIST SP 800-57, Part 1, Rev. 3).

TLS (port 143 – IMAP)

Versions TLS 1.0, TLS 1.1, TLS 1.2
Fallback SCSV Supported
Ciphers
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS 1.2
  • TLS_ECDHE_RSA_WITH_RC4_128_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_IDEA_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_RC4_128_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_SEED_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
Cipher order Client
Compression
  • NULL TLS 1.0, TLS 1.1, TLS 1.2
Certificate key RSA 2048-bit
Hash algorithm SHA-256
Certificate expiration date 2019-10-06 22:19:08 UTC
Certificate serial number 284192951379732757088713524515803857367020
Certificate issuer C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
Certificate subject CN=virtualmin.com
Certificate SANs
  • cloudmin.com
  • virtualmin.com
  • www.cloudmin.com
  • www.virtualmin.com
Grade A: Passed
Security of hash function for certificate signature digest
Trigger The hash used for the certificate is SHA-256.
Context

NIST considers SHA-512 as the only hash algorithm providing security for long-term use. Algorithms SHA-256 and SHA-384 are acceptable for near-term use and SHA-1 should not be used (NIST SP 800-57, Part 1, Rev. 3).

Support for DES cipher
Trigger The server doesn't support any cipher suites containing the DES cipher.
Context

DES is a cipher with an effective key length of 56 bits, which is considered unsuitable by NIST even for legacy use (NIST SP 800-57, Part 1, Rev. 3).

Certificate RSA key length
Trigger The server uses a 2048-bit RSA key.
Context

NIST recommends a length of at least 1024 bits for legacy applications, 2048 bits for near term applications and 15360 bits for long term applications (NIST SP 800-57, Part 1, Rev. 3).

TLS (port 443 – HTTP)

Versions TLS 1.0, TLS 1.1, TLS 1.2
Fallback SCSV Supported
Ciphers
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_SEED_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_SEED_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_IDEA_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_RC4_128_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_RC4_128_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_RC4_128_MD5 TLS 1.0, TLS 1.1, TLS 1.2
Cipher order Server
Compression
  • NULL TLS 1.0, TLS 1.1, TLS 1.2
Certificate key RSA 2048-bit
Hash algorithm SHA-256
Diffie-Hellman
  • Group: 2048-bit MODP from RFC 3526
  • Generator: 0x2
Certificate expiration date 2019-10-06 22:19:08 UTC
Certificate serial number 284192951379732757088713524515803857367020
Certificate issuer C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
Certificate subject CN=virtualmin.com
Certificate SANs
  • cloudmin.com
  • virtualmin.com
  • www.cloudmin.com
  • www.virtualmin.com
Grade B: Warnings
Diffie-Hellman group size
Trigger The server uses a 2048-bit Diffie-Hellman group.
Context

Diffie-Hellman is mainly used so that two machines can compute a shared secret and so benefit from forward secrecy.

NIST recommends a group size of at least 1024 bits for legacy applications, 3072 bits for near term applications and 15360 for long term applications (NIST SP 800-57, Part 1, Rev. 3).

Grade A: Passed
Security of hash function for certificate signature digest
Trigger The hash used for the certificate is SHA-256.
Context

NIST considers SHA-512 as the only hash algorithm providing security for long-term use. Algorithms SHA-256 and SHA-384 are acceptable for near-term use and SHA-1 should not be used (NIST SP 800-57, Part 1, Rev. 3).

Support for DES cipher
Trigger The server doesn't support any cipher suites containing the DES cipher.
Context

DES is a cipher with an effective key length of 56 bits, which is considered unsuitable by NIST even for legacy use (NIST SP 800-57, Part 1, Rev. 3).

Certificate RSA key length
Trigger The server uses a 2048-bit RSA key.
Context

NIST recommends a length of at least 1024 bits for legacy applications, 2048 bits for near term applications and 15360 bits for long term applications (NIST SP 800-57, Part 1, Rev. 3).

TLS (port 993 – IMAP)

Versions TLS 1.0, TLS 1.1, TLS 1.2
Fallback SCSV Supported
Ciphers
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS 1.2
  • TLS_ECDHE_RSA_WITH_RC4_128_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_IDEA_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_RC4_128_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_SEED_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
Cipher order Client
Compression
  • NULL TLS 1.0, TLS 1.1, TLS 1.2
Certificate key RSA 2048-bit
Hash algorithm SHA-256
Certificate expiration date 2019-10-06 22:19:08 UTC
Certificate serial number 284192951379732757088713524515803857367020
Certificate issuer C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
Certificate subject CN=virtualmin.com
Certificate SANs
  • cloudmin.com
  • virtualmin.com
  • www.cloudmin.com
  • www.virtualmin.com
Grade A: Passed
Security of hash function for certificate signature digest
Trigger The hash used for the certificate is SHA-256.
Context

NIST considers SHA-512 as the only hash algorithm providing security for long-term use. Algorithms SHA-256 and SHA-384 are acceptable for near-term use and SHA-1 should not be used (NIST SP 800-57, Part 1, Rev. 3).

Support for DES cipher
Trigger The server doesn't support any cipher suites containing the DES cipher.
Context

DES is a cipher with an effective key length of 56 bits, which is considered unsuitable by NIST even for legacy use (NIST SP 800-57, Part 1, Rev. 3).

Certificate RSA key length
Trigger The server uses a 2048-bit RSA key.
Context

NIST recommends a length of at least 1024 bits for legacy applications, 2048 bits for near term applications and 15360 bits for long term applications (NIST SP 800-57, Part 1, Rev. 3).

TLS (port 995 – POP3)

Versions TLS 1.0, TLS 1.1, TLS 1.2
Fallback SCSV Supported
Ciphers
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS 1.2
  • TLS_ECDHE_RSA_WITH_RC4_128_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_IDEA_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_RC4_128_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_SEED_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
Cipher order Client
Compression
  • NULL TLS 1.0, TLS 1.1, TLS 1.2
Certificate key RSA 2048-bit
Hash algorithm SHA-256
Certificate expiration date 2019-10-06 22:19:08 UTC
Certificate serial number 284192951379732757088713524515803857367020
Certificate issuer C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
Certificate subject CN=virtualmin.com
Certificate SANs
  • cloudmin.com
  • virtualmin.com
  • www.cloudmin.com
  • www.virtualmin.com
Grade A: Passed
Security of hash function for certificate signature digest
Trigger The hash used for the certificate is SHA-256.
Context

NIST considers SHA-512 as the only hash algorithm providing security for long-term use. Algorithms SHA-256 and SHA-384 are acceptable for near-term use and SHA-1 should not be used (NIST SP 800-57, Part 1, Rev. 3).

Support for DES cipher
Trigger The server doesn't support any cipher suites containing the DES cipher.
Context

DES is a cipher with an effective key length of 56 bits, which is considered unsuitable by NIST even for legacy use (NIST SP 800-57, Part 1, Rev. 3).

Certificate RSA key length
Trigger The server uses a 2048-bit RSA key.
Context

NIST recommends a length of at least 1024 bits for legacy applications, 2048 bits for near term applications and 15360 bits for long term applications (NIST SP 800-57, Part 1, Rev. 3).

jamie.cloud.virtualmin.com

IP address 108.60.199.109
Last scan 2019-08-23 03:38:29 UTC
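Services (grade; rules applicable; number of rules per grade):
  • SSH (port 22): grade C; rules applicable 4 (A: 2, A!: 0, B: 1, C: 1, D: 0)
  • TLS HTTP (port 443): grade B; rules applicable 4 (A: 3, A!: 0, B: 1, C: 0, D: 0)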

SSH (port 22)

Version string SSH-2.0-OpenSSH_5.3
Encryption algorithms
  • 3des-cbc
  • aes128-cbc
  • aes128-ctr
  • aes192-cbc
  • aes192-ctr
  • aes256-cbc
  • aes256-ctr
  • arcfour
  • arcfour128
  • arcfour256
  • blowfish-cbc
  • cast128-cbc
  • rijndael-cbc@lysator.liu.se
Compression algorithms
  • none
  • zlib@openssh.com
MAC algorithms
  • hmac-md5
  • hmac-md5-96
  • hmac-ripemd160
  • hmac-ripemd160@openssh.com
  • hmac-sha1
  • hmac-sha1-96
  • hmac-sha2-256
  • hmac-sha2-512
  • umac-64@openssh.com
Server host key algorithms
  • ssh-dss
  • ssh-rsa
Key exchange algorithms
  • diffie-hellman-group-exchange-sha1
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group1-sha1
  • diffie-hellman-group14-sha1
Server keys
  • DSA 1024-bit ssh-dss
  • RSA 2048-bit ssh-rsa
Grade C: Weak cryptography
Diffie-Hellman group security
Trigger The server supports the "diffie-hellman-group1-sha1" algorithm.
Context

Diffie-Hellman is mainly used so that two machines can compute a shared secret and so benefit from forward secrecy.

NIST recommends a group size of at least 1024 bits for legacy applications, 3072 bits for near term applications and 15360 for long term applications (NIST SP 800-57, Part 1, Rev. 3).

The "diffie-hellman-group1-sha1" key exchange algorithm uses the commonly-shared and 1024-bit Oakley Group 2 (RFC 4253).

Grade B: Warnings
SSH DSA key length
Trigger The server uses a 1024-bit DSA key.
Context

NIST recommends a length of at least 1024 bits for legacy applications and 3072 bits for near term applications (NIST SP 800-57, Part 1, Rev. 3).

Grade A: Passed
Support for DES cipher
Trigger The server doesn't support the DES cipher.
Context

DES is a cipher with an effective key length of 56 bits, which is considered unsuitable by NIST even for legacy use (NIST SP 800-57, Part 1, Rev. 3).

SSH RSA key length
Trigger The server uses a 2048-bit RSA key.
Context

NIST recommends a length of at least 1024 bits for legacy applications, 2048 bits for near term applications and 15360 bits for long term applications (NIST SP 800-57, Part 1, Rev. 3).

TLS (port 443 – HTTP)

Versions SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
Fallback SCSV Supported
Ciphers
  • TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_SEED_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_ECDHE_RSA_WITH_RC4_128_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_IDEA_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_RC4_128_MD5 SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_RC4_128_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_SEED_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
Cipher order Client
Compression
  • NULL SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
Certificate key RSA 2048-bit
Hash algorithm SHA-256
Diffie-Hellman
  • Group: 2048-bit MODP from RFC 3526
  • Generator: 0x2
Certificate expiration date 2019-11-20 04:08:36 UTC
Certificate serial number 295792429249362644590041866639541938328029
Certificate issuer C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
Certificate subject CN=jamie.cloud.virtualmin.com
Certificate SANs
  • jamie.cloud.virtualmin.com
Grade B: Warnings
Diffie-Hellman group size
Trigger The server uses a 2048-bit Diffie-Hellman group.
Context

Diffie-Hellman is mainly used so that two machines can compute a shared secret and so benefit from forward secrecy.

NIST recommends a group size of at least 1024 bits for legacy applications, 3072 bits for near term applications and 15360 for long term applications (NIST SP 800-57, Part 1, Rev. 3).

Grade A: Passed
Security of hash function for certificate signature digest
Trigger The hash used for the certificate is SHA-256.
Context

NIST considers SHA-512 as the only hash algorithm providing security for long-term use. Algorithms SHA-256 and SHA-384 are acceptable for near-term use and SHA-1 should not be used (NIST SP 800-57, Part 1, Rev. 3).

Support for DES cipher
Trigger The server doesn't support any cipher suites containing the DES cipher.
Context

DES is a cipher with an effective key length of 56 bits, which is considered unsuitable by NIST even for legacy use (NIST SP 800-57, Part 1, Rev. 3).

Certificate RSA key length
Trigger The server uses a 2048-bit RSA key.
Context

NIST recommends a length of at least 1024 bits for legacy applications, 2048 bits for near term applications and 15360 bits for long term applications (NIST SP 800-57, Part 1, Rev. 3).

ns.cloud.virtualmin.com

IP address 108.60.199.108
Last scan 2019-08-23 03:38:29 UTC
Services (grade; rules applicable; number of rules per grade):
  • SSH (port 22): grade C; rules applicable 4 (A: 2, A!: 0, B: 1, C: 1, D: 0)

SSH (port 22)

Version string SSH-2.0-OpenSSH_5.3
Encryption algorithms
  • 3des-cbc
  • aes128-cbc
  • aes128-ctr
  • aes192-cbc
  • aes192-ctr
  • aes256-cbc
  • aes256-ctr
  • arcfour
  • arcfour128
  • arcfour256
  • blowfish-cbc
  • cast128-cbc
  • rijndael-cbc@lysator.liu.se
Compression algorithms
  • none
  • zlib@openssh.com
MAC algorithms
  • hmac-md5
  • hmac-md5-96
  • hmac-ripemd160
  • hmac-ripemd160@openssh.com
  • hmac-sha1
  • hmac-sha1-96
  • hmac-sha2-256
  • hmac-sha2-512
  • umac-64@openssh.com
Server host key algorithms
  • ssh-dss
  • ssh-rsa
Key exchange algorithms
  • diffie-hellman-group-exchange-sha1
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group1-sha1
  • diffie-hellman-group14-sha1
Server keys
  • DSA 1024-bit ssh-dss
  • RSA 2048-bit ssh-rsa
Grade C: Weak cryptography
Diffie-Hellman group security
Trigger The server supports the "diffie-hellman-group1-sha1" algorithm.
Context

Diffie-Hellman is mainly used so that two machines can compute a shared secret and so benefit from forward secrecy.

NIST recommends a group size of at least 1024 bits for legacy applications, 3072 bits for near term applications and 15360 for long term applications (NIST SP 800-57, Part 1, Rev. 3).

The "diffie-hellman-group1-sha1" key exchange algorithm uses the commonly-shared and 1024-bit Oakley Group 2 (RFC 4253).

Grade B: Warnings
SSH DSA key length
Trigger The server uses a 1024-bit DSA key.
Context

NIST recommends a length of at least 1024 bits for legacy applications and 3072 bits for near term applications (NIST SP 800-57, Part 1, Rev. 3).

Grade A: Passed
Support for DES cipher
Trigger The server doesn't support the DES cipher.
Context

DES is a cipher with an effective key length of 56 bits, which is considered unsuitable by NIST even for legacy use (NIST SP 800-57, Part 1, Rev. 3).

SSH RSA key length
Trigger The server uses a 2048-bit RSA key.
Context

NIST recommends a length of at least 1024 bits for legacy applications, 2048 bits for near term applications and 15360 bits for long term applications (NIST SP 800-57, Part 1, Rev. 3).

ns2.cloud.virtualmin.com

IP address 108.60.199.116
Last scan 2019-08-23 03:38:29 UTC
Services (grade; rules applicable; number of rules per grade):
  • SSH (port 22): grade C; rules applicable 4 (A: 2, A!: 0, B: 1, C: 1, D: 0)

SSH (port 22)

Version string SSH-2.0-OpenSSH_5.3
Encryption algorithms
  • 3des-cbc
  • aes128-cbc
  • aes128-ctr
  • aes192-cbc
  • aes192-ctr
  • aes256-cbc
  • aes256-ctr
  • arcfour
  • arcfour128
  • arcfour256
  • blowfish-cbc
  • cast128-cbc
  • rijndael-cbc@lysator.liu.se
Compression algorithms
  • none
  • zlib@openssh.com
MAC algorithms
  • hmac-md5
  • hmac-md5-96
  • hmac-ripemd160
  • hmac-ripemd160@openssh.com
  • hmac-sha1
  • hmac-sha1-96
  • hmac-sha2-256
  • hmac-sha2-512
  • umac-64@openssh.com
Server host key algorithms
  • ssh-dss
  • ssh-rsa
Key exchange algorithms
  • diffie-hellman-group-exchange-sha1
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group1-sha1
  • diffie-hellman-group14-sha1
Server keys
  • DSA 1024-bit ssh-dss
  • RSA 2048-bit ssh-rsa
Grade C: Weak cryptography
Diffie-Hellman group security
Trigger The server supports the "diffie-hellman-group1-sha1" algorithm.
Context

Diffie-Hellman is mainly used so that two machines can compute a shared secret and so benefit from forward secrecy.

NIST recommends a group size of at least 1024 bits for legacy applications, 3072 bits for near term applications and 15360 for long term applications (NIST SP 800-57, Part 1, Rev. 3).

The "diffie-hellman-group1-sha1" key exchange algorithm uses the commonly-shared and 1024-bit Oakley Group 2 (RFC 4253).

Grade B: Warnings
SSH DSA key length
Trigger The server uses a 1024-bit DSA key.
Context

NIST recommends a length of at least 1024 bits for legacy applications and 3072 bits for near term applications (NIST SP 800-57, Part 1, Rev. 3).

Grade A: Passed
Support for DES cipher
Trigger The server doesn't support the DES cipher.
Context

DES is a cipher with an effective key length of 56 bits, which is considered unsuitable by NIST even for legacy use (NIST SP 800-57, Part 1, Rev. 3).

SSH RSA key length
Trigger The server uses a 2048-bit RSA key.
Context

NIST recommends a length of at least 1024 bits for legacy applications, 2048 bits for near term applications and 15360 bits for long term applications (NIST SP 800-57, Part 1, Rev. 3).

docs.virtualmin.com

IP address 198.154.100.100
Last scan 2019-08-23 03:38:29 UTC
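Services (grade; rules applicable; number of rules per grade):
  • SSH (port 22): grade C; rules applicable 3 (A: 2, A!: 0, B: 0, C: 1, D: 0)
  • TLS HTTP (port 443): grade A; rules applicable 3 (A: 3, A!: 0, B: 0, C: 0, D: 0)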

SSH (port 22)

Version string SSH-2.0-OpenSSH_7.4
Encryption algorithms
  • 3des-cbc
  • aes128-cbc
  • aes128-ctr
  • aes128-gcm@openssh.com
  • aes192-cbc
  • aes192-ctr
  • aes256-cbc
  • aes256-ctr
  • aes256-gcm@openssh.com
  • blowfish-cbc
  • cast128-cbc
  • chacha20-poly1305@openssh.com
Compression algorithms
  • none
  • zlib@openssh.com
MAC algorithms
  • hmac-sha1
  • hmac-sha1-etm@openssh.com
  • hmac-sha2-256
  • hmac-sha2-256-etm@openssh.com
  • hmac-sha2-512
  • hmac-sha2-512-etm@openssh.com
  • umac-128-etm@openssh.com
  • umac-128@openssh.com
  • umac-64-etm@openssh.com
  • umac-64@openssh.com
Server host key algorithms
  • ecdsa-sha2-nistp256
  • rsa-sha2-256
  • rsa-sha2-512
  • ssh-rsa
Key exchange algorithms
  • curve25519-sha256
  • curve25519-sha256@libssh.org
  • diffie-hellman-group-exchange-sha1
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group1-sha1
  • diffie-hellman-group14-sha1
  • diffie-hellman-group14-sha256
  • diffie-hellman-group16-sha512
  • diffie-hellman-group18-sha512
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
Server keys
ECDSA secp256r1 ecdsa-sha2-nistp256
RSA 2048-bit ssh-rsa
C
Weak cryptography
Diffie-Hellman group security
Trigger The server supports the "diffie-hellman-group1-sha1" algorithm.
Context

Diffie-Hellman is mainly used so that two machines can compute a shared secret and so benefit from forward secrecy.

NIST recommends a group size of at least 1024 bits for legacy applications, 3072 bits for near term applications and 15360 bits for long term applications (NIST SP 800-57, Part 1, Rev. 3).

The "diffie-hellman-group1-sha1" key exchange algorithm uses the widely shared 1024-bit Oakley Group 2 (RFC 4253).

A
Passed
Support for DES cipher
Trigger The server doesn't support the DES cipher.
Context

DES is a cipher with an effective key length of 56 bits, which is considered unsuitable by NIST even for legacy use (NIST SP 800-57, Part 1, Rev. 3).

SSH RSA key length
Trigger The server uses a 2048-bit RSA key.
Context

NIST recommends a length of at least 1024 bits for legacy applications, 2048 bits for near term applications and 15360 bits for long term applications (NIST SP 800-57, Part 1, Rev. 3).

TLS (port 443 – HTTP)

Versions TLS 1.0, TLS 1.1, TLS 1.2
Fallback SCSV Supported
Ciphers
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS 1.2
  • TLS_ECDHE_RSA_WITH_RC4_128_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_IDEA_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_RC4_128_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_SEED_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
Cipher order Client
Compression
  • NULL TLS 1.0, TLS 1.1, TLS 1.2
Certificate key RSA 2048-bit
Hash algorithm SHA-256
Certificate expiration date 2019-10-10 22:57:51 UTC
Certificate serial number 263731484751684393618628081304525236576040
Certificate issuer C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
Certificate subject CN=docs.virtualmin.com
Certificate SANs
  • docs.virtualmin.com
  • doxfer.webmin.com
A
Passed
Security of hash function for certificate signature digest
Trigger The hash used for the certificate is SHA-256.
Context

NIST considers SHA-512 as the only hash algorithm providing security for long-term use. Algorithms SHA-256 and SHA-384 are acceptable for near-term use and SHA-1 should not be used (NIST SP 800-57, Part 1, Rev. 3).

Support for DES cipher
Trigger The server doesn't support any cipher suites containing the DES cipher.
Context

DES is a cipher with an effective key length of 56 bits, which is considered unsuitable by NIST even for legacy use (NIST SP 800-57, Part 1, Rev. 3).

Certificate RSA key length
Trigger The server uses a 2048-bit RSA key.
Context

NIST recommends a length of at least 1024 bits for legacy applications, 2048 bits for near term applications and 15360 bits for long term applications (NIST SP 800-57, Part 1, Rev. 3).

ftp.virtualmin.com

IP address 108.60.199.107
Last scan 2019-08-23 03:38:30 UTC

No service that could be analyzed detected on this machine.

software.virtualmin.com

IP address 149.28.242.101
Last scan 2019-08-23 03:38:30 UTC
TLS FTP (port 21)
Rules applicable 4
Grade: B
Rules by grade: A 3, A! 0, B 1, C 0, D 0
SSH (port 22)
Rules applicable 3
Grade: C
Rules by grade: A 2, A! 0, B 0, C 1, D 0
TLS HTTP (port 443)
Rules applicable 4
Grade: B
Rules by grade: A 3, A! 0, B 1, C 0, D 0

TLS (port 21 – FTP)

Versions TLS 1.0, TLS 1.1, TLS 1.2
Fallback SCSV Supported
Ciphers
  • TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_SEED_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_ECDHE_RSA_WITH_RC4_128_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_IDEA_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_RC4_128_MD5 TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_RC4_128_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_SEED_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
Cipher order Client
Compression
  • NULL TLS 1.0, TLS 1.1, TLS 1.2
Certificate key RSA 2048-bit
Hash algorithm SHA-256
Diffie-Hellman
  • Group (Postfix 2048-bit)
  • Generator: 0x5
Certificate expiration date 2018-08-26 06:18:54 UTC
Certificate serial number 10016193776172319625
Certificate issuer C=NA,ST=NA,L=NA,O=Self-signed for software3.virtualmin.com ,CN=software3.virtualmin.com
Certificate subject C=NA,ST=NA,L=NA,O=Self-signed for software3.virtualmin.com ,CN=software3.virtualmin.com
B
Warnings
Diffie-Hellman group size
Trigger The server uses a 2048-bit Diffie-Hellman group.
Context

Diffie-Hellman is mainly used so that two machines can compute a shared secret and so benefit from forward secrecy.

NIST recommends a group size of at least 1024 bits for legacy applications, 3072 bits for near term applications and 15360 bits for long term applications (NIST SP 800-57, Part 1, Rev. 3).

A
Passed
Security of hash function for certificate signature digest
Trigger The hash used for the certificate is SHA-256.
Context

NIST considers SHA-512 as the only hash algorithm providing security for long-term use. Algorithms SHA-256 and SHA-384 are acceptable for near-term use and SHA-1 should not be used (NIST SP 800-57, Part 1, Rev. 3).

Support for DES cipher
Trigger The server doesn't support any cipher suites containing the DES cipher.
Context

DES is a cipher with an effective key length of 56 bits, which is considered unsuitable by NIST even for legacy use (NIST SP 800-57, Part 1, Rev. 3).

Certificate RSA key length
Trigger The server uses a 2048-bit RSA key.
Context

NIST recommends a length of at least 1024 bits for legacy applications, 2048 bits for near term applications and 15360 bits for long term applications (NIST SP 800-57, Part 1, Rev. 3).

SSH (port 22)

Version string SSH-2.0-OpenSSH_7.4
Encryption algorithms
  • 3des-cbc
  • aes128-cbc
  • aes128-ctr
  • aes128-gcm@openssh.com
  • aes192-cbc
  • aes192-ctr
  • aes256-cbc
  • aes256-ctr
  • aes256-gcm@openssh.com
  • blowfish-cbc
  • cast128-cbc
  • chacha20-poly1305@openssh.com
Compression algorithms
  • none
  • zlib@openssh.com
MAC algorithms
  • hmac-sha1
  • hmac-sha1-etm@openssh.com
  • hmac-sha2-256
  • hmac-sha2-256-etm@openssh.com
  • hmac-sha2-512
  • hmac-sha2-512-etm@openssh.com
  • umac-128-etm@openssh.com
  • umac-128@openssh.com
  • umac-64-etm@openssh.com
  • umac-64@openssh.com
Server host key algorithms
  • ecdsa-sha2-nistp256
  • rsa-sha2-256
  • rsa-sha2-512
  • ssh-ed25519
  • ssh-rsa
Key exchange algorithms
  • curve25519-sha256
  • curve25519-sha256@libssh.org
  • diffie-hellman-group-exchange-sha1
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group1-sha1
  • diffie-hellman-group14-sha1
  • diffie-hellman-group14-sha256
  • diffie-hellman-group16-sha512
  • diffie-hellman-group18-sha512
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
Server keys
ECDSA secp256r1 ecdsa-sha2-nistp256
Ed25519 ssh-ed25519
RSA 2048-bit ssh-rsa
C
Weak cryptography
Diffie-Hellman group security
Trigger The server supports the "diffie-hellman-group1-sha1" algorithm.
Context

Diffie-Hellman is mainly used so that two machines can compute a shared secret and so benefit from forward secrecy.

NIST recommends a group size of at least 1024 bits for legacy applications, 3072 bits for near term applications and 15360 bits for long term applications (NIST SP 800-57, Part 1, Rev. 3).

The "diffie-hellman-group1-sha1" key exchange algorithm uses the widely shared 1024-bit Oakley Group 2 (RFC 4253).

A
Passed
Support for DES cipher
Trigger The server doesn't support the DES cipher.
Context

DES is a cipher with an effective key length of 56 bits, which is considered unsuitable by NIST even for legacy use (NIST SP 800-57, Part 1, Rev. 3).

SSH RSA key length
Trigger The server uses a 2048-bit RSA key.
Context

NIST recommends a length of at least 1024 bits for legacy applications, 2048 bits for near term applications and 15360 bits for long term applications (NIST SP 800-57, Part 1, Rev. 3).

TLS (port 443 – HTTP)

Versions TLS 1.2
Ciphers
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA TLS 1.2
  • TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA TLS 1.2
Cipher order Client
Compression
  • NULL TLS 1.2
Certificate key RSA 2048-bit
Hash algorithm SHA-256
Diffie-Hellman
  • Group (2048-bit MODP from RFC 3526)
  • Generator: 0x2
Certificate expiration date 2019-09-25 18:01:11 UTC
Certificate serial number 270833132146228631696336742145563968545737
Certificate issuer C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
Certificate subject CN=software2.virtualmin.com
Certificate SANs
  • software.virtualmin.com
  • software2.virtualmin.com
B
Warnings
Diffie-Hellman group size
Trigger The server uses a 2048-bit Diffie-Hellman group.
Context

Diffie-Hellman is mainly used so that two machines can compute a shared secret and so benefit from forward secrecy.

NIST recommends a group size of at least 1024 bits for legacy applications, 3072 bits for near term applications and 15360 bits for long term applications (NIST SP 800-57, Part 1, Rev. 3).

A
Passed
Security of hash function for certificate signature digest
Trigger The hash used for the certificate is SHA-256.
Context

NIST considers SHA-512 as the only hash algorithm providing security for long-term use. Algorithms SHA-256 and SHA-384 are acceptable for near-term use and SHA-1 should not be used (NIST SP 800-57, Part 1, Rev. 3).

Support for DES cipher
Trigger The server doesn't support any cipher suites containing the DES cipher.
Context

DES is a cipher with an effective key length of 56 bits, which is considered unsuitable by NIST even for legacy use (NIST SP 800-57, Part 1, Rev. 3).

Certificate RSA key length
Trigger The server uses a 2048-bit RSA key.
Context

NIST recommends a length of at least 1024 bits for legacy applications, 2048 bits for near term applications and 15360 bits for long term applications (NIST SP 800-57, Part 1, Rev. 3).

software2.virtualmin.com

IP address 163.172.162.254
Last scan 2019-08-23 03:38:30 UTC
SSH (port 22)
Rules applicable 3
Grade: C
Rules by grade: A 2, A! 0, B 0, C 1, D 0
TLS HTTP (port 443)
Rules applicable 4
Grade: B
Rules by grade: A 3, A! 0, B 1, C 0, D 0

SSH (port 22)

Version string SSH-2.0-OpenSSH_7.4
Encryption algorithms
  • 3des-cbc
  • aes128-cbc
  • aes128-ctr
  • aes128-gcm@openssh.com
  • aes192-cbc
  • aes192-ctr
  • aes256-cbc
  • aes256-ctr
  • aes256-gcm@openssh.com
  • blowfish-cbc
  • cast128-cbc
  • chacha20-poly1305@openssh.com
Compression algorithms
  • none
  • zlib@openssh.com
MAC algorithms
  • hmac-sha1
  • hmac-sha1-etm@openssh.com
  • hmac-sha2-256
  • hmac-sha2-256-etm@openssh.com
  • hmac-sha2-512
  • hmac-sha2-512-etm@openssh.com
  • umac-128-etm@openssh.com
  • umac-128@openssh.com
  • umac-64-etm@openssh.com
  • umac-64@openssh.com
Server host key algorithms
  • ecdsa-sha2-nistp256
  • rsa-sha2-256
  • rsa-sha2-512
  • ssh-ed25519
  • ssh-rsa
Key exchange algorithms
  • curve25519-sha256
  • curve25519-sha256@libssh.org
  • diffie-hellman-group-exchange-sha1
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group1-sha1
  • diffie-hellman-group14-sha1
  • diffie-hellman-group14-sha256
  • diffie-hellman-group16-sha512
  • diffie-hellman-group18-sha512
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
Server keys
ECDSA secp256r1 ecdsa-sha2-nistp256
Ed25519 ssh-ed25519
RSA 2048-bit ssh-rsa
C
Weak cryptography
Diffie-Hellman group security
Trigger The server supports the "diffie-hellman-group1-sha1" algorithm.
Context

Diffie-Hellman is mainly used so that two machines can compute a shared secret and so benefit from forward secrecy.

NIST recommends a group size of at least 1024 bits for legacy applications, 3072 bits for near term applications and 15360 bits for long term applications (NIST SP 800-57, Part 1, Rev. 3).

The "diffie-hellman-group1-sha1" key exchange algorithm uses the widely shared 1024-bit Oakley Group 2 (RFC 4253).

A
Passed
Support for DES cipher
Trigger The server doesn't support the DES cipher.
Context

DES is a cipher with an effective key length of 56 bits, which is considered unsuitable by NIST even for legacy use (NIST SP 800-57, Part 1, Rev. 3).

SSH RSA key length
Trigger The server uses a 2048-bit RSA key.
Context

NIST recommends a length of at least 1024 bits for legacy applications, 2048 bits for near term applications and 15360 bits for long term applications (NIST SP 800-57, Part 1, Rev. 3).

TLS (port 443 – HTTP)

Versions TLS 1.2
Ciphers
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA TLS 1.2
  • TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA TLS 1.2
Cipher order Client
Compression
  • NULL TLS 1.2
Certificate key RSA 2048-bit
Hash algorithm SHA-256
Diffie-Hellman
  • Group (2048-bit MODP from RFC 3526)
  • Generator: 0x2
Certificate expiration date 2019-09-25 18:01:11 UTC
Certificate serial number 270833132146228631696336742145563968545737
Certificate issuer C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
Certificate subject CN=software2.virtualmin.com
Certificate SANs
  • software.virtualmin.com
  • software2.virtualmin.com
B
Warnings
Diffie-Hellman group size
Trigger The server uses a 2048-bit Diffie-Hellman group.
Context

Diffie-Hellman is mainly used so that two machines can compute a shared secret and so benefit from forward secrecy.

NIST recommends a group size of at least 1024 bits for legacy applications, 3072 bits for near term applications and 15360 bits for long term applications (NIST SP 800-57, Part 1, Rev. 3).

A
Passed
Security of hash function for certificate signature digest
Trigger The hash used for the certificate is SHA-256.
Context

NIST considers SHA-512 as the only hash algorithm providing security for long-term use. Algorithms SHA-256 and SHA-384 are acceptable for near-term use and SHA-1 should not be used (NIST SP 800-57, Part 1, Rev. 3).

Support for DES cipher
Trigger The server doesn't support any cipher suites containing the DES cipher.
Context

DES is a cipher with an effective key length of 56 bits, which is considered unsuitable by NIST even for legacy use (NIST SP 800-57, Part 1, Rev. 3).

Certificate RSA key length
Trigger The server uses a 2048-bit RSA key.
Context

NIST recommends a length of at least 1024 bits for legacy applications, 2048 bits for near term applications and 15360 bits for long term applications (NIST SP 800-57, Part 1, Rev. 3).

srv1.virtualmin.com

IP address 108.60.199.106
Last scan 2019-08-23 03:38:30 UTC
SSH (port 22)
Rules applicable 3
Grade: C
Rules by grade: A 2, A! 0, B 0, C 1, D 0

SSH (port 22)

Version string SSH-2.0-OpenSSH_7.4
Encryption algorithms
  • 3des-cbc
  • aes128-cbc
  • aes128-ctr
  • aes128-gcm@openssh.com
  • aes192-cbc
  • aes192-ctr
  • aes256-cbc
  • aes256-ctr
  • aes256-gcm@openssh.com
  • blowfish-cbc
  • cast128-cbc
  • chacha20-poly1305@openssh.com
Compression algorithms
  • none
  • zlib@openssh.com
MAC algorithms
  • hmac-sha1
  • hmac-sha1-etm@openssh.com
  • hmac-sha2-256
  • hmac-sha2-256-etm@openssh.com
  • hmac-sha2-512
  • hmac-sha2-512-etm@openssh.com
  • umac-128-etm@openssh.com
  • umac-128@openssh.com
  • umac-64-etm@openssh.com
  • umac-64@openssh.com
Server host key algorithms
  • ecdsa-sha2-nistp256
  • rsa-sha2-256
  • rsa-sha2-512
  • ssh-ed25519
  • ssh-rsa
Key exchange algorithms
  • curve25519-sha256
  • curve25519-sha256@libssh.org
  • diffie-hellman-group-exchange-sha1
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group1-sha1
  • diffie-hellman-group14-sha1
  • diffie-hellman-group14-sha256
  • diffie-hellman-group16-sha512
  • diffie-hellman-group18-sha512
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
Server keys
ECDSA secp256r1 ecdsa-sha2-nistp256
Ed25519 ssh-ed25519
RSA 2048-bit ssh-rsa
C
Weak cryptography
Diffie-Hellman group security
Trigger The server supports the "diffie-hellman-group1-sha1" algorithm.
Context

Diffie-Hellman is mainly used so that two machines can compute a shared secret and so benefit from forward secrecy.

NIST recommends a group size of at least 1024 bits for legacy applications, 3072 bits for near term applications and 15360 bits for long term applications (NIST SP 800-57, Part 1, Rev. 3).

The "diffie-hellman-group1-sha1" key exchange algorithm uses the widely shared 1024-bit Oakley Group 2 (RFC 4253).

A
Passed
Support for DES cipher
Trigger The server doesn't support the DES cipher.
Context

DES is a cipher with an effective key length of 56 bits, which is considered unsuitable by NIST even for legacy use (NIST SP 800-57, Part 1, Rev. 3).

SSH RSA key length
Trigger The server uses a 2048-bit RSA key.
Context

NIST recommends a length of at least 1024 bits for legacy applications, 2048 bits for near term applications and 15360 bits for long term applications (NIST SP 800-57, Part 1, Rev. 3).