D is the overall score for weneedafence.ca

Crypto on this site is broken and is likely not to provide enough security.

Note: The overall score is calculated based on the lowest score achieved by any of the machines scanned.

Machines Scanned

D weneedafence.ca 173.255.231.250 2024-04-29 11:53:54 UTC
D weneedafence.ca 2600:3c03::f03c:91ff:fe08:94f3 2024-04-29 11:53:54 UTC
A mx.niner.net 178.62.195.26 2024-04-29 11:53:55 UTC
D ns1.niner.net 159.203.0.217 2024-04-29 11:53:55 UTC
D ns1.niner.net 2604:a880:cad:d0::6813:4001 2024-04-29 11:53:55 UTC
D ns2.niner.net 159.203.55.78 2024-04-29 11:53:55 UTC

Crypto Services Discovered

Below we list all of the machines detected. For each machine, we list the cryptographic services found. For each service, we give the reasons behind the grading. To see the full details of the cryptography offered by a service, click on "show details".

weneedafence.ca

IP address 173.255.231.250
Last scan 2024-04-29 11:53:54 UTC
TLS FTP (port 21)
Rules applicable 17
Score D
Rules per grade A 6, A! 1, B 0, C 7, D 3, F 0
SSH (port 22)
Rules applicable 0
Score A
Rules per grade A 0, A! 0, B 0, C 0, D 0, F 0
TLS HTTP (port 443)
Rules applicable 17
Score D
Rules per grade A 7, A! 2, B 1, C 5, D 2, F 0

TLS (port 21 – FTP)

Versions TLS 1.0, TLS 1.1, TLS 1.2
Fallback SCSV Supported
Ciphers
  • TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_SEED_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_ECDHE_RSA_WITH_RC4_128_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDH_anon_WITH_AES_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDH_anon_WITH_AES_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDH_anon_WITH_RC4_128_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_IDEA_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_RC4_128_MD5 TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_RC4_128_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_SEED_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
Cipher order Client
Compression
  • NULL TLS 1.0, TLS 1.1, TLS 1.2
Certificate key RSA 2048-bit
Hash algorithm SHA-256
Diffie-Hellman
  • Group (Postfix 2048-bit)
  • Generator: 0x5
Certificate start date 2024-01-15 00:00:00 UTC
Certificate expiration date 2025-01-15 23:59:59 UTC
Certificate serial number 6641180403045079872233749531306882564
Certificate issuer CN=RapidSSL TLS RSA CA G1,OU=www.digicert.com,O=DigiCert Inc,C=US
Certificate subject CN=*.niner.net
Certificate SANs
  • *.niner.net
  • niner.net
D – Broken cryptography

R4: Avoid SSLv2, SSLv3, TLS 1.0 and TLS 1.1
Trigger TLS 1.0, TLS 1.1 among the protocols offered by TLS server.
Context Recommendation R4 (ANSSI recommendations for TLS)

R5: Authenticate the server with a key exchange
Trigger The server supports anonymous cipher suites.
Context Recommendation R5 (ANSSI recommendations for TLS)

R28: Present an appropriate ExtendedKeyUsage
Trigger The ExtendedKeyUsage extension is marked as non-critical and has the following values: clientAuth, serverAuth.
Context Recommendation R28 (ANSSI recommendations for TLS)

C – Weak cryptography

R6: Always enable perfect forward secrecy (PFS)
Trigger The server supports some cipher suites that do not provide forward secrecy.
Context Recommendation R6 (ANSSI recommendations for TLS)

R7: Exchange keys with ECDHE, or at least DHE
Trigger The server can exchange keys with an algorithm that is neither ECDHE or DHE.
Context Recommendation R7 (ANSSI recommendations for TLS)

R8: Authenticate the server with a certificate
Trigger The server can be authenticated with: none, RSA.
Context Recommendation R8 (ANSSI recommendations for TLS)

R9: Prefer AES or ChaCha20
Trigger The server can encrypt bulk data with a mechanism that is not AES, ChaCha20, Camellia or ARIA.
Context Recommendation R9 (ANSSI recommendations for TLS)

R10: Use an authenticated mode of encryption
Trigger The server can encrypt bulk data with a mechanism that is not GCM or CCM.
Context Recommendation R10 (ANSSI recommendations for TLS)

R11: Use SHA-2 as hashing function
Trigger The server can hash data with a hash function that is not of the SHA-2 family.
Context Recommendation R11 (ANSSI recommendations for TLS)

R13: Prefer server order of cipher suites
Trigger Client order is preferred.
Context Recommendation R13 (ANSSI recommendations for TLS)

A! – Borderline Compliance Warnings

R3: Prefer TLS 1.3 and accept TLS 1.2
Trigger TLS 1.2 supported by the server.
Context Recommendation R3 (ANSSI recommendations for TLS)

A – Passed

R19: Don't use TLS compression
Trigger This service supports the following compression algorithms: NULL.
Context Recommendation R19 (ANSSI recommendations for TLS)

R24: Present a certificate signed with SHA-2
Trigger The certificate is signed with SHA-2
Context Recommendation R24 (ANSSI recommendations for TLS)

R25: Present a certificate valid for 3 years (825 days) or less
Trigger The expiration date of this certificate is 2025-01-15 23:59:59 UTC.
Context Recommendation R25 (ANSSI recommendations for TLS)

R26: Use keys of sufficient length
Trigger The certificate's RSA key has a length of 2048 bits and an exponent of 65537.
Context Recommendation R26 (ANSSI recommendations for TLS)

R27: Present an appropriate KeyUsage
Trigger The KeyUsage extension is marked as critical and has the following values: keyEncipherment, digitalSignature
Context Recommendation R27 (ANSSI recommendations for TLS)

R33: Present a certificate with revocation sources
Trigger Both CRLDP and AIA extensions are present and marked as non-critical.
Context Recommendation R33 (ANSSI recommendations for TLS)

SSH (port 22)

Version string SSH-2.0-OpenSSH_7.4
Encryption algorithms
  • 3des-cbc
  • aes128-cbc
  • aes128-ctr
  • aes128-gcm@openssh.com
  • aes192-cbc
  • aes192-ctr
  • aes256-cbc
  • aes256-ctr
  • aes256-gcm@openssh.com
  • blowfish-cbc
  • cast128-cbc
  • chacha20-poly1305@openssh.com
Compression algorithms
  • none
  • zlib@openssh.com
MAC algorithms
  • hmac-sha1
  • hmac-sha1-etm@openssh.com
  • hmac-sha2-256
  • hmac-sha2-256-etm@openssh.com
  • hmac-sha2-512
  • hmac-sha2-512-etm@openssh.com
  • umac-128-etm@openssh.com
  • umac-128@openssh.com
  • umac-64-etm@openssh.com
  • umac-64@openssh.com
Server host key algorithms
  • ecdsa-sha2-nistp256
  • rsa-sha2-256
  • rsa-sha2-512
  • ssh-ed25519
  • ssh-rsa
Key exchange algorithms
  • curve25519-sha256
  • curve25519-sha256@libssh.org
  • diffie-hellman-group-exchange-sha1
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group1-sha1
  • diffie-hellman-group14-sha1
  • diffie-hellman-group14-sha256
  • diffie-hellman-group16-sha512
  • diffie-hellman-group18-sha512
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
Server keys
ECDSA secp256r1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN0tuooyTmop1SMOlpgFZUq+7TUEo3f1zcNrHYjaze44DhysbFSGUKT86BBZS0pGDyjgI2kMCWV7mWaOP+EJa90=
Ed25519 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAION+OpWD39dI5deAPtpVjg9qK/2Tk2EXT/6Ji+SxG0R7
RSA 2048-bit ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwcgm8X7SHrAxa2OyjW/YSlw4G/pkxuGjVlELA84hsKCr3TQBp6tseILcsRX8lfF95AN/uP26Fh7ForuG2eafqJ8J9KWXlshqnGf4ddGhEGWRyN2wzRo0zQF9eNbaYS+LGFG0r0Jthy2BGcm20HGQ2SHE0XPRDUkOy/G5mTZYb29sTZ2GbbfT8h9HfWzICytERv/6uP1L0vS86+JorweiAisdZLtf6Pv+dH5uTIa6qgWKb8YFFTKFT5YDmkFHIAa5XIkkJfhUbcGTOwvmH6U4ZdKmOPqOAXAytWjoxuZLjl9j/eW/I0fl8tshPttVRZA80Zmm12Gzvwx4Btc4dgg0v

TLS (port 443 – HTTP)

Versions SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
Fallback SCSV Supported
Ciphers
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
Cipher order Client
Compression
  • NULL SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
Certificate key RSA 2048-bit
Hash algorithm SHA-256
Diffie-Hellman
  • Group (2048-bit MODP from RFC 3526): 0xffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024e088a67cc74020bbea63b139b22514a08798e3404ddef9519b3cd3a431b302b0a6df25f14374fe1356d6d51c245e485b576625e7ec6f44c42e9a637ed6b0bff5cb6f406b7edee386bfb5a899fa5ae9f24117c4b1fe649286651ece45b3dc2007cb8a163bf0598da48361c55d39a69163fa8fd24cf5f83655d23dca3ad961c62f356208552bb9ed529077096966d670c354e4abc9804f1746c08ca18217c32905e462e36ce3be39e772c180e86039b2783a2ec07a28fb5c55df06f4c52c9de2bcbf6955817183995497cea956ae515d2261898fa051015728e5a8aacaa68ffffffffffffffff
  • Generator: 0x2
Certificate start date 2024-01-15 00:00:00 UTC
Certificate expiration date 2025-01-15 23:59:59 UTC
Certificate serial number 6641180403045079872233749531306882564
Certificate issuer CN=RapidSSL TLS RSA CA G1,OU=www.digicert.com,O=DigiCert Inc,C=US
Certificate subject CN=*.niner.net
Certificate SANs
  • *.niner.net
  • niner.net
D – Broken cryptography

R4: Avoid SSLv2, SSLv3, TLS 1.0 and TLS 1.1
Trigger TLS 1.0, SSL 3.0, TLS 1.1 among the protocols offered by TLS server.
Context Recommendation R4 (ANSSI recommendations for TLS)

R28: Present an appropriate ExtendedKeyUsage
Trigger The ExtendedKeyUsage extension is marked as non-critical and has the following values: clientAuth, serverAuth.
Context Recommendation R28 (ANSSI recommendations for TLS)

C – Weak cryptography

R6: Always enable perfect forward secrecy (PFS)
Trigger The server supports some cipher suites that do not provide forward secrecy.
Context Recommendation R6 (ANSSI recommendations for TLS)

R7: Exchange keys with ECDHE, or at least DHE
Trigger The server can exchange keys with an algorithm that is neither ECDHE or DHE.
Context Recommendation R7 (ANSSI recommendations for TLS)

R10: Use an authenticated mode of encryption
Trigger The server can encrypt bulk data with a mechanism that is not GCM or CCM.
Context Recommendation R10 (ANSSI recommendations for TLS)

R11: Use SHA-2 as hashing function
Trigger The server can hash data with a hash function that is not of the SHA-2 family.
Context Recommendation R11 (ANSSI recommendations for TLS)

R13: Prefer server order of cipher suites
Trigger Client order is preferred.
Context Recommendation R13 (ANSSI recommendations for TLS)

B – Warnings

R9: Prefer AES or ChaCha20
Trigger The server can encrypt bulk data with Camellia or ARIA.
Context Recommendation R9 (ANSSI recommendations for TLS)

A! – Borderline Compliance Warnings

R3: Prefer TLS 1.3 and accept TLS 1.2
Trigger TLS 1.2 supported by the server.
Context Recommendation R3 (ANSSI recommendations for TLS)

R8: Authenticate the server with a certificate
Trigger The server can be authenticated with: RSA.
Context Recommendation R8 (ANSSI recommendations for TLS)

A – Passed

R5: Authenticate the server with a key exchange
Trigger The server doesn't support any anonymous cipher suite.
Context Recommendation R5 (ANSSI recommendations for TLS)

R19: Don't use TLS compression
Trigger This service supports the following compression algorithms: NULL.
Context Recommendation R19 (ANSSI recommendations for TLS)

R24: Present a certificate signed with SHA-2
Trigger The certificate is signed with SHA-2
Context Recommendation R24 (ANSSI recommendations for TLS)

R25: Present a certificate valid for 3 years (825 days) or less
Trigger The expiration date of this certificate is 2025-01-15 23:59:59 UTC.
Context Recommendation R25 (ANSSI recommendations for TLS)

R26: Use keys of sufficient length
Trigger The certificate's RSA key has a length of 2048 bits and an exponent of 65537.
Context Recommendation R26 (ANSSI recommendations for TLS)

R27: Present an appropriate KeyUsage
Trigger The KeyUsage extension is marked as critical and has the following values: keyEncipherment, digitalSignature
Context Recommendation R27 (ANSSI recommendations for TLS)

R33: Present a certificate with revocation sources
Trigger Both CRLDP and AIA extensions are present and marked as non-critical.
Context Recommendation R33 (ANSSI recommendations for TLS)

weneedafence.ca

IP address 2600:3c03::f03c:91ff:fe08:94f3
Last scan 2024-04-29 11:53:54 UTC
TLS FTP (port 21)
Rules applicable 17
Score D
Rules per grade A 6, A! 1, B 0, C 7, D 3, F 0
SSH (port 22)
Rules applicable 0
Score A
Rules per grade A 0, A! 0, B 0, C 0, D 0, F 0
TLS HTTP (port 443)
Rules applicable 17
Score D
Rules per grade A 7, A! 2, B 1, C 5, D 2, F 0

TLS (port 21 – FTP)

Versions TLS 1.0, TLS 1.1, TLS 1.2
Fallback SCSV Supported
Ciphers
  • TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_SEED_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_ECDHE_RSA_WITH_RC4_128_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDH_anon_WITH_AES_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDH_anon_WITH_AES_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDH_anon_WITH_RC4_128_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_IDEA_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_RC4_128_MD5 TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_RC4_128_SHA TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_SEED_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
Cipher order Client
Compression
  • NULL TLS 1.0, TLS 1.1, TLS 1.2
Certificate key RSA 2048-bit
Hash algorithm SHA-256
Diffie-Hellman
  • Group (Postfix 2048-bit)
  • Generator: 0x5
Certificate start date 2024-01-15 00:00:00 UTC
Certificate expiration date 2025-01-15 23:59:59 UTC
Certificate serial number 6641180403045079872233749531306882564
Certificate issuer CN=RapidSSL TLS RSA CA G1,OU=www.digicert.com,O=DigiCert Inc,C=US
Certificate subject CN=*.niner.net
Certificate SANs
  • *.niner.net
  • niner.net
D – Broken cryptography

R4: Avoid SSLv2, SSLv3, TLS 1.0 and TLS 1.1
Trigger TLS 1.0, TLS 1.1 among the protocols offered by TLS server.
Context Recommendation R4 (ANSSI recommendations for TLS)

R5: Authenticate the server with a key exchange
Trigger The server supports anonymous cipher suites.
Context Recommendation R5 (ANSSI recommendations for TLS)

R28: Present an appropriate ExtendedKeyUsage
Trigger The ExtendedKeyUsage extension is marked as non-critical and has the following values: clientAuth, serverAuth.
Context Recommendation R28 (ANSSI recommendations for TLS)

C – Weak cryptography

R6: Always enable perfect forward secrecy (PFS)
Trigger The server supports some cipher suites that do not provide forward secrecy.
Context Recommendation R6 (ANSSI recommendations for TLS)

R7: Exchange keys with ECDHE, or at least DHE
Trigger The server can exchange keys with an algorithm that is neither ECDHE or DHE.
Context Recommendation R7 (ANSSI recommendations for TLS)

R8: Authenticate the server with a certificate
Trigger The server can be authenticated with: none, RSA.
Context Recommendation R8 (ANSSI recommendations for TLS)

R9: Prefer AES or ChaCha20
Trigger The server can encrypt bulk data with a mechanism that is not AES, ChaCha20, Camellia or ARIA.
Context Recommendation R9 (ANSSI recommendations for TLS)

R10: Use an authenticated mode of encryption
Trigger The server can encrypt bulk data with a mechanism that is not GCM or CCM.
Context Recommendation R10 (ANSSI recommendations for TLS)

R11: Use SHA-2 as hashing function
Trigger The server can hash data with a hash function that is not of the SHA-2 family.
Context Recommendation R11 (ANSSI recommendations for TLS)

R13: Prefer server order of cipher suites
Trigger Client order is preferred.
Context Recommendation R13 (ANSSI recommendations for TLS)

A! – Borderline Compliance Warnings

R3: Prefer TLS 1.3 and accept TLS 1.2
Trigger TLS 1.2 supported by the server.
Context Recommendation R3 (ANSSI recommendations for TLS)

A – Passed

R19: Don't use TLS compression
Trigger This service supports the following compression algorithms: NULL.
Context Recommendation R19 (ANSSI recommendations for TLS)

R24: Present a certificate signed with SHA-2
Trigger The certificate is signed with SHA-2
Context Recommendation R24 (ANSSI recommendations for TLS)

R25: Present a certificate valid for 3 years (825 days) or less
Trigger The expiration date of this certificate is 2025-01-15 23:59:59 UTC.
Context Recommendation R25 (ANSSI recommendations for TLS)

R26: Use keys of sufficient length
Trigger The certificate's RSA key has a length of 2048 bits and an exponent of 65537.
Context Recommendation R26 (ANSSI recommendations for TLS)

R27: Present an appropriate KeyUsage
Trigger The KeyUsage extension is marked as critical and has the following values: keyEncipherment, digitalSignature
Context Recommendation R27 (ANSSI recommendations for TLS)

R33: Present a certificate with revocation sources
Trigger Both CRLDP and AIA extensions are present and marked as non-critical.
Context Recommendation R33 (ANSSI recommendations for TLS)

SSH (port 22)

Version string SSH-2.0-OpenSSH_7.4
Encryption algorithms
  • 3des-cbc
  • aes128-cbc
  • aes128-ctr
  • aes128-gcm@openssh.com
  • aes192-cbc
  • aes192-ctr
  • aes256-cbc
  • aes256-ctr
  • aes256-gcm@openssh.com
  • blowfish-cbc
  • cast128-cbc
  • chacha20-poly1305@openssh.com
Compression algorithms
  • none
  • zlib@openssh.com
MAC algorithms
  • hmac-sha1
  • hmac-sha1-etm@openssh.com
  • hmac-sha2-256
  • hmac-sha2-256-etm@openssh.com
  • hmac-sha2-512
  • hmac-sha2-512-etm@openssh.com
  • umac-128-etm@openssh.com
  • umac-128@openssh.com
  • umac-64-etm@openssh.com
  • umac-64@openssh.com
Server host key algorithms
  • ecdsa-sha2-nistp256
  • rsa-sha2-256
  • rsa-sha2-512
  • ssh-ed25519
  • ssh-rsa
Key exchange algorithms
  • curve25519-sha256
  • curve25519-sha256@libssh.org
  • diffie-hellman-group-exchange-sha1
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group1-sha1
  • diffie-hellman-group14-sha1
  • diffie-hellman-group14-sha256
  • diffie-hellman-group16-sha512
  • diffie-hellman-group18-sha512
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
Server keys
ECDSA secp256r1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN0tuooyTmop1SMOlpgFZUq+7TUEo3f1zcNrHYjaze44DhysbFSGUKT86BBZS0pGDyjgI2kMCWV7mWaOP+EJa90=
Ed25519 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAION+OpWD39dI5deAPtpVjg9qK/2Tk2EXT/6Ji+SxG0R7
RSA 2048-bit ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwcgm8X7SHrAxa2OyjW/YSlw4G/pkxuGjVlELA84hsKCr3TQBp6tseILcsRX8lfF95AN/uP26Fh7ForuG2eafqJ8J9KWXlshqnGf4ddGhEGWRyN2wzRo0zQF9eNbaYS+LGFG0r0Jthy2BGcm20HGQ2SHE0XPRDUkOy/G5mTZYb29sTZ2GbbfT8h9HfWzICytERv/6uP1L0vS86+JorweiAisdZLtf6Pv+dH5uTIa6qgWKb8YFFTKFT5YDmkFHIAa5XIkkJfhUbcGTOwvmH6U4ZdKmOPqOAXAytWjoxuZLjl9j/eW/I0fl8tshPttVRZA80Zmm12Gzvwx4Btc4dgg0v

TLS (port 443 – HTTP)

Versions SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
Fallback SCSV Supported
Ciphers
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
Cipher order Client
Compression
  • NULL SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
Certificate key RSA 2048-bit
Hash algorithm SHA-256
Diffie-Hellman
  • Group (2048-bit MODP from RFC 3526): 0xffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024e088a67cc74020bbea63b139b22514a08798e3404ddef9519b3cd3a431b302b0a6df25f14374fe1356d6d51c245e485b576625e7ec6f44c42e9a637ed6b0bff5cb6f406b7edee386bfb5a899fa5ae9f24117c4b1fe649286651ece45b3dc2007cb8a163bf0598da48361c55d39a69163fa8fd24cf5f83655d23dca3ad961c62f356208552bb9ed529077096966d670c354e4abc9804f1746c08ca18217c32905e462e36ce3be39e772c180e86039b2783a2ec07a28fb5c55df06f4c52c9de2bcbf6955817183995497cea956ae515d2261898fa051015728e5a8aacaa68ffffffffffffffff
  • Generator: 0x2
Certificate start date 2024-01-15 00:00:00 UTC
Certificate expiration date 2025-01-15 23:59:59 UTC
Certificate serial number 6641180403045079872233749531306882564
Certificate issuer CN=RapidSSL TLS RSA CA G1,OU=www.digicert.com,O=DigiCert Inc,C=US
Certificate subject CN=*.niner.net
Certificate SANs
  • *.niner.net
  • niner.net
D – Broken cryptography

R4: Avoid SSLv2, SSLv3, TLS 1.0 and TLS 1.1
Trigger TLS 1.0, SSL 3.0, TLS 1.1 among the protocols offered by TLS server.
Context Recommendation R4 (ANSSI recommendations for TLS)

R28: Present an appropriate ExtendedKeyUsage
Trigger The ExtendedKeyUsage extension is marked as non-critical and has the following values: clientAuth, serverAuth.
Context Recommendation R28 (ANSSI recommendations for TLS)

C – Weak cryptography

R6: Always enable perfect forward secrecy (PFS)
Trigger The server supports some cipher suites that do not provide forward secrecy.
Context Recommendation R6 (ANSSI recommendations for TLS)

R7: Exchange keys with ECDHE, or at least DHE
Trigger The server can exchange keys with an algorithm that is neither ECDHE or DHE.
Context Recommendation R7 (ANSSI recommendations for TLS)

R10: Use an authenticated mode of encryption
Trigger The server can encrypt bulk data with a mechanism that is not GCM or CCM.
Context Recommendation R10 (ANSSI recommendations for TLS)

R11: Use SHA-2 as hashing function
Trigger The server can hash data with a hash function that is not of the SHA-2 family.
Context Recommendation R11 (ANSSI recommendations for TLS)

R13: Prefer server order of cipher suites
Trigger Client order is preferred.
Context Recommendation R13 (ANSSI recommendations for TLS)

B – Warnings

R9: Prefer AES or ChaCha20
Trigger The server can encrypt bulk data with Camellia or ARIA.
Context Recommendation R9 (ANSSI recommendations for TLS)

A! – Borderline Compliance Warnings

R3: Prefer TLS 1.3 and accept TLS 1.2
Trigger TLS 1.2 supported by the server.
Context Recommendation R3 (ANSSI recommendations for TLS)

R8: Authenticate the server with a certificate
Trigger The server can be authenticated with: RSA.
Context Recommendation R8 (ANSSI recommendations for TLS)

A – Passed

R5: Authenticate the server with a key exchange
Trigger The server doesn't support any anonymous cipher suite.
Context Recommendation R5 (ANSSI recommendations for TLS)

R19: Don't use TLS compression
Trigger This service supports the following compression algorithms: NULL.
Context Recommendation R19 (ANSSI recommendations for TLS)

R24: Present a certificate signed with SHA-2
Trigger The certificate is signed with SHA-2
Context Recommendation R24 (ANSSI recommendations for TLS)

R25: Present a certificate valid for 3 years (825 days) or less
Trigger The expiration date of this certificate is 2025-01-15 23:59:59 UTC.
Context Recommendation R25 (ANSSI recommendations for TLS)

R26: Use keys of sufficient length
Trigger The certificate's RSA key has a length of 2048 bits and an exponent of 65537.
Context Recommendation R26 (ANSSI recommendations for TLS)

R27: Present an appropriate KeyUsage
Trigger The KeyUsage extension is marked as critical and has the following values: keyEncipherment, digitalSignature
Context Recommendation R27 (ANSSI recommendations for TLS)

R33: Present a certificate with revocation sources
Trigger Both CRLDP and AIA extensions are present and marked as non-critical.
Context Recommendation R33 (ANSSI recommendations for TLS)

mx.niner.net

IP address 178.62.195.26
Last scan 2024-04-29 11:53:55 UTC
SSH (port 22)
Rules applicable 0
Score A
Rules per grade A 0, A! 0, B 0, C 0, D 0, F 0

SSH (port 22)

Version string SSH-2.0-OpenSSH_7.4
Encryption algorithms
  • 3des-cbc
  • aes128-cbc
  • aes128-ctr
  • aes128-gcm@openssh.com
  • aes192-cbc
  • aes192-ctr
  • aes256-cbc
  • aes256-ctr
  • aes256-gcm@openssh.com
  • blowfish-cbc
  • cast128-cbc
  • chacha20-poly1305@openssh.com
Compression algorithms
  • none
  • zlib@openssh.com
MAC algorithms
  • hmac-sha1
  • hmac-sha1-etm@openssh.com
  • hmac-sha2-256
  • hmac-sha2-256-etm@openssh.com
  • hmac-sha2-512
  • hmac-sha2-512-etm@openssh.com
  • umac-128-etm@openssh.com
  • umac-128@openssh.com
  • umac-64-etm@openssh.com
  • umac-64@openssh.com
Server host key algorithms
  • ecdsa-sha2-nistp256
  • rsa-sha2-256
  • rsa-sha2-512
  • ssh-ed25519
  • ssh-rsa
Key exchange algorithms
  • curve25519-sha256
  • curve25519-sha256@libssh.org
  • diffie-hellman-group-exchange-sha1
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group1-sha1
  • diffie-hellman-group14-sha1
  • diffie-hellman-group14-sha256
  • diffie-hellman-group16-sha512
  • diffie-hellman-group18-sha512
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
Server keys
ECDSA secp256r1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHYYd+kBO6jwjLNoj3TAQSFYJYz86NtX6L3QcipDf3BFGbPitRMsi0eNzil1FSCqwMIB9R/JcRszjwxBxYzSjLc=
Ed25519 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAO6YHy4s5QEufeo5VbXfDKtyHVuAkiYn4lJifWdUtoA
RSA 2048-bit ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDHPJDW8jaJw9GWogXC8gmYDdLGcOw+tGwZ7R6i+uonoGdP4IRI85Gm80zVtD1L2w3iMM2Lzq0Zdlg4Ck2WzEKmpoUISq3Hl+3c5TAmY8/ixiFxiRFtZ2wWenZp8rK+BFxKfRmOZN3nJJeBhI6eAcWCMaaSyS2I8BV/oSXM1/oi4S3RGd9GTCUUwP1gBJsxxd8qqBCHXMNT7jtLTUtakIlnANDLmfP/kzJ/U0LFw3WlWb5FJOhncfQf+fCbukuFbbBMYRQ8qjXHepH+aGxTIVhnizki5r0wEWuGWv8QP+9N9wUL5aTOeU9gquNVrK57C42icje4h9ujGLRgh+9t8TT

ns1.niner.net

IP address 159.203.0.217
Last scan 2024-04-29 11:53:55 UTC
SSH (port 22)
Rules applicable 0
Score A
Rules per grade A 0, A! 0, B 0, C 0, D 0, F 0
TLS HTTP (port 443)
Rules applicable 17
Score D
Rules per grade A 7, A! 2, B 0, C 6, D 2, F 0

SSH (port 22)

Version string SSH-2.0-OpenSSH_7.4
Encryption algorithms
  • 3des-cbc
  • aes128-cbc
  • aes128-ctr
  • aes128-gcm@openssh.com
  • aes192-cbc
  • aes192-ctr
  • aes256-cbc
  • aes256-ctr
  • aes256-gcm@openssh.com
  • blowfish-cbc
  • cast128-cbc
  • chacha20-poly1305@openssh.com
Compression algorithms
  • none
  • zlib@openssh.com
MAC algorithms
  • hmac-sha1
  • hmac-sha1-etm@openssh.com
  • hmac-sha2-256
  • hmac-sha2-256-etm@openssh.com
  • hmac-sha2-512
  • hmac-sha2-512-etm@openssh.com
  • umac-128-etm@openssh.com
  • umac-128@openssh.com
  • umac-64-etm@openssh.com
  • umac-64@openssh.com
Server host key algorithms
  • ecdsa-sha2-nistp256
  • rsa-sha2-256
  • rsa-sha2-512
  • ssh-ed25519
  • ssh-rsa
Key exchange algorithms
  • curve25519-sha256
  • curve25519-sha256@libssh.org
  • diffie-hellman-group-exchange-sha1
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group1-sha1
  • diffie-hellman-group14-sha1
  • diffie-hellman-group14-sha256
  • diffie-hellman-group16-sha512
  • diffie-hellman-group18-sha512
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
Server keys
ECDSA secp256r1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHHbPHnJjHn7qSYZv0iDxXxCgGOCaTopbLVB6MpCLCygT3KMcYEJUYCRU+U3mrez03eXgKM4jsFUiqJKaqO0UO4=
Ed25519 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKWJRjQ5AbCkXVk1zPPhvHKnzZdrMfCF9XbXPHecv+zg
RSA 2048-bit ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSlxXWaY1TubE61mcktR+Wo32EMGG8M5ADLgBTNZIZQLi2idMBjhpEZ9I7jrndSVoXUPmd2GAW20i236oGoSw7kmlgMF6XxrUaQ0MO/iMZ00k3Xlvj3EPWm6/h2g9QrzDwmd1pjyJYsn28KpoMj5pkZQK7XKc/BTwec7P/LcwCpqy7IvRYgRPMxbHa8XSYheBeHn8bPKdVWT/DtzeNO04ROSwiK3XMoq34fZLkFAd/vyje+yLxek8XUmiJGVYnUAY4WnmHPxcCvkCLB36DGvjPXHx/BRTQJBIvVAIuOfS0979yfNb43XGeeQQbH1nLDdvKr0IWwC4DoQbjEn3tyETR

TLS (port 443 – HTTP)

Versions SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
Fallback SCSV Supported
Ciphers
  • TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_ECDHE_RSA_WITH_RC4_128_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_RC4_128_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
Cipher order Client
Compression
  • NULL SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
Certificate key RSA 2048-bit
Hash algorithm SHA-256
Diffie-Hellman
  • Group (2048-bit MODP from RFC 3526)
  • Generator: 0x2
Certificate start date 2024-01-15 00:00:00 UTC
Certificate expiration date 2025-01-15 23:59:59 UTC
Certificate serial number 6641180403045079872233749531306882564
Certificate issuer CN=RapidSSL TLS RSA CA G1,OU=www.digicert.com,O=DigiCert Inc,C=US
Certificate subject CN=*.niner.net
Certificate SANs
  • *.niner.net
  • niner.net
Grade D: Broken cryptography

R4: Avoid SSLv2, SSLv3, TLS 1.0 and TLS 1.1
Trigger TLS 1.0, SSL 3.0, TLS 1.1 among the protocols offered by TLS server.
Context Recommendation R4 (ANSSI recommendations for TLS)

R28: Present an appropriate ExtendedKeyUsage
Trigger The ExtendedKeyUsage extension is marked as non-critical and has the following values: clientAuth, serverAuth.
Context Recommendation R28 (ANSSI recommendations for TLS)

Grade C: Weak cryptography

R6: Always enable perfect forward secrecy (PFS)
Trigger The server supports some cipher suites that do not provide forward secrecy.
Context Recommendation R6 (ANSSI recommendations for TLS)

R7: Exchange keys with ECDHE, or at least DHE
Trigger The server can exchange keys with an algorithm that is neither ECDHE nor DHE.
Context Recommendation R7 (ANSSI recommendations for TLS)

R9: Prefer AES or ChaCha20
Trigger The server can encrypt bulk data with a mechanism that is not AES, ChaCha20, Camellia or ARIA.
Context Recommendation R9 (ANSSI recommendations for TLS)

R10: Use an authenticated mode of encryption
Trigger The server can encrypt bulk data with a mechanism that is not GCM or CCM.
Context Recommendation R10 (ANSSI recommendations for TLS)

R11: Use SHA-2 as hashing function
Trigger The server can hash data with a hash function that is not of the SHA-2 family.
Context Recommendation R11 (ANSSI recommendations for TLS)

R13: Prefer server order of cipher suites
Trigger Client order is preferred.
Context Recommendation R13 (ANSSI recommendations for TLS)

Grade A!: Borderline Compliance Warnings

R3: Prefer TLS 1.3 and accept TLS 1.2
Trigger TLS 1.2 supported by the server.
Context Recommendation R3 (ANSSI recommendations for TLS)

R8: Authenticate the server with a certificate
Trigger The server can be authenticated with: RSA.
Context Recommendation R8 (ANSSI recommendations for TLS)

Grade A: Passed

R5: Authenticate the server with a key exchange
Trigger The server doesn't support any anonymous cipher suite.
Context Recommendation R5 (ANSSI recommendations for TLS)

R19: Don't use TLS compression
Trigger This service supports the following compression algorithms: NULL.
Context Recommendation R19 (ANSSI recommendations for TLS)

R24: Present a certificate signed with SHA-2
Trigger The certificate is signed with SHA-2
Context Recommendation R24 (ANSSI recommendations for TLS)

R25: Present a certificate valid for 3 years (825 days) or less
Trigger The expiration date of this certificate is 2025-01-15 23:59:59 UTC.
Context Recommendation R25 (ANSSI recommendations for TLS)

R26: Use keys of sufficient length
Trigger The certificate's RSA key has a length of 2048 bits and an exponent of 65537.
Context Recommendation R26 (ANSSI recommendations for TLS)

R27: Present an appropriate KeyUsage
Trigger The KeyUsage extension is marked as critical and has the following values: keyEncipherment, digitalSignature
Context Recommendation R27 (ANSSI recommendations for TLS)

R33: Present a certificate with revocation sources
Trigger Both CRLDP and AIA extensions are present and marked as non-critical.
Context Recommendation R33 (ANSSI recommendations for TLS)

ns1.niner.net

IP address 2604:a880:cad:d0::6813:4001
Last scan 2024-04-29 11:53:55 UTC
SSH (port 22): grade A, rules applicable 0
  A: 0, A!: 0, B: 0, C: 0, D: 0, F: 0
TLS HTTP (port 443): grade D, rules applicable 17
  A: 7, A!: 2, B: 0, C: 6, D: 2, F: 0

SSH (port 22)

Version string SSH-2.0-OpenSSH_7.4
Encryption algorithms
  • 3des-cbc
  • aes128-cbc
  • aes128-ctr
  • aes128-gcm@openssh.com
  • aes192-cbc
  • aes192-ctr
  • aes256-cbc
  • aes256-ctr
  • aes256-gcm@openssh.com
  • blowfish-cbc
  • cast128-cbc
  • chacha20-poly1305@openssh.com
Compression algorithms
  • none
  • zlib@openssh.com
MAC algorithms
  • hmac-sha1
  • hmac-sha1-etm@openssh.com
  • hmac-sha2-256
  • hmac-sha2-256-etm@openssh.com
  • hmac-sha2-512
  • hmac-sha2-512-etm@openssh.com
  • umac-128-etm@openssh.com
  • umac-128@openssh.com
  • umac-64-etm@openssh.com
  • umac-64@openssh.com
Server host key algorithms
  • ecdsa-sha2-nistp256
  • rsa-sha2-256
  • rsa-sha2-512
  • ssh-ed25519
  • ssh-rsa
Key exchange algorithms
  • curve25519-sha256
  • curve25519-sha256@libssh.org
  • diffie-hellman-group-exchange-sha1
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group1-sha1
  • diffie-hellman-group14-sha1
  • diffie-hellman-group14-sha256
  • diffie-hellman-group16-sha512
  • diffie-hellman-group18-sha512
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
Server keys
ECDSA secp256r1 ecdsa-sha2-nistp256
Ed25519 ssh-ed25519
RSA 2048-bit ssh-rsa

TLS (port 443 – HTTP)

Versions SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
Fallback SCSV Supported
Ciphers
  • TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_ECDHE_RSA_WITH_RC4_128_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_RC4_128_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
Cipher order Client
Compression
  • NULL SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
Certificate key RSA 2048-bit
Hash algorithm SHA-256
Diffie-Hellman
  • Group (2048-bit MODP from RFC 3526)
  • Generator: 0x2
Certificate start date 2024-01-15 00:00:00 UTC
Certificate expiration date 2025-01-15 23:59:59 UTC
Certificate serial number 6641180403045079872233749531306882564
Certificate issuer CN=RapidSSL TLS RSA CA G1,OU=www.digicert.com,O=DigiCert Inc,C=US
Certificate subject CN=*.niner.net
Certificate SANs
  • *.niner.net
  • niner.net
Grade D: Broken cryptography

R4: Avoid SSLv2, SSLv3, TLS 1.0 and TLS 1.1
Trigger TLS 1.0, SSL 3.0, TLS 1.1 among the protocols offered by TLS server.
Context Recommendation R4 (ANSSI recommendations for TLS)

R28: Present an appropriate ExtendedKeyUsage
Trigger The ExtendedKeyUsage extension is marked as non-critical and has the following values: clientAuth, serverAuth.
Context Recommendation R28 (ANSSI recommendations for TLS)

Grade C: Weak cryptography

R6: Always enable perfect forward secrecy (PFS)
Trigger The server supports some cipher suites that do not provide forward secrecy.
Context Recommendation R6 (ANSSI recommendations for TLS)

R7: Exchange keys with ECDHE, or at least DHE
Trigger The server can exchange keys with an algorithm that is neither ECDHE nor DHE.
Context Recommendation R7 (ANSSI recommendations for TLS)

R9: Prefer AES or ChaCha20
Trigger The server can encrypt bulk data with a mechanism that is not AES, ChaCha20, Camellia or ARIA.
Context Recommendation R9 (ANSSI recommendations for TLS)

R10: Use an authenticated mode of encryption
Trigger The server can encrypt bulk data with a mechanism that is not GCM or CCM.
Context Recommendation R10 (ANSSI recommendations for TLS)

R11: Use SHA-2 as hashing function
Trigger The server can hash data with a hash function that is not of the SHA-2 family.
Context Recommendation R11 (ANSSI recommendations for TLS)

R13: Prefer server order of cipher suites
Trigger Client order is preferred.
Context Recommendation R13 (ANSSI recommendations for TLS)

Grade A!: Borderline Compliance Warnings

R3: Prefer TLS 1.3 and accept TLS 1.2
Trigger TLS 1.2 supported by the server.
Context Recommendation R3 (ANSSI recommendations for TLS)

R8: Authenticate the server with a certificate
Trigger The server can be authenticated with: RSA.
Context Recommendation R8 (ANSSI recommendations for TLS)

Grade A: Passed

R5: Authenticate the server with a key exchange
Trigger The server doesn't support any anonymous cipher suite.
Context Recommendation R5 (ANSSI recommendations for TLS)

R19: Don't use TLS compression
Trigger This service supports the following compression algorithms: NULL.
Context Recommendation R19 (ANSSI recommendations for TLS)

R24: Present a certificate signed with SHA-2
Trigger The certificate is signed with SHA-2
Context Recommendation R24 (ANSSI recommendations for TLS)

R25: Present a certificate valid for 3 years (825 days) or less
Trigger The expiration date of this certificate is 2025-01-15 23:59:59 UTC.
Context Recommendation R25 (ANSSI recommendations for TLS)

R26: Use keys of sufficient length
Trigger The certificate's RSA key has a length of 2048 bits and an exponent of 65537.
Context Recommendation R26 (ANSSI recommendations for TLS)

R27: Present an appropriate KeyUsage
Trigger The KeyUsage extension is marked as critical and has the following values: keyEncipherment, digitalSignature
Context Recommendation R27 (ANSSI recommendations for TLS)

R33: Present a certificate with revocation sources
Trigger Both CRLDP and AIA extensions are present and marked as non-critical.
Context Recommendation R33 (ANSSI recommendations for TLS)

ns2.niner.net

IP address 159.203.55.78
Last scan 2024-04-29 11:53:55 UTC
SSH (port 22): grade A, rules applicable 0
  A: 0, A!: 0, B: 0, C: 0, D: 0, F: 0
TLS HTTP (port 443): grade D, rules applicable 17
  A: 7, A!: 2, B: 0, C: 6, D: 2, F: 0

SSH (port 22)

Version string SSH-2.0-OpenSSH_7.4
Encryption algorithms
  • 3des-cbc
  • aes128-cbc
  • aes128-ctr
  • aes128-gcm@openssh.com
  • aes192-cbc
  • aes192-ctr
  • aes256-cbc
  • aes256-ctr
  • aes256-gcm@openssh.com
  • blowfish-cbc
  • cast128-cbc
  • chacha20-poly1305@openssh.com
Compression algorithms
  • none
  • zlib@openssh.com
MAC algorithms
  • hmac-sha1
  • hmac-sha1-etm@openssh.com
  • hmac-sha2-256
  • hmac-sha2-256-etm@openssh.com
  • hmac-sha2-512
  • hmac-sha2-512-etm@openssh.com
  • umac-128-etm@openssh.com
  • umac-128@openssh.com
  • umac-64-etm@openssh.com
  • umac-64@openssh.com
Server host key algorithms
  • ecdsa-sha2-nistp256
  • rsa-sha2-256
  • rsa-sha2-512
  • ssh-ed25519
  • ssh-rsa
Key exchange algorithms
  • curve25519-sha256
  • curve25519-sha256@libssh.org
  • diffie-hellman-group-exchange-sha1
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group1-sha1
  • diffie-hellman-group14-sha1
  • diffie-hellman-group14-sha256
  • diffie-hellman-group16-sha512
  • diffie-hellman-group18-sha512
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
Server keys
ECDSA secp256r1 ecdsa-sha2-nistp256
Ed25519 ssh-ed25519
RSA 2048-bit ssh-rsa

TLS (port 443 – HTTP)

Versions SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
Fallback SCSV Supported
Ciphers
  • TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_ECDHE_RSA_WITH_RC4_128_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_AES_256_CBC_SHA256 TLS 1.2
  • TLS_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
  • TLS_RSA_WITH_RC4_128_SHA SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
Cipher order Client
Compression
  • NULL SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
Certificate key RSA 2048-bit
Hash algorithm SHA-256
Diffie-Hellman
  • Group (2048-bit MODP from RFC 3526)
  • Generator: 0x2
Certificate start date 2024-01-15 00:00:00 UTC
Certificate expiration date 2025-01-15 23:59:59 UTC
Certificate serial number 6641180403045079872233749531306882564
Certificate issuer CN=RapidSSL TLS RSA CA G1,OU=www.digicert.com,O=DigiCert Inc,C=US
Certificate subject CN=*.niner.net
Certificate SANs
  • *.niner.net
  • niner.net
Grade D: Broken cryptography

R4: Avoid SSLv2, SSLv3, TLS 1.0 and TLS 1.1
Trigger TLS 1.0, SSL 3.0, TLS 1.1 among the protocols offered by TLS server.
Context Recommendation R4 (ANSSI recommendations for TLS)

R28: Present an appropriate ExtendedKeyUsage
Trigger The ExtendedKeyUsage extension is marked as non-critical and has the following values: clientAuth, serverAuth.
Context Recommendation R28 (ANSSI recommendations for TLS)

Grade C: Weak cryptography

R6: Always enable perfect forward secrecy (PFS)
Trigger The server supports some cipher suites that do not provide forward secrecy.
Context Recommendation R6 (ANSSI recommendations for TLS)

R7: Exchange keys with ECDHE, or at least DHE
Trigger The server can exchange keys with an algorithm that is neither ECDHE nor DHE.
Context Recommendation R7 (ANSSI recommendations for TLS)

R9: Prefer AES or ChaCha20
Trigger The server can encrypt bulk data with a mechanism that is not AES, ChaCha20, Camellia or ARIA.
Context Recommendation R9 (ANSSI recommendations for TLS)

R10: Use an authenticated mode of encryption
Trigger The server can encrypt bulk data with a mechanism that is not GCM or CCM.
Context Recommendation R10 (ANSSI recommendations for TLS)

R11: Use SHA-2 as hashing function
Trigger The server can hash data with a hash function that is not of the SHA-2 family.
Context Recommendation R11 (ANSSI recommendations for TLS)

R13: Prefer server order of cipher suites
Trigger Client order is preferred.
Context Recommendation R13 (ANSSI recommendations for TLS)

Grade A!: Borderline Compliance Warnings

R3: Prefer TLS 1.3 and accept TLS 1.2
Trigger TLS 1.2 supported by the server.
Context Recommendation R3 (ANSSI recommendations for TLS)

R8: Authenticate the server with a certificate
Trigger The server can be authenticated with: RSA.
Context Recommendation R8 (ANSSI recommendations for TLS)

Grade A: Passed

R5: Authenticate the server with a key exchange
Trigger The server doesn't support any anonymous cipher suite.
Context Recommendation R5 (ANSSI recommendations for TLS)

R19: Don't use TLS compression
Trigger This service supports the following compression algorithms: NULL.
Context Recommendation R19 (ANSSI recommendations for TLS)

R24: Present a certificate signed with SHA-2
Trigger The certificate is signed with SHA-2
Context Recommendation R24 (ANSSI recommendations for TLS)

R25: Present a certificate valid for 3 years (825 days) or less
Trigger The expiration date of this certificate is 2025-01-15 23:59:59 UTC.
Context Recommendation R25 (ANSSI recommendations for TLS)

R26: Use keys of sufficient length
Trigger The certificate's RSA key has a length of 2048 bits and an exponent of 65537.
Context Recommendation R26 (ANSSI recommendations for TLS)

R27: Present an appropriate KeyUsage
Trigger The KeyUsage extension is marked as critical and has the following values: keyEncipherment, digitalSignature
Context Recommendation R27 (ANSSI recommendations for TLS)

R33: Present a certificate with revocation sources
Trigger Both CRLDP and AIA extensions are present and marked as non-critical.
Context Recommendation R33 (ANSSI recommendations for TLS)