Closed kyhwana closed 9 years ago
Cipherscan Results
Target: gpg4win.org:443
prio ciphersuite protocols pfs_keysize
1 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,P-256,256bits
2 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH,P-256,256bits
3 ECDHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
4 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 DH,1024bits
5 DHE-RSA-AES256-SHA256 TLSv1.2 DH,1024bits
6 DHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits
7 DHE-RSA-CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits
8 AES256-GCM-SHA384 TLSv1.2
9 AES256-SHA256 TLSv1.2
10 AES256-SHA TLSv1,TLSv1.1,TLSv1.2
11 CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2
12 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-256,256bits
13 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,P-256,256bits
14 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
15 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 DH,1024bits
16 DHE-RSA-AES128-SHA256 TLSv1.2 DH,1024bits
17 DHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits
18 DHE-RSA-CAMELLIA128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits
19 AES128-GCM-SHA256 TLSv1.2
20 AES128-SHA256 TLSv1.2
21 AES128-SHA TLSv1,TLSv1.1,TLSv1.2
22 CAMELLIA128-SHA TLSv1,TLSv1.1,TLSv1.2
23 ECDHE-RSA-RC4-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
24 ECDHE-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
25 EDH-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits
26 DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2
Certificate: UNTRUSTED, 2048 bit, sha1WithRSAEncryption signature
TLS ticket lifetime hint: 300
OCSP stapling: not supported
Client side cipher ordering
Cipherscan Results (Analysis)
gpg4win.org:443 has bad ssl/tls
Things that are bad:
* remove cipher ECDHE-RSA-RC4-SHA
* remove cipher EDH-RSA-DES-CBC3-SHA
* don't use an untrusted or self-signed certificate
Changes needed to match the intermediate level:
* remove cipher ECDHE-RSA-RC4-SHA
* remove cipher ECDHE-RSA-DES-CBC3-SHA
* remove cipher EDH-RSA-DES-CBC3-SHA
* consider using a SHA-256 certificate
* consider using DHE of at least 2048bits and ECC of at least 256bits
* consider enabling OCSP Stapling
* enforce server side ordering
Changes needed to match the modern level:
* remove cipher DHE-RSA-CAMELLIA256-SHA
* remove cipher AES256-GCM-SHA384
* remove cipher AES256-SHA256
* remove cipher AES256-SHA
* remove cipher CAMELLIA256-SHA
* remove cipher DHE-RSA-CAMELLIA128-SHA
* remove cipher AES128-GCM-SHA256
* remove cipher AES128-SHA256
* remove cipher AES128-SHA
* remove cipher CAMELLIA128-SHA
* remove cipher ECDHE-RSA-RC4-SHA
* remove cipher ECDHE-RSA-DES-CBC3-SHA
* remove cipher EDH-RSA-DES-CBC3-SHA
* remove cipher DES-CBC3-SHA
* disable TLSv1
* use a SHA-256 certificate
* use DHE of at least 2048bits and ECC of at least 256bits
* consider enabling OCSP Stapling
* enforce server side ordering
Notified 'intevation@intevation.de' via email, suggested that they fix this and switch to always-on HTTPS for the entire website, which would also include HSTS. Perhaps they will be more receptive than Werner Koch.
No response, no change.
gpg4win.org:443 has bad ssl/tls
Things that are bad:
* remove cipher ECDHE-RSA-RC4-SHA
* remove cipher EDH-RSA-DES-CBC3-SHA
* don't use an untrusted or self-signed certificate
Changes needed to match the intermediate level:
* remove cipher ECDHE-RSA-RC4-SHA
* remove cipher ECDHE-RSA-DES-CBC3-SHA
* remove cipher EDH-RSA-DES-CBC3-SHA
* consider using a SHA-256 certificate
* consider using DHE of at least 2048bits and ECC of at least 256bits
* consider enabling OCSP Stapling
* enforce server side ordering
Changes needed to match the modern level:
* remove cipher DHE-RSA-CAMELLIA256-SHA
* remove cipher AES256-GCM-SHA384
* remove cipher AES256-SHA256
* remove cipher AES256-SHA
* remove cipher CAMELLIA256-SHA
* remove cipher DHE-RSA-CAMELLIA128-SHA
* remove cipher AES128-GCM-SHA256
* remove cipher AES128-SHA256
* remove cipher AES128-SHA
* remove cipher CAMELLIA128-SHA
* remove cipher ECDHE-RSA-RC4-SHA
* remove cipher ECDHE-RSA-DES-CBC3-SHA
* remove cipher EDH-RSA-DES-CBC3-SHA
* remove cipher DES-CBC3-SHA
* disable TLSv1
* use a SHA-256 certificate
* use DHE of at least 2048bits and ECC of at least 256bits
* consider enabling OCSP Stapling
* enforce server side ordering
No change.
No change.
No change.
Unlikely to be resolved, closing it as such.
gpg4win.org which has Windows GnuPG binaries has an untrusted cert: https://www.ssllabs.com/ssltest/analyze.html?d=gpg4win.org
Cert is untrusted, is using SHA1, uses RC4 and has weak DH parameters. It scores a T on SSLLABS. If the trust issues are ignored, it get's a B.