fmphost.com - main website

[sindarina]

SSL Server Test Results https://www.ssllabs.com/ssltest/analyze.html?d=fmphost.com (F)

Cipherscan Results

Target: fmphost.com:443

prio  ciphersuite                protocols                    pfs_keysize
1     DHE-RSA-AES256-GCM-SHA384  TLSv1.2                      DH,1024bits
2     DHE-RSA-AES256-SHA256      TLSv1.2                      DH,1024bits
3     DHE-RSA-AES256-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
4     DHE-RSA-CAMELLIA256-SHA    SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
5     AES256-GCM-SHA384          TLSv1.2
6     AES256-SHA256              TLSv1.2
7     AES256-SHA                 SSLv3,TLSv1,TLSv1.1,TLSv1.2
8     CAMELLIA256-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2
9     DHE-RSA-AES128-GCM-SHA256  TLSv1.2                      DH,1024bits
10    DHE-RSA-AES128-SHA256      TLSv1.2                      DH,1024bits
11    DHE-RSA-AES128-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
12    DHE-RSA-SEED-SHA           SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
13    DHE-RSA-CAMELLIA128-SHA    SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
14    AES128-GCM-SHA256          TLSv1.2
15    AES128-SHA256              TLSv1.2
16    AES128-SHA                 SSLv3,TLSv1,TLSv1.1,TLSv1.2
17    SEED-SHA                   SSLv3,TLSv1,TLSv1.1,TLSv1.2
18    CAMELLIA128-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2
19    IDEA-CBC-SHA               SSLv3,TLSv1,TLSv1.1,TLSv1.2
20    RC4-SHA                    SSLv3,TLSv1,TLSv1.1,TLSv1.2
21    RC4-MD5                    SSLv3,TLSv1,TLSv1.1,TLSv1.2
22    EDH-RSA-DES-CBC3-SHA       SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
23    DES-CBC3-SHA               SSLv3,TLSv1,TLSv1.1,TLSv1.2
24    EDH-RSA-DES-CBC-SHA        SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
25    DES-CBC-SHA                SSLv3,TLSv1,TLSv1.1,TLSv1.2

Certificate: UNTRUSTED, 1024 bit, sha1WithRSAEncryption signature
TLS ticket lifetime hint: 300
OCSP stapling: not supported
Client side cipher ordering

Cipherscan Analysis

fmphost.com:443 has bad ssl/tls

Things that are bad:
* remove cipher DHE-RSA-SEED-SHA
* remove cipher SEED-SHA
* remove cipher IDEA-CBC-SHA
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher EDH-RSA-DES-CBC3-SHA
* remove cipher EDH-RSA-DES-CBC-SHA
* remove cipher DES-CBC-SHA
* don't use an untrusted or self-signed certificate

Changes needed to match the intermediate level:
* remove cipher DHE-RSA-SEED-SHA
* remove cipher SEED-SHA
* remove cipher IDEA-CBC-SHA
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher EDH-RSA-DES-CBC3-SHA
* remove cipher EDH-RSA-DES-CBC-SHA
* remove cipher DES-CBC-SHA
* disable SSLv3
* consider using a SHA-256 certificate
* consider using DHE of at least 2048bits and ECC of at least 256bits
* consider enabling OCSP Stapling
* enforce server side ordering

Changes needed to match the modern level:
* remove cipher DHE-RSA-CAMELLIA256-SHA
* remove cipher AES256-GCM-SHA384
* remove cipher AES256-SHA256
* remove cipher AES256-SHA
* remove cipher CAMELLIA256-SHA
* remove cipher DHE-RSA-SEED-SHA
* remove cipher DHE-RSA-CAMELLIA128-SHA
* remove cipher AES128-GCM-SHA256
* remove cipher AES128-SHA256
* remove cipher AES128-SHA
* remove cipher SEED-SHA
* remove cipher CAMELLIA128-SHA
* remove cipher IDEA-CBC-SHA
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher EDH-RSA-DES-CBC3-SHA
* remove cipher DES-CBC3-SHA
* remove cipher EDH-RSA-DES-CBC-SHA
* remove cipher DES-CBC-SHA
* disable TLSv1
* disable SSLv3
* use a SHA-256 certificate
* use DHE of at least 2048bits and ECC of at least 256bits
* consider enabling OCSP Stapling
* enforce server side ordering

For more information on updating and making changes, see; https://github.com/isvsecwatch/httpstracker

[sindarina]

There's a discrepancy between the problems reported by the SSL Server Test, and what Cipherscan sees. This suggests that there's a problem with the configuration of the default host, and what's set up for the virtual host this domain runs in. Needs to be reviewed.

[sindarina]

Notified using their contact form; http://fmphost.com/support/contact-us

[sindarina]

Poked on Twitter; https://twitter.com/isvsecwatch/status/611556256759853056

[sindarina]

See also #45.

[sindarina]

See also #46.

[sindarina]

Email notification has been automatically acknowledged by an issue tracker.

[sindarina]

Hmm, they did a great job fixing #45, but didn't go all the way here. Still has RC4 active; https://www.ssllabs.com/ssltest/analyze.html?d=fmphost.com (B)

[sindarina]

No change, and cipherscan results differ from SSL Server Test, which usually means there's a discrepancy between the default host and the virtual host this runs in;

Target: fmphost.com:443

prio  ciphersuite                  protocols              pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits
2     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits
3     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,1024bits
4     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                DH,1024bits
5     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits
6     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
7     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits
8     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
9     DHE-RSA-AES128-SHA256        TLSv1.2                DH,1024bits
10    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
11    DHE-RSA-AES256-SHA256        TLSv1.2                DH,1024bits
12    DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,1024bits

Certificate: UNTRUSTED, 1024 bit, sha1WithRSAEncryption signature
TLS ticket lifetime hint: 300
OCSP stapling: not supported
Server side cipher ordering

Virtual host still has RC4 active, for example.

[isvsecwatch-report]

No change. Closing as unresolved.