microsoft / CCF

Confidential Consortium Framework
https://microsoft.github.io/CCF/
Apache License 2.0

Test TLS server configuration #626

Closed jumaffre closed 4 years ago

jumaffre commented 4 years ago

OWASP lists some tools that can be used to test the security of TLS (see https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.md#test-the-server-configuration).

We should investigate and run some of them against CCF nodes to make sure that TLS connections are 100% secure.

jumaffre commented 4 years ago

Ran https://github.com/drwetter/testssl.sh against the starting CCF node. Results below (hard to read without colours, I've <<<<< the 5 lines that show up in red/amber). I don't think there's anything to worry about here.

$ ./testssl.sh --full --add-ca networkcert.pem 127.25.131.82:57516 

###########################################################
    testssl.sh       3.1dev from https://testssl.sh/dev/
    (b0cce84 2020-02-10 20:45:16 -- )

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers]
 on jumaffre:./bin/openssl.Linux.x86_64
 (built: "Jan 18 17:12:17 2019", platform: "linux-x86_64")

 Start 2020-02-12 15:24:09        -->> 127.25.131.82:57516 (127.25.131.82) <<--

 rDNS (127.25.131.82):   --
 Service detected:       HTTP

 Testing protocols via sockets except NPN+ALPN 

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 TLS 1.3    not offered and downgraded to a weaker protocol
 NPN/SPDY   not offered
 ALPN/HTTP2 not offered

 Testing for server implementation bugs 

 No bugs found.

 Testing cipher categories 

 NULL ciphers (no encryption)                  not offered (OK)
 Anonymous NULL Ciphers (no authentication)    not offered (OK)
 Export ciphers (w/o ADH+NULL)                 not offered (OK)
 LOW: 64 Bit + DES, RC[2,4] (w/o export)       not offered (OK)
 Triple DES Ciphers / IDEA                     not offered
 Obsolete: SEED + 128+256 Bit CBC cipher       not offered
 Strong encryption (AEAD ciphers)              offered (OK)

 Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4 

 PFS is offered (OK)          ECDHE-ECDSA-AES128-GCM-SHA256 
 Elliptic curves offered:     secp384r1 secp521r1 brainpoolP512r1 

 Testing server preferences 

 Has server cipher order?     yes (OK)
 Negotiated protocol          TLSv1.2
 Negotiated cipher            ECDHE-ECDSA-AES128-GCM-SHA256, 521 bit ECDH (P-521)
 Cipher order
    TLSv1.2:   ECDHE-ECDSA-AES128-GCM-SHA256 

 Testing server defaults (Server Hello) 

 TLS extensions (standard)    "renegotiation info/#65281" "EC point formats/#11"
                              "max fragment length/#1" "extended master secret/#23"
 Session Ticket RFC 5077 hint no -- no lifetime advertised
 SSL Session ID support       yes
 Session Resumption           Tickets no, ID: no
 TLS clock skew               -1 sec from localtime
 Signature Algorithm          ECDSA with SHA384
 Server key size              EC 384 bits
 Server key usage             --
 Server extended key usage    --
 Serial / Fingerprints        4A389B0B457117550BE5EE4EB6E6C617 / SHA1 1D974F6E357835171A72B75BB70F93E679FA515C
                              SHA256 B7DA99D95861DC936CBCF92B1D494A2A7934DA1401F10E477ECEE38DF4D8BDF3
 Common Name (CN)             CCF node 0 
 subjectAltName (SAN)         127.25.131.82 
 Issuer                       CCF Network
 Trust (hostname)             Ok via SAN
 Chain of trust               Ok   
 EV cert (experimental)       no 
 ETS/"eTLS", visibility info  not present
 Certificate Validity (UTC)   688 >= 60 days (2019-11-01 00:00 --> 2021-12-31 23:59)
 # of certificates provided   1
 Certificate Revocation List  --
 OCSP URI                     --
                              NOT ok -- neither CRL nor OCSP URI provided   <<<<<<< RED
 OCSP stapling                not offered
 OCSP must staple extension   --
 DNS CAA RR (experimental)    not offered                                       <<<<<<< AMBER
 Certificate Transparency     --

 Testing HTTP header response @ "/" 

 HTTP Status Code             400 Bad Request (Hint: better try another URL)
 HTTP clock skew              Got no HTTP time, maybe try different URL?
 Strict Transport Security    not offered                      <<<<<< AMBER
 Public Key Pinning           --
 Server banner                (no "Server" line in header, interesting!)
 Application banner           --
 Cookie(s)                    (none issued at "/") -- maybe better try target URL of 30x
 Security headers             --                                         <<<<<< AMBER
 Reverse Proxy banner         --                                     <<<<<< AMBER

 Testing vulnerabilities 

 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Ticketbleed (CVE-2016-9244), experiment.  not vulnerable (OK), no session ticket extension
 ROBOT                                     Server does not support any cipher suites that use RSA key transport
 Secure Renegotiation (RFC 5746)           supported (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    no HTTP compression (OK)  - only supplied "/" tested
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK), no SSLv3 support
 TLS_FALLBACK_SCSV (RFC 7507)              No fallback possible (OK), no protocol below TLS 1.2 offered
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                           no RSA certificate, thus certificate can't be used with SSLv2 elsewhere
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
 BEAST (CVE-2011-3389)                     not vulnerable (OK), no SSL3 or TLS1
 LUCKY13 (CVE-2013-0169), experimental     not vulnerable (OK)
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)

 Testing ciphers per protocol via OpenSSL plus sockets against the server, ordered by encryption strength 

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2  
SSLv3  
TLS 1  
TLS 1.1  
TLS 1.2  
 xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH 521   AESGCM      128      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256            
TLS 1.3  

 Running client simulations (HTTP) via sockets 

 Android 4.4.2                TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 521 bit ECDH (P-521)
 Android 5.0.0                TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 521 bit ECDH (P-521)
 Android 6.0                  TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Android 7.0                  TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Android 8.1 (native)         TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Android 9.0 (native)         TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Android 10.0 (native)        TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Chrome 74 (Win 10)           TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Chrome 79 (Win 10)           TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Firefox 66 (Win 8.1/10)      TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 521 bit ECDH (P-521)
 Firefox 71 (Win 10)          TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 521 bit ECDH (P-521)
 IE 6 XP                      No connection
 IE 8 Win 7                   No connection
 IE 8 XP                      No connection
 IE 11 Win 7                  TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 IE 11 Win 8.1                TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 IE 11 Win Phone 8.1          TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 IE 11 Win 10                 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Edge 15 Win 10               TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Edge 17 (Win 10)             TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Opera 66 (Win 10)            TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Safari 9 iOS 9               TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 521 bit ECDH (P-521)
 Safari 9 OS X 10.11          TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 521 bit ECDH (P-521)
 Safari 10 OS X 10.12         TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 521 bit ECDH (P-521)
 Safari 12.1 (iOS 12.2)       TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 521 bit ECDH (P-521)
 Safari 13.0 (macOS 10.14.6)  TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 521 bit ECDH (P-521)
 Apple ATS 9 iOS 9            TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 521 bit ECDH (P-521)
 Java 6u45                    No connection
 Java 7u25                    No connection
 Java 8u161                   TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 521 bit ECDH (P-521)
 Java 11.0.2 (OpenJDK)        TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 521 bit ECDH (P-521)
 Java 12.0.1 (OpenJDK)        TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 521 bit ECDH (P-521)
 OpenSSL 1.0.2e               TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 521 bit ECDH (P-521)
 OpenSSL 1.1.0l (Debian)      TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 521 bit ECDH (P-521)
 OpenSSL 1.1.1d (Debian)      TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 521 bit ECDH (P-521)
 Thunderbird (68.3)           TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 521 bit ECDH (P-521)

 Done 2020-02-12 15:25:00 [  53s] -->> 127.25.131.82:57516 (127.25.131.82) <<--
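
Evaluating a testssl.sh report such as the one above against a fixed policy, as an added example (not CCF project code, and not from the issue author): the script parses the `label   value` lines of the text report and returns findings, so a nightly run can fail on a regression instead of relying on someone reading the coloured output. The sample report embedded in the block is an excerpt constructed from the output in the comment above; the severities assigned are this example's own policy choices, not testssl.sh's ratings.

```python
"""Check a testssl.sh text report against a minimum TLS policy.

Added example, not part of CCF. Parses the two-column lines testssl.sh
prints and reports policy violations.
"""
import re
from dataclasses import dataclass

# Constructed excerpt of the testssl.sh report from the comment above.
SAMPLE_REPORT = """\
 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 TLS 1.3    not offered and downgraded to a weaker protocol
 NULL ciphers (no encryption)                  not offered (OK)
 Triple DES Ciphers / IDEA                     not offered
 Strong encryption (AEAD ciphers)              offered (OK)
 PFS is offered (OK)          ECDHE-ECDSA-AES128-GCM-SHA256
 Has server cipher order?     yes (OK)
 Certificate Revocation List  --
 OCSP URI                     --
 Strict Transport Security    not offered
 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 ROBOT                                     Server does not support any cipher suites that use RSA key transport
"""

# A report line is "label", two or more spaces, "value"; section headings
# and single-column lines do not match and are skipped.
LINE_RE = re.compile(r"^\s*(\S.*?)\s{2,}(\S.*?)\s*$")

FORBIDDEN_PROTOCOLS = ("SSLv2", "SSLv3", "TLS 1", "TLS 1.1")
REQUIRED_PROTOCOLS = ("TLS 1.2",)
RECOMMENDED_PROTOCOLS = ("TLS 1.3",)

# Cipher categories that must not be offered (labels as testssl.sh prints them).
WEAK_CIPHER_CATEGORIES = (
    "NULL ciphers (no encryption)",
    "Anonymous NULL Ciphers (no authentication)",
    "Export ciphers (w/o ADH+NULL)",
    "LOW: 64 Bit + DES, RC[2,4] (w/o export)",
    "Triple DES Ciphers / IDEA",
    "Obsolete: SEED + 128+256 Bit CBC cipher",
)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low" (this example's own scale)
    message: str


def parse_report(text: str) -> dict:
    """Map every two-column report line to label -> value (last one wins)."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def evaluate(text: str) -> list:
    """Return the policy findings for one testssl.sh text report."""
    f = parse_report(text)
    out = []
    for proto in FORBIDDEN_PROTOCOLS:
        v = f.get(proto, "")
        if v and not v.startswith("not offered"):
            out.append(Finding("high", f"{proto} is offered: {v}"))
    for proto in REQUIRED_PROTOCOLS:
        v = f.get(proto, "")
        if not v.startswith("offered"):
            out.append(Finding("high", f"{proto} is not offered: {v or 'missing from report'}"))
    for proto in RECOMMENDED_PROTOCOLS:
        v = f.get(proto, "")
        if not v.startswith("offered"):
            out.append(Finding("low", f"{proto} is not offered: {v or 'missing from report'}"))
    for cat in WEAK_CIPHER_CATEGORIES:
        v = f.get(cat, "")
        if v and not v.startswith("not offered"):
            out.append(Finding("high", f"weak cipher category offered: {cat} -> {v}"))
    if not f.get("Strong encryption (AEAD ciphers)", "").startswith("offered"):
        out.append(Finding("high", "no AEAD cipher suites offered"))
    if not any(label.startswith("PFS is offered") for label in f):
        out.append(Finding("high", "no forward-secret key exchange offered"))
    if not f.get("Has server cipher order?", "").startswith("yes"):
        out.append(Finding("medium", "server does not enforce its own cipher order"))
    # testssl.sh prints hits in upper case ("VULNERABLE (NOT ok)"); the
    # lower-case "not vulnerable (OK)" therefore does not match.
    for label, v in f.items():
        if "VULNERABLE" in v:
            out.append(Finding("high", f"{label}: {v}"))
    if f.get("Certificate Revocation List") == "--" and f.get("OCSP URI") == "--":
        out.append(Finding("low", "no revocation information (neither CRL nor OCSP URI)"))
    if f.get("Strict Transport Security", "").startswith("not offered"):
        out.append(Finding("low", "HSTS header not sent"))
    return out


def worst_severity(findings) -> str:
    """Highest severity present, or "none" for a clean report."""
    for level in ("high", "medium", "low"):
        if any(x.severity == level for x in findings):
            return level
    return "none"


if __name__ == "__main__":
    for x in evaluate(SAMPLE_REPORT):
        print(f"[{x.severity}] {x.message}")
```

Running the file prints three low-severity findings for the embedded excerpt (TLS 1.3 absent, no CRL/OCSP URI, no HSTS header), which lines up with the red and amber lines in the report. testssl.sh can also write machine-readable output with `--jsonfile`, which avoids the text parsing entirely; the text format is used here because that is what the comment shows.
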

jumaffre commented 4 years ago

Closing this. Will set this up in the nightly build as part of #832