Open rfrovarp opened 4 years ago
Related #690 as that is the condition this is triggering in. Underlying vhost still has 1.1 and 1.0 support.
Hi @rfrovarp
Your server supports No-SNI and it sends a valid response when there is no server name in the ClientHello. For our current grading, we only consider the configuration from the requested domain. For NoSNI it is possible that we are hitting some other domain, hence we do not penalize in such a situation.
In the upcoming release, we have started marking the NoSNI protocols on the UI. I will update you once we release this change. In the future, we will consider penalizing for server responding to a NoSNI request as all the new/reference clients support SNI.
Thanks and Regards, Nauman Shah
Funny little thing possibly related - In the nosni case, the cert is apparently not checked or considered at all? Tiktok (don't ask), should be nuked from the planet but alas, it presents a cert that is not trusted by the same devices as the SNI case.
| Field | Value |
|---|---|
| Subject | *.snssdk.com |
| Fingerprint SHA256 | ccb50264a3784c130ae49a66da924d04ecd10ef69154504425b9dd4e7fbfca3f |
| Pin SHA256 | 5rnoTVA5+8vys+rqZmk7gesfMcmVhCbQkWiSwGv34VM= |
| Common names | *.snssdk.com |
| Alternative names | *.snssdk.com, snssdk.com (MISMATCH) |
| Serial Number | 0e344ed21f29568e1fe01fbc9afb4328 |
| Valid from | Fri, 20 Aug 2021 00:00:00 UTC |
| Valid until | Tue, 20 Sep 2022 23:59:59 UTC (expires in 10 months and 27 days) |
| Key | RSA 2048 bits (e 65537) |
| Weak key (Debian) | No |
| Issuer | RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1 (AIA: http://cacerts.digicert.com/RapidSSLTLSDVRSAMixedSHA2562020CA-1.crt) |
| Signature algorithm | SHA256withRSA |
| Extended Validation | No |
| Certificate Transparency | Yes (certificate) |
| OCSP Must Staple | No |
| Revocation information | CRL: http://crl3.digicert.com/RapidSSLTLSDVRSAMixedSHA2562020CA-1.crl, OCSP: http://ocsp.digicert.com |
| Revocation status | Good (not revoked) |
| Trusted | No, NOT TRUSTED (Mozilla, Apple, Android, Java, Windows) |
... yet the site receives an A+ rating?
As someone in NA, finding what in the hell snssdk.com even is leads down some rather bizarre paths.
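To see for yourself what the grading comment above describes (the server answering a ClientHello with no server name from a different vhost, possibly with a certificate that does not match the name you asked for, as in the report pasted above), the following added example fetches the certificate both with and without SNI and checks trust and hostname match. It is not part of this thread or of the SSL Labs tooling; the target host is assumed to be given on the command line.

```python
import socket
import ssl
import sys


def san_matches(hostname, sans):
    """True if hostname matches one of the DNS SANs (RFC 6125 style:
    a single leading wildcard covers exactly one label)."""
    host = hostname.lower().rstrip(".")
    for name in sans:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]  # e.g. ".snssdk.com"
            if host.endswith(suffix) and host.count(".") == name.count("."):
                return True
        elif name == host:
            return True
    return False


def fetch_cert(host, port=443, sni=True, timeout=5.0):
    """Connect with or without SNI. The chain is verified against the local
    trust store but hostname checking is off, so we can inspect what is
    served in both cases and report the name match separately."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    server_hostname = host if sni else None
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=server_hostname) as tls:
                cert = tls.getpeercert()
                sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
                return {"trusted": True, "protocol": tls.version(),
                        "sans": sans, "matches": san_matches(host, sans)}
        except ssl.SSLCertVerificationError as err:
            # Untrusted chain (as in the NoSNI case in the report above)
            return {"trusted": False, "error": err.verify_message,
                    "sans": [], "matches": False}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed host
    for use_sni in (True, False):
        print("SNI" if use_sni else "NoSNI", fetch_cert(target, sni=use_sni))
```

Run it against your own host and compare the two lines: a NoSNI result that is untrusted or mismatched is exactly the situation the grader currently ignores.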
We received an A+ grade with TLS 1.0 support still enabled. We don't have any ciphers enabled that would work via TLS 1.0, so while the protocol I guess is still on, it couldn't be used. We're fixing the configuration on our side obviously. However, it seemed odd to see that when the grade probably should be capped due to the protocol being enabled.