ssllabs / ssllabs-scan

A command-line reference-implementation client for SSL Labs APIs, designed for automated and/or bulk testing.
https://www.ssllabs.com/projects/ssllabs-apis/
Apache License 2.0
1.71k stars 243 forks source link

A+ grade with TLS 1.0 on #808

Open rfrovarp opened 4 years ago

rfrovarp commented 4 years ago

We received an A+ grade with TLS 1.0 support still enabled. We don't have any ciphers enabled that would work via TLS 1.0, so while the protocol I guess is still on, it couldn't be used. We're fixing the configuration on our side obviously. However, it seemed odd to see that when the grade probably should be capped due to the protocol being enabled.

rfrovarp commented 4 years ago

Related #690 as that is the condition this is triggering in. Underlying vhost still has 1.1 and 1.0 support.

naumanshah03 commented 4 years ago

Hi @rfrovarp

Your server supports No-SNI and it sends a valid response when there is no server name in the ClientHello. For our current grading, we only consider the configuration from the requested domain. For NoSNI it is possible that we are hitting some other domain hence we do not penalize in such a situation.

In the upcoming release, we have started marking the NoSNI protocols on the UI. I will update you once we release this change. In the future, we will consider penalizing for server responding to a NoSNI request as all the new/reference clients support SNI.

Thanks and Regards, Nauman Shah

h1z1 commented 3 years ago

Funny little thing possibly related - In the nosni case, the cert is aparently not checked or considered at all? Tiktok (don't ask), should be nuked from the planet but alas, it presents a cert that is not trusted by the same devices as the SNI case.

*.snssdk.com
Fingerprint SHA256: ccb50264a3784c130ae49a66da924d04ecd10ef69154504425b9dd4e7fbfca3f
Pin SHA256: 5rnoTVA5+8vys+rqZmk7gesfMcmVhCbQkWiSwGv34VM=
Common names    *.snssdk.com
Alternative names   *.snssdk.com snssdk.com   MISMATCH
Serial Number   0e344ed21f29568e1fe01fbc9afb4328
Valid from  Fri, 20 Aug 2021 00:00:00 UTC
Valid until     Tue, 20 Sep 2022 23:59:59 UTC (expires in 10 months and 27 days)
Key     RSA 2048 bits (e 65537)
Weak key (Debian)   No
Issuer  RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1
AIA: http://cacerts.digicert.com/RapidSSLTLSDVRSAMixedSHA2562020CA-1.crt
Signature algorithm     SHA256withRSA
Extended Validation     No
Certificate Transparency    Yes (certificate)
OCSP Must Staple    No
Revocation information  CRL, OCSP
CRL: http://crl3.digicert.com/RapidSSLTLSDVRSAMixedSHA2562020CA-1.crl
OCSP: http://ocsp.digicert.com
Revocation status   Good (not revoked)
Trusted     No   NOT TRUSTED
Mozilla  Apple  Android  Java  Windows  

.. yet the site receives an A+ rating?

As someone in NA, fInding what in the hell snssdk.com even is leads down some rather bizzare paths.