$ testssl smtp.yahoo.com:465

No engine or GOST support via engine with your /usr/bin/openssl

###########################################################
    testssl 3.0 from https://testssl.sh/

    This program is free software. Distribution and
    modification under GPLv2 permitted.
    USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

    Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.1.1e 17 Mar 2020" [~80 ciphers]
 on thinkcentre1:/usr/bin/openssl
 (built: "Mar 18 10:21:52 2020", platform: "linux-x86_64")

Testing all IPv4 addresses (port 465): 216.145.54.173 98.139.253.105 216.145.54.171 216.145.54.172 98.139.253.104 216.145.54.155 216.145.54.154
--------------------------------------------------------------
 Start 2020-03-28 22:28:15 -->> 216.145.54.173:465 (smtp.yahoo.com) <<--

 Further IP addresses: 216.145.54.172 98.139.253.105 98.139.253.104 216.145.54.171 216.145.54.154 216.145.54.155
 rDNS (216.145.54.173): mrout3.yahoo.com.^C/usr/bin/testssl: connect: Interrupted system call
/usr/bin/testssl: line 10319: /dev/tcp/216.145.54.173/465: Interrupted system call

$ testssl --starttls imap smtp.yahoo.com

No engine or GOST support via engine with your /usr/bin/openssl

###########################################################
    testssl 3.0 from https://testssl.sh/

    This program is free software. Distribution and
    modification under GPLv2 permitted.
    USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

    Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.1.1e 17 Mar 2020" [~80 ciphers]
 on thinkcentre1:/usr/bin/openssl
 (built: "Mar 18 10:21:52 2020", platform: "linux-x86_64")

Testing all IPv4 addresses (port 443): 216.145.54.172 98.139.253.105 98.139.253.104 216.145.54.155 216.145.54.154 216.145.54.171 216.145.54.173
--------------------------------------------------------------
 Start 2020-03-28 22:39:46 -->> 216.145.54.172:443 (smtp.yahoo.com) <<--

 Further IP addresses: 98.139.253.105 216.145.54.155 216.145.54.171 216.145.54.173 216.145.54.154 98.139.253.104
 rDNS (216.145.54.172): mrout2.yahoo.com./usr/bin/testssl: connect: Connection timed out
/usr/bin/testssl: line 10319: /dev/tcp/216.145.54.172/443: Connection timed out

Oops: TCP connect problem

Unable to open a socket to 216.145.54.172:443.
Fatal error: Couldn't connect to 216.145.54.172:443, proceeding with next IP (if any)

 Done 2020-03-28 22:41:56 [ 138s] -->> 216.145.54.172:443 (smtp.yahoo.com) <<--

--------------------------------------------------------------
 Start 2020-03-28 22:41:56 -->> 98.139.253.105:443 (smtp.yahoo.com) <<--

 Further IP addresses: 216.145.54.172 216.145.54.155 216.145.54.171 216.145.54.173 216.145.54.154 98.139.253.104
 rDNS (98.139.253.105): mrout2-b.corp.bf1.yahoo.com.^C/usr/bin/testssl: connect: Interrupted system call
/usr/bin/testssl: line 10319: /dev/tcp/98.139.253.105/443: Interrupted system call

$ testssl --starttls imap smtp.yahoo.com:993

No engine or GOST support via engine with your /usr/bin/openssl

###########################################################
    testssl 3.0 from https://testssl.sh/

    This program is free software. Distribution and
    modification under GPLv2 permitted.
    USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

    Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.1.1e 17 Mar 2020" [~80 ciphers]
 on thinkcentre1:/usr/bin/openssl
 (built: "Mar 18 10:21:52 2020", platform: "linux-x86_64")

Testing all IPv4 addresses (port 993): 216.145.54.154 216.145.54.173 98.139.253.104 216.145.54.172 216.145.54.155 98.139.253.105 216.145.54.171
--------------------------------------------------------------
 Start 2020-03-28 22:43:03 -->> 216.145.54.154:993 (smtp.yahoo.com) <<--

 Further IP addresses: 216.145.54.171 216.145.54.155 98.139.253.105 216.145.54.172 216.145.54.173 98.139.253.104
 rDNS (216.145.54.154): mrout5.yahoo.com.^C/usr/bin/testssl: connect: Interrupted system call
/usr/bin/testssl: line 10319: /dev/tcp/216.145.54.154/993: Interrupted system call

$ testssl smtp.yahoo.com:993

No engine or GOST support via engine with your /usr/bin/openssl

###########################################################
    testssl 3.0 from https://testssl.sh/

    This program is free software. Distribution and
    modification under GPLv2 permitted.
    USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

    Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.1.1e 17 Mar 2020" [~80 ciphers]
 on thinkcentre1:/usr/bin/openssl
 (built: "Mar 18 10:21:52 2020", platform: "linux-x86_64")

Testing all IPv4 addresses (port 993): 216.145.54.154 216.145.54.155 216.145.54.171 216.145.54.173 98.139.253.104 216.145.54.172 98.139.253.105
--------------------------------------------------------------
 Start 2020-03-28 22:43:49 -->> 216.145.54.154:993 (smtp.yahoo.com) <<--

 Further IP addresses: 216.145.54.171 216.145.54.155 98.139.253.104 216.145.54.172 216.145.54.173 98.139.253.105
 rDNS (216.145.54.154): mrout5.yahoo.com.^C/usr/bin/testssl: connect: Interrupted system call
/usr/bin/testssl: line 10319: /dev/tcp/216.145.54.154/993: Interrupted system call

$ testssl smtp.posteo.de:465

No engine or GOST support via engine with your /usr/bin/openssl

###########################################################
    testssl 3.0 from https://testssl.sh/

    This program is free software. Distribution and
    modification under GPLv2 permitted.
    USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

    Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.1.1e 17 Mar 2020" [~80 ciphers]
 on thinkcentre1:/usr/bin/openssl
 (built: "Mar 18 10:21:52 2020", platform: "linux-x86_64")

Fatal error: No IPv4/IPv6 address(es) for "smtp.posteo.de" available

$ testssl posteo.de:465

No engine or GOST support via engine with your /usr/bin/openssl

###########################################################
    testssl 3.0 from https://testssl.sh/

    This program is free software. Distribution and
    modification under GPLv2 permitted.
    USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

    Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.1.1e 17 Mar 2020" [~80 ciphers]
 on thinkcentre1:/usr/bin/openssl
 (built: "Mar 18 10:21:52 2020", platform: "linux-x86_64")

 Start 2020-03-28 22:48:37 -->> 185.67.36.145:465 (posteo.de) <<--

 Further IP addresses: 2a05:bc0:1000::145:1
 rDNS (185.67.36.145): --
 Service detected: Couldn't determine what's running on port 465, assuming no HTTP service => skipping all HTTP checks

 Testing protocols via sockets except NPN+ALPN

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered (deprecated)
 TLS 1.1    offered (deprecated)
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): final
 NPN/SPDY   not offered
 ALPN/HTTP2 not offered

 Testing cipher categories

 NULL ciphers (no encryption)                 not offered (OK)
 Anonymous NULL Ciphers (no authentication)   not offered (OK)
 Export ciphers (w/o ADH+NULL)                not offered (OK)
 LOW: 64 Bit + DES, RC[2,4] (w/o export)      not offered (OK)
 Triple DES Ciphers / IDEA                    not offered
 Obsolete: SEED + 128+256 Bit CBC cipher      offered
 Strong encryption (AEAD ciphers)             offered (OK)

 Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4

 PFS is offered (OK)          TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384
                              ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-SHA256
                              DHE-RSA-AES256-SHA TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256
                              ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA
 Elliptic curves offered:     prime256v1 brainpoolP256r1 X25519
 DH group offered:            ffdhe3072

 Testing server preferences

 Has server cipher order?     yes (OK) -- TLS 1.3 and below
 Negotiated protocol          TLSv1.3
 Negotiated cipher            TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
 Cipher order
    TLSv1:     ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA
    TLSv1.1:   ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA
    TLSv1.2:   ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA
               ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES256-GCM-SHA384
               DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA
    TLSv1.3:   TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256

 Testing server defaults (Server Hello)

 TLS extensions (standard)    "renegotiation info/#65281" "server name/#0" "EC point formats/#11" "session ticket/#35"
                              "status request/#5" "supported versions/#43" "key share/#51" "supported_groups/#10"
                              "max fragment length/#1" "encrypt-then-mac/#22" "extended master secret/#23"
 Session Ticket RFC 5077 hint 7200 seconds, session tickets keys seems to be rotated < daily
 SSL Session ID support       yes
 Session Resumption           Tickets no, ID: no
 TLS clock skew               Random values, no fingerprinting possible
 Signature Algorithm          SHA256 with RSA
 Server key size              RSA 3072 bits
 Server key usage             Digital Signature, Key Encipherment
 Server extended key usage    TLS Web Server Authentication, TLS Web Client Authentication
 Serial / Fingerprints        0D167A00ADE2325A31F7889FF0C0E281 / SHA1 AB5F2276527805DC5B5CB3EC34B3C11AFE586285
                              SHA256 0DE9933662E6B739F335A8AC147037295FE7C4B5DB3E6C55AC2162F682CA6305
 Common Name (CN)             posteo.de
 subjectAltName (SAN)         posteo.de www.posteo.de autodiscover.posteo.de lists.posteo.de m.posteo.de
 Issuer                       GeoTrust EV RSA CA 2018 (DigiCert Inc from US)
 Trust (hostname)             Ok via SAN (same w/o SNI)
 Chain of trust               Ok
 EV cert (experimental)       yes
 ETS/"eTLS", visibility info  not present
 Certificate Validity (UTC)   299 >= 60 days (2020-01-01 19:00 --> 2021-01-22 07:00)
 # of certificates provided   3
 Certificate Revocation List  http://cdp.geotrust.com/GeoTrustEVRSACA2018.crl
 OCSP URI                     http://status.geotrust.com
 OCSP stapling                offered, not revoked
 OCSP must staple extension   --
 DNS CAA RR (experimental)    available - please check for match with "Issuer" above
                              iodef=mailto:hostmaster@posteo.de, issue=d-trust.net, issue=geotrust.com, issuewild=d-trust.net,
                              issuewild=geotrust.com
 Certificate Transparency     yes (certificate extension)

 Testing vulnerabilities

 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Ticketbleed (CVE-2016-9244), experiment.  -- (applicable only for HTTPS)
 ROBOT                                     Server does not support any cipher suites that use RSA key transport
 Secure Renegotiation (RFC 5746)           supported (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK) (not using HTTP anyway)
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK), no SSLv3 support
 TLS_FALLBACK_SCSV (RFC 7507)              Downgrade attack prevention supported (OK)
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                           https://censys.io/ipv4?q=0DE9933662E6B739F335A8AC147037295FE7C4B5DB3E6C55AC2162F682CA6305 could help you to find out
 LOGJAM (CVE-2015-4000), experimental      common prime with 3072 bits detected: RFC7919/ffdhe3072 (3072 bits),
                                           but no DH EXPORT ciphers
 BEAST (CVE-2011-3389)                     TLS1: ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA
                                           VULNERABLE -- but also supports higher protocols TLSv1.1 TLSv1.2 (likely mitigated)
 LUCKY13 (CVE-2013-0169), experimental     potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)

 Testing 370 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength

Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption  Bits   Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
 x1302   TLS_AES_256_GCM_SHA384         ECDH 253   AESGCM      256    TLS_AES_256_GCM_SHA384
 x1303   TLS_CHACHA20_POLY1305_SHA256   ECDH 253   ChaCha20    256    TLS_CHACHA20_POLY1305_SHA256
 xc030   ECDHE-RSA-AES256-GCM-SHA384    ECDH 253   AESGCM      256    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 xc028   ECDHE-RSA-AES256-SHA384        ECDH 253   AES         256    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 xc014   ECDHE-RSA-AES256-SHA           ECDH 253   AES         256    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 x9f     DHE-RSA-AES256-GCM-SHA384      DH 3072    AESGCM      256    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
 xcca8   ECDHE-RSA-CHACHA20-POLY1305    ECDH 253   ChaCha20    256    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 x6b     DHE-RSA-AES256-SHA256          DH 3072    AES         256    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
 x39     DHE-RSA-AES256-SHA             DH 3072    AES         256    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
 x1301   TLS_AES_128_GCM_SHA256         ECDH 253   AESGCM      128    TLS_AES_128_GCM_SHA256
 xc02f   ECDHE-RSA-AES128-GCM-SHA256    ECDH 253   AESGCM      128    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 xc027   ECDHE-RSA-AES128-SHA256        ECDH 253   AES         128    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 xc013   ECDHE-RSA-AES128-SHA           ECDH 253   AES         128    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 x33     DHE-RSA-AES128-SHA             DH 3072    AES         128    TLS_DHE_RSA_WITH_AES_128_CBC_SHA

 Could not determine the protocol, only simulating generic clients.

 Running client simulations via sockets

 Android 4.4.2                TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Android 5.0.0                TLSv1.2 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Android 6.0                  TLSv1.2 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Android 7.0                  TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
 Android 8.1 (native)         TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
 Android 9.0 (native)         TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
 Android 10.0 (native)        TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
 Chrome 74 (Win 10)           TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
 Chrome 79 (Win 10)           TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
 Firefox 66 (Win 8.1/10)      TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
 Firefox 71 (Win 10)          TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
 IE 6 XP                      No connection
 IE 8 Win 7                   TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 IE 8 XP                      No connection
 IE 11 Win 7                  TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256)
 IE 11 Win 8.1                TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256)
 IE 11 Win Phone 8.1          TLSv1.2 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 IE 11 Win 10                 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Edge 15 Win 10               TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
 Edge 17 (Win 10)             TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
 Opera 66 (Win 10)            TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
 Safari 9 iOS 9               TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Safari 9 OS X 10.11          TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Safari 10 OS X 10.12         TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Safari 12.1 (iOS 12.2)       TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
 Safari 13.0 (macOS 10.14.6)  TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
 Apple ATS 9 iOS 9            TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Java 6u45                    No connection
 Java 7u25                    TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
 Java 8u161                   TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Java 11.0.2 (OpenJDK)        TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit ECDH (P-256)
 Java 12.0.1 (OpenJDK)        TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit ECDH (P-256)
 OpenSSL 1.0.2e               TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (brainpoolP256r1)
 OpenSSL 1.1.0l (Debian)      TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
 OpenSSL 1.1.1d (Debian)      TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
 Thunderbird (68.3)           TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)

 Done 2020-03-28 22:53:37 [ 308s] -->> 185.67.36.145:465 (posteo.de) <<--