##################################################################### testssl version 3.2.3 from https://testssl.sh/ (d9f5bf1 2025-08-31 10:15:57) This program is free software. Distribution and modification under GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! Please file bugs @ https://testssl.sh/bugs/ ##################################################################### Using OpenSSL 3.6.2 (Apr 7 2026) [~96 ciphers] on mairon:/usr/bin/openssl Start 2026-04-20 16:10:33 -->> 104.154.89.105:443 (rc4-md5.badssl.com) <<-- rDNS (104.154.89.105): 105.89.154.104.bc.googleusercontent.com. Your OpenSSL cannot connect to 104.154.89.105:443 Service detected: Couldn't determine what's running on port 443, assuming no HTTP service => skipping all HTTP checks Testing protocols via sockets except NPN+ALPN SSLv2 not offered (OK) SSLv3 not offered (OK) TLS 1 offered (deprecated) TLS 1.1 offered (deprecated) TLS 1.2 offered (OK) TLS 1.3 not offered and downgraded to a weaker protocol NPN/SPDY not offered ALPN/HTTP2 not offered Testing cipher categories NULL ciphers (no encryption) not offered (OK) Anonymous NULL Ciphers (no authentication) not offered (OK) Export ciphers (w/o ADH+NULL) not offered (OK) LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) offered (NOT ok) Triple DES Ciphers / IDEA not offered Obsoleted CBC ciphers (AES, ARIA etc.) not offered Strong encryption (AEAD ciphers) with no FS not offered Forward Secrecy strong encryption (AEAD ciphers) not offered Testing server's cipher preferences Handshake error!no matching cipher in this list found (pls report this): AES128-SHA:AES128-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:AES256-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:ADH-AES256-GCM-SHA384:AECDH-AES128-SHA:ECDHE-ECDSA-AES128-SHA . Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC) ----------------------------------------------------------------------------------------------------------------------------- SSLv2 - SSLv3 - TLSv1 (listed by strength) x04 RC4-MD5 RSA RC4 128 TLS_RSA_WITH_RC4_128_MD5 TLSv1.1 (listed by strength) x04 RC4-MD5 RSA RC4 128 TLS_RSA_WITH_RC4_128_MD5 TLSv1.2 (listed by strength) x04 RC4-MD5 RSA RC4 128 TLS_RSA_WITH_RC4_128_MD5 TLSv1.3 - Has server cipher order? unable to determine Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4 No ciphers supporting Forward Secrecy (FS) offered Testing server defaults (Server Hello) TLS extensions (standard) "server name/#0" "heartbeat/#15" "application layer protocol negotiation/#16" "session ticket/#35" "next protocol/#13172" "renegotiation info/#65281" Session Ticket RFC 5077 hint no -- no lifetime advertised SSL Session ID support no Session Resumption Tickets no, ID: no TLS clock skew Random values, no fingerprinting possible Client Authentication none Signature Algorithm SHA256 with RSA Server key size RSA 2048 bits (exponent is 65537) Server key usage Digital Signature, Key Encipherment Server extended key usage TLS Web Server Authentication Serial 0531B491C91BEF4E68435B230842F08BDD3F (OK: length 18) Fingerprints SHA1 7CC926D7D504C520708E4B5835C50F74DAB09BA8 SHA256 EE520FE205333B8DE45A97992826533C2EF74EEB66544A6FF770E8373E4D2983 Common Name (CN) *.badssl.com (CN in response to request w/o SNI: badssl-fallback-unknown-subdomain-or-no-sni ) subjectAltName (SAN) *.badssl.com badssl.com Trust (hostname) Ok via SAN wildcard and CN wildcard (SNI mandatory) wildcard certificate could be problematic, see other hosts at https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=EE520FE205333B8DE45A97992826533C2EF74EEB66544A6FF770E8373E4D2983 Chain of trust Ok EV cert (experimental) no Certificate Validity (UTC) 63 >= 30 days (2026-03-24 20:02 --> 2026-06-22 20:02) ETS/"eTLS", visibility info not present Certificate Revocation List http://r13.c.lencr.org/64.crl OCSP URI -- OCSP stapling not offered OCSP must staple extension -- DNS CAA RR (experimental) not offered Certificate Transparency yes (certificate extension) Certificates provided 2 Issuer R13 (Let's Encrypt from US) Intermediate cert validity #1: ok > 40 days (2027-03-12 23:59). R13 <-- ISRG Root X1 Intermediate Bad OCSP (exp.) Ok Testing vulnerabilities Heartbleed (CVE-2014-0160) not vulnerable (OK), timed out CCS (CVE-2014-0224) not vulnerable (OK) Ticketbleed (CVE-2016-9244), experiment. (applicable only for HTTP service) ROBOT not vulnerable (OK) Secure Renegotiation (RFC 5746) OpenSSL handshake didn't succeed Secure Client-Initiated Renegotiation not vulnerable (OK) CRIME, TLS (CVE-2012-4929) not vulnerable (OK) (not using HTTP anyway) POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support TLS_FALLBACK_SCSV (RFC 7507) Downgrade attack prevention supported (OK) SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK) FREAK (CVE-2015-0204) not vulnerable (OK) DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK) make sure you don't use this certificate elsewhere with SSLv2 enabled services, see https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=EE520FE205333B8DE45A97992826533C2EF74EEB66544A6FF770E8373E4D2983 LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2 BEAST (CVE-2011-3389) no CBC ciphers found for any protocol (OK) LUCKY13 (CVE-2013-0169), experimental not vulnerable (OK) Winshock (CVE-2014-6321), experimental not vulnerable (OK) - no HTTP or RDP RC4 (CVE-2013-2566, CVE-2015-2808) VULNERABLE (NOT ok): RC4-MD5 Could not determine the protocol, only simulating generic clients. Running client simulations via sockets Browser Protocol Cipher Suite Name (OpenSSL) Forward Secrecy ------------------------------------------------------------------------------------------------ Android 7.0 (native) No connection Android 8.1 (native) No connection Android 9.0 (native) No connection Android 10.0 (native) No connection Android 11/12 (native) No connection Android 13/14 (native) No connection Android 15 (native) No connection Chrome 101 (Win 10) No connection Chromium 137 (Win 11) No connection Firefox 100 (Win 10) No connection Firefox 137 (Win 11) No connection IE 8 Win 7 TLSv1.0 RC4-MD5 No FS IE 11 Win 7 No connection IE 11 Win 8.1 No connection IE 11 Win Phone 8.1 No connection IE 11 Win 10 No connection Edge 15 Win 10 No connection Edge 101 Win 10 21H2 No connection Edge 133 Win 11 23H2 No connection Safari 18.4 (iOS 18.4) No connection Safari 15.4 (macOS 12.3.1) No connection Safari 18.4 (macOS 15.4) No connection Java 7u25 TLSv1.0 RC4-MD5 No FS Java 8u442 (OpenJDK) No connection Java 11.0.2 (OpenJDK) No connection Java 17.0.3 (OpenJDK) No connection Java 21.0.6 (OpenJDK) No connection go 1.17.8 No connection LibreSSL 3.3.6 (macOS) TLSv1.2 RC4-MD5 No FS OpenSSL 1.0.2e TLSv1.2 RC4-MD5 No FS OpenSSL 1.1.1d (Debian) No connection OpenSSL 3.0.15 (Debian) No connection OpenSSL 3.5.0 (git) No connection Apple Mail (16.0) No connection Thunderbird (91.9) No connection Rating (experimental) Rating specs (not complete) SSL Labs's 'SSL Server Rating Guide' (version 2009r from 2025-05-16) Specification documentation https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide Protocol Support (weighted) 95 (28) Key Exchange (weighted) 90 (27) Cipher Strength (weighted) 80 (32) Final Score 87 Overall Grade B Grade cap reasons Grade capped to B. TLS 1.1 offered Grade capped to B. TLS 1.0 offered Grade capped to B. RC4 ciphers offered Grade capped to B. Forward Secrecy (FS) is not supported Grade warning TLS 1.3 is not supported Done 2026-04-20 16:12:23 [ 112s] -->> 104.154.89.105:443 (rc4-md5.badssl.com) <<--