Your TLS Is Not as Secure as You Think

Even if your certificate is valid and TLS is enabled, your server can still carry security risks. A simple yet effective tool called “testssl.sh” can test the server’s TLS configuration. You can use it by cloning it onto a Linux machine.

Bash
git clone https://github.com/testssl/testssl.sh

Then all you need to do is run the script as follows after changing into the cloned directory.

Bash
cd testssl.sh
./testssl.sh alirodoplu.com

You can adjust the command for the port your server is listening on. For example, for a server listening on port 44365, run the script as follows.

Bash
./testssl.sh alirodoplu.com:44365

You can also give an IP address instead of a hostname.
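As an added example (not part of the article or of the testssl.sh project), the following shell script wraps the scan described above and reduces the text report to the findings a reviewer has to act on. It assumes `./testssl.sh` is in the current directory; `--color 0`, `--warnings batch` and `--jsonfile` are real testssl.sh options. The sample report it demonstrates on is constructed from lines of the scan output shown later in this article.

```shell
#!/bin/sh
# Added example, not part of testssl.sh itself: run a scan and reduce the text
# report to the findings a reviewer has to act on.

# Scan HOST[:PORT]. --color 0 keeps the output greppable, --warnings batch
# suppresses interactive prompts and --jsonfile keeps a machine-readable copy.
# Assumes ./testssl.sh is in the current directory.
scan_host() {
    ./testssl.sh --color 0 --warnings batch --jsonfile "testssl-$1.json" "$1"
}

# Print the overall grade from a report read on stdin (first match wins).
report_grade() {
    awk '/^ *Overall Grade/ { print $3; exit }'
}

# Print only the findings that need action, one per line, tagged with a
# severity. The patterns match the wording testssl.sh uses in its report.
flagged_findings() {
    awk '
        { sub(/^ +/, "") }
        /VULNERABLE|NOT ok/                                   { print "HIGH:   " $0; next }
        /Obsoleted CBC ciphers/ && $0 !~ /not offered/        { print "MEDIUM: " $0; next }
        /TLS 1\.3 +not offered/                               { print "MEDIUM: " $0; next }
        /(OCSP stapling|Strict Transport Security|DNS CAA RR).*not offered/ { print "LOW:    " $0; next }
    '
}

# Number of flagged findings in a report read on stdin.
finding_count() {
    flagged_findings | wc -l | tr -d ' '
}

# Constructed sample: a handful of lines taken from the report shown in the article.
SAMPLE_REPORT=' Overall Grade: A-
 TLS 1.3    not offered and downgraded to a weaker protocol
 Obsoleted CBC ciphers (AES, ARIA etc.)            offered
 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 BREACH (CVE-2013-3587)                    potentially NOT ok, "br" HTTP compression detected.
 LUCKY13 (CVE-2013-0169), experimental     potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS.
 OCSP stapling                not offered
 DNS CAA RR (experimental)    not offered
 Strict Transport Security    not offered
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)'

# With a target argument run a real scan; without one, demonstrate on the sample.
if [ $# -gt 0 ]; then
    scan_host "$1" | tee "testssl-$1.txt" | flagged_findings
else
    printf '%s\n' "$SAMPLE_REPORT" | report_grade
    printf '%s\n' "$SAMPLE_REPORT" | flagged_findings
fi
```

Run it as `./summarize.sh alirodoplu.com:44365` to scan and keep the full report next to the filtered one; the severity tags are this script's own, not testssl.sh's, and only cover the finding types this article discusses.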

Let’s examine the output step by step.

First of all, it gives general information, including the overall grade.

ShellScript
Tool: testssl.sh version 3.3dev
Service: HTTP
Server: IP: 92.205.175.59
Server Software: Apache
Certificate: Provider: Let's Encrypt (R13)
Overall Grade: A-
Grade warning: TLS 1.3 is not supported

Continuing with the protocol analysis:

ShellScript
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 not offered and downgraded to a weaker protocol
QUIC not offered or timed out
NPN/SPDY not offered
ALPN/HTTP2 h2, http/1.1 (offered)

It is good that SSLv2, SSLv3, TLS 1.0 and TLS 1.1 are not offered on the server side, because these are deprecated and relatively weak protocols. Only TLS 1.2 is offered; the missing TLS 1.3 support is what the grade warning refers to.

Now let’s examine which cipher categories the server supports.

ShellScript
 NULL ciphers (no encryption)                      not offered (OK)
 Anonymous NULL Ciphers (no authentication)        not offered (OK)
 Export ciphers (w/o ADH+NULL)                     not offered (OK)
 LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export)      not offered (OK)
 Triple DES Ciphers / IDEA                         not offered
 Obsoleted CBC ciphers (AES, ARIA etc.)            offered
 Strong encryption (AEAD ciphers) with no FS       offered (OK)
 Forward Secrecy strong encryption (AEAD ciphers)  offered (OK)

  • NULL ciphers should not be offered because traffic transmitted without encryption is not protected at all.
  • Export ciphers are also trivially breakable today.
  • DES, RC4 and MD5 based ciphers are not offered either, which is good news.
  • Although 3DES was considered secure in the past, it is now regarded as insecure, and it is not offered.
  • CBC ciphers should not be used because they are susceptible to timing attacks (such as LUCKY13, flagged later in this scan). They should not have been offered here.
  • It is good to use AEAD and Forward Secrecy cipher suites because they are considered secure.
  • It is also important that FS is active because even if the server’s private key leaks later, past traffic cannot be decrypted with it.

Let’s continue with the full list of cipher suites the server offers:

ShellScript
Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2
 -
SSLv3
 -
TLSv1
 -
TLSv1.1
 -
TLSv1.2 (server order)
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 253   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 253   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 x9f     DHE-RSA-AES256-GCM-SHA384         DH 2048    AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
 x9e     DHE-RSA-AES128-GCM-SHA256         DH 2048    AESGCM      128      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
 xc028   ECDHE-RSA-AES256-SHA384           ECDH 253   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 xc027   ECDHE-RSA-AES128-SHA256           ECDH 253   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 xc014   ECDHE-RSA-AES256-SHA              ECDH 253   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 xc013   ECDHE-RSA-AES128-SHA              ECDH 253   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 x6b     DHE-RSA-AES256-SHA256             DH 2048    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
 x67     DHE-RSA-AES128-SHA256             DH 2048    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 x39     DHE-RSA-AES256-SHA                DH 2048    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA
 x33     DHE-RSA-AES128-SHA                DH 2048    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA
 x9d     AES256-GCM-SHA384                 RSA        AESGCM      256      TLS_RSA_WITH_AES_256_GCM_SHA384
 x9c     AES128-GCM-SHA256                 RSA        AESGCM      128      TLS_RSA_WITH_AES_128_GCM_SHA256
 x3d     AES256-SHA256                     RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA256
 x3c     AES128-SHA256                     RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA256
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA
 xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 253   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 xccaa   DHE-RSA-CHACHA20-POLY1305         DH 2048    ChaCha20    256      TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 xc0a3   DHE-RSA-AES256-CCM8               DH 2048    AESCCM8     256      TLS_DHE_RSA_WITH_AES_256_CCM_8
 xc09f   DHE-RSA-AES256-CCM                DH 2048    AESCCM      256      TLS_DHE_RSA_WITH_AES_256_CCM
 xc061   ECDHE-ARIA256-GCM-SHA384          ECDH 253   ARIAGCM     256      TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
 xc053   DHE-RSA-ARIA256-GCM-SHA384        DH 2048    ARIAGCM     256      TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384
 xc0a2   DHE-RSA-AES128-CCM8               DH 2048    AESCCM8     128      TLS_DHE_RSA_WITH_AES_128_CCM_8
 xc09e   DHE-RSA-AES128-CCM                DH 2048    AESCCM      128      TLS_DHE_RSA_WITH_AES_128_CCM
 xc060   ECDHE-ARIA128-GCM-SHA256          ECDH 253   ARIAGCM     128      TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
 xc052   DHE-RSA-ARIA128-GCM-SHA256        DH 2048    ARIAGCM     128      TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256
 xc077   ECDHE-RSA-CAMELLIA256-SHA384      ECDH 253   Camellia    256      TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
 xc4     DHE-RSA-CAMELLIA256-SHA256        DH 2048    Camellia    256      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
 xc076   ECDHE-RSA-CAMELLIA128-SHA256      ECDH 253   Camellia    128      TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
 xbe     DHE-RSA-CAMELLIA128-SHA256        DH 2048    Camellia    128      TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
 x88     DHE-RSA-CAMELLIA256-SHA           DH 2048    Camellia    256      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
 x45     DHE-RSA-CAMELLIA128-SHA           DH 2048    Camellia    128      TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
 xc0a1   AES256-CCM8                       RSA        AESCCM8     256      TLS_RSA_WITH_AES_256_CCM_8
 xc09d   AES256-CCM                        RSA        AESCCM      256      TLS_RSA_WITH_AES_256_CCM
 xc051   ARIA256-GCM-SHA384                RSA        ARIAGCM     256      TLS_RSA_WITH_ARIA_256_GCM_SHA384
 xc0a0   AES128-CCM8                       RSA        AESCCM8     128      TLS_RSA_WITH_AES_128_CCM_8
 xc09c   AES128-CCM                        RSA        AESCCM      128      TLS_RSA_WITH_AES_128_CCM
 xc050   ARIA128-GCM-SHA256                RSA        ARIAGCM     128      TLS_RSA_WITH_ARIA_128_GCM_SHA256
 xc0     CAMELLIA256-SHA256                RSA        Camellia    256      TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
 xba     CAMELLIA128-SHA256                RSA        Camellia    128      TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
 x84     CAMELLIA256-SHA                   RSA        Camellia    256      TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
 x41     CAMELLIA128-SHA                   RSA        Camellia    128      TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLSv1.3

The ciphers above are the cipher suites the server supports with TLS 1.2 (the TLSv1.3 section is empty because TLS 1.3 is not offered).

The following are the strongest combinations because they offer both FS and AEAD encryption.

  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • DHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-CHACHA20-POLY1305
  • DHE-RSA-CHACHA20-POLY1305
  • ECDHE-RSA-ARIA256/128-GCM-SHA384/SHA256
  • DHE-RSA-ARIA256/128-GCM-SHA384/SHA256

The following use CBC mode and are not considered very reliable today.

  • ECDHE-RSA-AES256-SHA384
  • ECDHE-RSA-AES128-SHA256
  • DHE-RSA-AES256-SHA256
  • ECDHE-RSA-CAMELLIA256-SHA384
  • DHE-RSA-ARIA128/256-CBC
  • TLS_RSA_WITH_AES_128_CBC_SHA, ...AES_256_CBC_SHA, ...CAMELLIA...

The following use static RSA key exchange and therefore have no FS, so they should not be preferred.

  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
  • TLS_RSA_WITH_ARIA_128_GCM_SHA256
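
The classification above (and the cipher-category checks earlier in the scan) can be applied mechanically to a testssl.sh cipher table. The following shell script is an added example, not code from the article or from testssl.sh: it reads table rows like the ones shown above, derives forward secrecy and AEAD from the OpenSSL suite name, and gives each suite a verdict. It goes slightly beyond the article by also rejecting NULL, anonymous, export, RC4, DES/3DES and MD5 suites, which the first category table says must not be offered. It assumes that, in a TLS 1.2 list without RC4, every non-AEAD suite is a CBC suite (OpenSSL names omit “CBC”; the IANA names spell it out). The sample rows are copied from the table in this article.

```shell
#!/bin/sh
# Added example, not from the article or testssl.sh: classify the OpenSSL cipher
# suite names from a testssl.sh TLS 1.2 table the way the text above does.

# Print a verdict for one OpenSSL suite name:
#   keep         forward secrecy (ECDHE/DHE) and AEAD (GCM, CCM, ChaCha20-Poly1305)
#   drop:legacy  NULL/anonymous/export/RC4/DES/3DES/MD5 suites
#   drop:cbc     non-AEAD suite; in a TLS 1.2 list without RC4 that means CBC mode
#   drop:no-fs   AEAD but static RSA/ECDH key exchange, so no forward secrecy
classify_suite() {
    case $1 in
        *NULL*|ADH-*|AECDH-*|EXP-*|EXP1024-*|*RC4*|*DES*|*MD5*) echo drop:legacy; return ;;
    esac
    case $1 in
        *GCM*|*CCM*|*CHACHA20*) aead=yes ;;
        *)                      aead=no ;;
    esac
    case $1 in
        ECDHE-*|DHE-*) fs=yes ;;
        *)             fs=no ;;
    esac
    if [ "$aead" = no ]; then echo drop:cbc
    elif [ "$fs" = no ]; then echo drop:no-fs
    else echo keep
    fi
}

# Read testssl.sh table rows (hexcode, OpenSSL name, ...) from stdin and print
# "NAME VERDICT" for each; protocol headers and "-" rows are skipped.
classify_table() {
    awk '$1 ~ /^x[0-9a-f]+$/ { print $2 }' | while read -r suite; do
        printf '%s %s\n' "$suite" "$(classify_suite "$suite")"
    done
}

# Count the rows on stdin whose verdict is $1 (e.g. keep, drop:cbc).
count_verdict() {
    classify_table | awk -v v="$1" '$2 == v { n++ } END { print n + 0 }'
}

# Constructed sample: rows copied from the article's TLS 1.2 table.
SAMPLE_TABLE=' xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 253   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 xc028   ECDHE-RSA-AES256-SHA384           ECDH 253   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 x9d     AES256-GCM-SHA384                 RSA        AESGCM      256      TLS_RSA_WITH_AES_256_GCM_SHA384
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA
 xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 253   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 xc09f   DHE-RSA-AES256-CCM                DH 2048    AESCCM      256      TLS_DHE_RSA_WITH_AES_256_CCM
 xc051   ARIA256-GCM-SHA384                RSA        ARIAGCM     256      TLS_RSA_WITH_ARIA_256_GCM_SHA384'

# Demo: print the verdict for each sample row.
printf '%s\n' "$SAMPLE_TABLE" | classify_table
```

Feeding the whole table from the scan output through `classify_table` gives the same three groups the article lists by hand; anything other than `keep` is a suite to remove from the server’s cipher string.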

ShellScript
Has server cipher order?     yes (OK)


 Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4

 FS is offered (OK)           ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA
                              DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-CHACHA20-POLY1305
                              DHE-RSA-AES256-CCM8 DHE-RSA-AES256-CCM DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA
                              ECDHE-RSA-CAMELLIA256-SHA384 DHE-RSA-CAMELLIA256-SHA256 DHE-RSA-CAMELLIA256-SHA
                              DHE-RSA-ARIA256-GCM-SHA384 ECDHE-ARIA256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256
                              ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256
                              DHE-RSA-AES128-CCM8 DHE-RSA-AES128-CCM DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA
                              ECDHE-RSA-CAMELLIA128-SHA256 DHE-RSA-CAMELLIA128-SHA256 DHE-RSA-CAMELLIA128-SHA
                              DHE-RSA-ARIA128-GCM-SHA256 ECDHE-ARIA128-GCM-SHA256
 Elliptic curves offered:     prime256v1 secp384r1 secp521r1 X25519 X448
 DH group offered:            RFC3526/Oakley Group 14 (2048 bits)
 TLS 1.2 sig_algs offered:    RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512 RSA+SHA256 RSA+SHA384
                              RSA+SHA512 RSA+SHA224 RSA+SHA1

This part tests the server’s key exchange, cipher ordering and Forward Secrecy support.

  • “Has server cipher order? yes (OK)” means that the server enforces its own cipher preference order, which is good because the choice is not left to the client, so a client cannot steer the negotiation toward a weaker suite that the server ranks lower.
  • FS is offered, as the output confirms, which is good.
  • The FS cipher suites and the elliptic curves offered are strong.

ShellScript
 Testing server defaults (Server Hello)

 TLS extensions (standard)    "server name/#0" "max fragment length/#1" "EC point formats/#11"
                              "application layer protocol negotiation/#16" "encrypt-then-mac/#22"
                              "extended master secret/#23" "session ticket/#35" "renegotiation info/#65281"
 Session Ticket RFC 5077 hint 300 seconds, session tickets keys seems to be rotated < daily
 SSL Session ID support       yes
 Session Resumption           Tickets: yes, ID: yes
 TLS clock skew               Random values, no fingerprinting possible
 Client Authentication        none
 Signature Algorithm          SHA256 with RSA
 Server key size              RSA 2048 bits (exponent is 65537)
 Server key usage             Digital Signature, Key Encipherment
 Server extended key usage    TLS Web Server Authentication, TLS Web Client Authentication
 Serial                       05341F531FC1C0E5ADCA0488DA757E81182F (OK: length 18)
 Fingerprints                 SHA1 1F8537C2CF207CB54CC90DDDC287D23525D333CB
                              SHA256 9D2E25DA76DCDEFA45A6570E34886C485E11F10237C91ABE6867B2732C3D661D
 Common Name (CN)             webdisk.alirodoplu.com  (CN in response to request w/o SNI: *.prod.sxb1.secureserver.net )
 subjectAltName (SAN)         alirodoplu.com autodiscover.alirodoplu.com cpanel.alirodoplu.com mail.alirodoplu.com
                              webdisk.alirodoplu.com webmail.alirodoplu.com www.alirodoplu.com
 Trust (hostname)             Ok via SAN (SNI mandatory)
                              wildcard certificate could be problematic, see other hosts at
                              https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=9D2E25DA76DCDEFA45A6570E34886C485E11F10237C91ABE6867B2732C3D661D
 Chain of trust               Ok
 EV cert (experimental)       no
 Certificate Validity (UTC)   75 >= 30 days (2025-10-02 02:49 --> 2025-12-31 02:49)
 ETS/"eTLS", visibility info  not present
 Certificate Revocation List  http://r13.c.lencr.org/48.crl
 OCSP URI                     --
 OCSP stapling                not offered
 OCSP must staple extension   --
 DNS CAA RR (experimental)    not offered
 Certificate Transparency     yes (certificate extension)
 Certificates provided        2
 Issuer                       R13 (Let's Encrypt from US)
 Intermediate cert validity   #1: ok > 40 days (2027-03-12 23:59). R13 <-- ISRG Root X1
 Intermediate Bad OCSP (exp.) Ok


 Testing HTTP header response @ "/"

 HTTP Status Code             301 Moved Permanently, redirecting to "https://www.alirodoplu.com/"
 HTTP clock skew              -1 sec from localtime
 Strict Transport Security    not offered
 Public Key Pinning           --
 Server banner                Apache
 Application banner           X-Powered-By: PHP/7.4.33
 Cookie(s)                    (none issued at "/") -- maybe better try target URL of 30x
 Security headers             Upgrade: h2,h2c
 Reverse Proxy banner         --

We can see that the server supports secure TLS extensions such as:

  • “encrypt-then-mac”
  • “extended master secret”
  • “ALPN”
  • “renegotiation info”

The session ticket keys also appear to be rotated at least daily, which keeps ticket-based session resumption compatible with forward secrecy.

CN: webdisk.alirodoplu.com
SAN: alirodoplu.com, mail.alirodoplu.com, www.alirodoplu.com, etc.
Trust (hostname): OK via SAN

  • We can also see the server certificate details and how the host is authenticated.
  • The SAN is correctly defined.
  • The chain is valid: Let’s Encrypt R13 -> ISRG Root X1.

However, testssl.sh also notes that a wildcard certificate is visible on this host (the certificate returned when no SNI is sent), which can sometimes be a problem. You should check which other hosts are using it; the Censys link in the output helps with that.

Also, on the negative side:

  • No OCSP stapling
  • No DNS CAA record
  • Several HTTP security headers are missing (no HSTS, among others)

ShellScript
 Testing vulnerabilities

 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Ticketbleed (CVE-2016-9244), experiment.  not vulnerable (OK)
 Opossum (CVE-2025-49812)                  not vulnerable (OK)
 ROBOT                                     not vulnerable (OK)
 Secure Renegotiation (RFC 5746)           supported (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    potentially NOT ok, "br" HTTP compression detected. - only supplied "/" tested
                                           Can be ignored for static pages or if no secrets in the page
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK), no SSLv3 support
 TLS_FALLBACK_SCSV (RFC 7507)              No fallback possible (OK), no protocol below TLS 1.2 offered
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services, see
                                           https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=9D2E25DA76DCDEFA45A6570E34886C485E11F10237C91ABE6867B2732C3D661D
 LOGJAM (CVE-2015-4000), experimental      common prime with 2048 bits detected: RFC3526/Oakley Group 14 (2048 bits),
                                           but no DH EXPORT ciphers
 BEAST (CVE-2011-3389)                     not vulnerable (OK), no SSL3 or TLS1
 LUCKY13 (CVE-2013-0169), experimental     potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
 Winshock (CVE-2014-6321), experimental    not vulnerable (OK) - ARIA, CHACHA or CCM ciphers found
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)

This part tests whether the server is vulnerable to known TLS/SSL attacks.

The server is largely secure and none of the old vulnerabilities are active. Only one or two findings need attention, such as BREACH (and the LUCKY13 note, which again points at the CBC ciphers).

ShellScript
 Rating (experimental)

 Rating specs (not complete)  SSL Labs's 'SSL Server Rating Guide' (version 2009r from 2025-05-16)
 Specification documentation  https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
 Protocol Support (weighted)  100 (30)
 Key Exchange     (weighted)  90 (27)
 Cipher Strength  (weighted)  90 (36)
 Final Score                  93
 Overall Grade                A-
 Grade warning                TLS 1.3 is not supported

Finally, a general summary is presented. Based on three weighted categories,

  • Protocol Support
  • Key Exchange
  • Cipher Strength

the server receives a final score of 93, which corresponds to an A- grade.

The most important caveat is that the server does not support TLS 1.3, which is the reason for the grade warning.
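
Once the configuration has been changed, the three concrete gaps this scan reported (no TLS 1.3, no OCSP stapling, no HSTS) can be re-checked with plain `openssl s_client` and `curl`, independently of testssl.sh. The script below is an added example, not code from the article or from testssl.sh. The parsing functions read captured tool output on stdin so they can be exercised offline; the sample transcripts are constructed to look like real `openssl s_client` and `curl -sI` output, and the hostname `example.invalid` is a placeholder. `-tls1_3`, `-status` and `-servername` are real `openssl s_client` options.

```shell
#!/bin/sh
# Added example, not from the article or testssl.sh: re-check the three gaps
# this scan reported (no TLS 1.3, no OCSP stapling, no HSTS) with openssl and
# curl. The parsers read captured tool output on stdin, so they run offline.

# True if an `openssl s_client` transcript shows a TLS 1.3 session.
tls13_negotiated() {
    grep -q -E 'New, TLSv1\.3,|Protocol *: *TLSv1\.3'
}

# True if an `openssl s_client -status` transcript contains a stapled OCSP response.
ocsp_stapled() {
    grep -q 'OCSP Response Status: successful'
}

# True if HTTP response headers on stdin carry Strict-Transport-Security.
hsts_present() {
    grep -q -i '^strict-transport-security:'
}

# Print the HSTS max-age in seconds (0 if the header or the directive is absent).
hsts_max_age() {
    awk -F'max-age=' '
        tolower($0) ~ /^strict-transport-security:/ { split($2, a, /[^0-9]/); print a[1] + 0; found = 1 }
        END { if (!found) print 0 }'
}

# Run all three checks against a live host on port 443 and print one line each.
live_check() {
    host=$1
    if openssl s_client -connect "$host:443" -servername "$host" -tls1_3 </dev/null 2>/dev/null | tls13_negotiated
    then echo "TLS 1.3:       ok"; else echo "TLS 1.3:       NOT offered"; fi
    if openssl s_client -connect "$host:443" -servername "$host" -status </dev/null 2>/dev/null | ocsp_stapled
    then echo "OCSP stapling: ok"; else echo "OCSP stapling: NOT offered"; fi
    headers=$(curl -sI "https://$host/")
    if printf '%s\n' "$headers" | hsts_present
    then echo "HSTS:          ok (max-age $(printf '%s\n' "$headers" | hsts_max_age)s)"
    else echo "HSTS:          NOT offered"; fi
}

# Constructed sample transcripts, shaped like real tool output, for offline use.
SAMPLE_S_CLIENT_OK='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol  : TLSv1.3'
SAMPLE_S_CLIENT_OLD='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Protocol  : TLSv1.2'
SAMPLE_STATUS_OK='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)'
SAMPLE_STATUS_NONE='OCSP response: no response sent'
SAMPLE_HEADERS_OK='HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains
server: Apache'
SAMPLE_HEADERS_NONE='HTTP/2 301
location: https://www.example.invalid/
server: Apache'

# With a hostname argument, check the live host; otherwise nothing is contacted.
if [ $# -gt 0 ]; then
    live_check "$1"
fi
```

Note that HSTS has to be present on every HTTPS response, including the 301 redirect the scan observed at "/", otherwise a client that only ever sees the redirect never learns the policy. On Apache the corresponding fixes live in the `SSLProtocol`, `SSLCipherSuite`, `SSLHonorCipherOrder`, `SSLUseStapling` (with `SSLStaplingCache`) and `Header always set Strict-Transport-Security` directives; re-run testssl.sh afterwards to confirm the grade warning is gone.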

