Hardenize Report: gnu.org

Web Security Overview

HTTPS

Web sites need to use encryption to help their visitors know they're in the right place, as well as provide confidentiality and content integrity. Sites that don't support HTTPS may expose sensitive data and have their pages modified and subverted.
There are issues with this site's HTTPS configuration.

For all sites VERY IMPORTANT medium EFFORT

HTTPS Redirection

To deploy HTTPS properly, web sites must redirect all unsafe (plaintext) traffic to the encrypted variant. This approach ensures that no sensitive data is exposed and that further security technologies can be activated.

For all sites VERY IMPORTANT low EFFORT

HTTP Strict Transport Security

HTTP Strict Transport Security (HSTS) is an HTTPS extension that instructs browsers to remember sites that use encryption and enforce strict security requirements. Without HSTS, active network attacks are easy to carry out.
There are issues with this site's HSTS configuration.

For important sites VERY IMPORTANT medium EFFORT

HSTS Preloaded

HSTS Preloading is informing browsers in advance about a site's use of HSTS, which means that strict security can be enforced even on the first visit. This approach provides best HTTPS security available today.

For important sites VERY IMPORTANT medium EFFORT

Content Security Policy

Content Security Policy (CSP) is an additional security layer that enables web sites to control browser behavior, creating a safety net that can counter attacks such as cross-site scripting.

For important sites IMPORTANT high EFFORT

Email Security Overview

STARTTLS

All hosts that receive email need encryption to ensure confidentiality of email messages. Email servers thus need to support STARTTLS, as well as provide decent TLS configuration and correct certificates.

For all sites VERY IMPORTANT low EFFORT

SPF

Sender Policy Framework (SPF) enables organizations to designate servers that are allowed to send email messages on their behalf. With SPF in place, spam is easier to identify.

For important sites IMPORTANT low EFFORT

DMARC

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a mechanism that allows organizations to specify how unauthenticated email (identified using SPF and DKIM) should be handled.
There are issues with this site's DMARC configuration.

For important sites IMPORTANT low EFFORT

Domain Registration

Your security begins with the security of your domain name. If someone takes control of your domain name then they can update the name server configuration to send users elsewhere, or they can transfer the domain name to another party. For best results, fully lock your domain names at registry and registrar levels.

Test passed

Everything seems to be well configured. Well done.

Registration Data Access Protocol (RDAP)

The RDAP protocol enables users to access current registration data and was created as an eventual replacement for the WHOIS protocol. RDAP has several advantages over the WHOIS protocol, including support for internationalization, secure access to data, and the ability to provide differentiated access to registration data.

Parsed Raw Data Model

Registrant	Free Software Foundation
Lookup Time	26 Apr 2024 00:37 UTC
Source	https://rdap.publicinterestregistry.org/rdap/domain/gnu.org
Registrar
Registrar	Gandi SAS
Registrar IANA ID	81
Events
Registration	24 Nov 1995 05:00 UTC
Update	28 Oct 2023 02:10 UTC
Expiration	23 Nov 2024 05:00 UTC
Configuration
Statuses	clientTransferProhibited
Registrar Lock
Registry Lock
Nameservers	ns4.gnu.org 188.165.235.157 2001:41d0:2:b69d:0:0:0:1 ns1.gnu.org 192.99.37.66 2607:5300:60:4c42:0:0:0:1 ns2.gnu.org 192.99.35.98 2607:5300:60:4a62:0:0:0:1 ns3.gnu.org 185.199.142.2
Contacts
Registrant	Free Software Foundation US
Technical
Administrative
Registrar	Gandi SAS
Abuse	Email: abuse@support.gandi.net Phone: +33.170377661

{
  "meta": {
    "timestamp": "2024-04-26T00:37:31Z",
    "id": "15f7959a-9359-433a-923a-0a12e53df232",
    "type": "HZ_REGISTRABLE_DOMAIN",
    "schemaVersion": "2022-02-02",
    "producer": "whois-rdap-clients/2022-03-23",
    "source": "NET",
    "status": "OK",
    "duration": "0.254s"
  },
  "name": "gnu.org",
  "punyName": "gnu.org",
  "source": "SOURCE_RDAP",
  "sourceLocation": "https://rdap.publicinterestregistry.org/rdap/domain/gnu.org",
  "sourceRaw": "{\n  \"rdapConformance\": [\n    \"rdap_level_0\",\n    \"icann_rdap_response_profile_0\",\n    \"icann_rdap_technical_implementation_guide_0\"\n  ],\n  \"notices\": [\n    {\n      \"title\": \"Terms of Service\",\n      \"description\": [\n        \"Public Interest Registry provides this RDAP service for informational purposes only, and to assist persons in obtaining information about or related to a domain name registration record. Public Interest Registry does not guarantee its accuracy. Users accessing the Public Interest Registry RDAP service agree to use the data only for lawful purposes, and under no circumstances may this data be used to: a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the registrar\u0027s own existing customers and b) enable high volume, automated, electronic processes that send queries or data to the systems of Public Interest Registry or any ICANN-accredited registrar, except as reasonably necessary to register domain names or modify existing registrations. When using the Public Interest Registry RDAP service, please consider the following: the RDAP service is not a replacement for standard EPP commands to the SRS service. RDAP is not considered authoritative for registered domain objects. The RDAP service may be scheduled for downtime during production or OT\u0026E maintenance periods. Queries to the RDAP services are throttled. If too many queries are received from a single IP address within a specified time, the service will begin to reject further queries for a period of time to prevent disruption of RDAP service access. Abuse of the RDAP system through data mining is mitigated by detecting and limiting bulk query access from single sources. Where applicable, the presence of a [Non-Public Data] tag indicates that such data is not made publicly available due to applicable data privacy laws or requirements. Should you wish to contact the registrant, please refer to the RDAP records available through the registrar URL listed above. Access to non-public data may be provided, upon request, where it can be reasonably confirmed that the requester holds a specific legitimate interest and a proper legal basis for accessing the withheld data. Access to this data can be requested by submitting a request to WHOISrequest@pir.org. Public Interest Registry Inc. reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy.\"\n      ],\n      \"links\": [\n        {\n          \"value\": \"https://rdap.publicinterestregistry.org/rdap/domain/gnu.org\",\n          \"rel\": \"alternate\",\n          \"href\": \"https://thenew.org/org-people/about-pir/policies/\",\n          \"type\": \"text/html\"\n        }\n      ]\n    },\n    {\n      \"title\": \"Status Codes\",\n      \"description\": [\n        \"For more information on domain status codes, please visit https://icann.org/epp\"\n      ],\n      \"links\": [\n        {\n          \"value\": \"https://icann.org/epp\",\n          \"rel\": \"self\",\n          \"href\": \"https://icann.org/epp\",\n          \"type\": \"application/rdap+json\"\n        }\n      ]\n    },\n    {\n      \"title\": \"RDDS Inaccuracy Complaint Form\",\n      \"description\": [\n        \"URL of the ICANN RDDS Inaccuracy Complaint Form: https://www.icann.org/wicf\"\n      ],\n      \"links\": [\n        {\n          \"value\": \"https://www.icann.org/wicf\",\n          \"rel\": \"self\",\n          \"href\": \"https://www.icann.org/wicf\",\n          \"type\": \"application/rdap+json\"\n        }\n      ]\n    }\n  ],\n  \"ldhName\": \"gnu.org\",\n  \"unicodeName\": \"gnu.org\",\n  \"nameservers\": [\n    {\n      \"ldhName\": \"ns4.gnu.org\",\n      \"unicodeName\": \"ns4.gnu.org\",\n      \"ipAddresses\": {\n        \"v4\": [\n          \"188.165.235.157\"\n        ],\n        \"v6\": [\n          \"2001:41d0:2:b69d::1\"\n        ]\n      },\n      \"objectClassName\": \"nameserver\",\n      \"handle\": \"4966d598932747418f20226911a05ad5-LROR\",\n      \"status\": [\n        \"associated\"\n      ]\n    },\n    {\n      \"ldhName\": \"ns1.gnu.org\",\n      \"unicodeName\": \"ns1.gnu.org\",\n      \"ipAddresses\": {\n        \"v4\": [\n          \"192.99.37.66\"\n        ],\n        \"v6\": [\n          \"2607:5300:60:4c42::1\"\n        ]\n      },\n      \"objectClassName\": \"nameserver\",\n      \"handle\": \"2e8875826dbe4fc784d309b8200bb9ec-LROR\",\n      \"status\": [\n        \"associated\"\n      ]\n    },\n    {\n      \"ldhName\": \"ns2.gnu.org\",\n      \"unicodeName\": \"ns2.gnu.org\",\n      \"ipAddresses\": {\n        \"v4\": [\n          \"192.99.35.98\"\n        ],\n        \"v6\": [\n          \"2607:5300:60:4a62::1\"\n        ]\n      },\n      \"objectClassName\": \"nameserver\",\n      \"handle\": \"563501eb4bce42b3a03468f7d7aa9517-LROR\",\n      \"status\": [\n        \"associated\"\n      ]\n    },\n    {\n      \"ldhName\": \"ns3.gnu.org\",\n      \"unicodeName\": \"ns3.gnu.org\",\n      \"ipAddresses\": {\n        \"v4\": [\n          \"185.199.142.2\"\n        ]\n      },\n      \"objectClassName\": \"nameserver\",\n      \"handle\": \"7169489b93bd4d82b00b9db415f60e3f-LROR\",\n      \"status\": [\n        \"associated\"\n      ]\n    }\n  ],\n  \"publicIds\": [\n    {\n      \"type\": \"IANA Registrar ID\",\n      \"identifier\": \"81\"\n    }\n  ],\n  \"objectClassName\": \"domain\",\n  \"handle\": \"b890491ca78240c19c0ecb066a193ed0-LROR\",\n  \"status\": [\n    \"client transfer prohibited\"\n  ],\n  \"events\": [\n    {\n      \"eventAction\": \"expiration\",\n      \"eventDate\": \"2024-11-23T05:00:00Z\"\n    },\n    {\n      \"eventAction\": \"registration\",\n      \"eventDate\": \"1995-11-24T05:00:00.743Z\"\n    },\n    {\n      \"eventAction\": \"last changed\",\n      \"eventDate\": \"2023-10-28T02:10:13.606Z\"\n    },\n    {\n      \"eventAction\": \"last update of RDAP database\",\n      \"eventDate\": \"2024-04-26T00:37:30.697Z\"\n    }\n  ],\n  \"entities\": [\n    {\n      \"vcardArray\": [\n        \"vcard\",\n        [\n          [\n            \"version\",\n            {},\n            \"text\",\n            \"4.0\"\n          ],\n          [\n            \"org\",\n            {\n              \"type\": \"work\"\n            },\n            \"text\",\n            \"Free Software Foundation\"\n          ],\n          [\n            \"adr\",\n            {},\n            \"text\",\n            [\n              \"\",\n              \"\",\n              \"\",\n              \"\",\n              \"MA\",\n              \"\",\n              \"US\"\n            ]\n          ]\n        ]\n      ],\n      \"roles\": [\n        \"registrant\"\n      ],\n      \"objectClassName\": \"entity\",\n      \"remarks\": [\n        {\n          \"title\": \"REDACTED FOR PRIVACY\",\n          \"type\": \"object redacted due to authorization\",\n          \"description\": [\n            \"Some of the data in this object has been removed.\"\n          ]\n        },\n        {\n          \"title\": \"EMAIL REDACTED FOR PRIVACY\",\n          \"type\": \"object redacted due to authorization\",\n          \"description\": [\n            \"Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant of the queried domain name.\"\n          ]\n        }\n      ],\n      \"events\": [\n        {\n          \"eventAction\": \"last update of RDAP database\",\n          \"eventDate\": \"2024-04-26T00:37:30.697Z\"\n        }\n      ]\n    },\n    {\n      \"vcardArray\": [\n        \"vcard\",\n        [\n          [\n            \"version\",\n            {},\n            \"text\",\n            \"4.0\"\n          ]\n        ]\n      ],\n      \"roles\": [\n        \"technical\"\n      ],\n      \"objectClassName\": \"entity\",\n      \"remarks\": [\n        {\n          \"title\": \"REDACTED FOR PRIVACY\",\n          \"type\": \"object redacted due to authorization\",\n          \"description\": [\n            \"Some of the data in this object has been removed.\"\n          ]\n        },\n        {\n          \"title\": \"EMAIL REDACTED FOR PRIVACY\",\n          \"type\": \"object redacted due to authorization\",\n          \"description\": [\n            \"Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant of the queried domain name.\"\n          ]\n        }\n      ],\n      \"events\": [\n        {\n          \"eventAction\": \"last update of RDAP database\",\n          \"eventDate\": \"2024-04-26T00:37:30.697Z\"\n        }\n      ]\n    },\n    {\n      \"vcardArray\": [\n        \"vcard\",\n        [\n          [\n            \"version\",\n            {},\n            \"text\",\n            \"4.0\"\n          ]\n        ]\n      ],\n      \"roles\": [\n        \"administrative\"\n      ],\n      \"objectClassName\": \"entity\",\n      \"remarks\": [\n        {\n          \"title\": \"REDACTED FOR PRIVACY\",\n          \"type\": \"object redacted due to authorization\",\n          \"description\": [\n            \"Some of the data in this object has been removed.\"\n          ]\n        },\n        {\n          \"title\": \"EMAIL REDACTED FOR PRIVACY\",\n          \"type\": \"object redacted due to authorization\",\n          \"description\": [\n            \"Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant of the queried domain name.\"\n          ]\n        }\n      ],\n      \"events\": [\n        {\n          \"eventAction\": \"last update of RDAP database\",\n          \"eventDate\": \"2024-04-26T00:37:30.697Z\"\n        }\n      ]\n    },\n    {\n      \"vcardArray\": [\n        \"vcard\",\n        [\n          [\n            \"version\",\n            {},\n            \"text\",\n            \"4.0\"\n          ],\n          [\n            \"fn\",\n            {},\n            \"text\",\n            \"Gandi SAS\"\n          ]\n        ]\n      ],\n      \"roles\": [\n        \"registrar\"\n      ],\n      \"publicIds\": [\n        {\n          \"type\": \"IANA Registrar ID\",\n          \"identifier\": \"81\"\n        }\n      ],\n      \"objectClassName\": \"entity\",\n      \"handle\": \"81\",\n      \"entities\": [\n        {\n          \"vcardArray\": [\n            \"vcard\",\n            [\n              [\n                \"version\",\n                {},\n                \"text\",\n                \"4.0\"\n              ],\n              [\n                \"tel\",\n                {\n                  \"type\": \"voice\"\n                },\n                \"uri\",\n                \"tel:+33.170377661\"\n              ],\n              [\n                \"email\",\n                {},\n                \"text\",\n                \"abuse@support.gandi.net\"\n              ]\n            ]\n          ],\n          \"roles\": [\n            \"abuse\"\n          ],\n          \"objectClassName\": \"entity\",\n          \"handle\": \"ffba2eccf7e1438e9ddc9d520fe1bd1f-DONUTS\"\n        }\n      ],\n      \"links\": [\n        {\n          \"value\": \"https://rdap.publicinterestregistry.org/rdap/entity/81\",\n          \"rel\": \"self\",\n          \"href\": \"https://rdap.publicinterestregistry.org/rdap/entity/81\",\n          \"type\": \"application/rdap+json\"\n        }\n      ]\n    }\n  ],\n  \"links\": [\n    {\n      \"value\": \"https://rdap.gandi.net/domain/gnu.org\",\n      \"rel\": \"related\",\n      \"href\": \"https://rdap.gandi.net/domain/gnu.org\",\n      \"type\": \"application/rdap+json\"\n    },\n    {\n      \"value\": \"https://rdap.publicinterestregistry.org/rdap/domain/gnu.org\",\n      \"rel\": \"self\",\n      \"href\": \"https://rdap.publicinterestregistry.org/rdap/domain/gnu.org\",\n      \"type\": \"application/rdap+json\"\n    }\n  ]\n}",
  "tld": "org",
  "suffix": "org",
  "createTime": "1995-11-24T05:00:00Z",
  "expireTime": "2024-11-23T05:00:00Z",
  "updateTime": "2023-10-28T02:10:13Z",
  "registrarLock": true,
  "registryLock": false,
  "registrarName": "Gandi SAS",
  "registrarIanaId": "81",
  "registrant": "Free Software Foundation",
  "nameservers": [{
    "name": "ns4.gnu.org",
    "punyName": "ns4.gnu.org",
    "addresses": ["188.165.235.157", "2001:41d0:2:b69d:0:0:0:1"]
  }, {
    "name": "ns1.gnu.org",
    "punyName": "ns1.gnu.org",
    "addresses": ["192.99.37.66", "2607:5300:60:4c42:0:0:0:1"]
  }, {
    "name": "ns2.gnu.org",
    "punyName": "ns2.gnu.org",
    "addresses": ["192.99.35.98", "2607:5300:60:4a62:0:0:0:1"]
  }, {
    "name": "ns3.gnu.org",
    "punyName": "ns3.gnu.org",
    "addresses": ["185.199.142.2"]
  }],
  "statuses": ["clientTransferProhibited"],
  "sourceStatuses": ["client transfer prohibited"],
  "contacts": [{
    "type": "CONTACT_REGISTRANT",
    "organization": "Free Software Foundation",
    "country": "US"
  }, {
    "type": "CONTACT_TECHNICAL"
  }, {
    "type": "CONTACT_ADMINISTRATIVE"
  }, {
    "type": "CONTACT_REGISTRAR",
    "organization": "Gandi SAS"
  }, {
    "type": "CONTACT_ABUSE",
    "email": "abuse@support.gandi.net",
    "phone": "+33.170377661"
  }]
}

{
  "rdapConformance": [
    "rdap_level_0",
    "icann_rdap_response_profile_0",
    "icann_rdap_technical_implementation_guide_0"
  ],
  "notices": [
    {
      "title": "Terms of Service",
      "description": [
        "Public Interest Registry provides this RDAP service for informational purposes only, and to assist persons in obtaining information about or related to a domain name registration record. Public Interest Registry does not guarantee its accuracy. Users accessing the Public Interest Registry RDAP service agree to use the data only for lawful purposes, and under no circumstances may this data be used to: a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the registrar\u0027s own existing customers and b) enable high volume, automated, electronic processes that send queries or data to the systems of Public Interest Registry or any ICANN-accredited registrar, except as reasonably necessary to register domain names or modify existing registrations. When using the Public Interest Registry RDAP service, please consider the following: the RDAP service is not a replacement for standard EPP commands to the SRS service. RDAP is not considered authoritative for registered domain objects. The RDAP service may be scheduled for downtime during production or OT\u0026E maintenance periods. Queries to the RDAP services are throttled. If too many queries are received from a single IP address within a specified time, the service will begin to reject further queries for a period of time to prevent disruption of RDAP service access. Abuse of the RDAP system through data mining is mitigated by detecting and limiting bulk query access from single sources. Where applicable, the presence of a [Non-Public Data] tag indicates that such data is not made publicly available due to applicable data privacy laws or requirements. Should you wish to contact the registrant, please refer to the RDAP records available through the registrar URL listed above. Access to non-public data may be provided, upon request, where it can be reasonably confirmed that the requester holds a specific legitimate interest and a proper legal basis for accessing the withheld data. Access to this data can be requested by submitting a request to WHOISrequest@pir.org. Public Interest Registry Inc. reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy."
      ],
      "links": [
        {
          "value": "https://rdap.publicinterestregistry.org/rdap/domain/gnu.org",
          "rel": "alternate",
          "href": "https://thenew.org/org-people/about-pir/policies/",
          "type": "text/html"
        }
      ]
    },
    {
      "title": "Status Codes",
      "description": [
        "For more information on domain status codes, please visit https://icann.org/epp"
      ],
      "links": [
        {
          "value": "https://icann.org/epp",
          "rel": "self",
          "href": "https://icann.org/epp",
          "type": "application/rdap+json"
        }
      ]
    },
    {
      "title": "RDDS Inaccuracy Complaint Form",
      "description": [
        "URL of the ICANN RDDS Inaccuracy Complaint Form: https://www.icann.org/wicf"
      ],
      "links": [
        {
          "value": "https://www.icann.org/wicf",
          "rel": "self",
          "href": "https://www.icann.org/wicf",
          "type": "application/rdap+json"
        }
      ]
    }
  ],
  "ldhName": "gnu.org",
  "unicodeName": "gnu.org",
  "nameservers": [
    {
      "ldhName": "ns4.gnu.org",
      "unicodeName": "ns4.gnu.org",
      "ipAddresses": {
        "v4": [
          "188.165.235.157"
        ],
        "v6": [
          "2001:41d0:2:b69d::1"
        ]
      },
      "objectClassName": "nameserver",
      "handle": "4966d598932747418f20226911a05ad5-LROR",
      "status": [
        "associated"
      ]
    },
    {
      "ldhName": "ns1.gnu.org",
      "unicodeName": "ns1.gnu.org",
      "ipAddresses": {
        "v4": [
          "192.99.37.66"
        ],
        "v6": [
          "2607:5300:60:4c42::1"
        ]
      },
      "objectClassName": "nameserver",
      "handle": "2e8875826dbe4fc784d309b8200bb9ec-LROR",
      "status": [
        "associated"
      ]
    },
    {
      "ldhName": "ns2.gnu.org",
      "unicodeName": "ns2.gnu.org",
      "ipAddresses": {
        "v4": [
          "192.99.35.98"
        ],
        "v6": [
          "2607:5300:60:4a62::1"
        ]
      },
      "objectClassName": "nameserver",
      "handle": "563501eb4bce42b3a03468f7d7aa9517-LROR",
      "status": [
        "associated"
      ]
    },
    {
      "ldhName": "ns3.gnu.org",
      "unicodeName": "ns3.gnu.org",
      "ipAddresses": {
        "v4": [
          "185.199.142.2"
        ]
      },
      "objectClassName": "nameserver",
      "handle": "7169489b93bd4d82b00b9db415f60e3f-LROR",
      "status": [
        "associated"
      ]
    }
  ],
  "publicIds": [
    {
      "type": "IANA Registrar ID",
      "identifier": "81"
    }
  ],
  "objectClassName": "domain",
  "handle": "b890491ca78240c19c0ecb066a193ed0-LROR",
  "status": [
    "client transfer prohibited"
  ],
  "events": [
    {
      "eventAction": "expiration",
      "eventDate": "2024-11-23T05:00:00Z"
    },
    {
      "eventAction": "registration",
      "eventDate": "1995-11-24T05:00:00.743Z"
    },
    {
      "eventAction": "last changed",
      "eventDate": "2023-10-28T02:10:13.606Z"
    },
    {
      "eventAction": "last update of RDAP database",
      "eventDate": "2024-04-26T00:37:30.697Z"
    }
  ],
  "entities": [
    {
      "vcardArray": [
        "vcard",
        [
          [
            "version",
            {},
            "text",
            "4.0"
          ],
          [
            "org",
            {
              "type": "work"
            },
            "text",
            "Free Software Foundation"
          ],
          [
            "adr",
            {},
            "text",
            [
              "",
              "",
              "",
              "",
              "MA",
              "",
              "US"
            ]
          ]
        ]
      ],
      "roles": [
        "registrant"
      ],
      "objectClassName": "entity",
      "remarks": [
        {
          "title": "REDACTED FOR PRIVACY",
          "type": "object redacted due to authorization",
          "description": [
            "Some of the data in this object has been removed."
          ]
        },
        {
          "title": "EMAIL REDACTED FOR PRIVACY",
          "type": "object redacted due to authorization",
          "description": [
            "Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant of the queried domain name."
          ]
        }
      ],
      "events": [
        {
          "eventAction": "last update of RDAP database",
          "eventDate": "2024-04-26T00:37:30.697Z"
        }
      ]
    },
    {
      "vcardArray": [
        "vcard",
        [
          [
            "version",
            {},
            "text",
            "4.0"
          ]
        ]
      ],
      "roles": [
        "technical"
      ],
      "objectClassName": "entity",
      "remarks": [
        {
          "title": "REDACTED FOR PRIVACY",
          "type": "object redacted due to authorization",
          "description": [
            "Some of the data in this object has been removed."
          ]
        },
        {
          "title": "EMAIL REDACTED FOR PRIVACY",
          "type": "object redacted due to authorization",
          "description": [
            "Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant of the queried domain name."
          ]
        }
      ],
      "events": [
        {
          "eventAction": "last update of RDAP database",
          "eventDate": "2024-04-26T00:37:30.697Z"
        }
      ]
    },
    {
      "vcardArray": [
        "vcard",
        [
          [
            "version",
            {},
            "text",
            "4.0"
          ]
        ]
      ],
      "roles": [
        "administrative"
      ],
      "objectClassName": "entity",
      "remarks": [
        {
          "title": "REDACTED FOR PRIVACY",
          "type": "object redacted due to authorization",
          "description": [
            "Some of the data in this object has been removed."
          ]
        },
        {
          "title": "EMAIL REDACTED FOR PRIVACY",
          "type": "object redacted due to authorization",
          "description": [
            "Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant of the queried domain name."
          ]
        }
      ],
      "events": [
        {
          "eventAction": "last update of RDAP database",
          "eventDate": "2024-04-26T00:37:30.697Z"
        }
      ]
    },
    {
      "vcardArray": [
        "vcard",
        [
          [
            "version",
            {},
            "text",
            "4.0"
          ],
          [
            "fn",
            {},
            "text",
            "Gandi SAS"
          ]
        ]
      ],
      "roles": [
        "registrar"
      ],
      "publicIds": [
        {
          "type": "IANA Registrar ID",
          "identifier": "81"
        }
      ],
      "objectClassName": "entity",
      "handle": "81",
      "entities": [
        {
          "vcardArray": [
            "vcard",
            [
              [
                "version",
                {},
                "text",
                "4.0"
              ],
              [
                "tel",
                {
                  "type": "voice"
                },
                "uri",
                "tel:+33.170377661"
              ],
              [
                "email",
                {},
                "text",
                "abuse@support.gandi.net"
              ]
            ]
          ],
          "roles": [
            "abuse"
          ],
          "objectClassName": "entity",
          "handle": "ffba2eccf7e1438e9ddc9d520fe1bd1f-DONUTS"
        }
      ],
      "links": [
        {
          "value": "https://rdap.publicinterestregistry.org/rdap/entity/81",
          "rel": "self",
          "href": "https://rdap.publicinterestregistry.org/rdap/entity/81",
          "type": "application/rdap+json"
        }
      ]
    }
  ],
  "links": [
    {
      "value": "https://rdap.gandi.net/domain/gnu.org",
      "rel": "related",
      "href": "https://rdap.gandi.net/domain/gnu.org",
      "type": "application/rdap+json"
    },
    {
      "value": "https://rdap.publicinterestregistry.org/rdap/domain/gnu.org",
      "rel": "self",
      "href": "https://rdap.publicinterestregistry.org/rdap/domain/gnu.org",
      "type": "application/rdap+json"
    }
  ]
}

Analysis

Consider locking this domain name at registry level

Some domain name locks are better than others. Most registrars can configure a lock that they control, which we call a registrar lock. This lock is useful, but at the next level there is the registry lock, which requires a further interaction with the registry for any changes. Registry locks should be used wherever possible for business-critical domain names.

WHOIS

WHOIS is a TCP-based transaction-oriented query/response protocol that is widely used to provide information services to Internet users. While originally used to provide "white pages" services and information about registered domain names, current deployments cover a much broader range of information services.

Parsed Raw Data Model

Registrant	Free Software Foundation
Lookup Time	26 Apr 2024 00:37 UTC
Source	whois.gandi.net:43
Registrar
Registrar	GANDI SAS
Registrar IANA ID	81
Events
Registration	23 Nov 1995 23:00 UTC
Update	23 Oct 2023 02:12 UTC
Expiration	23 Nov 2024 05:00 UTC
Configuration
Statuses	clientTransferProhibited
Registrar Lock
Registry Lock
Nameservers	ns1.gnu.org ns3.gnu.org ns4.gnu.org ns2.gnu.org
Contacts
Registrar	GANDI SAS GANDI SAS
Abuse	Email: abuse@support.gandi.net Phone: +33.170377661
Registrant	Free Software Foundation US Email: 18365d2cf132b16b2d7dc820f6b750b3-188686@contact.gandi.net
Administrative	Email: 18365d2cf132b16b2d7dc820f6b750b3-188686@contact.gandi.net
Technical	Email: 18365d2cf132b16b2d7dc820f6b750b3-188686@contact.gandi.net

{
  "meta": {
    "timestamp": "2024-04-26T00:37:34Z",
    "id": "02962d8b-7c4f-415f-a93a-6e51bbbe4264",
    "type": "HZ_REGISTRABLE_DOMAIN",
    "schemaVersion": "2022-02-02",
    "producer": "whois-rdap-clients/2022-03-23",
    "source": "NET",
    "status": "OK",
    "duration": "0.314s"
  },
  "name": "gnu.org",
  "punyName": "gnu.org",
  "source": "SOURCE_WHOIS",
  "sourceLocation": "whois.gandi.net:43",
  "sourceRaw": "Domain Name: gnu.org\nRegistry Domain ID: D899661-LROR\nRegistrar WHOIS Server: whois.gandi.net\nRegistrar URL: http://www.gandi.net\nUpdated Date: 2023-10-23T02:12:16Z\nCreation Date: 1995-11-23T23:00:00Z\nRegistrar Registration Expiration Date: 2024-11-23T05:00:00Z\nRegistrar: GANDI SAS\nRegistrar IANA ID: 81\nRegistrar Abuse Contact Email: abuse@support.gandi.net\nRegistrar Abuse Contact Phone: +33.170377661\nReseller: \nDomain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited\nDomain Status: \nDomain Status: \nDomain Status: \nDomain Status: \nRegistry Registrant ID: REDACTED FOR PRIVACY\nRegistrant Name: REDACTED FOR PRIVACY\nRegistrant Organization: Free Software Foundation\nRegistrant Street: REDACTED FOR PRIVACY\nRegistrant City: REDACTED FOR PRIVACY\nRegistrant State/Province: Massachusetts\nRegistrant Postal Code: REDACTED FOR PRIVACY\nRegistrant Country: US\nRegistrant Phone: REDACTED FOR PRIVACY\nRegistrant Phone Ext:\nRegistrant Fax: REDACTED FOR PRIVACY\nRegistrant Fax Ext:\nRegistrant Email: 18365d2cf132b16b2d7dc820f6b750b3-188686@contact.gandi.net\nRegistry Admin ID: REDACTED FOR PRIVACY\nAdmin Name: REDACTED FOR PRIVACY\nAdmin Organization: REDACTED FOR PRIVACY\nAdmin Street: REDACTED FOR PRIVACY\nAdmin City: REDACTED FOR PRIVACY\nAdmin State/Province: REDACTED FOR PRIVACY\nAdmin Postal Code: REDACTED FOR PRIVACY\nAdmin Country: REDACTED FOR PRIVACY\nAdmin Phone: REDACTED FOR PRIVACY\nAdmin Phone Ext:\nAdmin Fax: REDACTED FOR PRIVACY\nAdmin Fax Ext:\nAdmin Email: 18365d2cf132b16b2d7dc820f6b750b3-188686@contact.gandi.net\nRegistry Tech ID: REDACTED FOR PRIVACY\nTech Name: REDACTED FOR PRIVACY\nTech Organization: REDACTED FOR PRIVACY\nTech Street: REDACTED FOR PRIVACY\nTech City: REDACTED FOR PRIVACY\nTech State/Province: REDACTED FOR PRIVACY\nTech Postal Code: REDACTED FOR PRIVACY\nTech Country: REDACTED FOR PRIVACY\nTech Phone: REDACTED FOR PRIVACY\nTech Phone Ext:\nTech Fax: REDACTED FOR PRIVACY\nTech Fax Ext:\nTech Email: 18365d2cf132b16b2d7dc820f6b750b3-188686@contact.gandi.net\nName Server: NS1.GNU.ORG\nName Server: NS3.GNU.ORG\nName Server: NS4.GNU.ORG\nName Server: NS2.GNU.ORG\nName Server: \nName Server: \nName Server: \nName Server: \nName Server: \nName Server: \nDNSSEC: Unsigned\nURL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/\n\u003e\u003e\u003e Last update of WHOIS database: 2024-04-26T00:37:33Z \u003c\u003c\u003c\n\nFor more information on Whois status codes, please visit\nhttps://www.icann.org/epp\n\nReseller Email: \nReseller URL: \n\nPersonal data access and use are governed by French law, any use for the purpose of unsolicited mass commercial advertising as well as any mass or automated inquiries (for any intent other than the registration or modification of a domain name) are strictly forbidden. Copy of whole or part of our database without Gandi\u0027s endorsement is strictly forbidden.\nA dispute over the ownership of a domain name may be subject to the alternate procedure established by the Registry in question or brought before the courts.\nFor additional information, please contact us via the following form:\n https://www.gandi.net/support/contacter/mail/\n",
  "tld": "org",
  "suffix": "org",
  "createTime": "1995-11-23T23:00:00Z",
  "expireTime": "2024-11-23T05:00:00Z",
  "updateTime": "2023-10-23T02:12:16Z",
  "privacy": true,
  "registrarLock": true,
  "registryLock": false,
  "registrarName": "GANDI SAS",
  "registrarIanaId": "81",
  "registrarUrl": "http://www.gandi.net",
  "registrant": "Free Software Foundation",
  "nameservers": [{
    "name": "ns1.gnu.org",
    "punyName": "",
    "addresses": []
  }, {
    "name": "ns3.gnu.org",
    "punyName": "",
    "addresses": []
  }, {
    "name": "ns4.gnu.org",
    "punyName": "",
    "addresses": []
  }, {
    "name": "ns2.gnu.org",
    "punyName": "",
    "addresses": []
  }],
  "statuses": ["clientTransferProhibited"],
  "sourceStatuses": ["clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited"],
  "contacts": [{
    "type": "CONTACT_REGISTRAR",
    "firstName": "GANDI SAS",
    "organization": "GANDI SAS"
  }, {
    "type": "CONTACT_ABUSE",
    "email": "abuse@support.gandi.net",
    "phone": "+33.170377661"
  }, {
    "type": "CONTACT_REGISTRANT",
    "organization": "Free Software Foundation",
    "state": "Massachusetts",
    "country": "US",
    "email": "18365d2cf132b16b2d7dc820f6b750b3-188686@contact.gandi.net"
  }, {
    "type": "CONTACT_ADMINISTRATIVE",
    "email": "18365d2cf132b16b2d7dc820f6b750b3-188686@contact.gandi.net"
  }, {
    "type": "CONTACT_TECHNICAL",
    "email": "18365d2cf132b16b2d7dc820f6b750b3-188686@contact.gandi.net"
  }]
}

Domain Name: gnu.org
Registry Domain ID: D899661-LROR
Registrar WHOIS Server: whois.gandi.net
Registrar URL: http://www.gandi.net
Updated Date: 2023-10-23T02:12:16Z
Creation Date: 1995-11-23T23:00:00Z
Registrar Registration Expiration Date: 2024-11-23T05:00:00Z
Registrar: GANDI SAS
Registrar IANA ID: 81
Registrar Abuse Contact Email: abuse@support.gandi.net
Registrar Abuse Contact Phone: +33.170377661
Reseller: 
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: 
Domain Status: 
Domain Status: 
Domain Status: 
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Free Software Foundation
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: Massachusetts
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: US
Registrant Phone: REDACTED FOR PRIVACY
Registrant Phone Ext:
Registrant Fax: REDACTED FOR PRIVACY
Registrant Fax Ext:
Registrant Email: 18365d2cf132b16b2d7dc820f6b750b3-188686@contact.gandi.net
Registry Admin ID: REDACTED FOR PRIVACY
Admin Name: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
Admin Street: REDACTED FOR PRIVACY
Admin City: REDACTED FOR PRIVACY
Admin State/Province: REDACTED FOR PRIVACY
Admin Postal Code: REDACTED FOR PRIVACY
Admin Country: REDACTED FOR PRIVACY
Admin Phone: REDACTED FOR PRIVACY
Admin Phone Ext:
Admin Fax: REDACTED FOR PRIVACY
Admin Fax Ext:
Admin Email: 18365d2cf132b16b2d7dc820f6b750b3-188686@contact.gandi.net
Registry Tech ID: REDACTED FOR PRIVACY
Tech Name: REDACTED FOR PRIVACY
Tech Organization: REDACTED FOR PRIVACY
Tech Street: REDACTED FOR PRIVACY
Tech City: REDACTED FOR PRIVACY
Tech State/Province: REDACTED FOR PRIVACY
Tech Postal Code: REDACTED FOR PRIVACY
Tech Country: REDACTED FOR PRIVACY
Tech Phone: REDACTED FOR PRIVACY
Tech Phone Ext:
Tech Fax: REDACTED FOR PRIVACY
Tech Fax Ext:
Tech Email: 18365d2cf132b16b2d7dc820f6b750b3-188686@contact.gandi.net
Name Server: NS1.GNU.ORG
Name Server: NS3.GNU.ORG
Name Server: NS4.GNU.ORG
Name Server: NS2.GNU.ORG
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
DNSSEC: Unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2024-04-26T00:37:33Z <<<

For more information on Whois status codes, please visit
https://www.icann.org/epp

Reseller Email: 
Reseller URL: 

Personal data access and use are governed by French law, any use for the purpose of unsolicited mass commercial advertising as well as any mass or automated inquiries (for any intent other than the registration or modification of a domain name) are strictly forbidden. Copy of whole or part of our database without Gandi's endorsement is strictly forbidden.
A dispute over the ownership of a domain name may be subject to the alternate procedure established by the Registry in question or brought before the courts.
For additional information, please contact us via the following form:
 https://www.gandi.net/support/contacter/mail/

Analysis

Consider locking this domain name at registry level

Some domain name locks are better than others. Most registrars can configure a lock that they control, which we call a registrar lock. This lock is useful, but at the next level there is the registry lock, which requires a further interaction with the registry for any changes. Registry locks should be used wherever possible for business-critical domain names.

DNS Zone

The global DNS infrastructure is organized as a series of hierarchical DNS zones. The root zone hosts a number of global and country TLDs, which in turn host further zones that are delegated to their customers. Each organization that controls a zone can delegate parts of its namespace to other zones. In this test we perform detailed inspection of a DNS zone, but only if the host being tested matches the zone.

Test passed

Everything seems to be well configured. Well done.

Nameserver Names

Nameservers can be referred to by name and by address. In this section we show the names, which can appear in the NS records, the referrals from the parent zone, and the SOA record. In some situations, servers from the parent zone respond authoritatively, in which case we will include them in the list as well.

Nameserver	Operational	IPv4	IPv6	Sources
ns1.gnu.org. PRIMARY 192.99.37.66 2607:5300:60:4c42::1				SOA NS REFERRAL
ns2.gnu.org. 192.99.35.98 2607:5300:60:4a62::1				NS REFERRAL
ns3.gnu.org. 185.199.142.2				NS REFERRAL
ns4.gnu.org. 188.165.235.157 2001:41d0:2:b69d::1				NS REFERRAL

Nameserver Addresses

This section shows the configuration of all discovered nameservers by their IP address. To find all applicable nameservers, we inspect the parent zone nameservers for names and glue and then the tested zone nameservers for NS records. We then resolve all discovered names to IP addresses. Finally, we test each address individually.

Nameserver	Sources	Payload Size
185.199.142.2 ns3.gnu.org. PTR: fsf0.ded.vikings.net.	NAME, GLUE	4096
188.165.235.157 ns4.gnu.org. PTR: ns4.gnu.org.	NAME, GLUE	1232
192.99.35.98 ns2.gnu.org. PTR: ns2.gnu.org.	NAME, GLUE	1232
192.99.37.66 PRIMARY ns1.gnu.org. PTR: ns1.gnu.org.	NAME, GLUE	1232
2001:41d0:2:b69d::1 ns4.gnu.org.	NAME, GLUE	1232
2607:5300:60:4a62::1 ns2.gnu.org.	NAME, GLUE	1232
2607:5300:60:4c42::1 PRIMARY ns1.gnu.org.	NAME, GLUE	1232

Start of Authority (SOA) Record

Start of Authority (SOA) records contain administrative information pertaining to one DNS zone, especially the configuration that's used for zone transfers between the primary nameserver and the secondaries. Only one SOA record should exist, with all nameservers providing the same information.

The domain name of the primary nameserver for the zone. Also known as MNAME.Primary nameserver	ns1.gnu.org.
Email address of the persons responsible for this zone. Also known as RNAME.Admin email	hostmaster.gnu.org.
Zone serial or version number.Serial number	2023120600
The length of time secondary nameservers should wait before querying the primary for changes.Refresh interval	3,600 seconds (about 1 hour)
The length of time secondary nameservers should wait before querying an unresponsive primary again.Retry interval	120 seconds (about 2 minutes)
The length of time after which secondary nameservers should stop responding to queries for a zone, assuming no updates were obtained from the primary.Expire interval	1,209,600 seconds (about 14 days)
TTL for purposes of negative response caching. Negative cache TTL	3,600 seconds (about 1 hour)
Time To Live (TTL) indicates for how long a record remains valid. SOA record TTL	1,800 seconds (about 30 minutes)

Analysis

Nameserver addresses should have reverse names

According to RFC 1912, having reverse DNS configuration in place for every nameserver is a best practice that maximizes the chances of correct DNS operation. Further, some anti-spam techniques use reverse name resolution to allow traffic.

Nameserver A and AAAA records should have matching reverse records

According to RFC 1912, nameserver's PTR records must match their A and AAAA records to ensure maximum interoperability.

Improve IPv6 support

The Internet is in a slow transition to supporting IPv6 widely. Although at this time it is expected that most recursive DNS servers will use IPv4, adding support for IPv6 will enable transition to networks that use IPv6 exclusively.

No problems detected with the zone configuration

Excellent. This DNS zone is in a good working order. No problems detected.

Backing DNS Queries

Below are all DNS queries we submitted during the zone inspection.

	ID	Server	Transport	Question Name	Type	Status

DNS Records

Correctly functioning name servers are necessary to hold and distribute information that's necessary for your domain name to operate correctly. Examples include converting names to IP addresses, determining where email should go, and so on. More recently, the DNS is being used to communicate email and other security policies.

Test passed

Everything seems to be well configured. Well done.

DNS Records

These are the results of individual DNS queries against your nameserver for common resource record types.

Name	TTL	Type	Data
gnu.org.	1800	A	209.51.188.116
www.gnu.org.	1800	A	209.51.188.116
gnu.org.	1800	AAAA	2001:470:142:5:0:0:0:116
www.gnu.org.	1800	AAAA	2001:470:142:5:0:0:0:116
gnu.org.	1800	CAA	0 issue "letsencrypt.org"
gnu.org.	1800	MX	10 eggs.gnu.org.
gnu.org.	1800	NS	ns3.gnu.org.
gnu.org.	1800	NS	ns2.gnu.org.
gnu.org.	1800	NS	ns1.gnu.org.
gnu.org.	1800	NS	ns4.gnu.org.
gnu.org.	1800	SOA	ns1.gnu.org. hostmaster.gnu.org. 2023120600 3600 120 1209600 3600
gnu.org.	1800	SSHFP	1 1 A2B0FA94793B921FC7A835A313CE8557F8D989E1
gnu.org.	1800	TXT	"v=spf1 ip4:209.51.188.0/24 ip4:74.94.156.208/28 ip6:2001:470:142::/48 ip6:2603:3005:71a:2e00::/64 ~all"
_dmarc.gnu.org.	1800	TXT	"v=DMARC1; p=none; rua=mailto:dmarc-rua@fsf.org"

Backing DNS Queries

Below are all DNS queries we submitted while inspecting the resource records.

	ID	Server	Question Name	Type	Status

DNSSEC

DNSSEC is an extension of the DNS protocol that provides cryptographic assurance of the authenticity and integrity of responses; it's intended as a defense against network attackers who are able to manipulate DNS to redirect their victims to servers of their choice. DNSSEC is controversial, with the industry split largely between those who think it's essential and those who believe that it's problematic and unnecessary.

Feature not applicable, not implemented, or disabled

Your server doesn't support this feature.

Useful DNSSEC Tools

Certification Authority Authorization

CAA (RFC 8659) is a new standard that allows domain name owners to restrict which CAs are allowed to issue certificates for their domains. This can help to reduce the chance of misissuance, either accidentally or maliciously. In September 2017, CAA became mandatory for CAs to implement.

Test passed

Everything seems to be well configured. Well done.

CAA Policy Information

The DNS hostname where this policy is located.Policy host	gnu.org
The issue property tag is used to request that certificate issuers perform CAA issue restriction processing for the domain and to grant authorization to specific certificate issuers.issue	letsencrypt.org flags: 0

Analysis

CAA policy found

Good. This domain name uses CAA to restrict which CAs are allowed to issue certificates for it.

Policy doesn't use reporting

This policy doesn't use reporting, which means that there is no way to contact you when a violation is detected. The CAA RFC defines the iodef property that can be used for this purpose. Do note that you're not guaranteed to be notified, given that CAs generally don't support notifications yet.

Email (SMTP)

An internet hostname can be served by zero or more mail servers, as specified by MX (mail exchange) DNS resource records. Each server can further resolve to multiple IP addresses, for example to handle IPv4 and IPv6 clients. Thus, in practice, hosts that wish to receive email reliably are supported by many endpoint.

Test passed

Everything seems to be well configured. Well done.

Some TLS and PKI information shown may have been retrieved from cache. The notes provide more information.

Server

Preference

Operational

STARTTLS

TLS

PKI

DNSSEC

DANE

eggs.gnu.org
2001:470:142:3:0:0:0:10
PTR: eggs.gnu.org

10

eggs.gnu.org
209.51.188.92
PTR: eggs.gnu.org

10

Analysis

Some SMTP server assessments have been retrieved from cache

Some SMTP server assessment results have been retrieved from our cache. Because many hosts point to the same SMTP servers, we use a short-term cache to avoid testing the same SMTP servers over and over again.

Latest cache timestamp: 21 Apr 2024 00:56 UTC

Earliest cache timestamp: 21 Apr 2024 00:56 UTC

Some SMTP server assessments contain partial information

Comprehensive TLS assessments require many connections, which is exactly what many SMTP servers don't like. We implement a two-tier assessment approach. To give you some results as fast as possible, we perform shallow assessments that use only one connection per SMTP server. We then have a background process that performs complete assessments slowly, trying to accommodate each server individually. The results presented here contain partial information. If you come back later we may be able to provide complete assessment resuls.

Email TLS (SMTP)

Transport Layer Security (TLS) is the most widely used encryption protocol on the Internet. In combination with valid certificates, servers can establish trusted communication channels even with users who have never visited them before. Network attackers can't uncover what is being communicated, even when they can see all the traffic.

Test passed

Everything seems to be well configured. Well done.

Some TLS and PKI information shown may have been retrieved from cache. The notes provide more information.

TLS Configuration: eggs.gnu.org (2001:470:142:3:0:0:0:10) Cached

Encryption protocol version determines what features are available for negotiation between client and server.Supported protocols	TLS v1.2
Shows cipher suite configuration for this protocol version.TLS v1.2	Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcca8 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC secp256r1 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits)
These results have been retrieved from our cache. This row indicates when was that the original test ran.Retrieved from cache	21 Apr 2024 00:56 UTC

Analysis

TLS 1.2 supported

Good. This server supports TLS 1.2, which can provide strong security when configured correctly. This version of the TLS protocol is necessary to provide good security with a wide range of clients that don't yet support TLS 1.3.

Strong key exchange detected

Excellent. All cipher suites on this server rely on strong key exchange. The sweet spot is 2048 bits for DHE and 256 bits for ECDHE. Putting ECDHE suites first guarantees best security and best performance.

Partial results shown

SMTP assessments usually take a long time. To get you some results faster, we initially perform shallow checks. If you come back later we may be able to show you complete results.

Relaxed TLS assessment criteria applied to SMTP on port 25

We apply relaxed assessment criteria when evaluating TLS configuration of SMTP servers on port 25. This is because most delivery agents fall back to delivering via plaintext on failure to negotiate encryption. Some configuration elements that can be abused to attack other ports and protocols (e.g., SSLv2 and export cipher suites) are penalized in the same way as for other protocols. We will review this policy in the future.

TLS Configuration: eggs.gnu.org (209.51.188.92) Cached

Encryption protocol version determines what features are available for negotiation between client and server.Supported protocols	TLS v1.2
Shows cipher suite configuration for this protocol version.TLS v1.2	Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcca8 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC secp256r1 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits)
These results have been retrieved from our cache. This row indicates when was that the original test ran.Retrieved from cache	21 Apr 2024 00:56 UTC

Analysis

TLS 1.2 supported

Good. This server supports TLS 1.2, which can provide strong security when configured correctly. This version of the TLS protocol is necessary to provide good security with a wide range of clients that don't yet support TLS 1.3.

Strong key exchange detected

Excellent. All cipher suites on this server rely on strong key exchange. The sweet spot is 2048 bits for DHE and 256 bits for ECDHE. Putting ECDHE suites first guarantees best security and best performance.

Partial results shown

SMTP assessments usually take a long time. To get you some results faster, we initially perform shallow checks. If you come back later we may be able to show you complete results.

Relaxed TLS assessment criteria applied to SMTP on port 25

We apply relaxed assessment criteria when evaluating TLS configuration of SMTP servers on port 25. This is because most delivery agents fall back to delivering via plaintext on failure to negotiate encryption. Some configuration elements that can be abused to attack other ports and protocols (e.g., SSLv2 and export cipher suites) are penalized in the same way as for other protocols. We will review this policy in the future.

Email Certificates (SMTP)

A certificate is a digital document that contains a public key, some information about the entity associated with it, and a digital signature from the certificate issuer. It’s a mechanism that enables us to exchange, store, and use public keys. Being able to reliably verify the identity of a remote server is crucial in order to achieve secure encrypted communication.

Test passed

Everything seems to be well configured. Well done.

Some TLS and PKI information shown may have been retrieved from cache. The notes provide more information.

Certificate #1 Cached

Leaf certificate

eggs.gnu.org
Issuer: Let's Encrypt
Not Before: 02 Mar 2024 12:10:15 UTC
Not After: 31 May 2024 12:10:14 UTC (expires in 1 month 5 days)
Key: RSA 2048 bits
Signature: SHA256withRSA
View details

Names	eggs.gnu.org
Subject DN	CN=eggs.gnu.org
Subject Key Identifier	c6268528f649658b057eea7b590de26d055fef16
Serial	30c8e80b0a80dcbcc9229b89d9a5152ed93
Not Before	02 Mar 2024 12:10:15 UTC
Not After	31 May 2024 12:10:14 UTC
Validity period	90 days
Key Usage	digitalSignature, keyEncipherment
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=R3, O=Let's Encrypt, C=US
Certification Authority	Let's Encrypt
Validation Type	Domain Validation (DV)
Authority Key Identifier	keyid:142eb317b75856cbae500940e61faf9d8b14c2c6
Parent Certificate	http://r3.i.lencr.org/
OCSP	http://r3.o.lencr.org
Certificate Transparency
Signed Certificate Timestamps	02 Mar 2024 13:10:15 UTC \| DigiCert Yeti2024 Log \| Qualified 02 Mar 2024 13:10:15 UTC \| Let's Encrypt 'Oak2024H1' log \| Qualified
Fingerprints
SHA1	bc797534e341beccc2e44d65f844a7cf2c2845f0
SHA256	8cb0ff0ae2cc61c8930af143586bad96353c3ddcebfd627e2427b4b4e202b992
SPKI SHA256	2598fa92046e317022e0b777633cd55eb4d915e883446ed670505b00196d89da

Analysis

Strong private key

Good. The private key associated with this certificate is secure.

Strong signature algorithm

Good. This certificate uses a strong signature algorithm.

Certificate matches hostname

Good. The provided certificate matches the expected hostnames.

Certificate dates match

Good. The certificate is valid for use at this point of time.

Certificate has not been revoked

Good. This certificate has not been revoked.

Certificate satisfies Apple's CT compliance requirements

Good. This certificate satisfies Apple's CT requirements at present.

Certificate Chain

Leaf certificate

eggs.gnu.org | 8cb0ff0
Not After: 31 May 2024 12:10:14 UTC (expires in 1 month 5 days)
Authentication: RSA 2048 bits (SHA256withRSA)
View details

Names	eggs.gnu.org
Subject DN	CN=eggs.gnu.org
Subject Key Identifier	c6268528f649658b057eea7b590de26d055fef16
Serial	30c8e80b0a80dcbcc9229b89d9a5152ed93
Not Before	02 Mar 2024 12:10:15 UTC
Not After	31 May 2024 12:10:14 UTC
Validity period	90 days
Key Usage	digitalSignature, keyEncipherment
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=R3, O=Let's Encrypt, C=US
Certification Authority	Let's Encrypt
Validation Type	Domain Validation (DV)
Authority Key Identifier	keyid:142eb317b75856cbae500940e61faf9d8b14c2c6
Parent Certificate	http://r3.i.lencr.org/
OCSP	http://r3.o.lencr.org
Certificate Transparency
Signed Certificate Timestamps	02 Mar 2024 13:10:15 UTC \| DigiCert Yeti2024 Log \| Qualified 02 Mar 2024 13:10:15 UTC \| Let's Encrypt 'Oak2024H1' log \| Qualified
Fingerprints
SHA1	bc797534e341beccc2e44d65f844a7cf2c2845f0
SHA256	8cb0ff0ae2cc61c8930af143586bad96353c3ddcebfd627e2427b4b4e202b992
SPKI SHA256	2598fa92046e317022e0b777633cd55eb4d915e883446ed670505b00196d89da

Intermediate certificate

R3 | 67add11
Not After: 15 Sep 2025 16:00:00 UTC (expires in 1 year 4 months)
Authentication: RSA 2048 bits (SHA256withRSA)
View details

Subject DN	CN=R3, O=Let's Encrypt, C=US
Subject Key Identifier	142eb317b75856cbae500940e61faf9d8b14c2c6
Serial	912b084acf0c18a753f6d62e25a75f5a
Not Before	04 Sep 2020 00:00:00 UTC
Not After	15 Sep 2025 16:00:00 UTC
Validity period	1838 days
Key Usage	digitalSignature, keyCertSign, cRLSign
Extended Key Usage	clientAuth, serverAuth
Issuer
Issuer DN	CN=ISRG Root X1, O=Internet Security Research Group, C=US
Certification Authority	Let's Encrypt
Validation Type	Not Applicable
Authority Key Identifier	keyid:79b459e67bb6e5e40173800888c81a58f6e99b6e
Parent Certificate	http://x1.i.lencr.org/
CRL	http://x1.c.lencr.org/
CA certificate	Yes (pathlen 0)
Fingerprints
SHA1	a053375bfe84e8b748782c7cee15827a6af5a405
SHA256	67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd
SPKI SHA256	8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d

Root certificate

ISRG Root X1 | 96bcec0
Not After: 04 Jun 2035 11:04:38 UTC (expires in 11 years 1 month)
Authentication: RSA 4096 bits (SHA256withRSA)
View details

Subject DN	CN=ISRG Root X1, O=Internet Security Research Group, C=US
Subject Key Identifier	79b459e67bb6e5e40173800888c81a58f6e99b6e
Serial	8210cfb0d240e3594463e0bb63828b00
Not Before	04 Jun 2015 11:04:38 UTC
Not After	04 Jun 2035 11:04:38 UTC
Key Usage	keyCertSign, cRLSign
Issuer
Issuer DN	CN=ISRG Root X1, O=Internet Security Research Group, C=US
Certification Authority	Let's Encrypt
Validation Type	Self-signed
CA certificate	Yes (pathlen unlimited)
Fingerprints
SHA1	cabd2a79a1076a31f21d253635cb039d4329a5e8
SHA256	96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6
SPKI SHA256	0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3

Analysis

Certificate chain is correct

Good. This chain contains all the right certificates and in the right order.

Email DANE (SMTP)

DNS-based Authentication of Named Entities (DANE) is a bridge between DNSSEC and TLS. In one possible scenario, DANE can be used for public key pinning, building on an existing publicly-trusted certificate. In another approach, it can be used to completely bypass the CA ecosystem and establish trust using DNSSEC alone.

Feature not applicable, not implemented, or disabled

Your server doesn't support this feature.

SPF

Sender Policy Framework (SPF) is a protocol that allows domain name owners to control which internet hosts are allowed to send email on their behalf. This simple mechanism can be used to reduce the effect of email spoofing and cut down on spam.

Test passed

Everything seems to be well configured. Well done.

SPF Policy Information Main policy

Host where this policy is located.Location	gnu.org
SPF version used by this policy.v	spf1
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	209.51.188.0/24
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	74.94.156.208/28
This mechanism tests whether the IP address being tested is contained within a given IPv6 network. ip6	2001:470:142::/48
This mechanism tests whether the IP address being tested is contained within a given IPv6 network. ip6	2603:3005:71a:2e00::/64
This policy element always matches. It's normally used at the end of a policy to specify the handling of hosts that don't match earlier mechanisms. ~all

Analysis

SPF policy found

Policy text: v=spf1 ip4:209.51.188.0/24 ip4:74.94.156.208/28 ip6:2001:470:142::/48 ip6:2603:3005:71a:2e00::/64 ~all

Location: gnu.org

SPF policy is valid

Good. Your SPF policy is syntactically valid.

Policy DNS lookups under limit

Good. Your policy stays under the limit of up to 10 DNS queries. The SPF specification Section 4.6.4. requires implementations to limit the total number of DNS queries. Policies that exceed the limit should not be used and may not work in practice.

Lookups: 0

DMARC

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a scalable mechanism by which a mail-originating organization can express domain-level policies and preferences for message validation, disposition, and reporting, that a mail-receiving organization can use to improve mail handling.

Test failed

We've detected serious problems that require your immediate attention.

DMARC Policy Information

The location from which we obtained this policy.Policy location	_dmarc.gnu.org
DMARC version used by this policy.v	DMARC1
Indicates the policy to be enacted by the receiver at the request of the domain owner. Possible values are: none, quarantine, and reject.p	none
Addresses to which aggregate feedback is to be sent.rua	mailto:dmarc-rua@fsf.org

Analysis

DMARC policy found

Policy: v=DMARC1; p=none; rua=mailto:dmarc-rua@fsf.org

Host: _dmarc.gnu.org

Invalid external destination

This policy uses an external report destination that is not authorized because the permission record doesn't exist. Please refer to RFC 7489, Section 7.1, for instructions how to correct this problem.

Expected permission record location: gnu.org._report._dmarc.fsf.org

External destination: mailto:dmarc-rua@fsf.org

DMARC policy is invalid

Your DMARC policy is invalid.

MTA Strict Transport Security

SMTP Mail Transfer Agent Strict Transport Security (MTA-STS) is a mechanism enabling mail service providers to declare their ability to receive Transport Layer Security (TLS) secure SMTP connections, and to specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a trusted server certificate.

Feature not applicable, not implemented, or disabled

Your server doesn't support this feature.

SMTP TLS Reporting

SMTP TLS Reporting (RFC 8460), or TLS-RPT for short, describes a reporting mechanism and format by which systems sending email can share statistics and specific information about potential failures with recipient domains. Recipient domains can then use this information to both detect potential attacks and diagnose unintentional misconfigurations. TLS-RPT can be used with DANE or MTA-STS.

Feature not applicable, not implemented, or disabled

Your server doesn't support this feature.

HTTP (80)

To observe your HTTP implementation, we submit a request to the homepage of your site on port 80, follow all redirections (even when they take us to other domain names), and record the returned HTTP headers.

Test failed

We've detected serious problems that require your immediate attention.

URL: http://gnu.org/

1

http://gnu.org/

HTTP/1.1 301 Moved Permanently

Date	Fri, 26 Apr 2024 00:37:34 GMT
Server	Apache/2.4.29
Strict-Transport-Security	max-age=63072000; includeSubDomains; preload
X-Frame-Options	sameorigin
X-Content-Type-Options	nosniff
Location	http://www.gnu.org/
Content-Length	291
Keep-Alive	timeout=5, max=100
Connection	Keep-Alive
Content-Type	text/html; charset=iso-8859-1

2

http://www.gnu.org/

HTTP/1.1 200 OK

Date	Fri, 26 Apr 2024 00:37:34 GMT
Server	Apache/2.4.29
Content-Location	home.html
Vary	negotiate,accept-language,Accept-Encoding
TCN	choice
Strict-Transport-Security	max-age=63072000; includeSubDomains; preload
X-Frame-Options	sameorigin
X-Content-Type-Options	nosniff
Access-Control-Allow-Origin	(null)
Accept-Ranges	bytes
Cache-Control	max-age=0
Expires	Fri, 26 Apr 2024 00:37:34 GMT
Keep-Alive	timeout=5, max=100
Connection	Keep-Alive
Content-Type	text/html
Content-Language	en

Analysis

Plaintext HTTP server doesn't redirect to HTTPS

This plaintext HTTP server doesn't redirect to HTTPS, leaving its user vulnerable to content sniffing and active network attacks. From late July 2018, Chrome marks plaintext web sites as 'not secure'. We recommend that a redirection is added as soon as possible.

URL: http://www.gnu.org/

1

http://www.gnu.org/

HTTP/1.1 200 OK

Date	Fri, 26 Apr 2024 00:37:34 GMT
Server	Apache/2.4.29
Content-Location	home.html
Vary	negotiate,accept-language,Accept-Encoding
TCN	choice
Strict-Transport-Security	max-age=63072000; includeSubDomains; preload
X-Frame-Options	sameorigin
X-Content-Type-Options	nosniff
Access-Control-Allow-Origin	(null)
Accept-Ranges	bytes
Cache-Control	max-age=0
Expires	Fri, 26 Apr 2024 00:37:34 GMT
Keep-Alive	timeout=5, max=100
Connection	Keep-Alive
Content-Type	text/html
Content-Language	en

Analysis

Plaintext HTTP server doesn't redirect to HTTPS

This plaintext HTTP server doesn't redirect to HTTPS, leaving its user vulnerable to content sniffing and active network attacks. From late July 2018, Chrome marks plaintext web sites as 'not secure'. We recommend that a redirection is added as soon as possible.

HTTP (443)

To observe your HTTPS implementation, we submit a request to the homepage of your site on port 443, follow all redirections (even when they take us to other domain names), and record the returned HTTP headers. We use the most recent set of headers returned from the tested hostname for further tests such as HSTS and HPKP.

Test passed

Everything seems to be well configured. Well done.

URL: https://gnu.org/

1

https://gnu.org/

HTTP/1.1 301 Moved Permanently

Date	Fri, 26 Apr 2024 00:37:34 GMT
Server	Apache/2.4.29
Strict-Transport-Security	max-age=63072000; includeSubDomains; preload
X-Frame-Options	sameorigin
X-Content-Type-Options	nosniff
Location	https://www.gnu.org/
Content-Length	293
Keep-Alive	timeout=5, max=100
Connection	Keep-Alive
Content-Type	text/html; charset=iso-8859-1

2

https://www.gnu.org/

HTTP/1.1 200 OK

Date	Fri, 26 Apr 2024 00:37:34 GMT
Server	Apache/2.4.29
Content-Location	home.html
Vary	negotiate,accept-language,Accept-Encoding
TCN	choice
Strict-Transport-Security	max-age=63072000
X-Frame-Options	sameorigin
X-Content-Type-Options	nosniff
Access-Control-Allow-Origin	(null)
Accept-Ranges	bytes
Cache-Control	max-age=0
Expires	Fri, 26 Apr 2024 00:37:34 GMT
Keep-Alive	timeout=5, max=100
Connection	Keep-Alive
Content-Type	text/html
Content-Language	en

URL: https://www.gnu.org/

1

https://www.gnu.org/

HTTP/1.1 200 OK

Date	Fri, 26 Apr 2024 00:37:34 GMT
Server	Apache/2.4.29
Content-Location	home.html
Vary	negotiate,accept-language,Accept-Encoding
TCN	choice
Strict-Transport-Security	max-age=63072000
X-Frame-Options	sameorigin
X-Content-Type-Options	nosniff
Access-Control-Allow-Origin	(null)
Accept-Ranges	bytes
Cache-Control	max-age=0
Expires	Fri, 26 Apr 2024 00:37:34 GMT
Keep-Alive	timeout=5, max=100
Connection	Keep-Alive
Content-Type	text/html
Content-Language	en

WWW TLS

Transport Layer Security (TLS) is the most widely used encryption protocol on the Internet. In combination with valid certificates, servers can establish trusted communication channels even with users who have never visited them before. Network attackers can't uncover what is being communicated, even when they can see all the traffic.

Test passed, but there are warnings

Some aspect of your site's configuration require your attention.

TLS Configuration: gnu.org (2001:470:142:5:0:0:0:116)

Encryption protocol version determines what features are available for negotiation between client and server.Supported protocols	TLS v1.3 TLS v1.2 TLS v1.1 TLS v1.0
Servers should always enforce their own cipher suite preference, as that is the only approach that guarantees that the best possible suite is selected.Server suite preference
Shows cipher suite configuration for this protocol version.TLS v1.3 Server preference	Suite: TLS_AES_256_GCM_SHA384 Suite ID: 0x1302 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_CHACHA20_POLY1305_SHA256 Suite ID: 0x1303 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_AES_128_GCM_SHA256 Suite ID: 0x1301 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits)
Shows cipher suite configuration for this protocol version.TLS v1.2 Server preference	Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Suite ID: 0xc027 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0x9c Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 128 bits Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc030 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcca8 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 Suite ID: 0xc061 Cipher name: ARIA Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0xc02f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 Suite ID: 0xc060 Cipher name: ARIA Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Suite ID: 0xc028 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 Suite ID: 0xc077 Cipher name: CAMELLIA Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 Suite ID: 0xc076 Cipher name: CAMELLIA Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Suite ID: 0xc014 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Suite ID: 0xc013 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0x9d Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA384 TLS_RSA_WITH_AES_256_GCM_SHA384 256 bits Suite: TLS_RSA_WITH_AES_256_CCM_8 Suite ID: 0xc0a1 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_256_CCM_8 256 bits Suite: TLS_RSA_WITH_AES_256_CCM Suite ID: 0xc09d Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_256_CCM 256 bits Suite: TLS_RSA_WITH_ARIA_256_GCM_SHA384 Suite ID: 0xc051 Cipher name: ARIA Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA384 TLS_RSA_WITH_ARIA_256_GCM_SHA384 256 bits Suite: TLS_RSA_WITH_AES_128_CCM_8 Suite ID: 0xc0a0 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_128_CCM_8 128 bits Suite: TLS_RSA_WITH_AES_128_CCM Suite ID: 0xc09c Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_128_CCM 128 bits Suite: TLS_RSA_WITH_ARIA_128_GCM_SHA256 Suite ID: 0xc050 Cipher name: ARIA Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_ARIA_128_GCM_SHA256 128 bits Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 Suite ID: 0x3d Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 256 bits Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 Suite ID: 0xc0 Cipher name: CAMELLIA Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 256 bits Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 Suite ID: 0x3c Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 128 bits Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 Suite ID: 0xba Cipher name: CAMELLIA Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 128 bits Suite: TLS_RSA_WITH_AES_256_CBC_SHA Suite ID: 0x35 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_256_CBC_SHA 256 bits Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA Suite ID: 0x84 Cipher name: CAMELLIA Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 256 bits Suite: TLS_RSA_WITH_AES_128_CBC_SHA Suite ID: 0x2f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_128_CBC_SHA 128 bits Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA Suite ID: 0x41 Cipher name: CAMELLIA Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 128 bits
Shows cipher suite configuration for this protocol version.TLS v1.1 Server preference	Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Suite ID: 0xc014 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Suite ID: 0xc013 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_256_CBC_SHA Suite ID: 0x35 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_256_CBC_SHA 256 bits Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA Suite ID: 0x84 Cipher name: CAMELLIA Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 256 bits Suite: TLS_RSA_WITH_AES_128_CBC_SHA Suite ID: 0x2f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_128_CBC_SHA 128 bits Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA Suite ID: 0x41 Cipher name: CAMELLIA Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 128 bits
Shows cipher suite configuration for this protocol version.TLS v1.0 Server preference	Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Suite ID: 0xc014 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Suite ID: 0xc013 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_256_CBC_SHA Suite ID: 0x35 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_256_CBC_SHA 256 bits Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA Suite ID: 0x84 Cipher name: CAMELLIA Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 256 bits Suite: TLS_RSA_WITH_AES_128_CBC_SHA Suite ID: 0x2f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_128_CBC_SHA 128 bits Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA Suite ID: 0x41 Cipher name: CAMELLIA Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 128 bits

Analysis

Deprecated protocols supported

TLS 1.0 and TLS 1.1 are deprecated protocols that should be disabled if possible. TLS 1.0, in particular, is a weak older protocol that has many weaknesses. Sites that aim at a wide audience might still need to support TLS 1.0 for the time being, because many older clients don't support newer protocol versions. Sites with a modern user base might be able to disable TLS 1.0 even now. We recommend that you enable logging of encryption parameters, after which you can examine your protocol usage and make a decision with confidence. As of July 2018, PCI DSS doesn't allow use of TLS 1.0. Exceptions apply in some cases.

TLS 1.3 supported

Excellent. This server supports TLS 1.3, which is the latest revision of the TLS protocol and a significant improvement over earlier versions. Developed over a period of several years and extensively analyzed prior to the release, TLS 1.3 removed insecure features, and improved both security and performance.

TLS 1.2 supported

Good. This server supports TLS 1.2, which can provide strong security when configured correctly. This version of the TLS protocol is necessary to provide good security with a wide range of clients that don't yet support TLS 1.3.

Strong key exchange detected

Excellent. All cipher suites on this server rely on strong key exchange. The sweet spot is 2048 bits for DHE and 256 bits for ECDHE. Putting ECDHE suites first guarantees best security and best performance.

Reconfigure server to use forward secrecy and authenticated encryption

Even though this server supports TLS 1.2, the cipher suite configuration is suboptimal. We recommend that you reconfigure the server so that the cipher suites providing forward secrecy (ECDHE or DHE in the name, in this order of preference) and authenticated encryption (GCM or CHACHA20 in the name) are at the top. The server must also be configured to select the best-available suite.

Server enforces cipher suite preferences

Excellent. This server enforces server cipher suite preference, which means that it is able to select the best suite from the options submitted by clients. Combined with a well designed list of supported cipher suites, this settings enables negotiation of best security.

All TLS connections with this server satisfy Apple's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT

All TLS connections with this server satisfy Chrome's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT

DHE suites not supported

This server doesn't support the Diffie-Hellman (DH) key exchange.

TLS Configuration: gnu.org (209.51.188.116)

Encryption protocol version determines what features are available for negotiation between client and server.Supported protocols	TLS v1.3 TLS v1.2 TLS v1.1 TLS v1.0
Servers should always enforce their own cipher suite preference, as that is the only approach that guarantees that the best possible suite is selected.Server suite preference
Shows cipher suite configuration for this protocol version.TLS v1.3 Server preference	Suite: TLS_AES_256_GCM_SHA384 Suite ID: 0x1302 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_CHACHA20_POLY1305_SHA256 Suite ID: 0x1303 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_AES_128_GCM_SHA256 Suite ID: 0x1301 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits)
Shows cipher suite configuration for this protocol version.TLS v1.2 Server preference	Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Suite ID: 0xc027 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0x9c Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 128 bits Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc030 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcca8 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 Suite ID: 0xc061 Cipher name: ARIA Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0xc02f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 Suite ID: 0xc060 Cipher name: ARIA Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Suite ID: 0xc028 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 Suite ID: 0xc077 Cipher name: CAMELLIA Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 Suite ID: 0xc076 Cipher name: CAMELLIA Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Suite ID: 0xc014 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Suite ID: 0xc013 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0x9d Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA384 TLS_RSA_WITH_AES_256_GCM_SHA384 256 bits Suite: TLS_RSA_WITH_AES_256_CCM_8 Suite ID: 0xc0a1 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_256_CCM_8 256 bits Suite: TLS_RSA_WITH_AES_256_CCM Suite ID: 0xc09d Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_256_CCM 256 bits Suite: TLS_RSA_WITH_ARIA_256_GCM_SHA384 Suite ID: 0xc051 Cipher name: ARIA Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA384 TLS_RSA_WITH_ARIA_256_GCM_SHA384 256 bits Suite: TLS_RSA_WITH_AES_128_CCM_8 Suite ID: 0xc0a0 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_128_CCM_8 128 bits Suite: TLS_RSA_WITH_AES_128_CCM Suite ID: 0xc09c Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_128_CCM 128 bits Suite: TLS_RSA_WITH_ARIA_128_GCM_SHA256 Suite ID: 0xc050 Cipher name: ARIA Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_ARIA_128_GCM_SHA256 128 bits Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 Suite ID: 0x3d Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 256 bits Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 Suite ID: 0xc0 Cipher name: CAMELLIA Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 256 bits Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 Suite ID: 0x3c Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 128 bits Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 Suite ID: 0xba Cipher name: CAMELLIA Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 128 bits Suite: TLS_RSA_WITH_AES_256_CBC_SHA Suite ID: 0x35 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_256_CBC_SHA 256 bits Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA Suite ID: 0x84 Cipher name: CAMELLIA Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 256 bits Suite: TLS_RSA_WITH_AES_128_CBC_SHA Suite ID: 0x2f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_128_CBC_SHA 128 bits Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA Suite ID: 0x41 Cipher name: CAMELLIA Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 128 bits
Shows cipher suite configuration for this protocol version.TLS v1.1 Server preference	Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Suite ID: 0xc014 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Suite ID: 0xc013 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_256_CBC_SHA Suite ID: 0x35 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_256_CBC_SHA 256 bits Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA Suite ID: 0x84 Cipher name: CAMELLIA Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 256 bits Suite: TLS_RSA_WITH_AES_128_CBC_SHA Suite ID: 0x2f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_128_CBC_SHA 128 bits Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA Suite ID: 0x41 Cipher name: CAMELLIA Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 128 bits
Shows cipher suite configuration for this protocol version.TLS v1.0 Server preference	Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Suite ID: 0xc014 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Suite ID: 0xc013 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_256_CBC_SHA Suite ID: 0x35 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_256_CBC_SHA 256 bits Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA Suite ID: 0x84 Cipher name: CAMELLIA Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 256 bits Suite: TLS_RSA_WITH_AES_128_CBC_SHA Suite ID: 0x2f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_128_CBC_SHA 128 bits Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA Suite ID: 0x41 Cipher name: CAMELLIA Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 128 bits

Analysis

Deprecated protocols supported

TLS 1.0 and TLS 1.1 are deprecated protocols that should be disabled if possible. TLS 1.0, in particular, is a weak older protocol that has many weaknesses. Sites that aim at a wide audience might still need to support TLS 1.0 for the time being, because many older clients don't support newer protocol versions. Sites with a modern user base might be able to disable TLS 1.0 even now. We recommend that you enable logging of encryption parameters, after which you can examine your protocol usage and make a decision with confidence. As of July 2018, PCI DSS doesn't allow use of TLS 1.0. Exceptions apply in some cases.

TLS 1.3 supported

Excellent. This server supports TLS 1.3, which is the latest revision of the TLS protocol and a significant improvement over earlier versions. Developed over a period of several years and extensively analyzed prior to the release, TLS 1.3 removed insecure features, and improved both security and performance.

TLS 1.2 supported

Good. This server supports TLS 1.2, which can provide strong security when configured correctly. This version of the TLS protocol is necessary to provide good security with a wide range of clients that don't yet support TLS 1.3.

Strong key exchange detected

Excellent. All cipher suites on this server rely on strong key exchange. The sweet spot is 2048 bits for DHE and 256 bits for ECDHE. Putting ECDHE suites first guarantees best security and best performance.

Reconfigure server to use forward secrecy and authenticated encryption

Even though this server supports TLS 1.2, the cipher suite configuration is suboptimal. We recommend that you reconfigure the server so that the cipher suites providing forward secrecy (ECDHE or DHE in the name, in this order of preference) and authenticated encryption (GCM or CHACHA20 in the name) are at the top. The server must also be configured to select the best-available suite.

Server enforces cipher suite preferences

Excellent. This server enforces server cipher suite preference, which means that it is able to select the best suite from the options submitted by clients. Combined with a well designed list of supported cipher suites, this settings enables negotiation of best security.

All TLS connections with this server satisfy Apple's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT

All TLS connections with this server satisfy Chrome's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT

DHE suites not supported

This server doesn't support the Diffie-Hellman (DH) key exchange.

TLS Configuration: www.gnu.org (2001:470:142:5:0:0:0:116)

Encryption protocol version determines what features are available for negotiation between client and server.Supported protocols	TLS v1.3 TLS v1.2 TLS v1.1 TLS v1.0
Servers should always enforce their own cipher suite preference, as that is the only approach that guarantees that the best possible suite is selected.Server suite preference
Shows cipher suite configuration for this protocol version.TLS v1.3 Server preference	Suite: TLS_AES_256_GCM_SHA384 Suite ID: 0x1302 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_CHACHA20_POLY1305_SHA256 Suite ID: 0x1303 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_AES_128_GCM_SHA256 Suite ID: 0x1301 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits)
Shows cipher suite configuration for this protocol version.TLS v1.2 Server preference	Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcca8 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0xc02f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc030 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0x9e Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: DHE_RSA Key exchange strength: 2048 bits Forward secrecy: Yes PRF: SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 128 bits (DHE 2048 bits) Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0x9f Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: DHE_RSA Key exchange strength: 2048 bits Forward secrecy: Yes PRF: SHA384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 256 bits (DHE 2048 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Suite ID: 0xc027 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Suite ID: 0xc028 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Suite ID: 0xc013 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Suite ID: 0xc014 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 256 bits (ECDHE 256 bits) Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 Suite ID: 0x67 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: DHE_RSA Key exchange strength: 2048 bits Forward secrecy: Yes PRF: SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 128 bits (DHE 2048 bits) Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA Suite ID: 0x33 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: DHE_RSA Key exchange strength: 2048 bits Forward secrecy: Yes PRF: SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA 128 bits (DHE 2048 bits) Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 Suite ID: 0x6b Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: DHE_RSA Key exchange strength: 2048 bits Forward secrecy: Yes PRF: SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 256 bits (DHE 2048 bits) Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA Suite ID: 0x39 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: DHE_RSA Key exchange strength: 2048 bits Forward secrecy: Yes PRF: SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA 256 bits (DHE 2048 bits) Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0x9c Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 128 bits Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0x9d Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA384 TLS_RSA_WITH_AES_256_GCM_SHA384 256 bits Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 Suite ID: 0x3c Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 128 bits Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 Suite ID: 0x3d Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 256 bits Suite: TLS_RSA_WITH_AES_128_CBC_SHA Suite ID: 0x2f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_128_CBC_SHA 128 bits Suite: TLS_RSA_WITH_AES_256_CBC_SHA Suite ID: 0x35 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_256_CBC_SHA 256 bits
Shows cipher suite configuration for this protocol version.TLS v1.1 Server preference	Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Suite ID: 0xc013 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Suite ID: 0xc014 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 256 bits (ECDHE 256 bits) Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA Suite ID: 0x33 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: DHE_RSA Key exchange strength: 2048 bits Forward secrecy: Yes PRF: SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA 128 bits (DHE 2048 bits) Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA Suite ID: 0x39 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: DHE_RSA Key exchange strength: 2048 bits Forward secrecy: Yes PRF: SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA 256 bits (DHE 2048 bits) Suite: TLS_RSA_WITH_AES_128_CBC_SHA Suite ID: 0x2f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_128_CBC_SHA 128 bits Suite: TLS_RSA_WITH_AES_256_CBC_SHA Suite ID: 0x35 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_256_CBC_SHA 256 bits
Shows cipher suite configuration for this protocol version.TLS v1.0 Server preference	Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Suite ID: 0xc013 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Suite ID: 0xc014 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 256 bits (ECDHE 256 bits) Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA Suite ID: 0x33 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: DHE_RSA Key exchange strength: 2048 bits Forward secrecy: Yes PRF: SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA 128 bits (DHE 2048 bits) Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA Suite ID: 0x39 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: DHE_RSA Key exchange strength: 2048 bits Forward secrecy: Yes PRF: SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA 256 bits (DHE 2048 bits) Suite: TLS_RSA_WITH_AES_128_CBC_SHA Suite ID: 0x2f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_128_CBC_SHA 128 bits Suite: TLS_RSA_WITH_AES_256_CBC_SHA Suite ID: 0x35 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_256_CBC_SHA 256 bits

Analysis

Deprecated protocols supported

TLS 1.0 and TLS 1.1 are deprecated protocols that should be disabled if possible. TLS 1.0, in particular, is a weak older protocol that has many weaknesses. Sites that aim at a wide audience might still need to support TLS 1.0 for the time being, because many older clients don't support newer protocol versions. Sites with a modern user base might be able to disable TLS 1.0 even now. We recommend that you enable logging of encryption parameters, after which you can examine your protocol usage and make a decision with confidence. As of July 2018, PCI DSS doesn't allow use of TLS 1.0. Exceptions apply in some cases.

TLS 1.3 supported

Excellent. This server supports TLS 1.3, which is the latest revision of the TLS protocol and a significant improvement over earlier versions. Developed over a period of several years and extensively analyzed prior to the release, TLS 1.3 removed insecure features, and improved both security and performance.

TLS 1.2 supported

Good. This server supports TLS 1.2, which can provide strong security when configured correctly. This version of the TLS protocol is necessary to provide good security with a wide range of clients that don't yet support TLS 1.3.

Strong key exchange detected

Excellent. All cipher suites on this server rely on strong key exchange. The sweet spot is 2048 bits for DHE and 256 bits for ECDHE. Putting ECDHE suites first guarantees best security and best performance.

Server prefers forward secrecy and authenticated encryption suites

Excellent. Not only does this server enforce its server preference, but it also has at the top of the list suites that support both forward secrecy and authenticated encryption. This is the best TLS 1.2 can offer.

Server enforces cipher suite preferences

Excellent. This server enforces server cipher suite preference, which means that it is able to select the best suite from the options submitted by clients. Combined with a well designed list of supported cipher suites, this settings enables negotiation of best security.

All TLS connections with this server satisfy Apple's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT

All TLS connections with this server satisfy Chrome's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT

DHE server parameter not reused

This server does not reuse the private value used for the Diffie-Hellman key exchange.

TLS Configuration: www.gnu.org (209.51.188.116)

Encryption protocol version determines what features are available for negotiation between client and server.Supported protocols	TLS v1.3 TLS v1.2 TLS v1.1 TLS v1.0
Servers should always enforce their own cipher suite preference, as that is the only approach that guarantees that the best possible suite is selected.Server suite preference
Shows cipher suite configuration for this protocol version.TLS v1.3 Server preference	Suite: TLS_AES_256_GCM_SHA384 Suite ID: 0x1302 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_CHACHA20_POLY1305_SHA256 Suite ID: 0x1303 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_AES_128_GCM_SHA256 Suite ID: 0x1301 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits)
Shows cipher suite configuration for this protocol version.TLS v1.2 Server preference	Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcca8 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0xc02f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc030 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0x9e Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: DHE_RSA Key exchange strength: 2048 bits Forward secrecy: Yes PRF: SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 128 bits (DHE 2048 bits) Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0x9f Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: DHE_RSA Key exchange strength: 2048 bits Forward secrecy: Yes PRF: SHA384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 256 bits (DHE 2048 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Suite ID: 0xc027 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Suite ID: 0xc028 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Suite ID: 0xc013 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Suite ID: 0xc014 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 256 bits (ECDHE 256 bits) Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 Suite ID: 0x67 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: DHE_RSA Key exchange strength: 2048 bits Forward secrecy: Yes PRF: SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 128 bits (DHE 2048 bits) Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA Suite ID: 0x33 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: DHE_RSA Key exchange strength: 2048 bits Forward secrecy: Yes PRF: SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA 128 bits (DHE 2048 bits) Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 Suite ID: 0x6b Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: DHE_RSA Key exchange strength: 2048 bits Forward secrecy: Yes PRF: SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 256 bits (DHE 2048 bits) Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA Suite ID: 0x39 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: DHE_RSA Key exchange strength: 2048 bits Forward secrecy: Yes PRF: SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA 256 bits (DHE 2048 bits) Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0x9c Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 128 bits Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0x9d Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA384 TLS_RSA_WITH_AES_256_GCM_SHA384 256 bits Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 Suite ID: 0x3c Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 128 bits Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 Suite ID: 0x3d Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 256 bits Suite: TLS_RSA_WITH_AES_128_CBC_SHA Suite ID: 0x2f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_128_CBC_SHA 128 bits Suite: TLS_RSA_WITH_AES_256_CBC_SHA Suite ID: 0x35 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_256_CBC_SHA 256 bits
Shows cipher suite configuration for this protocol version.TLS v1.1 Server preference	Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Suite ID: 0xc013 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Suite ID: 0xc014 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 256 bits (ECDHE 256 bits) Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA Suite ID: 0x33 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: DHE_RSA Key exchange strength: 2048 bits Forward secrecy: Yes PRF: SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA 128 bits (DHE 2048 bits) Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA Suite ID: 0x39 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: DHE_RSA Key exchange strength: 2048 bits Forward secrecy: Yes PRF: SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA 256 bits (DHE 2048 bits) Suite: TLS_RSA_WITH_AES_128_CBC_SHA Suite ID: 0x2f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_128_CBC_SHA 128 bits Suite: TLS_RSA_WITH_AES_256_CBC_SHA Suite ID: 0x35 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_256_CBC_SHA 256 bits
Shows cipher suite configuration for this protocol version.TLS v1.0 Server preference	Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Suite ID: 0xc013 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Suite ID: 0xc014 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 256 bits (ECDHE 256 bits) Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA Suite ID: 0x33 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: DHE_RSA Key exchange strength: 2048 bits Forward secrecy: Yes PRF: SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA 128 bits (DHE 2048 bits) Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA Suite ID: 0x39 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: DHE_RSA Key exchange strength: 2048 bits Forward secrecy: Yes PRF: SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA 256 bits (DHE 2048 bits) Suite: TLS_RSA_WITH_AES_128_CBC_SHA Suite ID: 0x2f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_128_CBC_SHA 128 bits Suite: TLS_RSA_WITH_AES_256_CBC_SHA Suite ID: 0x35 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_256_CBC_SHA 256 bits

Analysis

Deprecated protocols supported

TLS 1.0 and TLS 1.1 are deprecated protocols that should be disabled if possible. TLS 1.0, in particular, is a weak older protocol that has many weaknesses. Sites that aim at a wide audience might still need to support TLS 1.0 for the time being, because many older clients don't support newer protocol versions. Sites with a modern user base might be able to disable TLS 1.0 even now. We recommend that you enable logging of encryption parameters, after which you can examine your protocol usage and make a decision with confidence. As of July 2018, PCI DSS doesn't allow use of TLS 1.0. Exceptions apply in some cases.

TLS 1.3 supported

Excellent. This server supports TLS 1.3, which is the latest revision of the TLS protocol and a significant improvement over earlier versions. Developed over a period of several years and extensively analyzed prior to the release, TLS 1.3 removed insecure features, and improved both security and performance.

TLS 1.2 supported

Good. This server supports TLS 1.2, which can provide strong security when configured correctly. This version of the TLS protocol is necessary to provide good security with a wide range of clients that don't yet support TLS 1.3.

Strong key exchange detected

Excellent. All cipher suites on this server rely on strong key exchange. The sweet spot is 2048 bits for DHE and 256 bits for ECDHE. Putting ECDHE suites first guarantees best security and best performance.

Server prefers forward secrecy and authenticated encryption suites

Excellent. Not only does this server enforce its server preference, but it also has at the top of the list suites that support both forward secrecy and authenticated encryption. This is the best TLS 1.2 can offer.

Server enforces cipher suite preferences

Excellent. This server enforces server cipher suite preference, which means that it is able to select the best suite from the options submitted by clients. Combined with a well designed list of supported cipher suites, this settings enables negotiation of best security.

All TLS connections with this server satisfy Apple's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT

All TLS connections with this server satisfy Chrome's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT

DHE server parameter not reused

This server does not reuse the private value used for the Diffie-Hellman key exchange.

WWW Certificates

A certificate is a digital document that contains a public key, some information about the entity associated with it, and a digital signature from the certificate issuer. It’s a mechanism that enables us to exchange, store, and use public keys. Being able to reliably verify the identity of a remote server is crucial in order to achieve secure encrypted communication.

Test passed

Everything seems to be well configured. Well done.

Certificate: www.gnu.org

Leaf certificate

wildebeest1p.gnu.org
Issuer: Let's Encrypt
Not Before: 17 Apr 2024 05:43:16 UTC
Not After: 16 Jul 2024 05:43:15 UTC (expires in 2 months 20 days)
Key: RSA 2048 bits
Signature: SHA256withRSA
View details

Names	archive.gnewsense.org beta.gnewsense.org bloodnok.gnewsense.org bofh.gnewsense.org bugs.gnewsense.org bzr.gnewsense.org cdimage.gnewsense.org classpath.org config.gnewsense.org digitalspeech.org donate.digitalspeech.org dotgnu.org eccles.gnewsense.org emacs.org glibc.gnu.org gnewsense.org gnu.org gnukids.org gplfaq.org hurd.gnu.org ipv6.nongnu.org kindleswindle.org nongnu.org patch-tracker.gnewsense.org playfreedom.org playogg.com playogg.net playogg.org rsync.gnewsense.org seagoon.gnewsense.org security.gnewsense.org smalltalk.gnu.org torrent.gnewsense.org upgradefromwindows.com upgradefromwindows.org upgradefromwindows8.com upgradefromwindows8.org us.archive.gnewsense.org vcdimager.org wiki.gnewsense.org wildebeest.ipv6.gnu.org wildebeest1p.gnu.org www.classpath.org www.digitalspeech.org www.dotgnu.org www.emacs.org www.gnewsense.org www.gnu.org www.gnukids.org www.gplfaq.org www.hurd.gnu.org www.ipv6.gnu.org www.ipv6.nongnu.org www.kindleswindle.org www.nongnu.org www.playfreedom.org www.playogg.com www.playogg.net www.playogg.org www.upgradefromwindows.com www.upgradefromwindows.org www.upgradefromwindows8.com www.upgradefromwindows8.org www.vcdimager.org www6.gnu.org www6.nongnu.org x86-32.gnewsense.org x86-64.gnewsense.org
Subject DN	CN=wildebeest1p.gnu.org
Subject Key Identifier	bf0212ef4353c3f2e5b316a1d9099fd477df0074
Serial	40a59b120fcc0ad7134cbcf8c6d21159e92
Not Before	17 Apr 2024 05:43:16 UTC
Not After	16 Jul 2024 05:43:15 UTC
Validity period	90 days
Key Usage	digitalSignature, keyEncipherment
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=R3, O=Let's Encrypt, C=US
Certification Authority	Let's Encrypt
Validation Type	Domain Validation (DV)
Authority Key Identifier	keyid:142eb317b75856cbae500940e61faf9d8b14c2c6
Parent Certificate	http://r3.i.lencr.org/
OCSP	http://r3.o.lencr.org
Certificate Transparency
Signed Certificate Timestamps	17 Apr 2024 06:43:16 UTC \| Let's Encrypt 'Oak2024H2' log \| Qualified 17 Apr 2024 06:43:16 UTC \| Sectigo 'Mammoth2024h2' \| Qualified
Fingerprints
SHA1	a68b0bb06c82d704d1e75533cd5be53def56a938
SHA256	f7ef9ba6bcf34ae43092599e089cd61028b92da86358085943c6c284d3f7f042
SPKI SHA256	23a9b7de053328ef51680b9146a146e4075ee83bcb19869d528e61e25993672d

Analysis

Strong private key

Good. The private key associated with this certificate is secure.

Strong signature algorithm

Good. This certificate uses a strong signature algorithm.

Certificate matches hostname

Good. The provided certificate matches the expected hostnames.

Certificate dates match

Good. The certificate is valid for use at this point of time.

Certificate has not been revoked

Good. This certificate has not been revoked.

Certificate satisfies Apple's CT compliance requirements

Good. This certificate satisfies Apple's CT requirements at present.

Certificate Trust

Determining whether a certificate is considered valid is a complicated process that depends on the exact configuration of the validating party. For trust to be established, the certificate must form a chain that ends with a trusted root. In this section we evaluate the server's certificate against major root stores.

Platform	Trusted
Apple
Google AOSP
Microsoft
Mozilla

Certificate Chain

For a server certificate to be valid, it must be presented as part of a complete and valid certificate chain. The last certificate in the chain should be the root and is usually not included in the configuration.

Leaf certificate

wildebeest1p.gnu.org | f7ef9ba
Not After: 16 Jul 2024 05:43:15 UTC (expires in 2 months 20 days)
Authentication: RSA 2048 bits (SHA256withRSA)
View details

Names	archive.gnewsense.org beta.gnewsense.org bloodnok.gnewsense.org bofh.gnewsense.org bugs.gnewsense.org bzr.gnewsense.org cdimage.gnewsense.org classpath.org config.gnewsense.org digitalspeech.org donate.digitalspeech.org dotgnu.org eccles.gnewsense.org emacs.org glibc.gnu.org gnewsense.org gnu.org gnukids.org gplfaq.org hurd.gnu.org ipv6.nongnu.org kindleswindle.org nongnu.org patch-tracker.gnewsense.org playfreedom.org playogg.com playogg.net playogg.org rsync.gnewsense.org seagoon.gnewsense.org security.gnewsense.org smalltalk.gnu.org torrent.gnewsense.org upgradefromwindows.com upgradefromwindows.org upgradefromwindows8.com upgradefromwindows8.org us.archive.gnewsense.org vcdimager.org wiki.gnewsense.org wildebeest.ipv6.gnu.org wildebeest1p.gnu.org www.classpath.org www.digitalspeech.org www.dotgnu.org www.emacs.org www.gnewsense.org www.gnu.org www.gnukids.org www.gplfaq.org www.hurd.gnu.org www.ipv6.gnu.org www.ipv6.nongnu.org www.kindleswindle.org www.nongnu.org www.playfreedom.org www.playogg.com www.playogg.net www.playogg.org www.upgradefromwindows.com www.upgradefromwindows.org www.upgradefromwindows8.com www.upgradefromwindows8.org www.vcdimager.org www6.gnu.org www6.nongnu.org x86-32.gnewsense.org x86-64.gnewsense.org
Subject DN	CN=wildebeest1p.gnu.org
Subject Key Identifier	bf0212ef4353c3f2e5b316a1d9099fd477df0074
Serial	40a59b120fcc0ad7134cbcf8c6d21159e92
Not Before	17 Apr 2024 05:43:16 UTC
Not After	16 Jul 2024 05:43:15 UTC
Validity period	90 days
Key Usage	digitalSignature, keyEncipherment
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=R3, O=Let's Encrypt, C=US
Certification Authority	Let's Encrypt
Validation Type	Domain Validation (DV)
Authority Key Identifier	keyid:142eb317b75856cbae500940e61faf9d8b14c2c6
Parent Certificate	http://r3.i.lencr.org/
OCSP	http://r3.o.lencr.org
Certificate Transparency
Signed Certificate Timestamps	17 Apr 2024 06:43:16 UTC \| Let's Encrypt 'Oak2024H2' log \| Qualified 17 Apr 2024 06:43:16 UTC \| Sectigo 'Mammoth2024h2' \| Qualified
Fingerprints
SHA1	a68b0bb06c82d704d1e75533cd5be53def56a938
SHA256	f7ef9ba6bcf34ae43092599e089cd61028b92da86358085943c6c284d3f7f042
SPKI SHA256	23a9b7de053328ef51680b9146a146e4075ee83bcb19869d528e61e25993672d

Intermediate certificate

R3 | 67add11
Not After: 15 Sep 2025 16:00:00 UTC (expires in 1 year 4 months)
Authentication: RSA 2048 bits (SHA256withRSA)
View details

Subject DN	CN=R3, O=Let's Encrypt, C=US
Subject Key Identifier	142eb317b75856cbae500940e61faf9d8b14c2c6
Serial	912b084acf0c18a753f6d62e25a75f5a
Not Before	04 Sep 2020 00:00:00 UTC
Not After	15 Sep 2025 16:00:00 UTC
Validity period	1838 days
Key Usage	digitalSignature, keyCertSign, cRLSign
Extended Key Usage	clientAuth, serverAuth
Issuer
Issuer DN	CN=ISRG Root X1, O=Internet Security Research Group, C=US
Certification Authority	Let's Encrypt
Validation Type	Not Applicable
Authority Key Identifier	keyid:79b459e67bb6e5e40173800888c81a58f6e99b6e
Parent Certificate	http://x1.i.lencr.org/
CRL	http://x1.c.lencr.org/
CA certificate	Yes (pathlen 0)
Fingerprints
SHA1	a053375bfe84e8b748782c7cee15827a6af5a405
SHA256	67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd
SPKI SHA256	8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d

Root certificate

ISRG Root X1 | 96bcec0
Not After: 04 Jun 2035 11:04:38 UTC (expires in 11 years 1 month)
Authentication: RSA 4096 bits (SHA256withRSA)
View details

Subject DN	CN=ISRG Root X1, O=Internet Security Research Group, C=US
Subject Key Identifier	79b459e67bb6e5e40173800888c81a58f6e99b6e
Serial	8210cfb0d240e3594463e0bb63828b00
Not Before	04 Jun 2015 11:04:38 UTC
Not After	04 Jun 2035 11:04:38 UTC
Key Usage	keyCertSign, cRLSign
Issuer
Issuer DN	CN=ISRG Root X1, O=Internet Security Research Group, C=US
Certification Authority	Let's Encrypt
Validation Type	Self-signed
CA certificate	Yes (pathlen unlimited)
Fingerprints
SHA1	cabd2a79a1076a31f21d253635cb039d4329a5e8
SHA256	96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6
SPKI SHA256	0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3

Analysis

Certificate chain is correct

Good. This chain contains all the right certificates and in the right order.

Certificate: gnu.org

Leaf certificate

wildebeest1p.gnu.org
Issuer: Let's Encrypt
Not Before: 17 Apr 2024 05:43:16 UTC
Not After: 16 Jul 2024 05:43:15 UTC (expires in 2 months 20 days)
Key: RSA 2048 bits
Signature: SHA256withRSA
View details

Names	archive.gnewsense.org beta.gnewsense.org bloodnok.gnewsense.org bofh.gnewsense.org bugs.gnewsense.org bzr.gnewsense.org cdimage.gnewsense.org classpath.org config.gnewsense.org digitalspeech.org donate.digitalspeech.org dotgnu.org eccles.gnewsense.org emacs.org glibc.gnu.org gnewsense.org gnu.org gnukids.org gplfaq.org hurd.gnu.org ipv6.nongnu.org kindleswindle.org nongnu.org patch-tracker.gnewsense.org playfreedom.org playogg.com playogg.net playogg.org rsync.gnewsense.org seagoon.gnewsense.org security.gnewsense.org smalltalk.gnu.org torrent.gnewsense.org upgradefromwindows.com upgradefromwindows.org upgradefromwindows8.com upgradefromwindows8.org us.archive.gnewsense.org vcdimager.org wiki.gnewsense.org wildebeest.ipv6.gnu.org wildebeest1p.gnu.org www.classpath.org www.digitalspeech.org www.dotgnu.org www.emacs.org www.gnewsense.org www.gnu.org www.gnukids.org www.gplfaq.org www.hurd.gnu.org www.ipv6.gnu.org www.ipv6.nongnu.org www.kindleswindle.org www.nongnu.org www.playfreedom.org www.playogg.com www.playogg.net www.playogg.org www.upgradefromwindows.com www.upgradefromwindows.org www.upgradefromwindows8.com www.upgradefromwindows8.org www.vcdimager.org www6.gnu.org www6.nongnu.org x86-32.gnewsense.org x86-64.gnewsense.org
Subject DN	CN=wildebeest1p.gnu.org
Subject Key Identifier	bf0212ef4353c3f2e5b316a1d9099fd477df0074
Serial	40a59b120fcc0ad7134cbcf8c6d21159e92
Not Before	17 Apr 2024 05:43:16 UTC
Not After	16 Jul 2024 05:43:15 UTC
Validity period	90 days
Key Usage	digitalSignature, keyEncipherment
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=R3, O=Let's Encrypt, C=US
Certification Authority	Let's Encrypt
Validation Type	Domain Validation (DV)
Authority Key Identifier	keyid:142eb317b75856cbae500940e61faf9d8b14c2c6
Parent Certificate	http://r3.i.lencr.org/
OCSP	http://r3.o.lencr.org
Certificate Transparency
Signed Certificate Timestamps	17 Apr 2024 06:43:16 UTC \| Let's Encrypt 'Oak2024H2' log \| Qualified 17 Apr 2024 06:43:16 UTC \| Sectigo 'Mammoth2024h2' \| Qualified
Fingerprints
SHA1	a68b0bb06c82d704d1e75533cd5be53def56a938
SHA256	f7ef9ba6bcf34ae43092599e089cd61028b92da86358085943c6c284d3f7f042
SPKI SHA256	23a9b7de053328ef51680b9146a146e4075ee83bcb19869d528e61e25993672d

Analysis

Strong private key

Good. The private key associated with this certificate is secure.

Strong signature algorithm

Good. This certificate uses a strong signature algorithm.

Certificate matches hostname

Good. The provided certificate matches the expected hostnames.

Certificate dates match

Good. The certificate is valid for use at this point of time.

Certificate has not been revoked

Good. This certificate has not been revoked.

Certificate satisfies Apple's CT compliance requirements

Good. This certificate satisfies Apple's CT requirements at present.

Certificate Trust

Determining whether a certificate is considered valid is a complicated process that depends on the exact configuration of the validating party. For trust to be established, the certificate must form a chain that ends with a trusted root. In this section we evaluate the server's certificate against major root stores.

Platform	Trusted
Apple
Google AOSP
Microsoft
Mozilla

Certificate Chain

For a server certificate to be valid, it must be presented as part of a complete and valid certificate chain. The last certificate in the chain should be the root and is usually not included in the configuration.

Leaf certificate

wildebeest1p.gnu.org | f7ef9ba
Not After: 16 Jul 2024 05:43:15 UTC (expires in 2 months 20 days)
Authentication: RSA 2048 bits (SHA256withRSA)
View details

Names	archive.gnewsense.org beta.gnewsense.org bloodnok.gnewsense.org bofh.gnewsense.org bugs.gnewsense.org bzr.gnewsense.org cdimage.gnewsense.org classpath.org config.gnewsense.org digitalspeech.org donate.digitalspeech.org dotgnu.org eccles.gnewsense.org emacs.org glibc.gnu.org gnewsense.org gnu.org gnukids.org gplfaq.org hurd.gnu.org ipv6.nongnu.org kindleswindle.org nongnu.org patch-tracker.gnewsense.org playfreedom.org playogg.com playogg.net playogg.org rsync.gnewsense.org seagoon.gnewsense.org security.gnewsense.org smalltalk.gnu.org torrent.gnewsense.org upgradefromwindows.com upgradefromwindows.org upgradefromwindows8.com upgradefromwindows8.org us.archive.gnewsense.org vcdimager.org wiki.gnewsense.org wildebeest.ipv6.gnu.org wildebeest1p.gnu.org www.classpath.org www.digitalspeech.org www.dotgnu.org www.emacs.org www.gnewsense.org www.gnu.org www.gnukids.org www.gplfaq.org www.hurd.gnu.org www.ipv6.gnu.org www.ipv6.nongnu.org www.kindleswindle.org www.nongnu.org www.playfreedom.org www.playogg.com www.playogg.net www.playogg.org www.upgradefromwindows.com www.upgradefromwindows.org www.upgradefromwindows8.com www.upgradefromwindows8.org www.vcdimager.org www6.gnu.org www6.nongnu.org x86-32.gnewsense.org x86-64.gnewsense.org
Subject DN	CN=wildebeest1p.gnu.org
Subject Key Identifier	bf0212ef4353c3f2e5b316a1d9099fd477df0074
Serial	40a59b120fcc0ad7134cbcf8c6d21159e92
Not Before	17 Apr 2024 05:43:16 UTC
Not After	16 Jul 2024 05:43:15 UTC
Validity period	90 days
Key Usage	digitalSignature, keyEncipherment
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=R3, O=Let's Encrypt, C=US
Certification Authority	Let's Encrypt
Validation Type	Domain Validation (DV)
Authority Key Identifier	keyid:142eb317b75856cbae500940e61faf9d8b14c2c6
Parent Certificate	http://r3.i.lencr.org/
OCSP	http://r3.o.lencr.org
Certificate Transparency
Signed Certificate Timestamps	17 Apr 2024 06:43:16 UTC \| Let's Encrypt 'Oak2024H2' log \| Qualified 17 Apr 2024 06:43:16 UTC \| Sectigo 'Mammoth2024h2' \| Qualified
Fingerprints
SHA1	a68b0bb06c82d704d1e75533cd5be53def56a938
SHA256	f7ef9ba6bcf34ae43092599e089cd61028b92da86358085943c6c284d3f7f042
SPKI SHA256	23a9b7de053328ef51680b9146a146e4075ee83bcb19869d528e61e25993672d

Intermediate certificate

R3 | 67add11
Not After: 15 Sep 2025 16:00:00 UTC (expires in 1 year 4 months)
Authentication: RSA 2048 bits (SHA256withRSA)
View details

Subject DN	CN=R3, O=Let's Encrypt, C=US
Subject Key Identifier	142eb317b75856cbae500940e61faf9d8b14c2c6
Serial	912b084acf0c18a753f6d62e25a75f5a
Not Before	04 Sep 2020 00:00:00 UTC
Not After	15 Sep 2025 16:00:00 UTC
Validity period	1838 days
Key Usage	digitalSignature, keyCertSign, cRLSign
Extended Key Usage	clientAuth, serverAuth
Issuer
Issuer DN	CN=ISRG Root X1, O=Internet Security Research Group, C=US
Certification Authority	Let's Encrypt
Validation Type	Not Applicable
Authority Key Identifier	keyid:79b459e67bb6e5e40173800888c81a58f6e99b6e
Parent Certificate	http://x1.i.lencr.org/
CRL	http://x1.c.lencr.org/
CA certificate	Yes (pathlen 0)
Fingerprints
SHA1	a053375bfe84e8b748782c7cee15827a6af5a405
SHA256	67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd
SPKI SHA256	8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d

Root certificate

ISRG Root X1 | 96bcec0
Not After: 04 Jun 2035 11:04:38 UTC (expires in 11 years 1 month)
Authentication: RSA 4096 bits (SHA256withRSA)
View details

Subject DN	CN=ISRG Root X1, O=Internet Security Research Group, C=US
Subject Key Identifier	79b459e67bb6e5e40173800888c81a58f6e99b6e
Serial	8210cfb0d240e3594463e0bb63828b00
Not Before	04 Jun 2015 11:04:38 UTC
Not After	04 Jun 2035 11:04:38 UTC
Key Usage	keyCertSign, cRLSign
Issuer
Issuer DN	CN=ISRG Root X1, O=Internet Security Research Group, C=US
Certification Authority	Let's Encrypt
Validation Type	Self-signed
CA certificate	Yes (pathlen unlimited)
Fingerprints
SHA1	cabd2a79a1076a31f21d253635cb039d4329a5e8
SHA256	96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6
SPKI SHA256	0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3

Analysis

Certificate chain is correct

Good. This chain contains all the right certificates and in the right order.

DANE (443)

DNS-based Authentication of Named Entities (DANE) is a bridge between DNSSEC and TLS. In one possible scenario, DANE can be used for public key pinning, building on an existing publicly-trusted certificate. In another approach, it can be used to completely bypass the CA ecosystem and establish trust using DNSSEC alone.

Feature not applicable, not implemented, or disabled

Your server doesn't support this feature.

Cookies

Cookies are small chunks of text that are sent between your browser and a website. They are often essential to the operation of the site and sometimes contain sensitive information. Session cookies sent from secure sites must be explicitly marked as secure to prevent being obtained by active network attackers.

Test passed

Everything seems to be well configured. Well done.

Mixed Content

On virtually all web sites, HTML markup, images, style sheets, JavaScript, and other page resources arrive not only over multiple connections but possibly from multiple servers and sites spread across the entire Internet. For a page to be properly encrypted, it’s necessary that all the content is retrieved over HTTPS. In practice, that’s very often not the case, leading to mixed content security problems.

Test passed, but there are warnings

Some aspect of your site's configuration require your attention.

Embedded Resources

In this section we look at the security of all embedded resources. Mixed active content occurs when there are unprotected scripts or styles embedded in a page. This is typically not allowed by modern browsers. Mixed passive content (images, videos and such) are typically allowed, but shouldn't be present.

0 script(s)
0 out of 0 are secure

2 CSS file(s)
2 out of 2 are secure View all

Status	Link
Encrypted	https://www.gnu.org/layout.min.css
Encrypted	https://www.gnu.org/print.min.css

21 media file(s)
21 out of 21 are secure View all

Status	Link
Encrypted	https://www.gnu.org/...gnu.transp.small.png
Encrypted	https://www.gnu.org/...ics/icons/search.png
Encrypted	https://www.gnu.org/...ons/translations.png
Encrypted	https://static.gnu.org/...to-freedom-720p.webm
Encrypted	https://static.gnu.org/...-to-freedom-720p.ogv
Encrypted	https://static.gnu.org/...-to-freedom-720p.mp4
Encrypted	https://static.gnu.org/...pe-to-freedom_en.vtt
Encrypted	https://static.gnu.org/...pe-to-freedom_es.vtt
Encrypted	https://www.gnu.org/...pe-to-freedom_fr.vtt
Encrypted	https://static.gnu.org/...pe-to-freedom_zh.vtt
Encrypted	https://www.gnu.org/...agora-tde-medium.jpg
Encrypted	https://www.gnu.org/...ragora-tde-thumb.jpg
Encrypted	https://www.gnu.org/...xSD-gnome3-thumb.jpg
Encrypted	https://www.gnu.org/...perbola-i3-thumb.jpg
Encrypted	https://www.gnu.org/...a2020-lxde-thumb.jpg
Encrypted	https://www.gnu.org/...ots/gnome3-thumb.jpg
Encrypted	https://www.gnu.org/...uel10-mate-thumb.jpg
Encrypted	https://www.gnu.org/...snowflake-purple.png
Encrypted	https://www.gnu.org/feed-icon-10x10.png
Encrypted	https://www.gnu.org/...100/pspp.250x100.png
Encrypted	https://www.gnu.org/...ogo-notext-small.png

Outbound Links

Ideally, an encrypted page should only have links that lead to other encrypted pages. If plaintext links are used, passive network attackers can see where people go after they visit your web site. It's also possible that some sensitive information is leaked in the Referer header.

23 link(s)
20 out of 23 are encrypted

http://www.fsf.org/...ew-with-david-wilson

http://www.fsf.org

http://creativecommons.org/licenses/by-nd/4.0/

View all

Status	Link
Encrypted	https://www.fsf.org/...iate/support_freedom
Encrypted	https://h-node.org/
Encrypted	https://www.fsf.org/...re-escape-to-freedom
Encrypted	https://dragora.org/index.html
Encrypted	https://www.trinitydesktop.org/
Encrypted	https://directory.fsf.org/...oftware_replacements
Encrypted	https://www.fsf.org
Encrypted	https://snowflake.torproject.org/
Encrypted	https://www.fsf.org/givingguide/v14/
Encrypted	https://planet.gnu.org/
Encrypted	https://planet.gnu.org/rss20.xml
Plaintext	http://www.fsf.org/...ew-with-david-wilson
Encrypted	https://savannah.gnu.org/news/
Encrypted	https://savannah.gnu.org/news/
Encrypted	https://www.fsf.org/campaigns
Encrypted	https://my.fsf.org/...students-userfreedom
Encrypted	https://libreplanet.org/...:Copilot_Watch_Group
Encrypted	https://www.fsf.org/
Encrypted	https://fsfe.org/
Encrypted	https://www.fsfla.org/ikiwiki/
Encrypted	https://fsf.org.in/
Plaintext	http://www.fsf.org
Plaintext	http://creativecommons.org/licenses/by-nd/4.0/

Analysis

Plaintext outbound links in HTTPS page

When outbound links are not encrypted, a passive network attacker can see where your users go after visiting your web site.

HTTP Strict Transport Security

HTTP Strict Transport Security (HSTS) vastly improves security of the network encryption layer. With HSTS enabled, browsers no longer allow clicking through certificate warnings errors, which are typically trivial to exploit. Additionally, they will no longer submit insecure (plaintext) requests to the site in question, even if asked.

Test passed, but there are warnings

Some aspect of your site's configuration require your attention.

HSTS Policy Main host

URL from which this policy was obtained.Location	https://www.gnu.org/
Specifies policy duration. Once activated, HSTS stays in force until this time lapses. Browsers update policy cache duration every time they receive a new HSTS header from a site.max‑age	63,072,000 seconds (about 2 years)
When present, this directive forces HSTS activation on allsubdomains. For best security, HSTS should be deployed on the bare domain name (e.g., example.com) and all its subdomains.includeSubDomains
Presence of this directive indicates that a web site wishes to permanently use HSTS and that its policy information should be preloaded (embedded in browsers).preload

Analysis

Policy is valid

OK. Your HSTS policy uses correct syntax.

Long policy age

Your HSTS policy has a long max-age value, which offers better protection.

No subdomains

This HSTS policy doesn't cover subdomains. Without full coverage, HSTS can't protect from certain cookie attacks that typically allow active network attackers to inject cookies into an application. Additionally, subdomain coverage is one of the requirements to allow preloading.

Preload directive has no effect here

This policy doesn't enable preloading, but that's all right. The preload directive doesn't have any effect unless it's used on an apex hostname.

Missing redirection

This host uses HSTS, but doesn't have a redirection from HTTP on port 80 to HTTPS on port 443. As a result, clients who visit the plaintext host won't notice and activate HSTS.

Starting point: http://www.gnu.org

Expected redirection: https://www.gnu.org

HSTS Policy Apex host

URL from which this policy was obtained.Location	https://gnu.org/
Specifies policy duration. Once activated, HSTS stays in force until this time lapses. Browsers update policy cache duration every time they receive a new HSTS header from a site.max‑age	63,072,000 seconds (about 2 years)
When present, this directive forces HSTS activation on allsubdomains. For best security, HSTS should be deployed on the bare domain name (e.g., example.com) and all its subdomains.includeSubDomains
Presence of this directive indicates that a web site wishes to permanently use HSTS and that its policy information should be preloaded (embedded in browsers).preload

Analysis

Policy is valid

OK. Your HSTS policy uses correct syntax.

Long policy age

Your HSTS policy has a long max-age value, which offers better protection.

Policy covers subdomains

When subdomains are included, network attackers are unable to manufacture arbitrary subdomains to manipulate cookies and trick users.

Preload intent declared

Good. With the preload directive set, browsers have a green light to embed the HSTS policy.

Missing redirection

This host uses HSTS, but doesn't have a redirection from HTTP on port 80 to HTTPS on port 443. As a result, clients who visit the plaintext host won't notice and activate HSTS.

Starting point: http://gnu.org

Current redirection: http://www.gnu.org/

Expected redirection: https://gnu.org

Policy not preloaded

When hostname is preloaded, that means that browsers embed your HSTS policy and apply it even to the first request sent to your web site. This server indicates preloading in its policy, but the domain name isn't actually preloaded. We classify this as a warning because it's a common problem to place the 'preload' keyword in the policy even though the infrastructure is not ready for preloading. This is dangerous because, in this situation, anyone can submit this domain name for preloading just by visiting hstspreload.org. We recommend that you either preload this domain name yourself—if it's ready—or remove the preloading indicator from the policy until it is ready.

Preload policy doesn't satisfy preload requirements

This HSTS policy specifies the preload directive but doesn't satisfy one or more preload conditions.

Analysis

Policy set on plaintext port

HSTS policies must not be transmitted over insecure channels.

Location: http://gnu.org/

Policy set on plaintext port

HSTS policies must not be transmitted over insecure channels.

Location: http://www.gnu.org/

Policy set on plaintext port

HSTS policies must not be transmitted over insecure channels.

Location: http://www.gnu.org/

HTTP Public Key Pinning

HTTP Public Key Pinning (HPKP) enables site operators to restrict which certificates are considered valid for their domain names. With a valid HPKP configuration, sites can defeat man in the middle (MITM) attacks using fraudulent or misissued certificates. HPKP is an advanced feature, suitable for use by only high-profile web sites.

Feature not applicable, not implemented, or disabled

Your server doesn't support this feature.

Content Security Policy

Content Security Policy (CSP) is a security mechanism that allows web sites control how browsers process their pages. In essence, sites can restrict what types of resources are loaded and from where. CSP policies can be used to defend against cross-site scripting, prevent mixed content issues, as well as report violations for investigation.

Feature not applicable, not implemented, or disabled

Your server doesn't support this feature.

Subresource Integrity

Subresource Integrity (SRI) is a new standard that enables browsers to verify the integrity of embedded page resources (e.g., scripts and stylesheets) when they are loaded from third-party web sites. With SRI deployed, remote resources can be used safely, without fear of them being modified by malicious parties.

Test passed

Everything seems to be well configured. Well done.

No external scripts
SRI not needed

2 CSS file(s)
2 out of 2 are secure View all

Status	Link
Local	/layout.min.css
Local	/print.min.css

Analysis

No remote resources

The homepage of this site doesn't contain any remote resources so SRI is not needed.

Expect CT

Expect-CT is a deprecated response HTTP header designed to enable web sites to monitor problems related to their Certificate Transparency (CT) compliance. Should any CT issues arise, browsers that supported this header will submit reports to the specified reporting endpoint. Chrome was the browser that introduced support for this response header, but later deprecated it and removed it in version 107.

Feature not applicable, not implemented, or disabled

Your server doesn't support this feature.

Analysis

Deploy Expect-CT to enable reporting

An Expect-CT policy enables web sites to monitor for any problems related to their Expect-CT compliance, detecting potentially serious issues quickly. When issues arise, compliant browsers will submit reports to the specified reporting endpoints. Before CT became required for all public certificates the Expect-CT was also used to require CT, but that use case no longer applies.

Frame Options

The X-Frame-Options header controls page framing, which occurs when a page is incorporated into some other page, possibly on a different site. If framing is allowed, attackers can employ clever tricks to make victims perform arbitrary actions on your site; they do this by showing their web site while forwarding the victim's clicks to yours.

Test passed

Everything seems to be well configured. Well done.

Analysis

Header information

Name: X-Frame-Options

Value: sameorigin

Framing allowed from the same origin only

OK. Your site allows page framing only from itself. This should generally be safe, except maybe on sites that host user content.

XSS Protection

Some browsers ship with so-called XSS Auditors, built-in defenses against XSS. Although these defenses work against simple reflective XSS attacks, they can be abused by skillful attackers to add weaknesses to otherwise secure web sites. These dangers are present in both filtering and blocking modes. At this time, the Safari browser ships with its XSS defenses enabled by default. For this reason, the best approach is to explicitly disable this functionality.

Feature not applicable, not implemented, or disabled

Your server doesn't support this feature.

Analysis

Explicitly disable browser XSS protection

For best security, every web site should explicitly disable browser-based XSS protection. This is because this type of functionality can be used to introduce vulnerabilities into otherwise error-free web sites.

Content Type Options

Some browsers use a technique called content sniffing to override response MIME types provided by HTTP servers and interpret responses as something else (usually HTML). This behavior, which could potentially lead to security issues, should be disabled by attaching an X-Content-Type-Options header to all responses.

Test passed

Everything seems to be well configured. Well done.

Analysis

Header information

Name: X-Content-Type-Options

Value: nosniff

Valid configuration

Good. Your configuration is valid. This means that browsers won't try to guess file MIME type on this web site.

Public Report | gnu.org

gnu.org

Domain Name System

Email

WWW

Domain Registration

Registration Data Access Protocol (RDAP)

Analysis

WHOIS

Analysis

DNS Zone

Nameserver Names

Nameserver Addresses

Start of Authority (SOA) Record

Analysis

Backing DNS Queries

DNS Records

DNS Records

Backing DNS Queries

DNSSEC

Useful DNSSEC Tools

Certification Authority Authorization

CAA Policy Information

Analysis

Email (SMTP)

Analysis

Email TLS (SMTP)

TLS Configuration: eggs.gnu.org (2001:470:142:3:0:0:0:10) Cached

Analysis

TLS Configuration: eggs.gnu.org (209.51.188.92) Cached

Analysis

Email Certificates (SMTP)

Certificate #1 Cached

Analysis

Certificate Chain

Analysis

Email DANE (SMTP)

SPF

SPF Policy Information Main policy

Analysis

DMARC

DMARC Policy Information

Analysis

MTA Strict Transport Security

SMTP TLS Reporting

HTTP (80)

URL: http://gnu.org/

Analysis

URL: http://www.gnu.org/

Analysis

HTTP (443)

URL: https://gnu.org/

URL: https://www.gnu.org/

WWW TLS

TLS Configuration: gnu.org (2001:470:142:5:0:0:0:116)

Analysis

TLS Configuration: gnu.org (209.51.188.116)

Analysis

TLS Configuration: www.gnu.org (2001:470:142:5:0:0:0:116)

Analysis

TLS Configuration: www.gnu.org (209.51.188.116)

Analysis

WWW Certificates

Certificate: www.gnu.org

Analysis

Certificate Trust

Certificate Chain

Analysis

Certificate: gnu.org

Analysis

Certificate Trust

Certificate Chain

Analysis

DANE (443)

Cookies

Mixed Content

Embedded Resources

Outbound Links

Analysis

HTTP Strict Transport Security