Subject — https://www.imperialviolet.org/
Qualys SSL Labs - Projects / SSL Server Test / imperialviolet.org
Google Chrome shows this:
SSL Labs shows this:
Where is the truth?
Another subject — Qualys SSL Labs - Projects / SSL Server Test / howsmyssl.com
Also didn't expect such bad results from these two servers: TLS_FALLBACK_SCSV not supported; Forward Secrecy: With some browsers; Session resumption (caching): No (IDs empty). What's happening?
TLS_FALLBACK_SCSV not supported:
That server doesn't support TLS Fallback SCSV:
$ openssl s_client -connect howsmyssl.com:443 -servername howsmyssl.com -fallback_scsv -ssl3
The connection is established normally instead of the server sending an inappropriate fallback TLS alert error.
Forward Secrecy With some browsers:
That server only supports ECDHE and no DHE cipher-suites, as you can see in the cipher suite listing or with openssl:
$ openssl s_client -connect howsmyssl.com:443 -servername howsmyssl.com -cipher 'EDH'
140022186018688:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:
It's also possible that this is because the server uses secp521r1 ECDH domain parameters, whereas secp256r1 is more commonly supported among clients.
Session resumption is more of a performance than a security feature.
openssl shows that the server indeed supports server-side secure renegotiation:
$ openssl s_client -connect www.imperialviolet.org:443 -servername www.imperialviolet.org
Secure Renegotiation IS supported
I took a quick glance at the handshake in Wireshark and only noticed that Chrome doesn't send the TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff) Cipher-Suite in its Client Hello message, but that shouldn't be a problem since it includes the renegotiation_info extension instead and this is not a problem with other sites. OpenSSL just sends the SCSV cipher-suite.
Connecting with OpenSSL, it shows that secure renegotiation is supported:
I can observe the renego extension in server's response. However, when connecting using Chrome (others have reported the same with Firefox), the server apparently doesn't send the extension. Not sure why?
Noticed also that these servers are tolerant to all nonexistent TLS versions and aren't compatible with SSL 2 handshake. Even ssllabs.com didn't manage to deal with such issues.
I am setting up a new web-server and would like it to be TLS version tolerant and without SSL 2 handshake compatibility, but definitely would not like it to have those regressions.
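The replies above compare two ways a ClientHello can signal secure renegotiation: the 0x00ff SCSV that OpenSSL sends and the renegotiation_info extension that Chrome sends. The parser below reports both, plus the TLS_FALLBACK_SCSV value. It is an added example, not code from the thread; the function names, the builder and the sample hellos are constructed for illustration, and the extension type 0xff01 and SCSV value 0x5600 are taken from RFC 5746 and RFC 7507.

```python
import struct
# Signalling values from RFC 5746 (renegotiation) and RFC 7507 (fallback).
EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF
FALLBACK_SCSV = 0x5600
EXT_RENEGOTIATION_INFO = 0xFF01

def parse_client_hello(record: bytes) -> dict:
    """Report which renegotiation/fallback signals a ClientHello carries."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                      # skip client_version + random
    pos += 1 + body[pos]              # skip session_id
    n = int.from_bytes(body[pos:pos + 2], "big")
    suites = struct.unpack(f">{n // 2}H", body[pos + 2:pos + 2 + n])
    pos += 2 + n
    pos += 1 + body[pos]              # skip compression_methods
    exts = {}
    if pos < len(body):               # the extensions block is optional
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            exts[etype] = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
    scsv = EMPTY_RENEGOTIATION_INFO_SCSV in suites
    ext = EXT_RENEGOTIATION_INFO in exts
    return {"reneg_scsv": scsv, "reneg_extension": ext,
            "signals_secure_renegotiation": scsv or ext,
            "fallback_scsv": FALLBACK_SCSV in suites}

def build_client_hello(suites, exts=()):
    """Construct a minimal ClientHello record for the samples below."""
    cs = b"".join(struct.pack(">H", s) for s in suites)
    ex = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in exts)
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack(">H", len(cs)) + cs + b"\x01\x00"
    body += struct.pack(">H", len(ex)) + ex if ex else b""
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

# Constructed samples: one hello per signalling style described in the thread.
EXTENSION_STYLE = build_client_hello([0xC02F, 0xC030], [(0xFF01, b"\x00")])
SCSV_STYLE = build_client_hello([0xC02F, 0x00FF])
FALLBACK_RETRY = build_client_hello([0xC02F, 0x00FF, 0x5600])
if __name__ == "__main__":
    for hello in (EXTENSION_STYLE, SCSV_STYLE, FALLBACK_RETRY):
        print(parse_client_hello(hello))
```

Either signal alone marks the client as supporting secure renegotiation, which is why both styles yield the same `signals_secure_renegotiation` result.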