QUALYS SSL LABSのSSL Server Test (https://www.ssllabs.com/ssltest/) は、TLSレイヤのいろいろな脆弱性を検出してくれる便利なツールですが、どういうわけか、診断メッセージの一覧表が見当たらなかったので、以下の表は私が見つけた範囲内での診断メッセージ一覧です。
| 等級 | メッセージ |
|---|---|
| A+ | HTTP Strict Transport Security (HSTS) with long duration deployed on this server. MORE INFO |
| A | Intermediate certificate has a weak signature. Upgrade to SHA2 as soon as possible to avoid browser warnings. MORE INFO |
| A | Certificate has a weak signature and expires after 2015. Upgrade to SHA2 to avoid browser warnings. MORE INFO |
| A- | The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-. MORE INFO |
| A- | There is no support for secure renegotiation. Grade reduced to A-. MORE INFO |
| B | This server accepts RC4 cipher, but only with older protocol versions. Grade capped to B. MORE INFO |
| B | This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B. MORE INFO |
| B | This server uses SSL 3, which is obsolete and insecure. Grade capped to B. MORE INFO |
| B | This server's certificate chain is incomplete. Grade capped to B. |
| C | The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C. MORE INFO |
| C | This server does not mitigate the CRIME attack. Grade capped to C. |
| C | This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C. MORE INFO |
| C | This server uses RC4 with modern protocols. Grade capped to C. |
| F | Experimental: This server is vulnerable to the DROWN attack. Grade set to F. MORE INFO |
| F | This server is vulnerable to MITM attacks because it supports insecure renegotiation. Grade set to F. |
| F | This server is vulnerable to the Heartbleed attack. Grade set to F. |
| F | This server is vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224) and exploitable. Grade set to F. |
| F | This server is vulnerable to the OpenSSL Padding Oracle vulnerability (CVE-2016-2107) and insecure. Grade set to F. |
| F | This server is vulnerable to the POODLE TLS attack. Patching required. Grade set to F. MORE INFO |
| F | This server supports 512-bit export suites and might be vulnerable to the FREAK attack. Grade set to F. MORE INFO |
| F | This server supports anonymous (insecure) suites (see below for details). Grade set to F. |
| F | This server supports insecure Diffie-Hellman (DH) key exchange parameters (Logjam). Grade set to F. MORE INFO |
| F | This server supports SSL 2, which is obsolete and insecure, and can be used against TLS (DROWN attack). Grade set to F. MORE INFO |
| T | This server's certificate is not trusted, see below for details. |
Q&A
Q. メッセージはこれで全部か。
A. わかりません。あくまで私が見つけたものの一覧なので、抜け漏れはあるかもしれません。
Q. この一覧は最新か。
A. これは、2016年4月~2017年1月くらいの間に私が見つけたものの一覧です。現在は廃止、変更された項目もあるかもしれません。
以上!幸運を祈る。