List of Messages Shown by Qualys SSL Labs' SSL Server Test

Qualys SSL Labs' SSL Server Test (https://www.ssllabs.com/ssltest/) is a handy tool that detects a variety of TLS-layer weaknesses, but for some reason I could not find a reference table of its diagnostic messages anywhere. The table below lists the diagnostic messages I have come across, each with the grade the tool assigns when it appears.

| Grade | Message |
|---|---|
| A+ | HTTP Strict Transport Security (HSTS) with long duration deployed on this server. |
| A | Intermediate certificate has a weak signature. Upgrade to SHA2 as soon as possible to avoid browser warnings. |
| A | Certificate has a weak signature and expires after 2015. Upgrade to SHA2 to avoid browser warnings. |
| A- | The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-. |
| A- | There is no support for secure renegotiation. Grade reduced to A-. |
| B | This server accepts RC4 cipher, but only with older protocol versions. Grade capped to B. |
| B | This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B. |
| B | This server uses SSL 3, which is obsolete and insecure. Grade capped to B. |
| B | This server's certificate chain is incomplete. Grade capped to B. |
| C | The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C. |
| C | This server does not mitigate the CRIME attack. Grade capped to C. |
| C | This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C. |
| C | This server uses RC4 with modern protocols. Grade capped to C. |
| F | Experimental: This server is vulnerable to the DROWN attack. Grade set to F. |
| F | This server is vulnerable to MITM attacks because it supports insecure renegotiation. Grade set to F. |
| F | This server is vulnerable to the Heartbleed attack. Grade set to F. |
| F | This server is vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224) and exploitable. Grade set to F. |
| F | This server is vulnerable to the OpenSSL Padding Oracle vulnerability (CVE-2016-2107) and insecure. Grade set to F. |
| F | This server is vulnerable to the POODLE TLS attack. Patching required. Grade set to F. |
| F | This server supports 512-bit export suites and might be vulnerable to the FREAK attack. Grade set to F. |
| F | This server supports anonymous (insecure) suites (see below for details). Grade set to F. |
| F | This server supports insecure Diffie-Hellman (DH) key exchange parameters (Logjam). Grade set to F. |
| F | This server supports SSL 2, which is obsolete and insecure, and can be used against TLS (DROWN attack). Grade set to F. |
| T | This server's certificate is not trusted, see below for details. |


Q&A

Q. Is this every message the tool can show?

A. I don't know. This is only a list of the ones I have found myself, so there may be omissions.

Q. Is this list up to date?

A. It is a list of the messages I encountered between roughly April 2016 and January 2017. Some items may since have been retired or changed.

That's all. Good luck!