QUALYS SSL LABSのSSL Server Test (https://www.ssllabs.com/ssltest/) は、TLSレイヤのいろいろな脆弱性を検出してくれる便利なツールですが、どういうわけか、診断メッセージの一覧表が見当たらなかったので、以下の表は私が見つけた範囲内での診断メッセージ一覧です。
|等級|メッセージ|
|--:|:--|:--|
|A+|HTTP Strict Transport Security (HSTS) with long duration deployed on this server. MORE INFO|
|A|Intermediate certificate has a weak signature. Upgrade to SHA2 as soon as possible to avoid browser warnings. MORE INFO |
|A|Certificate has a weak signature and expires after 2015. Upgrade to SHA2 to avoid browser warnings. MORE INFO |
|A-|The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-. MORE INFO |
|A-|There is no support for secure renegotiation. Grade reduced to A-. MORE INFO |
|B|This server accepts RC4 cipher, but only with older protocol versions. Grade capped to B. MORE INFO |
|B|This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B. MORE INFO |
|B|This server uses SSL 3, which is obsolete and insecure. Grade capped to B. MORE INFO |
|B|This server's certificate chain is incomplete. Grade capped to B. |
|C|The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C. MORE INFO |
|C|This server does not mitigate the CRIME attack. Grade capped to C. |
|C|This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C. MORE INFO |
|C|This server uses RC4 with modern protocols. Grade capped to C. |
|F|Experimental: This server is vulnerable to the DROWN attack. Grade set to F. MORE INFO |
|F|This server is vulnerable to MITM attacks because it supports insecure renegotiation. Grade set to F. |
|F|This server is vulnerable to the Heartbleed attack. Grade set to F. |
|F|This server is vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224) and exploitable. Grade set to F. |
|F|This server is vulnerable to the OpenSSL Padding Oracle vulnerability (CVE-2016-2107) and insecure. Grade set to F.|
|F|This server is vulnerable to the POODLE TLS attack. Patching required. Grade set to F. MORE INFO |
|F|This server supports 512-bit export suites and might be vulnerable to the FREAK attack. Grade set to F. MORE INFO |
|F|This server supports anonymous (insecure) suites (see below for details). Grade set to F. |
|F|This server supports insecure Diffie-Hellman (DH) key exchange parameters (Logjam). Grade set to F. MORE INFO |
|F|This server supports SSL 2, which is obsolete and insecure, and can be used against TLS (DROWN attack). Grade set to F. MORE INFO |
|T|This server's certificate is not trusted, see below for details. |
Q&A
Q. メッセージはこれで全部か。
A. わかりません。あくまで私が見つけたものの一覧なので、抜け漏れはあるかもしれません。
Q. この一覧は最新か。
A. これは、2016年4月~2017年1月くらいの間に私が見つけたものの一覧です。現在は廃止、変更された項目もあるかもしれません。
以上!幸運を祈る。