www.kuguagantian.com
Overview
1. The main page references insecure HTTP resources; the rating is downgraded to B.
2. An untrusted certificate is in use; the rating is downgraded to T (special level).

1. Configure a cipher suite list that meets the PFS requirement. Recommended configuration: ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE
2. Enable TLS 1.2 in the server's TLS protocol settings. Recommended configuration: TLSv1 TLSv1.1 TLSv1.2
3. Ensure that the current domain name matches the certificate in use.
4. Ensure that the certificate is within its validity period.
5. The certificate must use a SHA-2 signature algorithm.
6. Ensure that the certificate was issued by a trusted CA.
7. The HSTS (HTTP Strict Transport Security) max-age should be greater than 15768000 seconds.
8. See "HTTPS Security Best Practices".
Certificate Information
Certificate chain information
Supported protocols
Supported cipher suites
Protocol details
SSL vulnerabilities
Client Handshake Simulation
Certificate compatibility test
Configuration Guide:
- HTTPS Security Best Practices (I): SSL/TLS Deployment
- HTTPS Security Best Practices (II): Security Hardening
- HTTPS Security Best Practices (III): Server Software
Notes:
- SNI: Server Name Indication, a TLS extension that allows a server to deploy multiple certificates on the same IP address and port.
- PFS: Perfect Forward Secrecy. It requires that a key be used for only one connection, so that if one key is compromised, the security of the other keys is not affected.
- HPKP: HTTP Public Key Pinning, a security mechanism for HTTPS sites that prevents man-in-the-middle attacks using certificates mis-issued by a CA.
- HSTS: A response header that forces the use of HTTPS, addressing the hijacking problem of the 301 redirect.
- OCSP: Online Certificate Status Protocol.
- OCSP Stapling: Delivers the certificate's revocation status during the TLS handshake, speeding up completion of the SSL handshake.