Various reports of all servers tested

Report for december 2013 | Results of the last day | Results of the last week | Results of the last month

TLS versions 25 results

SSL 2	0 0%
SSL 3	2 8%
TLS 1.0	9 36%
TLS 1.1	8 32%
TLS 1.2	24 96%

Grades 25 results

A	21 84%
B	3 12%
C	1 4%
D	0 0%
E	0 0%
F	0 0%

Does not penalize untrusted certificates.

RSA key sizes for domain certificates

RSA key size	Count
2048	12 52.2%
4096	11 47.8%

StartTLS

Type	Client to server	Server to server
Required	15 88.2%	4 50%
Allowed	2 11.8%	4 50%

Trust

To do authenticated encryption, a certificate needs to be both trusted and valid. Trusted means it is issued by a well-known CA and valid means it is valid for the domain we want to connect to.

	Trusted	Untrusted
Valid	20 66.7%	4 13.3%
Invalid	3 10%	3 10%

SASL mechanisms 17 results

Mechanism	# times offered before TLS	# times offered after TLS
PLAIN	3 17.6%	16 94.1%
SCRAM-SHA-1	2 11.8%	13 76.5%
SCRAM-SHA-1-PLUS	0 0%	8 47.1%
X-OAUTH2	1 5.9%	4 23.5%
DIGEST-MD5	2 11.8%	4 23.5%
SCRAM-SHA-256	0 0%	2 11.8%
SCRAM-SHA-256-PLUS	0 0%	2 11.8%
SCRAM-SHA-512	0 0%	2 11.8%
SCRAM-SHA-512-PLUS	0 0%	2 11.8%
CRAM-MD5	1 5.9%	1 5.9%

Servers supporting SSL 3, but not TLS 1.0 0 results

SSL 3 and TLS 1.0 are very similar, but TLS 1.0 has some small improvements. This table is meant to help judge whether SSL 3 can be disabled by listing the servers that do support SSL 3, but not TLS 1.0.

Target	Type	When

Servers supporting SSL 2 0 results

SSL 2 is broken and insecure. It is not required for compatibility and servers should disable it.

Target	Type	When

CAs used Top 30

Name/Organization	SHA1	Count
R3	48:50:4E:97:4C:0D:AC:5B:5C:D4:76:C8:20:22:74:B2:4C:8C:71:72	12
SwissSign Server Gold CA 2014 - G22	AD:F2:89:73:16:71:8B:45:25:CE:37:00:82:D9:F1:23:D4:93:8F:98	1
jabber.strategyobject.net	7B:22:EF:BA:C7:B7:34:15:56:36:FD:21:AC:4B:17:BD:13:F9:5F:4C	1
grompe.org.ru	43:DE:21:4C:85:67:B7:00:14:7C:8C:2A:BC:2E:93:14:66:8E:C1:68	1
localhost	B9:B3:E3:1F:26:CC:BF:DF:1E:78:9D:CA:61:A7:40:C5:FF:9C:E9:83	1
Go Daddy Secure Certificate Authority - G2	27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8	1
Sectigo RSA Domain Validation Secure Server CA	33:E4:E8:08:07:20:4C:2B:61:82:A3:A1:4B:59:1A:CD:25:B5:F0:DB	1
DigiCert SHA2 Extended Validation Server CA	7E:2F:3A:4F:8F:E8:FA:8A:57:30:AE:CA:02:96:96:63:7E:98:6F:3F	1
cPanel, Inc. Certification Authority	76:4D:2F:A5:9E:D1:23:F9:C9:55:70:C4:03:C9:2F:EF:33:8E:A7:45	1
ejabberd	85:19:95:FD:24:F8:35:DB:B0:80:EE:48:BB:CE:AA:35:5D:7E:E8:CF	1

Servers using <2048-bit RSA certificates which expires after 01-01-2014 0 results

As described in the CA/Browser Forum Baseline Requirements, certificates with RSA keys with less than 2048 bits should not be issued with an notAfter date after 31-12-2013. This list lists all certificates which violate that rule.

Target	Type	When	Issuer

Servers with DNSSEC signed SRV records 8 results

Target	Type	When
c3l.lu	client to server	2021-04-13T13:54:58+00:00
die.one	client to server	2021-04-14T00:15:40+00:00
jabber.systemli.org	client to server	2021-04-14T05:29:37+00:00
lingruby.ovh	client to server	2021-04-14T06:31:12+00:00
lingruby.ovh	server to server	2021-04-14T06:38:07+00:00
mailbox.org	client to server	2021-04-14T00:16:20+00:00
wiuwiu.de	client to server	2021-04-13T13:40:16+00:00
xmpp.is	client to server	2021-04-14T08:42:27+00:00

Servers with DNSSEC signed DANE records 0 results

Target	Type	When

Servers with a hidden service 0 results

Target	Type	When

Servers not offering encryption 0 results

Target	Type	When

Servers sharing private keys 0 results

Target	SHA256(SPKI)