Various reports of all servers tested

Report for december 2013 | Results of the last day | Results of the last week | Results of the last month

TLS versions 24 results

SSL 2	0 0%
SSL 3	0 0%
TLS 1.0	10 41.7%
TLS 1.1	10 41.7%
TLS 1.2	24 100%

Grades 24 results

A	22 91.7%
B	2 8.3%
C	0 0%
D	0 0%
E	0 0%
F	0 0%

Does not penalize untrusted certificates.

RSA key sizes for domain certificates

RSA key size	Count
2048	18 78.3%
4096	5 21.7%

StartTLS

Type	Client to server	Server to server
Required	17 94.4%	4 66.7%
Allowed	1 5.6%	2 33.3%

Trust

To do authenticated encryption, a certificate needs to be both trusted and valid. Trusted means it is issued by a well-known CA and valid means it is valid for the domain we want to connect to.

	Trusted	Untrusted
Valid	0%	25 96.2%
Invalid	0%	1 3.8%

SASL mechanisms 18 results

Mechanism	# times offered before TLS	# times offered after TLS
PLAIN	1 5.6%	17 94.4%
SCRAM-SHA-1	2 11.1%	15 83.3%
SCRAM-SHA-1-PLUS	0 0%	14 77.8%
OFMEET	1 5.6%	1 5.6%
DIGEST-MD5	0 0%	1 5.6%
SCRAM-SHA-512	0 0%	1 5.6%
SCRAM-SHA-512-PLUS	0 0%	1 5.6%

Servers supporting SSL 3, but not TLS 1.0 0 results

SSL 3 and TLS 1.0 are very similar, but TLS 1.0 has some small improvements. This table is meant to help judge whether SSL 3 can be disabled by listing the servers that do support SSL 3, but not TLS 1.0.

Target	Type	When

Servers supporting SSL 2 0 results

SSL 2 is broken and insecure. It is not required for compatibility and servers should disable it.

Target	Type	When

CAs used Top 30

Name/Organization	SHA1	Count
R3	48:50:4E:97:4C:0D:AC:5B:5C:D4:76:C8:20:22:74:B2:4C:8C:71:72	15
Let's Encrypt Authority X3	E6:A3:B4:5B:06:2D:50:9B:33:82:28:2D:19:6E:FE:97:D5:95:6C:CB	2
lhndev.com	19:90:E9:33:48:A0:77:B3:D5:A7:95:79:D0:A2:26:59:DA:B4:BE:3B	1
ZeroSSL RSA Domain Secure Site CA	C8:1A:8B:D1:F9:CF:6D:84:C5:25:F3:78:CA:1D:3F:8C:30:77:0E:34	1

Servers using <2048-bit RSA certificates which expires after 01-01-2014 0 results

As described in the CA/Browser Forum Baseline Requirements, certificates with RSA keys with less than 2048 bits should not be issued with an notAfter date after 31-12-2013. This list lists all certificates which violate that rule.

Target	Type	When	Issuer

Servers with DNSSEC signed SRV records 8 results

Target	Type	When
campanella.org	client to server	2021-01-24T23:18:29+00:00
campanella.org	server to server	2021-01-24T23:18:02+00:00
handb.xyz	client to server	2021-01-25T00:34:51+00:00
handb.xyz	server to server	2021-01-25T00:42:47+00:00
jabber.calyxinstitute.org	client to server	2021-01-24T23:23:39+00:00
jabber.de	client to server	2021-01-25T01:03:02+00:00
jabber.fr	client to server	2021-01-24T15:46:25+00:00
xmpp.is	client to server	2021-01-24T16:58:13+00:00

Servers with DNSSEC signed DANE records 0 results

Target	Type	When

Servers with a hidden service 1 results

Target	Type	When
jabber.calyxinstitute.org	client to server	2021-01-24T23:23:39+00:00

Servers not offering encryption 1 results

Target	Type	When
campanella.org	server to server	2021-01-24T23:18:02+00:00

Servers sharing private keys 0 results

Target	SHA256(SPKI)