SSL Labs SSLTest gets a nice update

The latest version of the SSL Test (v1.2.85) has expanded on the amount of virtualized browsers and operating systems, now including more browser versions, OSX, and even Fedora. On top of that Forward Secrecy has been properly merged into the test rather than just being a "bonus point".



Interesting to note is that Windows XP doesn't actually support modern cipher suites that use Forward Secrecy like ECDHE. A lot of software and "privacy fanatics" will be at risk due to this, having only older more vulnerable cipher suites to choose. Another reason for XP users to upgrade.

Unsurprisingly Windows 8/8.1 has the best support for the newest ciphers like GCM_SHA256

Also watch out using v12.xx of Opera or Firefox on Debian. Though I'm unsure why the Debian version of Firefox is worse off than the Windows 7 version.

 

Only if you use IE or Safari, they use TLS implementation of the OS. FF, Chrome and Opera(both old and new) don't.

Yes, it seems other browser and OS's have some catching up to do, good job from MS. I remember IE being the last browser to still support vulnerable SSL 2.0 and now the roles seemed to have turned.

Apparently Debian's fault, strange choice:
Firefox and Chrome use NSS meaningless of the OS. However, some Linux distros ship a Firefox version which may have disabled ECC support, like Fedora or Red Hat Enterprise Linux.
http://www.carbonwind.net/blog/post...rowsers-and-their-SSLTLS-implementations.aspx

 

That's true, but this statement seems to suggest that no browser on XP supports Forward Secrecy, or am I misinterpreting it?
"Browsers that do not support Forward Secrecy are excluded when determining support for it."
(The asterisk next to WinXP)

Also keep in mind that other software that may communicates over SSL/TLS could be using the OS implementation.

That is strange, thanks for the info.

edit:

Configuring Apache, Nginx, and OpenSSL for Forward Secrecy

This blog entry goes quite in depth actually, I'll be linking it to a few people that weren't sure how to set it up.

 

I'm not sure, perhaps they mean IE on XP, but none of the other browsers are tested on XP, which might mean they excluded that because they don't have PFS support on XP. Unfortunately, I don't have access to an XP machine at the moment, so I can't check it myself.

Good point, though I doubt many of them will uses the latest TLS protocols and FPS.

 

I just installed XP in a VM and then I remembered this, so I installed Chrome in the VM, and it shows ECDHE_RSA being used for encrypted.google.com, I also installed FF but it doesn't display if it uses ECDHE, though all ciphers with ECDHE are enabled in about:config. The windows disc contained XP SP2 and I didn't update it yet, so even on an outdated XP machine, browsers can support Forward Secrecy if they use an SSL/TLS implementation independent of the OS.

 

That site is very useful. Unfortunately, it can only test web servers but not mail servers.

So in order to test if your email server supports Forward Secrecy you have to execute, e.g.,

Code:

openssl s_client -cipher 'ECDH:DH' -connect pop.googlemail.com:995

and

Code:

openssl s_client -cipher 'ECDH:DH' -connect smtp.googlemail.com:465

or

Code:

openssl s_client -cipher 'ECDH:DH' -connect imap.googlemail.com:993

If you get a ciphersuite that begins with DH or ECDH, PFE is supported.

Another useful tool is sslscan which tests the SSL capabilities of a server.

 

SSLTest has been updated to 1.3.6;
The difference I see is that they expanded the handshake stimulation to include IE6 on XP, Java 6u45, Java 7u25, OpenSSL 0.9.8y and OpenSSL 1.0.1e.

 

SSL Labs now also has a client test:
https://www.ssllabs.com/ssltest/viewMyClient.html

https://community.qualys.com/blogs/securitylabs/2013/10/02/introducing-the-ssl-client-test