Hi Boneyard,
We are using Version: 11.4.1 (Edition: Hotfix HF8), Please find below the cipher list:
tmm --clientcipher 'DEFAULT:!SSLv3:!RC4'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
1: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA
2: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
3: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
4: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
5: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA
6: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
7: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
8: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA
9: 10 DES-CBC3-SHA 192 TLS1.1 Native DES SHA RSA
10: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA
11: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA
12: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
13: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
14: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA
15: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA
16: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
17: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA
18: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA
19: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
20: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_RSA
21: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDHE_RSA
22: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_RSA
I am attaching ssllab output below:
Configuration
Protocols
TLS 1.2Yes
TLS 1.1Yes
TLS 1.0Yes
SSL 3No
SSL 2No
Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites at the end)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)112
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS256
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH secp256r1 (eq. 3072 bits RSA) FS112
Handshake Simulation
Android 2.3.7 No SNI 2RSA 2048 (SHA256) TLS 1.0TLS_RSA_WITH_AES_128_CBC_SHA No FS
Android 4.0.4RSA 2048 (SHA256) TLS 1.0TLS_RSA_WITH_AES_128_CBC_SHA No FS
Android 4.1.1RSA 2048 (SHA256) TLS 1.0TLS_RSA_WITH_AES_128_CBC_SHA No FS
Android 4.2.2RSA 2048 (SHA256) TLS 1.0TLS_RSA_WITH_AES_128_CBC_SHA No FS
Android 4.3RSA 2048 (SHA256) TLS 1.0TLS_RSA_WITH_AES_128_CBC_SHA No FS
Android 4.4.2RSA 2048 (SHA256) TLS 1.2TLS_RSA_WITH_AES_128_CBC_SHA No FS
Android 5.0.0RSA 2048 (SHA256) TLS 1.2TLS_RSA_WITH_AES_128_CBC_SHA No FS
Android 6.0RSA 2048 (SHA256) TLS 1.2TLS_RSA_WITH_AES_128_CBC_SHA No FS
Baidu Jan 2015RSA 2048 (SHA256) TLS 1.0TLS_RSA_WITH_AES_128_CBC_SHA No FS
BingPreview Jan 2015RSA 2048 (SHA256) TLS 1.2TLS_RSA_WITH_AES_128_CBC_SHA No FS
Chrome 51 / Win 7 RRSA 2048 (SHA256) TLS 1.2TLS_RSA_WITH_AES_128_CBC_SHA No FS
Firefox 31.3.0 ESR / Win 7RSA 2048 (SHA256) TLS 1.2TLS_RSA_WITH_AES_128_CBC_SHA No FS
Firefox 46 / Win 7 RRSA 2048 (SHA256) TLS 1.2TLS_RSA_WITH_AES_128_CBC_SHA No FS
Firefox 47 / Win 7 RRSA 2048 (SHA256) TLS 1.2TLS_RSA_WITH_AES_128_CBC_SHA No FS
Googlebot Feb 2015RSA 2048 (SHA256) TLS 1.2TLS_RSA_WITH_AES_128_CBC_SHA No FS
IE 6 / XP No FS 1 No SNI 2Server sent fatal alert: handshake_failure
IE 7 / VistaRSA 2048 (SHA256) TLS 1.0TLS_RSA_WITH_AES_128_CBC_SHA No FS
IE 8 / XP No FS 1 No SNI 2RSA 2048 (SHA256) TLS 1.0TLS_RSA_WITH_3DES_EDE_CBC_SHA
IE 8-10 / Win 7 RRSA 2048 (SHA256) TLS 1.0TLS_RSA_WITH_AES_128_CBC_SHA No FS
IE 11 / Win 7 RRSA 2048 (SHA256) TLS 1.2TLS_RSA_WITH_AES_128_CBC_SHA No FS
IE 11 / Win 8.1 RRSA 2048 (SHA256) TLS 1.2TLS_RSA_WITH_AES_128_CBC_SHA No FS
IE 10 / Win Phone 8.0RSA 2048 (SHA256) TLS 1.0TLS_RSA_WITH_AES_128_CBC_SHA No FS
IE 11 / Win Phone 8.1 RRSA 2048 (SHA256) TLS 1.2TLS_RSA_WITH_AES_128_CBC_SHA No FS
IE 11 / Win Phone 8.1 Update RRSA 2048 (SHA256) TLS 1.2TLS_RSA_WITH_AES_128_CBC_SHA No FS
IE 11 / Win 10 RRSA 2048 (SHA256) TLS 1.2TLS_RSA_WITH_AES_128_CBC_SHA No FS
Edge 13 / Win 10 RRSA 2048 (SHA256) TLS 1.2TLS_RSA_WITH_AES_128_CBC_SHA No FS
Edge 13 / Win Phone 10 RRSA 2048 (SHA256) TLS 1.2TLS_RSA_WITH_AES_128_CBC_SHA No FS
Java 6u45 No SNI 2RSA 2048 (SHA256) TLS 1.0TLS_RSA_WITH_AES_128_CBC_SHA No FS
Java 7u25RSA 2048 (SHA256) TLS 1.0TLS_RSA_WITH_AES_128_CBC_SHA No FS
Java 8u31RSA 2048 (SHA256) TLS 1.2TLS_RSA_WITH_AES_128_CBC_SHA No FS
OpenSSL 0.9.8yRSA 2048 (SHA256) TLS 1.0TLS_RSA_WITH_AES_128_CBC_SHA No FS
OpenSSL 1.0.1l RRSA 2048 (SHA256) TLS 1.2TLS_RSA_WITH_AES_128_CBC_SHA No FS
OpenSSL 1.0.2e RRSA 2048 (SHA256) TLS 1.2TLS_RSA_WITH_AES_128_CBC_SHA No FS
Safari 5.1.9 / OS X 10.6.8RSA 2048 (SHA256) TLS 1.0TLS_RSA_WITH_AES_128_CBC_SHA No FS
Safari 6 / iOS 6.0.1 RRSA 2048 (SHA256) TLS 1.2TLS_RSA_WITH_AES_128_CBC_SHA No FS
Safari 6.0.4 / OS X 10.8.4 RRSA 2048 (SHA256) TLS 1.0TLS_RSA_WITH_AES_128_CBC_SHA No FS
Safari 7 / iOS 7.1 RRSA 2048 (SHA256) TLS 1.2TLS_RSA_WITH_AES_128_CBC_SHA No FS
Safari 7 / OS X 10.9 RRSA 2048 (SHA256) TLS 1.2TLS_RSA_WITH_AES_128_CBC_SHA No FS
Safari 8 / iOS 8.4 RRSA 2048 (SHA256) TLS 1.2TLS_RSA_WITH_AES_128_CBC_SHA No FS
Safari 8 / OS X 10.10 RRSA 2048 (SHA256) TLS 1.2TLS_RSA_WITH_AES_128_CBC_SHA No FS
Safari 9 / iOS 9 RRSA 2048 (SHA256) TLS 1.2TLS_RSA_WITH_AES_128_CBC_SHA No FS
Safari 9 / OS X 10.11 RRSA 2048 (SHA256) TLS 1.2TLS_RSA_WITH_AES_128_CBC_SHA No FS
Apple ATS 9 / iOS 9 RRSA 2048 (SHA256) TLS 1.2TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH secp256r1 FS
Yahoo Slurp Jan 2015RSA 2048 (SHA256) TLS 1.2TLS_RSA_WITH_AES_128_CBC_SHA No FS
YandexBot Jan 2015RSA 2048 (SHA256) TLS 1.2TLS_RSA_WITH_AES_128_CBC_SHA No FS
(1) Clients that do not support Forward Secrecy (FS) are excluded when determining support for it.
(2) No support for virtual SSL hosting (SNI). Connects to the default site if the server uses SNI.
(3) Only first connection attempt simulated. Browsers sometimes retry with a lower protocol version.
(R) Denotes a reference browser or client, with which we expect better effective security.
(All) We use defaults, but some platforms do not use their best protocols and features (e.g., Java 6 & 7, older IE).
Protocol Details
DROWN (experimental)No, server keys and hostname not seen elsewhere with SSLv2
(1) For a better understanding of this test, please read this longer explanation
(2) Key usage data kindly provided by the Censys network search engine; original DROWN test here
(3) Censys data is only indicative of possible key and certificate reuse; possibly out-of-date and not complete
Secure RenegotiationSupported
Secure Client-Initiated RenegotiationYes
Insecure Client-Initiated RenegotiationNo
BEAST attackNot mitigated server-side (more info) TLS 1.0: 0x2f
POODLE (SSLv3)No, SSL 3 not supported (more info)
POODLE (TLS)Inconclusive (Timeout) (more info)
Downgrade attack preventionYes, TLS_FALLBACK_SCSV supported (more info)
SSL/TLS compressionNo
RC4No
Heartbeat (extension)No
Heartbleed (vulnerability)No (more info)
OpenSSL CCS vuln. (CVE-2014-0224)No (more info)
OpenSSL Padding Oracle vuln.
(CVE-2016-2107)No (more info)
Forward SecrecyWith some browsers (more info)
ALPNNo
NPNNo
Session resumption (caching)Yes
Session resumption (tickets)No
OCSP staplingNo
Strict Transport Security (HSTS)Yes
max-age=63072000; includeSubdomains
HSTS PreloadingNot in: Chrome Edge Firefox IE Tor
Public Key Pinning (HPKP)No
Public Key Pinning Report-OnlyNo
Long handshake intoleranceNo
TLS extension intoleranceNo
TLS version intoleranceNo
Incorrect SNI alertsNo
Uses common DH primesNo, DHE suites not supported
DH public server param (Ys) reuseNo, DHE suites not supported
SSL 2 handshake compatibilityYes