Summary of WWW - Thomann.de:443 (HTTPS) SSL Security Test

ImmuniWeb® Community | SSL Security Test
Test SSL/TLS implementation of any service on any port for compliance with PCI DSS requirements, HIPAA guidance and NIST
guidelines.
WWW.THOMANN.DE FINAL GRADE
September 28th 2020

212.204.75.161:443
19:17 CEST
Summary of www.thomann.de:443 (HTTPS) SSL Security Test
The server has TLS 1.0 enabled. It is non-compliant with NIST Non-compliant with PCI DSS and NIST
since SP 800-52 REV. 2 and non-compliant with PCI DSS since
the 30th of June 2018.
The server has TLS 1.1 enabled. NIST recommends to drop TLS Information
1.1 support since SP 800-52 REV. 2
2020 © ImmuniWeb® Community | SSL Security Test | https://www.immuniweb.com/ssl/?id=s1kj1r2w 1 / 13

SSL Certificate Analysis
RSA CERTIFICATE INFORMATION
Issuer RapidSSL RSA CA 2018

Trusted Yes
Common Name *.thomann.de
Key Type/Size RSA 4096 bits
Signature Algorithm sha256WithRSAEncryption
Subject Alternative Names DNS:*.thomann.de, DNS:thomann.de
Transparency Yes
Validation Level DV
CRL http://cdp.rapidssl.com/RapidSSLRSACA2018.crl
OCSP http://status.rapidssl.com
OCSP Must-Staple No
Supports OCSP Stapling No
Valid From April 1st 2020, 02:00 CEST
Valid To April 2nd 2021, 13:00 CET
CERTIFICATE CHAIN
Server sends useless certificates. Misconfiguration or weakness
DigiCert Global Root CA Self-signed Root CA

SHA256 4348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c70161
PIN r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E=
Expires in 4,059 days
RapidSSL RSA CA 2018


Intermediate CA

SHA256 c790b47128447ec0b60f22bfcb795d71c326dd910ee12cbb4cc5a86191eb91bc
PIN nKWcsYrc+y5I8vLf1VGByjbt+Hnasjl+9h8lNKJytoE=
Expires in 2,595 days
*.thomann.de

Server certificate


SHA256 8abb63fc829be9921098e2902833cc30fc1a9381988e9b7f0d164786a25671f6
PIN AVUNs5DmDmQ7Iquv8GVMHvGVNYElOtu/uxbzYRi2Hs4=
Expires in 186 days

Test For Compliance With PCI DSS Requirements

Reference: PCI DSS 3.1 - Requirements 2.3 and 4.1
CERTIFICATES ARE TRUSTED
All the certificates provided by the server are trusted. Good configuration
SUPPORTED CIPHERS
List of all cipher suites supported by the server:
TLSV1.2
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Good configuration
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA Non-compliant with PCI DSS requirements
TLS_DHE_RSA_WITH_AES_256_CBC_SHA Good configuration

TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA Good configuration
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA Non-compliant with PCI DSS requirements
TLS_RSA_WITH_3DES_EDE_CBC_SHA Non-compliant with PCI DSS requirements
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Good configuration
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Good configuration

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 Good configuration
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 Good configuration
TLSV1.1


TLSV1.0

SUPPORTED PROTOCOLS
List of all SSL/TLS protocols supported by the server:
TLSv1.0 Non-compliant with PCI DSS requirements
TLSv1.1 Good configuration
DIFFIE-HELLMAN PARAMETER SIZE
Diffie-Hellman parameter size: 2048 bits Good configuration
SUPPORTED ELLIPTIC CURVES

List of all elliptic curves supported by the server:
P-256 (prime256v1) (256 bits) Good configuration
P-384 (secp384r1) (384 bits) Good configuration
POODLE OVER TLS
The server is not vulnerable to POODLE over TLS. Not vulnerable
GOLDENDOODLE
The server is not vulnerable to GOLDENDOODLE. Not vulnerable
ZOMBIE POODLE
The server is not vulnerable to Zombie POODLE. Not vulnerable
SLEEPING POODLE
The server is not vulnerable to Sleeping POODLE. Not vulnerable
0-LENGTH OPENSSL
The server is not vulnerable 0-Length OpenSSL. Not vulnerable

CVE-2016-2107
The server is not vulnerable to OpenSSL padding-oracle flaw (CVE-2016- Not vulnerable
2107).
SERVER DOES NOT SUPPORT CLIENT-INITIATED INSECURE RENEGOTIATION
The server does not support client-initiated insecure renegotiation. Good configuration
ROBOT
The server is not vulnerable to ROBOT (Return Of Bleichenbacher's Oracle Not vulnerable
Threat) vulnerability.
HEARTBLEED
The server version of OpenSSL is not vulnerable to Heartbleed attack. Not vulnerable
CVE-2014-0224
The server is not vulnerable to CVE-2014-0224 (OpenSSL CCS flaw). Not vulnerable

Test For Compliance With HIPAA Guidance

Reference: HIPAA of 1996, Guidance Specifying the Technologies and Methodologies that Render Protected Health Information
Unusable, Unreadable, or Indecipherable to Unauthorized Individuals.
X.509 CERTIFICATES ARE IN VERSION 3
All the X509 certificates provided by the server are in version 3. Good configuration
SERVER DOES NOT SUPPORT OCSP STAPLING
The server does not support OCSP stapling for its RSA certificate. Its support Non-compliant with HIPAA guidance
allows better verification of the certificate validation status.
SUPPORTED PROTOCOLS

SUPPORTED CIPHERS
TLSV1.2

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA Non-compliant with HIPAA guidance
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA Non-compliant with HIPAA guidance

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA Non-compliant with HIPAA guidance
TLS_RSA_WITH_3DES_EDE_CBC_SHA Non-compliant with HIPAA guidance


TLSV1.1




TLSV1.0




TLSV1.1 SUPPORTED
The server supports TLSv1.1 which is required minimum to comply with HIPAA Good configuration
guidance.
EC_POINT_FORMAT EXTENSION
The server supports the EC_POINT_FORMAT TLS extension. Good configuration

Test For Compliance With NIST Guidelines

Reference: NIST Special Publication 800-52 Revision 2 - Section 3
X.509 CERTIFICATES ARE IN VERSION 3
All the X509 certificates provided by the server are in version 3. Good configuration
SERVER DOES NOT SUPPORT OCSP STAPLING
The server does not support OCSP stapling for its RSA certificate. Its support Non-compliant with NIST guidelines
allows better verification of the certificate validation status.
SUPPORTED CIPHERS
TLSV1.2

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA Non-compliant with NIST guidelines

TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA Non-compliant with NIST guidelines

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA Non-compliant with NIST guidelines
TLS_RSA_WITH_3DES_EDE_CBC_SHA Non-compliant with NIST guidelines



TLSV1.1



TLSV1.0


SUPPORTED PROTOCOLS
TLSv1.0 Non-compliant with NIST guidelines



TLSV1.1 SUPPORTED
The server supports TLSv1.1. It's still compliant, but NIST recommends to drop Information
TLS 1.1 support since SP 800-52 REV. 2
SERVER DOES NOT SUPPORT OF TLSV1.3
The server does not support TLSv1.3 which is the only version of TLS that Information
currently has no known flaws or exploitable weaknesses.
SERVER DOES NOT SUPPORT EXTENDED MASTER SECRET
The server does not support Extended Master Secret extension for TLS vresions Non-compliant with NIST guidelines
≤ 1.2.
EC_POINT_FORMAT EXTENSION

The server supports the EC_POINT_FORMAT TLS extension. Good configuration

Test For Industry Best-Practices
DNSCAA
This domain does not have a Certification Authority Authorization (CAA) record. Information
CERTIFICATES DO NOT PROVIDE EV
The RSA certificate provided is NOT an Extended Validation (EV) certificate. Information
SERVER DOES NOT SUPPORT OF TLSV1.3
The server does not support TLSv1.3 which is the only version of TLS that Misconfiguration or weakness
currently has no known flaws or exploitable weaknesses.
SERVER HAS CIPHER PREFERENCE
The server enforces cipher suites preference. Good configuration
SERVER PREFERRED CIPHER SUITES

Preferred cipher suite for each protocol supported (except SSLv2). Expected configuration are ciphers allowed by PCI DSS
and enabling PFS:
TLSv1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLSv1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Good configuration

TLSv1.1 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLSv1.1 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Good configuration
TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Good configuration
SERVER PREFERS CIPHER SUITES PROVIDING PFS
For TLS family of protocols, the server prefers cipher suite(s) providing Perfect Good configuration
Forward Secrecy (PFS).
HTTP SITE DOES NOT REDIRECT
The HTTP version of the website does not redirect to the HTTPS version. We Misconfiguration or weakness
advise to enable redirection.
SERVER DOES NOT PROVIDE HSTS
The server does not enforce HTTP Strict Transport Security. We advise to Misconfiguration or weakness
enable it to enforce the user to browse the website in HTTPS.
TLS_FALLBACK_SCSV
The server supports TLS_FALLBACK_SCSV extension for protocol downgrade Good configuration
attack prevention.
SERVER DOES NOT SUPPORT CLIENT-INITIATED SECURE RENEGOTIATION
The server does not support client-initiated secure renegotiation. Good configuration
SERVER-INITIATED SECURE RENEGOTIATION
The server supports secure server-initiated renegotiation. Good configuration

SERVER DOES NOT SUPPORT TLS COMPRESSION
TLS compression is not supported by the server. Good configuration

Summary of WWW - Thomann.de:443 (HTTPS) SSL Security Test

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Summary of WWW - Thomann.de:443 (HTTPS) SSL Security Test

Загружено:

Авторское право:

Доступные форматы

ImmuniWeb® Community | SSL Security Test

WWW.THOMANN.DE FINAL GRADE

September 28th 2020

Summary of www.thomann.de:443 (HTTPS) SSL Security Test

2020 © ImmuniWeb® Community | SSL Security Test | https://www.immuniweb.com/ssl/?id=s1kj1r2w 1 / 13

SSL Certificate Analysis

RSA CERTIFICATE INFORMATION

Issuer RapidSSL RSA CA 2018

Server sends useless certificates. Misconfiguration or weakness

DigiCert Global Root CA Self-signed Root CA

Key Type/Size RSA 2048 bits

RapidSSL RSA CA 2018

Key Type/Size RSA 2048 bits

2020 © ImmuniWeb® Community | SSL Security Test | https://www.immuniweb.com/ssl/?id=s1kj1r2w 2 / 13

Key Type/Size RSA 4096 bits

2020 © ImmuniWeb® Community | SSL Security Test | https://www.immuniweb.com/ssl/?id=s1kj1r2w 3 / 13

Test For Compliance With PCI DSS Requirements

CERTIFICATES ARE TRUSTED

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Good configuration

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Good configuration

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA Non-compliant with PCI DSS requirements

TLS_DHE_RSA_WITH_AES_256_CBC_SHA Good configuration

TLS_DHE_RSA_WITH_AES_128_CBC_SHA Good configuration

TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA Good configuration

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA Non-compliant with PCI DSS requirements

TLS_RSA_WITH_3DES_EDE_CBC_SHA Non-compliant with PCI DSS requirements

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Good configuration

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Good configuration

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Good configuration

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 Good configuration

TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 Good configuration

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 Good configuration

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 Good configuration

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Good configuration

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Good configuration

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA Non-compliant with PCI DSS requirements

TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA Good configuration

TLS_DHE_RSA_WITH_AES_128_CBC_SHA Good configuration

TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA Good configuration

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA Non-compliant with PCI DSS requirements

2020 © ImmuniWeb® Community | SSL Security Test | https://www.immuniweb.com/ssl/?id=s1kj1r2w 4 / 13

TLS_RSA_WITH_3DES_EDE_CBC_SHA Non-compliant with PCI DSS requirements

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Good configuration

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Good configuration

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA Non-compliant with PCI DSS requirements

TLS_DHE_RSA_WITH_AES_256_CBC_SHA Good configuration

TLS_DHE_RSA_WITH_AES_128_CBC_SHA Good configuration

TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA Good configuration

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA Non-compliant with PCI DSS requirements

TLS_RSA_WITH_3DES_EDE_CBC_SHA Non-compliant with PCI DSS requirements

TLSv1.0 Non-compliant with PCI DSS requirements

TLSv1.1 Good configuration

TLSv1.2 Good configuration

DIFFIE-HELLMAN PARAMETER SIZE

Diffie-Hellman parameter size: 2048 bits Good configuration

SUPPORTED ELLIPTIC CURVES

P-256 (prime256v1) (256 bits) Good configuration

P-384 (secp384r1) (384 bits) Good configuration

P-521 (secp521r1) (521 bits) Good configuration

POODLE OVER TLS

The server is not vulnerable to POODLE over TLS. Not vulnerable

The server is not vulnerable to GOLDENDOODLE. Not vulnerable

The server is not vulnerable to Zombie POODLE. Not vulnerable