#########################################################
  testssl.sh 2.5dev               http://dev.testssl.sh
  (59299ce 2015-06-17 11:33:29 -- 1.279)

   This program is free software. Redistribution +
   modification under GPLv2 is permitted.
   USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

 Note: you can only check the server with what is
 available (ciphers/protocols) locally on your machine!
#########################################################

 Using "OpenSSL 1.0.2a 19 Mar 2015" [~141 ciphers] on
 adam-w530:/usr/bin/openssl
 (built: "reproducible build, date unspecified", platform: "Cygwin-x86_64")

For now I am providing the config file in to have GOST support
Testing now all MX records (on port 25): eugeni.torproject.org 
-------------------------------------------------------------------------------------------------------------------------

Testing now (2015-06-19 11:29) ---> 38.229.72.13:25 (eugeni.torproject.org) <---

 rDNS (38.229.72.13):    eugeni.torproject.org
 Service set:            STARTTLS via SMTP

--> Testing protocols (via native openssl)

 SSLv2      not offered (OK)
 SSLv3      offered (NOT ok)
 TLS 1      offered
 TLS 1.1    offered
 TLS 1.2    offered (OK)
 SPDY/NPN   (SPDY is a HTTP protocol and thus not tested here)

--> Testing ~standard cipher lists

 Null Ciphers                 not offered (OK)
 Anonymous NULL Ciphers       not offered (OK)
 Anonymous DH Ciphers         not offered (OK)
 40 Bit encryption            offered (NOT ok)
 56 Bit encryption         Local problem: No 56 Bit encryption configured in /usr/bin/openssl
 Export Ciphers (general)     offered (NOT ok)
 Low (<=64 Bit)               offered (NOT ok)
 DES Ciphers                  offered (NOT ok)
 Medium grade encryption      offered (NOT ok)
 Triple DES Ciphers           offered (NOT ok)
 High grade encryption        offered (OK)

--> Testing (perfect) forward secrecy, (P)FS -- omitting 3DES, RC4 and Null Encryption here

 PFS ciphers (OK): ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-SEED-SHA DHE-RSA-CAMELLIA128-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-RC4-SHA 


--> Testing server preferences

 Has server cipher order?     nope (NOT ok)
 Negotiated protocol          TLSv1.2
 Negotiated cipher            ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (limited sense as client will pick)
 Negotiated cipher per proto  (limited sense as client will pick)(SPDY is a HTTP protocol and thus not tested here)
     ECDHE-RSA-AES256-SHA:          SSLv3, TLSv1, TLSv1.1
     ECDHE-RSA-AES256-GCM-SHA384:   TLSv1.2
 No further cipher order check as order is determined by the client

--> Testing server defaults (Server Hello)

 TLS timestamp:               (not yet implemented for STARTTLS) 
 HTTP clock skew:             not tested as we're not targeting HTTP
 TLS server extensions        renegotiation info, EC point formats, session ticket, heartbeat
 Session Tickets RFC 5077     7200 seconds
 Server key size              2048 bit
 Signature Algorithm          SHA1 with RSA
 Fingerprint / Serial         SHA1 62D590B1F07257E21B08EB88D9295C0EF00F3EA2 / 01B8
                              SHA256 ED83D27364F556AEAAA066E4D35FB46E959C033C579E226D89A8850F9FDACB5C
 Common Name (CN)             eugeni.torproject.org (matches certificate directly)
 subjectAltName (SAN)         -- 
 Issuer                       auto-ca.torproject.org (torproject.org)
 Certificate Expiration       >= 60 days (2015-03-10 20:00 --> 2016-03-09 19:00 -0500)
 # of certificates provided   2
 Certificate Revocation List  --
 OCSP URI                     --
 OCSP stapling                not offered

--> Testing vulnerabilities

 Heartbleed (CVE-2014-0160)                (not yet implemented for STARTTLS)
 CCS (CVE-2014-0224)                       (not yet implemented for STARTTLS)
 Secure Renegotiation (CVE 2009-3555)      not vulnerable (OK)
 Secure Client-Initiated Renegotiation     likely not vulnerable (OK) (timed out)
 CRIME, TLS (CVE-2012-4929)                VULNERABLE (NOT ok), but not using HTTP: probably no exploit known
 POODLE, SSL (CVE-2014-3566)               VULNERABLE (NOT ok), uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)
 TLS_FALLBACK_SCSV (RFC 7507)              Downgrade attack prevention NOT supported
 FREAK (CVE-2015-0204), experimental       VULNERABLE (NOT ok), uses EXPORT RSA ciphers
 LOGJAM (CVE-2015-4000), experimental      VULNERABLE (NOT ok), uses DHE EXPORT ciphers
 BEAST (CVE-2011-3389)                     SSL3: ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA
                                                 DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA
                                                 EXP-EDH-RSA-DES-CBC-SHA EXP-DES-CBC-SHA EXP-RC2-CBC-MD5
                                                 EXP-RC2-CBC-MD5
                                           TLS1: ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA
                                                 DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA
                                                 EXP-EDH-RSA-DES-CBC-SHA EXP-DES-CBC-SHA EXP-RC2-CBC-MD5
                                                 EXP-RC2-CBC-MD5
                                           -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2
 RC4 (CVE-2013-2566, CVE-2015-2808)        VULNERABLE (NOT ok): ECDHE-RSA-RC4-SHA RC4-SHA RC4-MD5 RC4-MD5 EXP-RC4-MD5 EXP-RC4-MD5 

--> Testing all locally available 141 ciphers against the server, ordered by encryption strength

Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption Bits        Cipher Suite Name (RFC)
-----------------------------------------------------------------------------------------------------------------------
 xc030   ECDHE-RSA-AES256-GCM-SHA384    ECDH 256   AESGCM     256         TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384             
 xc028   ECDHE-RSA-AES256-SHA384        ECDH 256   AES        256         TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384             
 xc014   ECDHE-RSA-AES256-SHA           ECDH 256   AES        256         TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                
 x9f     DHE-RSA-AES256-GCM-SHA384      DH 1024    AESGCM     256         TLS_DHE_RSA_WITH_AES_256_GCM_SHA384               
 x6b     DHE-RSA-AES256-SHA256          DH 1024    AES        256         TLS_DHE_RSA_WITH_AES_256_CBC_SHA256               
 x39     DHE-RSA-AES256-SHA             DH 1024    AES        256         TLS_DHE_RSA_WITH_AES_256_CBC_SHA                  
 x88     DHE-RSA-CAMELLIA256-SHA        DH 1024    Camellia   256         TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA             
 x9d     AES256-GCM-SHA384              RSA        AESGCM     256         TLS_RSA_WITH_AES_256_GCM_SHA384                   
 x3d     AES256-SHA256                  RSA        AES        256         TLS_RSA_WITH_AES_256_CBC_SHA256                   
 x35     AES256-SHA                     RSA        AES        256         TLS_RSA_WITH_AES_256_CBC_SHA                      
 x84     CAMELLIA256-SHA                RSA        Camellia   256         TLS_RSA_WITH_CAMELLIA_256_CBC_SHA                 
 xc02f   ECDHE-RSA-AES128-GCM-SHA256    ECDH 256   AESGCM     128         TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256             
 xc027   ECDHE-RSA-AES128-SHA256        ECDH 256   AES        128         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256             
 xc013   ECDHE-RSA-AES128-SHA           ECDH 256   AES        128         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                
 x9e     DHE-RSA-AES128-GCM-SHA256      DH 1024    AESGCM     128         TLS_DHE_RSA_WITH_AES_128_GCM_SHA256               
 x67     DHE-RSA-AES128-SHA256          DH 1024    AES        128         TLS_DHE_RSA_WITH_AES_128_CBC_SHA256               
 x33     DHE-RSA-AES128-SHA             DH 1024    AES        128         TLS_DHE_RSA_WITH_AES_128_CBC_SHA                  
 x9a     DHE-RSA-SEED-SHA               DH 1024    SEED       128         TLS_DHE_RSA_WITH_SEED_CBC_SHA                     
 x45     DHE-RSA-CAMELLIA128-SHA        DH 1024    Camellia   128         TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA             
 x9c     AES128-GCM-SHA256              RSA        AESGCM     128         TLS_RSA_WITH_AES_128_GCM_SHA256                   
 x3c     AES128-SHA256                  RSA        AES        128         TLS_RSA_WITH_AES_128_CBC_SHA256                   
 x2f     AES128-SHA                     RSA        AES        128         TLS_RSA_WITH_AES_128_CBC_SHA                      
 x96     SEED-SHA                       RSA        SEED       128         TLS_RSA_WITH_SEED_CBC_SHA                         
 x41     CAMELLIA128-SHA                RSA        Camellia   128         TLS_RSA_WITH_CAMELLIA_128_CBC_SHA                 
 xc011   ECDHE-RSA-RC4-SHA              ECDH 256   RC4        128         TLS_ECDHE_RSA_WITH_RC4_128_SHA                    
 x05     RC4-SHA                        RSA        RC4        128         TLS_RSA_WITH_RC4_128_SHA                          
 x04     RC4-MD5                        RSA        RC4        128         TLS_RSA_WITH_RC4_128_MD5                          
 x010080 RC4-MD5                        RSA        RC4        128         SSL_CK_RC4_128_WITH_MD5                           
 xc012   ECDHE-RSA-DES-CBC3-SHA         ECDH 256   3DES       168         TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA               
 x16     EDH-RSA-DES-CBC3-SHA           DH 1024    3DES       168         TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA                 
 x0a     DES-CBC3-SHA                   RSA        3DES       168         TLS_RSA_WITH_3DES_EDE_CBC_SHA                     
 x15     EDH-RSA-DES-CBC-SHA            DH 1024    DES        56          TLS_DHE_RSA_WITH_DES_CBC_SHA                      
 x09     DES-CBC-SHA                    RSA        DES        56          TLS_RSA_WITH_DES_CBC_SHA                          
 x14     EXP-EDH-RSA-DES-CBC-SHA        DH(512)    DES        40,export   TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA             
 x08     EXP-DES-CBC-SHA                RSA(512)   DES        40,export   TLS_RSA_EXPORT_WITH_DES40_CBC_SHA                 
 x06     EXP-RC2-CBC-MD5                RSA(512)   RC2        40,export   TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5                
 x040080 EXP-RC2-CBC-MD5                RSA(512)   RC2        40,export   SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5              
 x03     EXP-RC4-MD5                    RSA(512)   RC4        40,export   TLS_RSA_EXPORT_WITH_RC4_40_MD5                    
 x020080 EXP-RC4-MD5                    RSA(512)   RC4        40,export   SSL_CK_RC4_128_EXPORT40_WITH_MD5                  


Done now (2015-06-19 11:41) ---> 38.229.72.13:25 (eugeni.torproject.org) <---


-------------------------------------------------------------------------------------------------------------------------
Done testing now all MX records (on port 25): eugeni.torproject.org