[研究]ESET NOD32 Antivirus 可能會變更網站伺服器憑證資訊(一)

[研究]ESET NOD32 Antivirus 可能會變更網站伺服器憑證資訊(一)

2023-02-25

********************************************************************************

同一台電腦，安裝 ESET NOD32 Antivirus，檢視不同網站伺服器憑證

https://gcp.nat.gov.tw/

********************************************************************************

另一台電腦，沒有安裝 ESET NOD32 Antivirus，檢視不同網站伺服器憑證

********************************************************************************

(下圖)官方沒查到特別有用資訊

********************************************************************************

問一下 ChatGPT

(下圖)Click 可看100%圖

同一個網站，ESET NOD32 會把網站伺服器憑證變成 ESET 發行，非 ESET NOD32 看到正常，為什麼？

可能有以下幾種情況：

中間人攻擊：可能您的電腦或網路受到中間人攻擊。中間人攻擊者可以篡改您和網站之間的通訊，使您看到的網站伺服器憑證被替換成由ESET發行的憑證。此舉可以讓攻擊者收集您的個人敏感資訊，例如帳戶密碼、信用卡號碼等。

安全軟體的SSL檢查：ESET NOD32可能開啟了SSL/TLS憑證檢查功能。此功能會對瀏覽器所連接的網站的憑證進行驗證，確保該網站的憑證是由可信的機構發行的。如果憑證不符合要求，ESET NOD32可能會替換掉該網站的憑證，以確保您的訪問是安全的。

瀏覽器快取：可能您的瀏覽器已經儲存了一份ESET發行的憑證，並且在訪問網站時直接從快取中載入了該憑證。這將導致您看到的網站伺服器憑證被替換成由ESET發行的憑證。

如果您懷疑自己的電腦或網路受到中間人攻擊，建議您立即停止使用該電腦或網路，並採取必要的安全措施，例如更改密碼、更新防病毒軟體、使用VPN等。如果您對ESET NOD32的SSL/TLS憑證檢查功能有疑問，建議您查閱該軟體的使用手冊或聯繫ESET支援團隊。

********************************************************************************

Q：網站A，ESET NOD32 會把伺服器憑證變成 ESET 發行，沒安裝 ESET NOD32 則看到正常，

網站B，不管有無安裝 ESET NOD32，看到都正常，為什麼？

ChatGPT：

這種情況可能是因為網站A和網站B所使用的SSL/TLS憑證不同，或者是因為ESET NOD32在網站A和網站B之間的憑證驗證策略不同所導致的。

對於網站A，ESET NOD32可能開啟了SSL/TLS憑證檢查功能，並且該網站使用的憑證不符合要求。這導致ESET NOD32替換了網站A的憑證，以確保您的訪問是安全的。而在沒有安裝ESET NOD32的情況下，您可以正常訪問網站A，因為您的瀏覽器沒有對該憑證進行檢查，所以您看到的是該網站原本的憑證。

對於網站B，可能它所使用的憑證符合ESET NOD32的憑證驗證要求，所以無論您是否安裝ESET NOD32，您都可以正常訪問該網站，並且您看到的憑證與該網站原本的憑證相同。

總之，ESET NOD32的SSL/TLS憑證檢查功能可以增加網路訪問的安全性，但有時也可能會影響您對某些網站的訪問體驗。如果您對ESET NOD32的憑證驗證策略有疑問，建議您查閱該軟體的使用手冊或聯繫ESET支援團隊。

********************************************************************************

SSL Server Test (Powered by Qualys SSL Labs)

https://www.ssllabs.com/ssltest/index.html

(下圖)查很久

(下圖)Click 可看100%

********************************************************************************

把全部「Click here to expand」按鈕按下。(卷動抓圖過程會失敗，測試2次都如次)，貼出內容

Home Projects Qualys Free Trial Contact

You are here:  Home > Projects > SSL Server Test > gcp.nat.gov.tw > 210.241.69.200

SSL Report: gcp.nat.gov.tw (210.241.69.200)

Assessed on:  Fri, 24 Feb 2023 23:35:05 UTC | Hide | Clear cache

Scan Another »

Summary

Overall Rating

A+

0

20

40

60

80

100

Certificate

 

Protocol Support

 

Key Exchange

 

Cipher Strength

 

Visit our documentation page for more information, configuration guides, and books. Known issues are documented here.

HTTP Strict Transport Security (HSTS) with long duration deployed on this server.  MORE INFO »

Certificate #1: RSA 2048 bits (SHA256withRSA)

Server Key and Certificate #1
Subject	grca.nat.gov.tw Fingerprint SHA256: 6629f1afdffecf6a2e7886ee705cf21fa3aeb1c2666d85f13488ff1c8efe04b6 Pin SHA256: tqa/TX0pN+xM6+fX1ar9rVi6o+duYp2NUL/yRVWOjlY=
Common names	grca.nat.gov.tw
Alternative names	grca.nat.gov.tw gcp.nat.gov.tw gca.nat.gov.tw gcaweb.nat.gov.tw gcara.nat.gov.tw xca.nat.gov.tw xcaweb.nat.gov.tw xcara.nat.gov.tw gtlsca.nat.gov.tw gtlscaweb.nat.gov.tw gtlscara.nat.gov.tw gtestca.nat.gov.tw oid.nat.gov.tw training.gpki.nat.gov.tw gpkiapi.nat.gov.tw
Serial Number	3d0dd5d1dea986babc1676b9ea56cafb
Valid from	Tue, 27 Sep 2022 07:21:38 UTC
Valid until	Wed, 27 Sep 2023 07:21:38 UTC (expires in 7 months and 2 days)
Key	RSA 2048 bits (e 65537)
Weak key (Debian)	No
Issuer	????????????? - G1 AIA: http://gtlsca.nat.gov.tw/Certs/GTLSCA.crt
Signature algorithm	SHA256withRSA
Extended Validation	No
Certificate Transparency	Yes (certificate)
OCSP Must Staple	No
Revocation information	CRL, OCSP CRL: http://gtlsca.nat.gov.tw/crl/GTLSCA-complete.crl OCSP: http://ocsp.gtlsca.nat.gov.tw/OCSP
Revocation status	Good (not revoked)
DNS CAA	No (more info)
Trusted	Yes Mozilla  Apple  Android  Java  Windows

Additional Certificates (if supplied)
Certificates provided	4 (7491 bytes)
Chain issues	Contains anchor
#2
Subject	????????????? - G1 Fingerprint SHA256: 9d1cda1b9ef395afce7de0fe74de6d9ff5e0d2a43789116c00c6ba5bf44b9823 Pin SHA256: yMUknny/PvrLFQdEKWvDlcHaFRKWkzvSUpfOPXBS62Y=
Valid until	Tue, 19 Aug 2031 06:46:45 UTC (expires in 8 years and 5 months)
Key	RSA 4096 bits (e 65537)
Issuer	ePKI Root Certification Authority - G2
Signature algorithm	SHA256withRSA
#3
Subject	ePKI Root Certification Authority - G2 Fingerprint SHA256: 64717250af8b028dd8e5c0bae4c9142c8b103532612bc487085fd3c319f9c067 Pin SHA256: tInMsiS5prgd0nTOr1IJwlKZjJp2r0jk9MUKByhGGCU=
Valid until	Wed, 20 Dec 2034 02:31:27 UTC (expires in 11 years and 9 months)
Key	RSA 4096 bits (e 65537)
Issuer	Chunghwa Telecom Co., Ltd. / ePKI Root Certification Authority
Signature algorithm	SHA256withRSA
#4
Subject	Chunghwa Telecom Co., Ltd. / ePKI Root Certification Authority   In trust store Fingerprint SHA256: c0a6f4dc63a24bfdcf54ef2a6a082a0a72de35803e2ff5ff527ae5d87206dfd5 Pin SHA256: YlVMFwBVQ7I3IV8EJo3NL9HEcCQK08hmDiWuLFljD1U=
Valid until	Wed, 20 Dec 2034 02:31:27 UTC (expires in 11 years and 9 months)
Key	RSA 4096 bits (e 65537)
Issuer	Chunghwa Telecom Co., Ltd. / ePKI Root Certification Authority   Self-signed
Signature algorithm	SHA1withRSA   Weak, but no impact on root certificate

Certification Paths

Path #1: Trusted
1	Sent by server	grca.nat.gov.tw Fingerprint SHA256: 6629f1afdffecf6a2e7886ee705cf21fa3aeb1c2666d85f13488ff1c8efe04b6 Pin SHA256: tqa/TX0pN+xM6+fX1ar9rVi6o+duYp2NUL/yRVWOjlY= RSA 2048 bits (e 65537) / SHA256withRSA
2	Sent by server	????????????? - G1 Fingerprint SHA256: 9d1cda1b9ef395afce7de0fe74de6d9ff5e0d2a43789116c00c6ba5bf44b9823 Pin SHA256: yMUknny/PvrLFQdEKWvDlcHaFRKWkzvSUpfOPXBS62Y= RSA 4096 bits (e 65537) / SHA256withRSA
3	Sent by server	ePKI Root Certification Authority - G2 Fingerprint SHA256: 64717250af8b028dd8e5c0bae4c9142c8b103532612bc487085fd3c319f9c067 Pin SHA256: tInMsiS5prgd0nTOr1IJwlKZjJp2r0jk9MUKByhGGCU= RSA 4096 bits (e 65537) / SHA256withRSA
4	Sent by server In trust store	Chunghwa Telecom Co., Ltd. / ePKI Root Certification Authority   Self-signed Fingerprint SHA256: c0a6f4dc63a24bfdcf54ef2a6a082a0a72de35803e2ff5ff527ae5d87206dfd5 Pin SHA256: YlVMFwBVQ7I3IV8EJo3NL9HEcCQK08hmDiWuLFljD1U= RSA 4096 bits (e 65537) / SHA1withRSA Weak or insecure signature, but no impact on root certificate
Path #2: Not trusted (path does not chain to a trusted anchor)
1	Sent by server	grca.nat.gov.tw Fingerprint SHA256: 6629f1afdffecf6a2e7886ee705cf21fa3aeb1c2666d85f13488ff1c8efe04b6 Pin SHA256: tqa/TX0pN+xM6+fX1ar9rVi6o+duYp2NUL/yRVWOjlY= RSA 2048 bits (e 65537) / SHA256withRSA
2	Sent by server	????????????? - G1 Fingerprint SHA256: 9d1cda1b9ef395afce7de0fe74de6d9ff5e0d2a43789116c00c6ba5bf44b9823 Pin SHA256: yMUknny/PvrLFQdEKWvDlcHaFRKWkzvSUpfOPXBS62Y= RSA 4096 bits (e 65537) / SHA256withRSA
3	Sent by server	ePKI Root Certification Authority - G2 Fingerprint SHA256: 64717250af8b028dd8e5c0bae4c9142c8b103532612bc487085fd3c319f9c067 Pin SHA256: tInMsiS5prgd0nTOr1IJwlKZjJp2r0jk9MUKByhGGCU= RSA 4096 bits (e 65537) / SHA256withRSA
4	Extra download	Chunghwa Telecom Co., Ltd. / ePKI Root Certification Authority Fingerprint SHA256: b9c974de139f6308d74ccc423c3bc0bded5e7ab4ad738b304b50d429c42c3d66 Pin SHA256: YlVMFwBVQ7I3IV8EJo3NL9HEcCQK08hmDiWuLFljD1U= RSA 4096 bits (e 65537) / SHA256withRSA
5	Extra download   Not in trust store	ePKI Root Certification Authority - G2   Self-signed Fingerprint SHA256: 1e51942b84fd467bf77d1c89da241c04254dc8f3ef4c22451fe7a89978bdcd4f Pin SHA256: tInMsiS5prgd0nTOr1IJwlKZjJp2r0jk9MUKByhGGCU= RSA 4096 bits (e 65537) / SHA256withRSA

Configuration

Protocols
TLS 1.3	No
TLS 1.2	Yes
TLS 1.1	No
TLS 1.0	No
SSL 3	No
SSL 2	No

Cipher Suites
# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp256r1 (eq. 3072 bits RSA)   FS	128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK	128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK	128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp256r1 (eq. 3072 bits RSA)   FS	256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK	256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK	256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   WEAK	128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK	128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK	128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   WEAK	256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK	256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   WEAK	256
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)   WEAK	128
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)   WEAK	256

Handshake Simulation
Android 4.4.2	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Android 5.0.0	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Android 6.0	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Android 7.0	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Android 8.0	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Android 8.1	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Android 9.0	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
BingPreview Jan 2015	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Chrome 49 / XP SP3	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Chrome 69 / Win 7  R	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Chrome 70 / Win 10	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Chrome 80 / Win 10  R	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Firefox 31.3.0 ESR / Win 7	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Firefox 47 / Win 7  R	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Firefox 49 / XP SP3	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Firefox 62 / Win 7  R	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Firefox 73 / Win 10  R	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Googlebot Feb 2018	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
IE 11 / Win 7  R	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
IE 11 / Win 8.1  R	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
IE 11 / Win Phone 8.1  R	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
IE 11 / Win Phone 8.1 Update  R	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
IE 11 / Win 10  R	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Edge 15 / Win 10  R	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Edge 16 / Win 10  R	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Edge 18 / Win 10  R	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Edge 13 / Win Phone 10  R	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Java 8u161	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Java 11.0.3	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Java 12.0.1	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
OpenSSL 1.0.1l  R	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
OpenSSL 1.0.2s  R	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
OpenSSL 1.1.0k  R	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
OpenSSL 1.1.1c  R	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Safari 6 / iOS 6.0.1	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Safari 7 / iOS 7.1  R	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Safari 7 / OS X 10.9  R	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Safari 8 / iOS 8.4  R	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Safari 8 / OS X 10.10  R	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Safari 9 / iOS 9  R	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Safari 9 / OS X 10.11  R	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Safari 10 / iOS 10  R	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Safari 10 / OS X 10.12  R	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Safari 12.1.2 / MacOS 10.14.6 Beta  R	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Safari 12.1.1 / iOS 12.3.1  R	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Apple ATS 9 / iOS 9  R	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Yahoo Slurp Jan 2015	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
YandexBot Jan 2015	RSA 2048 (SHA256)	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
# Not simulated clients (Protocol mismatch)
Android 2.3.7   No SNI 2	Protocol mismatch (not simulated)
Android 4.0.4	Protocol mismatch (not simulated)
Android 4.1.1	Protocol mismatch (not simulated)
Android 4.2.2	Protocol mismatch (not simulated)
Android 4.3	Protocol mismatch (not simulated)
Baidu Jan 2015	Protocol mismatch (not simulated)
IE 6 / XP   No FS 1   No SNI 2	Protocol mismatch (not simulated)
IE 7 / Vista	Protocol mismatch (not simulated)
IE 8 / XP   No FS 1   No SNI 2	Protocol mismatch (not simulated)
IE 8-10 / Win 7  R	Protocol mismatch (not simulated)
IE 10 / Win Phone 8.0	Protocol mismatch (not simulated)
Java 6u45   No SNI 2	Protocol mismatch (not simulated)
Java 7u25	Protocol mismatch (not simulated)
OpenSSL 0.9.8y	Protocol mismatch (not simulated)
Safari 5.1.9 / OS X 10.6.8	Protocol mismatch (not simulated)
Safari 6.0.4 / OS X 10.8.4  R	Protocol mismatch (not simulated)
(1) Clients that do not support Forward Secrecy (FS) are excluded when determining support for it.
(2) No support for virtual SSL hosting (SNI). Connects to the default site if the server uses SNI.
(3) Only first connection attempt simulated. Browsers sometimes retry with a lower protocol version.
(R) Denotes a reference browser or client, with which we expect better effective security.
(All) We use defaults, but some platforms do not use their best protocols and features (e.g., Java 6 & 7, older IE).
(All) Certificate trust is not checked in handshake simulation, we only perform TLS handshake.

Protocol Details
DROWN	Unable to perform this test due to an internal error. (1) For a better understanding of this test, please read this longer explanation (2) Key usage data kindly provided by the Censys network search engine; original DROWN website here (3) Censys data is only indicative of possible key and certificate reuse; possibly out-of-date and not complete INTERNAL ERROR: connect timed out INTERNAL ERROR: connect timed out
Secure Renegotiation	Supported
Secure Client-Initiated Renegotiation	Yes
Insecure Client-Initiated Renegotiation	No
BEAST attack	Mitigated server-side (more info)
POODLE (SSLv3)	No, SSL 3 not supported (more info)
POODLE (TLS)	No (more info)
Zombie POODLE	No (more info)   TLS 1.2 : 0xc013
GOLDENDOODLE	No (more info)   TLS 1.2 : 0xc013
OpenSSL 0-Length	No (more info)   TLS 1.2 : 0xc013
Sleeping POODLE	No (more info)   TLS 1.2 : 0xc013
Downgrade attack prevention	Unknown (requires support for at least two protocols, excl. SSL2)
SSL/TLS compression	No
RC4	No
Heartbeat (extension)	No
Heartbleed (vulnerability)	No (more info)
Ticketbleed (vulnerability)	No (more info)
OpenSSL CCS vuln. (CVE-2014-0224)	No (more info)
OpenSSL Padding Oracle vuln. (CVE-2016-2107)	No (more info)
ROBOT (vulnerability)	No (more info)
Forward Secrecy	Yes (with most browsers)   ROBUST (more info)
ALPN	No
NPN	No
Session resumption (caching)	Yes
Session resumption (tickets)	No
OCSP stapling	No
Strict Transport Security (HSTS)	Yes max-age=31536000;includeSubdomains; preload
HSTS Preloading	Not in: Chrome  Edge  Firefox  IE
Public Key Pinning (HPKP)	No (more info)
Public Key Pinning Report-Only	No
Public Key Pinning (Static)	Unknown
Long handshake intolerance	No
TLS extension intolerance	No
TLS version intolerance	No
Incorrect SNI alerts	No
Uses common DH primes	No, DHE suites not supported
DH public server param (Ys) reuse	No, DHE suites not supported
ECDH public server param reuse	No
Supported Named Groups	secp256r1, x25519, secp384r1 (server preferred order)
SSL 2 handshake compatibility	Yes

HTTP Requests

1 https://gcp.nat.gov.tw/  (HTTP/1.1 200 OK)

Miscellaneous
Test date	Fri, 24 Feb 2023 23:28:23 UTC
Test duration	386.634 seconds
HTTP status code	200
HTTP server signature	-
Server hostname	210-241-69-200.hinet-ip.hinet.net

SSL Report v2.1.10

Copyright © 2009-2023 Qualys, Inc. All Rights Reserved.	Terms and Conditions
Try Qualys for free! Experience the award-winning Qualys Cloud Platform and the entire collection of Qualys Cloud Apps, including certificate security solutions.

********************************************************************************

看似正常。　

(完)