Ministry of ICT

Iran Information Technology Organization

FA

Report Summary

B
94.8 / 100

Domain, IP Address & Port Number
crm.dayins.com (185.103.86.42:443)
Assessment Time & Date
Sept. 17, 2025, 8:31 a.m.
Assessment Duration
Seconds 417

.Based on "cert_chain_of_trust" test, which shows an obsolete and insecure result, your grade has dropped to B

SSL Certificate

Is the certificate still valid?

YES

Certificate Issue Date

2024-08-22 15:01

Certificate Expiration Date

2025-08-19 11:08

Trust Chain Health

Incomplete Chain!

Certificate Issuer

Certum Organization Validation CA SHA2 (Unizeto Technologies S.A. from PL)

Is the certificate valid for crm.dayins.com?

YES

This test checks if the server supports SSL‌v3 or not. SSLv3 is a broken, hence, unsafe protocol and must not be used.

HTTP Header Response

HTTP Status Code	200 OK ('/')
Strict Transport Security (HSTS)	730 days (=63072000 seconds) > 15465600 seconds
HSTS Subdomains	only for this domain
HSTS Preload	domain is NOT marked for preloading
Public Key Pinning (HPKP)	No support for HTTP Public Key Pinning
Server Banner	Apache
Banner Application	No application banner found

Protocol Information

SSLv2

Your server does not support SSLv2 which is good since it is an insecure protocol.

This test checks if the server supports SSL‌v2 or not. SSLv2 is a broken, hence, unsafe protocol and must not be used.

SSLv3

Your server does not support SSLv3 which is good since it is an insecure protocol.

This test checks if the server supports SSL‌v3 or not. SSLv3 is a broken, hence, unsafe protocol and must not be used.

TLS1

Your server does not support TLS v1.0.

This test checks if the server supports SSL‌v3 or not. TLS1.0 is an almost two-decade old protocol. This protocol is vulnerable against attacks such as BEAST and POODLE. Additionally, TLSv.10 supports weak cipher suits which further makes it an insecure protocol. Starting June 30, 2018, websites will need to stop supporting TLS 1.0 to remain PCI compliant.

TLS1.1

Your server does not support TLSv1.1. In presence of stronger protocols (i.e. TLS‌ v1.2 and TLS v1.3), this would be considered a good configuration.

TLS1.1 does not have known major vulnerabilities. But, similar to TLS1.1 it supports weak cipher suits that are not proper for modern use.

TLS1.2

Your server supports TLSv1.2. Currently, this protocol is considered stable. But you'd better consider supporting TLS v1.3.

Currently, TLS1.2 is a stable and secure protocol to go with before TLS1.3 is officially announced as the only accepted protocol.

TLS1.3

Your server supports TLS v1.3. Currently, this protocol is considered the most robust protocol available.

TLS1.3 is going to be the stable secure protocol in the near future and it is recommended that every server shift to this protocol.

Cipher Suites

NULL

Your server does not support NULL ciphers.

Description: The cipher suites with a "NULL" do not offer data encryption, only integrity check. This means "not secure" for most usages. Validation Conditions: This test is passed if the certification is not expired.

aNULL

Your server does not support aNULL ciphers.

Description: For a certificate to be trusted and valid it should not be expired. Validation Conditions: This test is passed if the certification is not expired.

EXPORT

Your server does not support EXPORT ciphers.

Description: The cipher suites with "EXPORT" are, by design, weak. They are encrypted, but only with keys small enough to be cracked with even amateur hardware (say, a basic home PC -- symmetric encryption relying on 40-bit keys). These suites were defined to comply with the US export rules on cryptographic systems, rules which were quite strict before 2000. Nowadays, these restrictions have been lifted and there is little point in supporting the "EXPORT" cipher suites. Validation Conditions: This test is passed if the server does not support EXPORT ciphers.

LOW

Your server does not support LOW ciphers.

Description: For a certificate to be trusted and valid it should not be expired. Validation Conditions: This test is passed if the certification is not expired.

3DES_IDEA

Your server does not support 3DES ciphers.

Description: For a certificate to be trusted and valid it should not be expired. Validation Conditions: This test is passed if the certification is not expired.

AVERAGE

Your server does not support AVERAGE ciphers.

Description: For a certificate to be trusted and valid it should not be expired. Validation Conditions: This test is passed if the certification is not expired.

Strong

Your server support strong ciphers.

Description: For a certificate to be trusted and valid it should not be expired. Validation Conditions: This test is passed if the certification is not expired.

PFS Information

PFS‌ Overview

Your server supports Perfect Forward Secrecy (PFS)

Description: Perfect Forward Secrecy guarantees different encryption keys per session. Thus, if a session key is compromised, other previously recorded sessions (by attacker) will be safe. Validation Conditions: This test is passed if your server supports robust perfect forward secrecy.

Vulnerabilities

Analyzing Heartbleed Vulnerability

Your connection is immune against heartbleed attack.

Description: 'Heartbleed' was a critical vulnerability in SSL which would enable an adversary to retrieve sensitive information from the corresponding server. Validation Conditions: This test passes if the server is not vulnerable to this attack.

Analyzing CCS Vulnerability

Your connection is immune against CCS attack.

Description: OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of 'ChangeCipherSpec' messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the 'CCS Injection' vulnerability.

Analyzing Ticketbleed Vulnerability

Your connection is immune against ticketbleed attack.

Description: 'The Ticketbleed-Bug' was a programming error in enterprise-level hardware. This bug allows a remote attacker to extract up to 31 bytes of uninitialized memory at a time. This memory can potentially contain key material or sensitive data from other connections. Validation Conditions: This test passes if the server is not vulnerable to 'ticketbleed-bug'.

Analyzing ROBOT vulnerability

Your connection is immune to ROBOT attack.

Description: ROBOT is the return of a 19-year-old vulnerability that allows performing RSA decryption and signing operations with the private key of a TLS server. In 1998, Daniel Bleichenbacher discovered that the error messages given by SSL servers for errors in the PKCS #1 v1.5 padding allowed an adaptive-chosen ciphertext attack; this attack fully breaks the confidentiality of TLS when used with RSA encryption. Validation Conditions: This test passes if the sever is not vulnerable to the ROBOT‌ attack.

Analyzing Secure Renegotiation

OpenSSL handshake do not succeed

Description: The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue. Validation Conditions: This test passes if the server is not vulnerable to this bug.

not vulnerable

Analyzing Client-initiated Secure Connection

Your server is properly configured to support Secure Client Renegotiation.

Description: The TLS protocol, and the SSL protocol 3.0 and possibly earlier, while implemented on many different products, cannot perform a renegotiation handshake correctly. This allows attackers to use a man-in-the-middle attack to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue. Validation Conditions: This test passes if the server does not have this vulnerability.

Analyzing protection against CRIME Attack

Your connection is immune against CRIME_TLS attack.

Description: CRIME (Compression Ratio Info-leak Made Easy) is a security exploit against secret web cookies over connections using the HTTPS and SPDY protocols that also use data compression. When used to recover the content of secret authentication cookies, it allows an attacker to perform session hijacking on an authenticated web session, allowing the launching of further attacks. Validation Conditions: This test passes if the server is not vulnerable to CRIME attack.

Analyzing protection against poodle attacks

Your connection is immune against poodle_ssl attack.

Description: The POODLE attack (which stands for 'Padding Oracle On Downgraded Legacy Encryption') is a man-in-the-middle exploit which takes advantage of Internet and security software client's fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages. Validation Conditions: This test passes if the server is not vulnerable to poodle attacks

Cipher Suite Assessments

TLS1.2

TLS1.3

Browser Simulations

Client

Cipher Suite

Protocol

ANDROID-442

TLSv1.2

ECDHE-RSA-AES256-GCM-SHA384

ANDROID-500

TLSv1.2

ECDHE-RSA-AES128-GCM-SHA256

ANDROID-60

N/A

No Connection

ANDROID-70

N/A

No Connection

ANDROID-81

TLSv1.2

ECDHE-RSA-AES128-GCM-SHA256

ANDROID-90

TLSv1.3

TLS_AES_128_GCM_SHA256

ANDROID-X

TLSv1.3

TLS_AES_128_GCM_SHA256

CHROME-74-WIN10

TLSv1.3

TLS_AES_128_GCM_SHA256

CHROME-79-WIN10

TLSv1.3

TLS_AES_128_GCM_SHA256

FIREFOX-66-WIN81

TLSv1.3

TLS_AES_128_GCM_SHA256

FIREFOX-71-WIN10

TLSv1.3

TLS_AES_128_GCM_SHA256

IE-6-XP

N/A

No Connection

IE-8-WIN7

N/A

No Connection

IE-8-XP

N/A

No Connection

IE-11-WIN7

TLSv1.2

DHE-RSA-AES256-GCM-SHA384

IE-11-WIN81

N/A

No Connection

IE-11-WINPHONE81

N/A

No Connection

IE-11-WIN10

N/A

No Connection

EDGE-15-WIN10

N/A

No Connection

EDGE-17-WIN10

TLSv1.2

ECDHE-RSA-AES256-GCM-SHA384

OPERA-66-WIN10

N/A

No Connection

SAFARI-9-IOS9

N/A

No Connection

SAFARI-9-OSX1011

N/A

No Connection

SAFARI-10-OSX1012

TLSv1.2

ECDHE-RSA-AES256-GCM-SHA384

SAFARI-121-IOS-122

TLSv1.3

TLS_CHACHA20_POLY1305_SHA256

SAFARI-130-OSX-10146

N/A

No Connection

APPLE-ATS-9-IOS9

TLSv1.2

ECDHE-RSA-AES256-GCM-SHA384

JAVA-6U45

N/A

No Connection

JAVA-7U25

N/A

No Connection

JAVA-8U161

TLSv1.2

ECDHE-RSA-AES256-GCM-SHA384

JAVA1102

TLSv1.3

TLS_AES_128_GCM_SHA256

JAVA1201

TLSv1.3

TLS_AES_128_GCM_SHA256

OPENSSL-102E

TLSv1.2

ECDHE-RSA-AES256-GCM-SHA384

OPENSSL-110L

TLSv1.2

ECDHE-RSA-AES256-GCM-SHA384

OPENSSL-111D

TLSv1.3

TLS_AES_256_GCM_SHA384

THUNDERBIRD-68-3-1

TLSv1.3

TLS_AES_128_GCM_SHA256