Hlídač Web NÚKIB Detailní analýza HTTPs pro Web NÚKIB

No 128 cipher limit bug

not offered

not offered

not offered

not offered

offered

offered with final

not offered

h2

http/1.1

not offered

not offered

not offered

not offered

not offered

not offered

not offered

offered

server -- TLS 1.3 client determined

Default protocol TLS1.3

TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)

TLSv1.2   xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 253   AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

TLSv1.2   xcca9   ECDHE-ECDSA-CHACHA20-POLY1305     ECDH 253   ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

TLSv1.2   xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH 253   AESGCM      128      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256

false

TLSv1.3   x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384

TLSv1.3   x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256

TLSv1.3   x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256

TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256

offered

TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 TLS_AES_128_GCM_SHA256 ECDHE-ECDSA-AES128-GCM-SHA256

prime256v1 secp384r1 X25519

'server name/#0' 'renegotiation info/#65281' 'EC point formats/#11' 'key share/#51' 'supported versions/#43' 'extended master secret/#23' 'application layer protocol negotiation/#16'

no -- no lifetime advertised

yes

not supported

supported

off by -3 seconds from your localtime

none

none

1

ECDSA with SHA384

EC 384 bits (curve P-384)

Digital Signature

TLS Web Server Authentication

06B32973C24B616AED02AF914258CC7E7681

18

F58C26CA341D57F91AA1EAD9902E5787778A302B

50719B58499F52255DFE77D2E5A06293CE23DBD3EB36880ED03EC271E8C71B5F

-----BEGIN CERTIFICATE----- MIIDcDCCAvegAwIBAgISBrMpc8JLYWrtAq+RQljMfnaBMAoGCCqGSM49BAMDMDIx CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF NzAeFw0yNjA1MTIxOTE4MjBaFw0yNjA4MTAxOTE4MTlaMAAwdjAQBgcqhkjOPQIB BgUrgQQAIgNiAAStBRgcstglv3iGNJKVSbVfJwNvlEpPgSL+E3X/Yk/FCThIOVj8 S0mF+I3w0SXUsr++SpUd7uK5Xe3b8c4PawvkkhDH7nGRJKwBdbB/Kf3gjJmTNheX AYAVj+gzLYc1IBijggIAMIIB/DAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYI KwYBBQUHAwEwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBSuSJ7chx1EoG/aouVg dAR4wpwAgDAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly9lNy5p LmxlbmNyLm9yZy8wIQYDVR0RAQH/BBcwFYITcG9ydGFsLm51a2liLmdvdi5jejAT BgNVHSAEDDAKMAgGBmeBDAECATAsBgNVHR8EJTAjMCGgH6AdhhtodHRwOi8vZTcu Yy5sZW5jci5vcmcvMi5jcmwwggEKBgorBgEEAdZ5AgQCBIH7BIH4APYAdQDIo8R/ x7OtuTVrAT9qehJt4zpOQ6XGRvmXrTl1mR3PmgAAAZ4d1cw0AAAEAwBGMEQCIDQ/ azbsilVjbe7ESrRYxBRbEO0+1oeuC9fNA5VR7cyMAiAp2lRZ07EVqcZA+BENXndr EDlYWNDw9OSvKzLVfCxRdgB9AGz+UBlDqF6pFrxS0TPk3Mke8UEcfSWEINFzgJ4Y GOs6AAABnh3Vz7cACAAABQALMX8xBAMARjBEAiACO/pQsTpIBN2j4+66aC/Z72X9 l0MFhFITVt/0nTH6UAIgLNPDAtKbidtC1hLQ0wEv9IBU4qbsVb095k67ISFn1eEw CgYIKoZIzj0EAwMDZwAwZAIwflXb5sxZt3r9FVbzOpLpii+8r4iOKkRqq5sU5nDJ gTg+67waOXRawG/gCUEUrz0nAjBJ82NrEQ+TN2Lfv3L9aZWIb+ot4Uy6b69gO3eM sKx7mIXS/mCYw3tkKIA+ab6GvOQ= -----END CERTIFICATE-----

no CN field in subject

request w/o SNI didn't succeed, usual for EC certificates

portal.nukib.gov.cz

Ok via SAN (SNI mandatory)

no

51 >= 30 days

2026-05-12 19:18

2026-08-10 19:18

certificate has no extended life time according to browser forum

not present

http://e7.c.lencr.org/2.crl

--

not offered

--

issue=letsencrypt.org

yes (certificate extension)

2

no

E7 (Let's Encrypt from US)

-----BEGIN CERTIFICATE----- MIICtzCCAjygAwIBAgIRAMWKhaLGI0XgqMRSU4efWTowCgYIKoZIzj0EAwMwTzEL MAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2VhcmNo IEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDIwHhcNMjQwMzEzMDAwMDAwWhcN MjcwMzEyMjM1OTU5WjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3MgRW5j cnlwdDELMAkGA1UEAxMCRTcwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARB6ASTCFh/ vjcwDMCgQer+VtqEkz7JANurZxLP+U9TCeioL6sp5Z8VRvRbYk4P1INBmbefQHJF HCxcSjKmwtvGBWpl/9ra8HW0QDsUaJW2qOJqceJ0ZVFT3hbUHifBM/2jgfgwgfUw DgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAS BgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSuSJ7chx1EoG/aouVgdAR4wpwA gDAfBgNVHSMEGDAWgBR8Qpau3ktIO/qS+J6Mz22LqXI3lTAyBggrBgEFBQcBAQQm MCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly94Mi5pLmxlbmNyLm9yZy8wEwYDVR0gBAww CjAIBgZngQwBAgEwJwYDVR0fBCAwHjAcoBqgGIYWaHR0cDovL3gyLmMubGVuY3Iu b3JnLzAKBggqhkjOPQQDAwNpADBmAjEA/e5N+wjAk945cpaFxGaeMC13fyvdbNzX lRg9HNdElxi5mXdI4az2CykNU07iFwqEAjEAihPCDkw4b1BvfLg8VNLLuaMpn1Rb Z1682chR6zNRCseyie4SjyTCdkvsAa+omQSf -----END CERTIFICATE-----

54715420224C5B65BEED018DC3940D7338C577E322D5488F633D8C6A8FED61B2

2024-03-13 00:00

2027-03-12 23:59

ok > 40 days

E7 <-- ISRG Root X2

intermediate certificate(s) is/are ok

200 OK ('/')

0 seconds from localtime

1781899661

365 days (=31536000 seconds) > 15552000 seconds

includes subdomains

domain is NOT marked for preloading

No support for HTTP Public Key Pinning

No Server banner line in header, interesting!

No application banner found

1 at '/'

All (1) at '/' marked as secure

1/1 at '/' marked as HttpOnly

nosniff

default-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'; form-action 'self' https://sso.nukib.gov.cz; frame-src https://www.youtube-nocookie.com; base-uri 'self'

geolocation=(), camera=(), microphone=(), usb=(), payment=(), accelerometer=(), gyroscope=(), magnetometer=(), clipboard-read=(), clipboard-write=(self), fullscreen=(*)

strict-origin-when-cross-origin

no-store

X-Cache-Status: MISS

not vulnerable, no heartbeat extension

not vulnerable

no session ticket extension

not vulnerable, no RSA key transport cipher

not vulnerable

not vulnerable

not vulnerable, no SSLv3

no protocol below TLS 1.2 offered

not vulnerable

not vulnerable

not vulnerable on this host and port

no RSA certificate, can't be used with SSLv2 elsewhere

not vulnerable, no DH EXPORT ciphers,

no DH key with <= TLS 1.2

not vulnerable, no SSL3 or TLS1

not vulnerable

not vulnerable

not vulnerable

TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384

TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256

TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256

No connection

TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384

TLSv1.3 TLS_AES_128_GCM_SHA256

TLSv1.3 TLS_AES_128_GCM_SHA256

TLSv1.3 TLS_AES_128_GCM_SHA256

TLSv1.3 TLS_AES_128_GCM_SHA256

TLSv1.3 TLS_AES_128_GCM_SHA256

TLSv1.3 TLS_AES_128_GCM_SHA256

No connection

No connection

No connection

TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384

TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384

TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384

TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384

TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384

TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384

TLSv1.3 TLS_AES_128_GCM_SHA256

TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384

TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384

TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384

TLSv1.3 TLS_CHACHA20_POLY1305_SHA256

TLSv1.3 TLS_CHACHA20_POLY1305_SHA256

TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384

No connection

No connection

TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384

TLSv1.3 TLS_AES_128_GCM_SHA256

TLSv1.3 TLS_AES_128_GCM_SHA256

TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384

TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384

TLSv1.3 TLS_AES_256_GCM_SHA384

TLSv1.3 TLS_AES_128_GCM_SHA256

SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)

https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide

0

0

0

0

0

0

0

Grade capped to T. Issues with the chain of trust (chain incomplete)

82