NAME

WebService::SSLLabs::EndpointDetails - EndpointDetails object

VERSION

Version 0.33

SUBROUTINES/METHODS

new

creates a new WebService::SSLLabs::EndpointDetails object; accepts a hash ref as its parameter.

host_start_time

endpoint assessment starting time, in milliseconds since 1970. This field is useful when test results are retrieved in several HTTP invocations: in that case, you should check that the hostStartTime value matches the startTime value of the host.

key

returns the connected Key object

cert

returns the connected Cert object

chain

returns the connected Chain object

protocols

returns the list of supported protocols as Protocol objects

suites

returns the Suites object

server_signature

Contents of the HTTP Server response header when known. This field could be absent for one of two reasons: 1) the HTTP request failed (check httpStatusCode) or 2) there was no Server response header returned.

prefix_delegation

true if this endpoint is reachable via a hostname with the www prefix

non_prefix_delegation

true if this endpoint is reachable via a hostname without the www prefix

vuln_beast

true if the endpoint is vulnerable to the BEAST attack

reneg_support

this is an integer value that describes the endpoint support for renegotiation:

bit 0 (1) - set if insecure client-initiated renegotiation is supported
bit 1 (2) - set if secure renegotiation is supported
bit 2 (4) - set if secure client-initiated renegotiation is supported
bit 3 (8) - set if the server requires secure renegotiation support

sts_response_header

the contents of the Strict-Transport-Security (STS) response header, if seen

sts_max_age

the maxAge parameter extracted from the STS parameters;

undef if STS not seen,
-1 if the specified value is invalid (e.g., not a zero or a positive integer; the maximum value currently supported is 2,147,483,647)

sts_subdomains

true if the includeSubDomains STS parameter is set; undef if STS not seen

pkp_response_header

the contents of the Public-Key-Pinning response header, if seen

session_resumption

this is an integer value that describes endpoint support for session resumption. The possible values are:

0 - session resumption is not enabled and we're seeing empty session IDs
1 - endpoint returns session IDs, but sessions are not resumed
2 - session resumption is enabled

compression_methods

integer value that describes supported compression methods

bit 0 is set for DEFLATE

supports_npn

true if the server supports NPN

npn_protocols

space-separated list of supported protocols

session_tickets

indicates support for Session Tickets

bit 0 (1) - set if session tickets are supported
bit 1 (2) - set if the implementation is faulty [not implemented]
bit 2 (4) - set if the server is intolerant to the extension

ocsp_stapling

true if OCSP stapling is deployed on the server

stapling_revocation_status

same as Cert.revocationStatus, but for the stapled OCSP response.

stapling_revocation_error_message

description of the problem with the stapled OCSP response, if any.

sni_required

if SNI support is required to access the web site.

http_status_code

status code of the final HTTP response seen. When submitting HTTP requests, redirections are followed, but only if they lead to the same hostname. If this field is not available, that means the HTTP request failed.

http_forwarding

available on a server that responded with a redirection to some other hostname.

supports_rc4

true if the server supports at least one RC4 suite.

rc4_only

true if only RC4 suites are supported.

forward_secrecy

indicates support for Forward Secrecy

bit 0 (1) - set if at least one browser from our simulations negotiated a Forward Secrecy suite.
bit 1 (2) - set based on Simulator results if FS is achieved with modern clients. For example, the server supports ECDHE suites, but not DHE.
bit 2 (4) - set if all simulated clients achieve FS. In other words, this requires an ECDHE + DHE combination to be supported.

rc4_with_modern

true if RC4 is used with modern clients.

sims

instance of SimDetails.

heartbleed

true if the server is vulnerable to the Heartbleed attack.

heartbeat

true if the server supports the Heartbeat extension.

open_ssl_ccs

results of the CVE-2014-0224 test:

-1 - test failed
0 - unknown
1 - not vulnerable
2 - possibly vulnerable, but not exploitable
3 - vulnerable and exploitable

openssl_lucky_minus_20

-1 - test failed
0 - unknown
1 - not vulnerable
2 - vulnerable and insecure

poodle

true if the endpoint is vulnerable to POODLE; false otherwise

poodle_tls

results of the POODLE TLS test:

-3 - timeout
-2 - TLS not supported
-1 - test failed
0 - unknown
1 - not vulnerable
2 - vulnerable

fallback_scsv

true if the server supports TLS_FALLBACK_SCSV, false if it doesn't. This field will not be available if the server's support for TLS_FALLBACK_SCSV can't be tested because it supports only one protocol version (e.g., only TLS 1.2).

freak

true if the server is vulnerable to the FREAK attack, meaning it supports 512-bit key exchange.

has_sct

information about the availability of certificate transparency information (embedded SCTs):

bit 0 (1) - SCT in certificate
bit 1 (2) - SCT in the stapled OCSP response
bit 2 (4) - SCT in the TLS extension (ServerHello)

dh_primes

list of hex-encoded DH primes used by the server

dh_uses_known_primes

whether the server uses known DH primes:

0 - no
1 - yes, but they're not weak
2 - yes and they're weak

dh_ys_reuse

true if the DH ephemeral server value is reused.

logjam

true if the server uses DH parameters weaker than 1024 bits.

chacha20_preference

true if the server takes into account client preferences when deciding whether to use ChaCha20 suites

hsts_policy

returns server's HSTS policy as a HASH. Experimental.

hpkp_policy

returns server's HPKP policy as a HASH. Experimental.

hpkp_ro_policy

returns server's HPKP Report Only policy as a HASH. Experimental.

drown_hosts

list of DrownHost objects. Experimental.

drown_errors

true if an error occurred in the DROWN test.

drown_vulnerable

true if the server is vulnerable to the DROWN attack.

protocol_intolerance

indicates protocol version intolerance issues

bit 0 (1) - TLS 1.0
bit 1 (2) - TLS 1.1
bit 2 (4) - TLS 1.2
bit 3 (8) - TLS 1.3
bit 4 (16) - TLS 1.152
bit 5 (32) - TLS 2.152

misc_intolerance

indicates various other types of intolerance

bit 0 (1) - extension intolerance
bit 1 (2) - long handshake intolerance
bit 2 (4) - long handshake intolerance workaround success
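
The bitmask and status-code methods above are easy to misread as booleans, so here is an added example (not part of the module or its documentation) that turns a few of them into findings and keeps failed or unknown tests separate from passes. The Local::SampleDetails package, the triage function and the FAIL/WARN/INCONCLUSIVE labels are assumptions of this example; only the accessor names, bits and codes come from this page.

```perl
use strict;
use warnings;
# Constructed stand-in for an EndpointDetails object; the values are made up.
package Local::SampleDetails {
    my %v = (reneg_support => 6, forward_secrecy => 2, open_ssl_ccs => -1,
             openssl_lucky_minus_20 => 1, poodle_tls => 2,
             sts_max_age => -1, fallback_scsv => undef);
    sub new { return bless {}, shift }
    for my $name (keys %v) {
        no strict 'refs';
        *{ __PACKAGE__ . "::$name" } = sub { return $v{$name} };
    }
}

# Meaning of codes 2 and above, taken from the method descriptions on this page.
my %BAD = (
    open_ssl_ccs           => { 2 => 'WARN possibly vulnerable, not exploitable',
                                3 => 'FAIL vulnerable and exploitable' },
    openssl_lucky_minus_20 => { 2 => 'FAIL vulnerable and insecure' },
    poodle_tls             => { 2 => 'FAIL vulnerable' },
);

sub triage {
    my ($d) = @_;
    my @out;
    # A missing bitmask is treated as 0, so it can never read as a pass.
    my $reneg = $d->reneg_support // 0;
    push @out, 'FAIL reneg_support: insecure client-initiated renegotiation' if $reneg & 1;
    push @out, 'WARN reneg_support: secure renegotiation bit not set' unless $reneg & 2;
    my $fs = $d->forward_secrecy // 0;
    push @out, 'WARN forward_secrecy: not all simulated clients achieve FS' unless $fs & 4;
    for my $field (sort keys %BAD) {
        my $code = $d->$field;
        if (!defined $code || $code <= 0) {    # failed, unknown, timeout: not a pass
            push @out, "INCONCLUSIVE $field: code " . ($code // 'undef');
        }
        elsif (exists $BAD{$field}{$code}) {
            push @out, "$BAD{$field}{$code} ($field)";
        }
    }
    my $age = $d->sts_max_age;
    if    (!defined $age) { push @out, 'WARN sts_max_age: STS header not seen' }
    elsif ($age == -1)    { push @out, 'FAIL sts_max_age: invalid max-age value' }
    push @out, 'INCONCLUSIVE fallback_scsv: field not available'
        unless defined $d->fallback_scsv;
    return @out;
}
print "$_\n" for triage(Local::SampleDetails->new);
```

Any object that answers the same accessor names can be passed to triage in place of the stand-in.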

DIAGNOSTICS

None

CONFIGURATION AND ENVIRONMENT

WebService::SSLLabs::EndpointDetails requires no configuration files or environment variables.

DEPENDENCIES

WebService::SSLLabs::EndpointDetails requires no non-core modules

INCOMPATIBILITIES

None reported

BUGS AND LIMITATIONS

Please report any bugs or feature requests to bug-net-ssllabs at rt.cpan.org, or through the web interface at http://rt.cpan.org/NoAuth/ReportBug.html?Queue=WebService-SSLLabs. I will be notified, and then you'll automatically be notified of progress on your bug as I make changes.

AUTHOR

David Dick, <ddick at cpan.org>

SUPPORT

You can find documentation for this module with the perldoc command.

perldoc WebService::SSLLabs::EndpointDetails

You can also look for information at:

ACKNOWLEDGEMENTS

Thanks to Ivan Ristic and the team at https://www.qualys.com for providing the service at https://www.ssllabs.com

POD was extracted from the API help at https://github.com/ssllabs/ssllabs-scan/blob/stable/ssllabs-api-docs.md

LICENSE AND COPYRIGHT

Copyright 2016 David Dick.

This program is free software; you can redistribute it and/or modify it under the terms of either: the GNU General Public License as published by the Free Software Foundation; or the Artistic License.

See http://dev.perl.org/licenses/ for more information.