LoTW Site Analysis [was LoTW updates failing]


Scott Davis
 

Hi Timothy,

Thanks for chiming in with your help and insights!  Here is what I am seeing:

Summary
Overall Rating: A
[Rating chart: Certificate, Protocol Support, Key Exchange, Cipher Strength, each on a 0-100 scale]
 

Certificate #1: RSA 2048 bits (SHA256withRSA)
Server Key and Certificate #1
Subject: lotw.arrl.org
Fingerprint SHA256: 46bbfd816be019babd99ad799117d212b36f2afdf130ec299a2752d0cb888211
Pin SHA256: FiiB/F90iLb2W0BtlxJCtIT2cwj2ISLOOJnxkpkv4Wk=
Common names: lotw.arrl.org
Alternative names: lotw.arrl.org www.lotw.arrl.org
Serial Number: 4656752305dec2a8
Valid from: Fri, 17 Mar 2017 14:17:01 UTC
Valid until: Tue, 16 Apr 2019 19:45:40 UTC (expires in 6 months and 1 day)
Key: RSA 2048 bits (e 65537)
Weak key (Debian): No
Issuer: Go Daddy Secure Certificate Authority - G2
AIA: http://certificates.godaddy.com/repository/gdig2.crt
Signature algorithm: SHA256withRSA
Extended Validation: Yes
Certificate Transparency: Yes (certificate)
OCSP Must Staple: No
Revocation information: CRL, OCSP
CRL: http://crl.godaddy.com/gdig2s3-7.crl
OCSP: http://ocsp.godaddy.com/
Revocation status: Good (not revoked)
DNS CAA: No
Trusted: Yes (Mozilla, Apple, Android, Java, Windows)


Additional Certificates (if supplied)
Certificates provided: 3 (4283 bytes)
Chain issues: None
#2
Subject: Go Daddy Secure Certificate Authority - G2
Fingerprint SHA256: 973a41276ffd01e027a2aad49e34c37846d3e976ff6a620b6712e33832041aa6
Pin SHA256: 8Rw90Ej3Ttt8RRkrg+WYDS9n7IS03bk5bjP/UXPtaY8=
Valid until: Sat, 03 May 2031 07:00:00 UTC (expires in 12 years and 6 months)
Key: RSA 2048 bits (e 65537)
Issuer: Go Daddy Root Certificate Authority - G2
Signature algorithm: SHA256withRSA
#3
Subject: Go Daddy Root Certificate Authority - G2
Fingerprint SHA256: 3a2fbe92891e57fe05d57087f48e730f17e5a5f53ef403d618e5b74d7a7e6ecb
Pin SHA256: Ko8tivDrEjiY90yGasP6ZpBU4jwXvHqVvQI0GS3GNdA=
Valid until: Fri, 30 May 2031 07:00:00 UTC (expires in 12 years and 7 months)
Key: RSA 2048 bits (e 65537)
Issuer: The Go Daddy Group, Inc. / Go Daddy Class 2 Certification Authority
Signature algorithm: SHA256withRSA


Certification Paths
Trust stores: Mozilla, Apple, Android, Java, Windows
Path #1: Trusted
1 Sent by server lotw.arrl.org
Fingerprint SHA256: 46bbfd816be019babd99ad799117d212b36f2afdf130ec299a2752d0cb888211
Pin SHA256: FiiB/F90iLb2W0BtlxJCtIT2cwj2ISLOOJnxkpkv4Wk=

RSA 2048 bits (e 65537) / SHA256withRSA
2 Sent by server Go Daddy Secure Certificate Authority - G2
Fingerprint SHA256: 973a41276ffd01e027a2aad49e34c37846d3e976ff6a620b6712e33832041aa6
Pin SHA256: 8Rw90Ej3Ttt8RRkrg+WYDS9n7IS03bk5bjP/UXPtaY8=

RSA 2048 bits (e 65537) / SHA256withRSA
3 In trust store Go Daddy Root Certificate Authority - G2   Self-signed
Fingerprint SHA256: 45140b3247eb9cc8c5b4f0d7b53091f73292089e6e5a63e2749dd3aca9198eda
Pin SHA256: Ko8tivDrEjiY90yGasP6ZpBU4jwXvHqVvQI0GS3GNdA=

RSA 2048 bits (e 65537) / SHA256withRSA
Path #2: Trusted
1 Sent by server lotw.arrl.org
Fingerprint SHA256: 46bbfd816be019babd99ad799117d212b36f2afdf130ec299a2752d0cb888211
Pin SHA256: FiiB/F90iLb2W0BtlxJCtIT2cwj2ISLOOJnxkpkv4Wk=

RSA 2048 bits (e 65537) / SHA256withRSA
2 Sent by server Go Daddy Secure Certificate Authority - G2
Fingerprint SHA256: 973a41276ffd01e027a2aad49e34c37846d3e976ff6a620b6712e33832041aa6
Pin SHA256: 8Rw90Ej3Ttt8RRkrg+WYDS9n7IS03bk5bjP/UXPtaY8=

RSA 2048 bits (e 65537) / SHA256withRSA
3 Sent by server Go Daddy Root Certificate Authority - G2
Fingerprint SHA256: 3a2fbe92891e57fe05d57087f48e730f17e5a5f53ef403d618e5b74d7a7e6ecb
Pin SHA256: Ko8tivDrEjiY90yGasP6ZpBU4jwXvHqVvQI0GS3GNdA=

RSA 2048 bits (e 65537) / SHA256withRSA
4 In trust store The Go Daddy Group, Inc. / Go Daddy Class 2 Certification Authority   Self-signed
Fingerprint SHA256: c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4
Pin SHA256: VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8=

RSA 2048 bits (e 3) / SHA1withRSA
Weak or insecure signature, but no impact on root certificate
Configuration
Protocols
TLS 1.3: No
TLS 1.2: Yes
TLS 1.1: No
TLS 1.0: No
SSL 3: No
SSL 2: No
For TLS 1.3 tests, we only support RFC 8446.


Cipher Suites
# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp256r1 (eq. 3072 bits RSA)   FS 128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp256r1 (eq. 3072 bits RSA)   FS 256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 2048 bits   FS 128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 2048 bits   FS 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp256r1 (eq. 3072 bits RSA)   FS 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1 (eq. 3072 bits RSA)   FS 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp256r1 (eq. 3072 bits RSA)   FS 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp256r1 (eq. 3072 bits RSA)   FS 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 2048 bits   FS 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 2048 bits   FS 128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 2048 bits   FS 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 2048 bits   FS 256


Handshake Simulation
Android 4.4.2 RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Android 5.0.0 RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Android 6.0 RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Android 7.0 RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
BingPreview Jan 2015 RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Chrome 49 / XP SP3 RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Chrome 69 / Win 7  R RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Chrome 70 / Win 10 RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Firefox 31.3.0 ESR / Win 7 RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Firefox 47 / Win 7  R RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Firefox 49 / XP SP3 RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Firefox 62 / Win 7  R RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Googlebot Feb 2018 RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
IE 11 / Win 7  R RSA 2048 (SHA256)   TLS 1.2 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256   DH 2048  FS
IE 11 / Win 8.1  R RSA 2048 (SHA256)   TLS 1.2 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256   DH 2048  FS
IE 11 / Win Phone 8.1  R RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   ECDH secp256r1  FS
IE 11 / Win Phone 8.1 Update  R RSA 2048 (SHA256)   TLS 1.2 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256   DH 2048  FS
IE 11 / Win 10  R RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Edge 15 / Win 10  R RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Edge 13 / Win Phone 10  R RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Java 8u161 RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
OpenSSL 1.0.1l  R RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
OpenSSL 1.0.2e  R RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Safari 6 / iOS 6.0.1 RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   ECDH secp256r1  FS
Safari 7 / iOS 7.1  R RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   ECDH secp256r1  FS
Safari 7 / OS X 10.9  R RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   ECDH secp256r1  FS
Safari 8 / iOS 8.4  R RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   ECDH secp256r1  FS
Safari 8 / OS X 10.10  R RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   ECDH secp256r1  FS
Safari 9 / iOS 9  R RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Safari 9 / OS X 10.11  R RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Safari 10 / iOS 10  R RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Safari 10 / OS X 10.12  R RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Apple ATS 9 / iOS 9  R RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Yahoo Slurp Jan 2015 RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
YandexBot Jan 2015 RSA 2048 (SHA256)   TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
# Not simulated clients (Protocol mismatch)
Android 2.3.7   No SNI (2)   Protocol mismatch (not simulated)
Android 4.0.4   Protocol mismatch (not simulated)
Android 4.1.1   Protocol mismatch (not simulated)
Android 4.2.2   Protocol mismatch (not simulated)
Android 4.3   Protocol mismatch (not simulated)
Baidu Jan 2015   Protocol mismatch (not simulated)
IE 6 / XP   No FS (1)   No SNI (2)   Protocol mismatch (not simulated)
IE 7 / Vista   Protocol mismatch (not simulated)
IE 8 / XP   No FS (1)   No SNI (2)   Protocol mismatch (not simulated)
IE 8-10 / Win 7  R   Protocol mismatch (not simulated)
IE 10 / Win Phone 8.0   Protocol mismatch (not simulated)
Java 6u45   No SNI (2)   Protocol mismatch (not simulated)
Java 7u25   Protocol mismatch (not simulated)
OpenSSL 0.9.8y   Protocol mismatch (not simulated)
Safari 5.1.9 / OS X 10.6.8   Protocol mismatch (not simulated)
Safari 6.0.4 / OS X 10.8.4  R   Protocol mismatch (not simulated)
(1) Clients that do not support Forward Secrecy (FS) are excluded when determining support for it.
(2) No support for virtual SSL hosting (SNI). Connects to the default site if the server uses SNI.
(3) Only first connection attempt simulated. Browsers sometimes retry with a lower protocol version.
(R) Denotes a reference browser or client, with which we expect better effective security.
(All) We use defaults, but some platforms do not use their best protocols and features (e.g., Java 6 & 7, older IE).
(All) Certificate trust is not checked in handshake simulation, we only perform TLS handshake.


Protocol Details
DROWN: No, server keys and hostname not seen elsewhere with SSLv2
(1) For a better understanding of this test, please read this longer explanation
(2) Key usage data kindly provided by the Censys network search engine; original DROWN website here
(3) Censys data is only indicative of possible key and certificate reuse; possibly out-of-date and not complete
Secure Renegotiation: Supported
Secure Client-Initiated Renegotiation: No
Insecure Client-Initiated Renegotiation: No
BEAST attack: Mitigated server-side
POODLE (SSLv3): No, SSL 3 not supported
POODLE (TLS): No
Downgrade attack prevention: Unknown (requires support for at least two protocols, excl. SSL2)
SSL/TLS compression: No
RC4: No
Heartbeat (extension): Yes
Heartbleed (vulnerability): No
Ticketbleed (vulnerability): No
OpenSSL CCS vuln. (CVE-2014-0224): No
OpenSSL Padding Oracle vuln. (CVE-2016-2107): No
ROBOT (vulnerability): No
Forward Secrecy: Yes (with most browsers)   ROBUST
ALPN: No
NPN: No
Session resumption (caching): Yes
Session resumption (tickets): Yes
OCSP stapling: No
Strict Transport Security (HSTS): No
HSTS Preloading: Not in Chrome, Edge, Firefox, IE
Public Key Pinning (HPKP): No
Public Key Pinning Report-Only: No
Public Key Pinning (Static): No
Long handshake intolerance: No
TLS extension intolerance: No
TLS version intolerance: No
Incorrect SNI alerts: No
Uses common DH primes: No
DH public server param (Ys) reuse: No
ECDH public server param reuse: No
Supported Named Groups: secp256r1
SSL 2 handshake compatibility: No


HTTP Requests
1 https://lotw.arrl.org/  (HTTP/1.1 301 Moved Permanently)
Date: Mon, 15 Oct 2018 15:49:23 GMT
Server: Apache
Location: https://lotw.arrl.org/lotwuser/default
Cache-Control: max-age=0
Expires: Mon, 15 Oct 2018 15:49:23 GMT
Vary: Accept-Encoding
Content-Length: 246
Connection: close
Content-Type: text/html; charset=iso-8859-1
2 https://lotw.arrl.org/lotwuser/default  (HTTP/1.1 200 OK)
Date: Mon, 15 Oct 2018 15:49:24 GMT
Server: Apache
Cache-Control: max-age=0
Expires: Mon, 15 Oct 2018 15:49:24 GMT
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8


Miscellaneous
Test date: Mon, 15 Oct 2018 15:49:17 UTC
Test duration: 52.542 seconds
HTTP status code: 200
HTTP server signature: Apache
Server hostname: lotw.arrl.org

73, Scott
N3FJP
 
Serving the Amateur Radio community with contesting and general logging software since 1997.
 
1 Peter 3 vs 15: Always be prepared to give an answer to everyone who asks you to give the reason for the hope that you have. But do this with gentleness and respect...
 
 


-----Original Message-----
From: Timothy Robnett <tim@...>
To: N3FJPSoftwareUsers <N3FJPSoftwareUsers@groups.io>
Sent: Mon, Oct 15, 2018 11:56 am
Subject: Re: [N3FJPSoftwareUsers] LoTW updates failing

Folks,

Most IT professionals struggle to understand how certificates work and what is needed for success. If you are struggling with this, realize that there are people who work with them for a living that don't understand how they work. Having said that, let me assure you this has nothing to do with AC Log or anything in Scott's code but I will try and help if I can.

For those of you having issues, would you be able to use Internet Explorer and connect to https://lotw.arrl.org/lotwuser/lotwreport.adi?login= and report what you get back? I suspect that it has to do with LoTW going to TLS 1.2 protocol support only with no support for SSL v2, SSL v3, TLS 1.0 or TLS 1.1.

Fair warning: The output from this site is technical but if you want to see what ciphers, protocols, etc. are being supported as well as what TLS features are enabled click this link. https://www.ssllabs.com/ssltest/analyze.html?d=lotw.arrl.org

--
73
kb0phk


Timothy Robnett - w0trr
 

Thanks Scott,  I guess that will keep everyone from clicking on the link ;-)

In studying the output a little bit more since my note - it appears that for users of Windows you need Internet Explorer 11 or greater or the newer Microsoft Edge browser. If you are running Windows XP with IE 6, Vista with IE 7 or Windows 7 with IE 8-10 it will not work.

For those having issues, please check what version of IE is installed by clicking Help -> About. If the version is 10 or less, your computer is out of date and will not work with LoTW and many other sites that are trying to improve their security posture.

--
73
kb0phk


Scott Davis
 

Hi Timothy,

I am running Microsoft Edge:  Here is the version:

Microsoft Edge 42.17134.1.0
Microsoft EdgeHTML 17.17134


73, Scott
N3FJP
 
Serving the Amateur Radio community with contesting and general logging software since 1997.
 
1 Peter 3 vs 15: Always be prepared to give an answer to everyone who asks you to give the reason for the hope that you have. But do this with gentleness and respect...
 
 


-----Original Message-----
From: Timothy Robnett <tim@...>
To: N3FJPSoftwareUsers <N3FJPSoftwareUsers@groups.io>
Sent: Mon, Oct 15, 2018 12:25 pm
Subject: Re: [N3FJPSoftwareUsers] LoTW Site Analysis [was LoTW updates failing]

Thanks Scott,  I guess that will keep everyone from clicking on the link ;-)

In studying the output a little bit more since my note - it appears that for users of Windows you need Internet Explorer 11 or greater or the newer Microsoft Edge browser. If you are running Windows XP with IE 6, Vista with IE 7 or Windows 7 with IE 8-10 it will not work.

For those having issues, please check what version of IE is installed by clicking Help -> About. If the version is 10 or less, your computer is out of date and will not work with LoTW and many other sites that are trying to improve their security posture.

--
73
kb0phk


John K9IJ
 

Looks to me like they're running a very old version of TLS and need to support more current versions.

Protocols
TLS 1.3    No
TLS 1.2    Yes   <--
TLS 1.1    No
TLS 1.0    No
SSL 3    No
SSL 2    No

John - K9IJ

On 10/15/2018 11:25 AM, Timothy Robnett wrote:
Thanks Scott,  I guess that will keep everyone from clicking on the link ;-)

In studying the output a little bit more since my note - it appears that for users of Windows you need Internet Explorer 11 or greater or the newer Microsoft Edge browser. If you are running Windows XP with IE 6, Vista with IE 7 or Windows 7 with IE 8-10 it will not work.

For those having issues, please check what version of IE is installed by clicking Help -> About. If the version is 10 or less, your computer is out of date and will not work with LoTW and many other sites that are trying to improve their security posture.

--
73
kb0phk

-- 
No trees were killed in the sending of this message. However, a large number of electrons were terribly inconvenienced !

k9ij@...
Webmaster, Network Admin, Janitor


John Huber
 

According to this site https://tlsversions.com/,  TLS 1.2 IS the current version.  https://datatracker.ietf.org/doc/rfc8446/ indicates that TLS 1.3 is still a PROPOSED standard.  Thus, at least for this item, ARRL is at the most current version of TLS (Transport Layer Security).
 
73,  John / N8FYL
 

From: John K9IJ
Sent: Monday, October 15, 2018 12:39
To: N3FJPSoftwareUsers@groups.io
Subject: Re: [N3FJPSoftwareUsers] LoTW Site Analysis [was LoTW updates failing]
 
Looks to me like they're running a very old version of TLS and need to support more current versions.

Protocols
TLS 1.3    No
TLS 1.2    Yes   <--
TLS 1.1    No
TLS 1.0    No
SSL 3    No
SSL 2    No

John - K9IJ

On 10/15/2018 11:25 AM, Timothy Robnett wrote:
Thanks Scott,  I guess that will keep everyone from clicking on the link ;-)

In studying the output a little bit more since my note - it appears that for users of Windows you need Internet Explorer 11 or greater or the newer Microsoft Edge browser. If you are running Windows XP with IE 6, Vista with IE 7 or Windows 7 with IE 8-10 it will not work.

For those having issues, please check what version of IE is installed by clicking Help -> About. If the version is 10 or less, your computer is out of date and will not work with LoTW and many other sites that are trying to improve their security posture.

--
73
kb0phk

-- 
No trees were killed in the sending of this message. However, a large number of electrons were terribly inconvenienced !

k9ij@...
Webmaster, Network Admin, Janitor


Dan Morris
 

I have been using Firefox as my default browser and have never had a problem with LoTW!!
I am using Win 7 Pro.  I tried logging in to LoTW with my browser and it says account not found???

Dan Morris  KZ3T

I live to live for Him!



On Oct 15, 2018, at 12:25 PM, Timothy Robnett <tim@...> wrote:

Thanks Scott,  I guess that will keep everyone from clicking on the link ;-)

In studying the output a little bit more since my note - it appears that for users of Windows you need Internet Explorer 11 or greater or the newer Microsoft Edge browser. If you are running Windows XP with IE 6, Vista with IE 7 or Windows 7 with IE 8-10 it will not work.

For those having issues, please check what version of IE is installed by clicking Help -> About. If the version is 10 or less, your computer is out of date and will not work with LoTW and many other sites that are trying to improve their security posture.

--
73
kb0phk


David Rounds
 

Timothy,
How do I verify the internal version of Internet Explorer that is installed by Windows 10? 

I have not specifically installed Internet Explorer on any computer since Windows XP.
I know that Win10 does install Edge but I do not use it.
I have the latest versions of Chrome and Firefox installed

Any further information would also be helpful.

73
David
AK9F

On 10/15/2018 11:25 AM, Timothy Robnett wrote:
Thanks Scott,  I guess that will keep everyone from clicking on the link ;-)

In studying the output a little bit more since my note - it appears that for users of Windows you need Internet Explorer 11 or greater or the newer Microsoft Edge browser. If you are running Windows XP with IE 6, Vista with IE 7 or Windows 7 with IE 8-10 it will not work.

For those having issues, please check what version of IE is installed by clicking Help -> About. If the version is 10 or less, your computer is out of date and will not work with LoTW and many other sites that are trying to improve their security posture.

--
73
kb0phk




Jim Shorney
 

I use Waterfox 56 (a 64-bit Firefox/Mozilla variant) and have had no problems
using the ARRL and LoTW web sites today. Internet Exploder is banned from my
house.

73

-Jim
NU0C


On Mon, 15 Oct 2018 21:58:52 -0500, David Rounds wrote:

Timothy,
How do I verify the internal version of Internet Explorer that is
installed by Windows 10?

I have not specifically installed Internet Explorer on any computer
since Windows XP.
I know that Win10 does install Edge but I do not use it.
I have the latest versions of Chrome and Firefox installed

Any further information would also be helpful.

73
David
AK9F

On 10/15/2018 11:25 AM, Timothy Robnett wrote:
Thanks Scott, I guess that will keep everyone from clicking on the
link ;-)

In studying the output a little bit more since my note - it appears
that for users of Windows you need Internet Explorer 11 or greater or
the newer Microsoft Edge browser. If you are running Windows XP with
IE 6, Vista with IE 7 or Windows 7 with IE 8-10 it will not work.

For those having issues, please check what version of IE is installed
by clicking Help -> About. If the version is 10 or less, your computer
is out of date and will not work with LoTW and many other sites that
are trying to improve their security posture.

--
73
kb0phk
--

"Good men don’t need rules. Today is not the day to find out why I have so many." - Doctor Who


Timothy Robnett - w0trr
 

@David Rounds,

Help -> About is how you check the version on most Windows Software. Windows 10 will have a current version of IE so unless you are curious, no need to check.

I am still curious what Scott had to do in his code to fix this. I downloaded the spec for using this service and in playing with it, it seems ARRL changed their spec without notice and without updating the documentation. Ugh.

--
73
kb0phk