NAME

WebService::SSLLabs::EndpointDetails - EndpointDetails object

VERSION

Version 0.33

SUBROUTINES/METHODS

new

a new WebService::SSLLabs::EndpointDetails object, accepts a hash ref as it's parameter.

host_start_time

endpoint assessment starting time, in milliseconds since 1970. This field is useful when test results are retrieved in several HTTP invocations. Then, you should check that the hostStartTime value matches the startTime value of the host.

key

returns the connected Key object

cert

returns the connected Cert object

chain

returns the connected Chain object

protocols

returns the list of supported protocols as Protocol objects

suites

returns the Suites object

server_signature

Contents of the HTTP Server response header when known. This field could be absent for one of two reasons: 1) the HTTP request failed (check httpStatusCode) or 2) there was no Server response header returned.

prefix_delegation

true if this endpoint is reachable via a hostname with the www prefix

non_prefix_delegation

true if this endpoint is reachable via a hostname without the www prefix

vuln_beast

true if the endpoint is vulnerable to the BEAST attack

reneg_support

this is an integer value that describes the endpoint support for renegotiation:

bit 0 (1) - set if insecure client-initiated renegotiation is supported
bit 1 (2) - set if secure renegotiation is supported
bit 2 (4) - set if secure client-initiated renegotiation is supported
bit 3 (8) - set if the server requires secure renegotiation support

sts_response_header

the contents of the Strict-Transport-Security (STS) response header, if seen

sts_max_age

the maxAge parameter extracted from the STS parameters;

undef if STS not seen,
-1 if the specified value is invalid (e.g., not a zero or a positive integer; the maximum value currently supported is 2,147,483,647)

sts_subdomains

true if the includeSubDomains STS parameter is set; undef if STS not seen

pkp_response_header

the contents of the Public-Key-Pinning response header, if seen

session_resumption

this is an integer value that describes endpoint support for session resumption. The possible values are:

0 - session resumption is not enabled and we're seeing empty session IDs
1 - endpoint returns session IDs, but sessions are not resumed
2 - session resumption is enabled

compression_methods

integer value that describes supported compression methods

bit 0 is set for DEFLATE

supports_npn

true if the server supports NPN

npn_protocols

space separated list of supported protocols

session_tickets

indicates support for Session Tickets

bit 0 (1) - set if session tickets are supported
bit 1 (2) - set if the implementation is faulty [not implemented]
bit 2 (4) - set if the server is intolerant to the extension

ocsp_stapling

true if OCSP stapling is deployed on the server

stapling_revocation_status

same as Cert.revocationStatus, but for the stapled OCSP response.

stapling_revocation_error_message

description of the problem with the stapled OCSP response, if any.

sni_required

if SNI support is required to access the web site.

http_status_code

status code of the final HTTP response seen. When submitting HTTP requests, redirections are followed, but only if they lead to the same hostname. If this field is not available, that means the HTTP request failed.

http_forwarding

available on a server that responded with a redirection to some other hostname.

supports_rc4

true if the server supports at least one RC4 suite.

rc4_only

true if only RC4 suites are supported.

forward_secrecy

indicates support for Forward Secrecy

bit 0 (1) - set if at least one browser from our simulations negotiated a Forward Secrecy suite.
bit 1 (2) - set based on Simulator results if FS is achieved with modern clients. For example, the server supports ECDHE suites, but not DHE.
bit 2 (4) - set if all simulated clients achieve FS. In other words, this requires an ECDHE + DHE combination to be supported.

rc4_with_modern

true if RC4 is used with modern clients.

sims

instance of SimDetails.

heartbleed

true if the server is vulnerable to the Heartbleed attack.

heartbeat

true if the server supports the Heartbeat extension.

open_ssl_ccs

results of the CVE-2014-0224 test:

-1 - test failed
0 - unknown
1 - not vulnerable
2 - possibly vulnerable, but not exploitable
3 - vulnerable and exploitable

openssl_lucky_minus_20

-1 - test failed
0 - unknown
1 - not vulnerable
2 - vulnerable and insecure

poodle

true if the endpoint is vulnerable to POODLE; false otherwise

poodle_tls

results of the POODLE TLS test:

-3 - timeout
-2 - TLS not supported
-1 - test failed
0 - unknown
1 - not vulnerable
2 - vulnerable

fallback_scsv

true if the server supports TLS_FALLBACK_SCSV, false if it doesn't. This field will not be available if the server's support for TLS_FALLBACK_SCSV can't be tested because it supports only one protocol version (e.g., only TLS 1.2).

freak

true of the server is vulnerable to the FREAK attack, meaning it supports 512-bit key exchange.

has_sct

information about the availability of certificate transparency information (embedded SCTs):

bit 0 (1) - SCT in certificate
bit 1 (2) - SCT in the stapled OCSP response
bit 2 (4) - SCT in the TLS extension (ServerHello)

dh_primes

list of hex-encoded DH primes used by the server

dh_uses_known_primes

whether the server uses known DH primes:

0 - no
1 - yes, but they're not weak
2 - yes and they're weak

dh_ys_reuse

true if the DH ephemeral server value is reused.

logjam

true if the server uses DH parameters weaker than 1024 bits.

chacha20_preference

true if the server takes into account client preferences when deciding if to use ChaCha20 suites

hsts_policy

returns server's HSTS policy as a HASH. Experimental.

hpkp_policy

returns server's HPKP policy as a HASH. Experimental.

hpkp_ro_policy

returns server's HPKP Report Only policy as a HASH. Experimental.

drown_hosts

list of DrownHost objects. Experimental.

drown_errors

true if error occurred in drown test.

drown_vulnerable

true if server vulnerable to drown attack.

protocol_intolerance

indicates protocol version intolerance issues

bit 0 (1) - TLS 1.0
bit 1 (2) - TLS 1.1
bit 2 (4) - TLS 1.2
bit 3 (8) - TLS 1.3
bit 4 (16) - TLS 1.152
bit 5 (32) - TLS 2.152

misc_intolerance

indicates protocol version intolerance issues

bit 0 (1) - extension intolerance
bit 1 (2) - long handshake intolerance
bit 2 (4) - long handshake intolerance workaround success

DIAGNOSTICS

None

CONFIGURATION AND ENVIRONMENT

WebService::SSLLabs::EndpointDetails requires no configuration files or environment variables.

DEPENDENCIES

WebService::SSLLabs::EndpointDetails requires no non-core modules

INCOMPATIBILITIES

None reported

BUGS AND LIMITATIONS

Please report any bugs or feature requests to bug-net-ssllabs at rt.cpan.org, or through the web interface at http://rt.cpan.org/NoAuth/ReportBug.html?Queue=WebService-SSLLabs. I will be notified, and then you'll automatically be notified of progress on your bug as I make changes.

AUTHOR

David Dick, <ddick at cpan.org>

SUPPORT

You can find documentation for this module with the perldoc command.

    perldoc WebService::SSLLabs::EndpointDetails

You can also look for information at:

ACKNOWLEDGEMENTS

Thanks to Ivan Ristic and the team at https://www.qualys.com for providing the service at https://www.ssllabs.com

POD was extracted from the API help at https://github.com/ssllabs/ssllabs-scan/blob/stable/ssllabs-api-docs.md

LICENSE AND COPYRIGHT

Copyright 2016 David Dick.

This program is free software; you can redistribute it and/or modify it under the terms of either: the GNU General Public License as published by the Free Software Foundation; or the Artistic License.

See http://dev.perl.org/licenses/ for more information.