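Installing Percona Server 8.0

As a community fork of MySQL, Percona gives database developers more choice through its fast release cadence and features not found in Oracle's community edition or MariaDB.

Percona upgraded its Percona Server to 8.0 in 2018. This post shows how to install Percona Server 8.0 on CentOS and enable its distinctive storage engines.

1. Install the Percona YUM repository: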

$ sudo yum install https://repo.percona.com/yum/percona-release-latest.noarch.rpm

2. Set up the YUM repository to use Percona Server 8.0

$ sudo percona-release setup ps80

3. Install the database

$ sudo yum install percona-server-server

4. Start Percona Server for MySQL

$ sudo service mysql start

5. Check that it is running

$ sudo service mysql status

6. Stop or restart Percona

$ sudo service mysql stop
$ sudo service mysql restart

7. Find the temporary root password generated at install time

 grep "A temporary password" /var/log/mysqld.log

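This prints the temporary password; if nothing is shown, try restarting Percona Server.

2019-01-04T16:56:48.430540Z 5 [Note] [MY-010454] [Server] A temporary password is generated for root@localhost: <temporary password>

8. Initialize the database and change the default password. Note that 8.0 enforces password-strength requirements by default.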

mysql_secure_installation

Securing the MySQL server deployment.

Enter password for user root:
The 'validate_password' component is installed on the server.
The subsequent steps will run with the existing configuration
of the component.
Using existing password for root.

Estimated strength of the password: 100
Change the password for root ? ((Press y|Y for Yes, any other key for No) :

 ... skipping.
By default, a MySQL installation has an anonymous user,
allowing anyone to log into MySQL without having to have
a user account created for them. This is intended only for
testing, and to make the installation go a bit smoother.
You should remove them before moving into a production
environment.

Remove anonymous users? (Press y|Y for Yes, any other key for No) : y
Success.


Normally, root should only be allowed to connect from
'localhost'. This ensures that someone cannot guess at
the root password from the network.

Disallow root login remotely? (Press y|Y for Yes, any other key for No) : y
Success.

By default, MySQL comes with a database named 'test' that
anyone can access. This is also intended only for testing,
and should be removed before moving into a production
environment.


Remove test database and access to it? (Press y|Y for Yes, any other key for No) : y
 - Dropping test database...
Success.

 - Removing privileges on test database...
Success.

Reloading the privilege tables will ensure that all changes
made so far will take effect immediately.

Reload privilege tables now? (Press y|Y for Yes, any other key for No) : y
Success.

All done!

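9. Fix phpMyAdmin failing to connect because the authentication plugin differs (8.0 defaults to caching_sha2_password; the statement below switches root to mysql_native_password)

mysql -p
Enter password:
mysql> alter user 'root'@'localhost' identified with mysql_native_password by 'your-password';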
Query OK, 0 rows affected (0.26 sec)

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.01 sec)

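Linux tar compression and extraction commands explained

tar

-c: create an archive
-x: extract
-t: list contents
-r: append files to the end of an archive
-u: update files in an existing archive

These five are independent operations. Every archive or extract command needs one of them; it can be combined with other options, but only one of the five may be used at a time. The options below are optional and are added as needed when creating or extracting an archive.

-z: use gzip
-j: use bzip2
-Z: use compress
-v: show all progress
-O: extract files to standard output

The -f option below is required

-f: use the given archive name. Remember that this must be the last option, and only the archive name may follow it.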

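# tar -cf all.tar *.jpg
This command packs all .jpg files into an archive named all.tar. -c creates a new archive and -f specifies the archive file name.

# tar -rf all.tar *.gif
This command adds all .gif files to the all.tar archive. -r means append files.

# tar -uf all.tar logo.gif
This command updates the logo.gif file inside the existing all.tar archive. -u means update files.

# tar -tf all.tar
This command lists all files in the all.tar archive. -t means list files.

# tar -xf all.tar
This command extracts all files from the all.tar archive. -x means extract.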

Compressing

tar -cvf jpg.tar *.jpg  # pack all jpg files in the directory into jpg.tar

tar -czf jpg.tar.gz *.jpg  # pack all jpg files in the directory into jpg.tar, then compress it with gzip, producing jpg.tar.gz

tar -cjf jpg.tar.bz2 *.jpg  # pack all jpg files in the directory into jpg.tar, then compress it with bzip2, producing jpg.tar.bz2

tar -cZf jpg.tar.Z *.jpg  # pack all jpg files in the directory into jpg.tar, then compress it with compress, producing jpg.tar.Z

rar a jpg.rar *.jpg  # rar compression; rar for Linux must be downloaded first

zip jpg.zip *.jpg  # zip compression; zip for Linux must be downloaded first

Extracting

tar -xvf file.tar  # extract a tar archive

tar -xzvf file.tar.gz  # extract tar.gz

tar -xjvf file.tar.bz2  # extract tar.bz2

tar -xZvf file.tar.Z  # extract tar.Z

unrar e file.rar  # extract rar

unzip file.zip  # extract zip

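Summary

1. *.tar: extract with tar -xvf

2. *.gz: extract with gzip -d or gunzip

3. *.tar.gz and *.tgz: extract with tar -xzf

4. *.bz2: extract with bzip2 -d or bunzip2

5. *.tar.bz2: extract with tar -xjf

6. *.Z: extract with uncompress

7. *.tar.Z: extract with tar -xZf

8. *.rar: extract with unrar e

9. *.zip: extract with unzip

Extract the JDK into a specific directory: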

tar -xzvf jdk-8u131-linux-x64.tar.gz -C /usr/local/java


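Binding multiple IPs to a Tencent Cloud instance

Tencent Cloud instances have always allowed binding an elastic IP (EIP). Originally this was used to convert the classic public IP into an EIP, so that an attack could be shaken off by releasing the IP and replacing it.

With elastic network interfaces (ENIs), however, you can bind multiple IPs. A public EIP is actually bound to a private IP on an ENI.

Click the instance ID/name and check the IP address. If it is the default public IP, click to convert it to an elastic public IP.

Check the network shown under the network configuration. If it is the default basic network, some regions do not allow switching to a private network (VPC), in which case multiple NICs and multiple IPs cannot be bound.

1. Create an elastic network interface:

Click the instance ID/name, then click Elastic Network Interfaces to see the primary interface's configuration.

Now add a new secondary elastic network interface:

Click the primary interface tab to open the ENI options, click Add Interface and accept the defaults. The two interfaces now appear side by side.

2. Bind the ENI to the instance:

Click Bind to Instance. Once done, click the instance's secondary interface to view its details.

3. Bind the new public EIP to the secondary interface: click IP Management on the secondary interface. Once done, the public EIP is bound to the corresponding private IP of the ENI. At this point, however, the operating system has no configuration for that interface.

4. Create the ENI's configuration file on the instance:

Using CentOS 7.4 as an example: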

cd /etc/sysconfig/network-scripts/
cp ifcfg-eth0 ifcfg-eth1
vim ifcfg-eth1

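Configure the IP settings for the secondary interface eth1. Set IPADDR to the secondary interface's private IP, and set NETMASK and GATEWAY to match the primary interface. Save and exit.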

DEVICE='eth1'
NM_CONTROLLED='yes'
ONBOOT='yes'
IPADDR='172.16.0.17'
NETMASK='255.255.240.0'
GATEWAY='172.16.0.1'

5. Disable rp_filter checking by turning off reverse-path filtering in /etc/sysctl.conf.

vim /etc/sysctl.conf

Change net.ipv4.conf.default.rp_filter = 1 to the following, adding any lines that are missing.

net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 0

Apply the configuration

systemctl restart network

Verify

ip addr
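
An added check, not part of the original post: after the restart, confirm which rp_filter mode the kernel actually applies to each interface. The kernel uses the higher of conf/all/rp_filter and conf/<iface>/rp_filter, which is why step 5 changes `all` as well as eth0 and eth1. The helper names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the effective rp_filter mode per interface.
# 0 = no source validation, 1 = strict, 2 = loose.
# effective_rp_filter, rp_filter_report and make_sample_tree are hypothetical helpers.

CONF_ROOT=${CONF_ROOT:-/proc/sys/net/ipv4/conf}

# effective_rp_filter IFACE [ROOT] -> prints max(all, IFACE); returns 2 if unreadable
effective_rp_filter() {
  root=${2:-$CONF_ROOT}
  [ -r "$root/all/rp_filter" ] && [ -r "$root/$1/rp_filter" ] || return 2
  all=$(cat "$root/all/rp_filter")
  own=$(cat "$root/$1/rp_filter")
  if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# rp_filter_report ROOT IFACE... -> one "iface mode" line per interface
rp_filter_report() {
  root=$1; shift
  for ifc in "$@"; do
    mode=$(effective_rp_filter "$ifc" "$root") || { echo "$ifc unknown"; continue; }
    case $mode in
      0) echo "$ifc off" ;;
      1) echo "$ifc strict" ;;
      2) echo "$ifc loose" ;;
      *) echo "$ifc unknown" ;;
    esac
  done
}

# Constructed stand-in for /proc/sys/net/ipv4/conf so the example runs anywhere.
# make_sample_tree DIR ALL ETH0 ETH1
make_sample_tree() {
  for pair in "all=$2" "eth0=$3" "eth1=$4"; do
    mkdir -p "$1/${pair%%=*}"
    echo "${pair#*=}" > "$1/${pair%%=*}/rp_filter"
  done
}

demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir/partial" 1 1 0   # only eth1 relaxed: still strict
make_sample_tree "$demo_dir/page" 0 0 0      # the settings from step 5
rp_filter_report "$demo_dir/partial" eth0 eth1
rp_filter_report "$demo_dir/page" eth0 eth1
rm -rf "$demo_dir"
```

On the instance itself, run `rp_filter_report /proc/sys/net/ipv4/conf eth0 eth1` to read the live values.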

Installing MariaDB 10.3 with YUM on CentOS 7

1. Add the MariaDB repo:

# MariaDB 10.3 CentOS repository list - created 2018-05-26 07:55 UTC  
# http://downloads.mariadb.org/mariadb/repositories/  
[mariadb]  
name = MariaDB  
baseurl = http://yum.mariadb.org/10.3/centos7-amd64  
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB  
gpgcheck=1

2. Clear the YUM cache and rebuild it

yum clean all 
yum makecache

3. List the packages in the MariaDB repo

yum list --disablerepo=\* --enablerepo=mariadb

Here, test is the testing tool and backup is the backup tool.

4. Install the MariaDB database

yum install MariaDB-client MariaDB-server MariaDB-devel -y

5. Start the database and enable MariaDB at boot

systemctl start mariadb  
systemctl enable mariadb

6. Initialize the database, remove the test database, adjust privileges and set a password

mysql_secure_installation

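The first prompt asks for the password. On a fresh install none has been set, so it is empty by default; just press Enter.

Change the root password? [Y/n] asks whether to set a new password. Setting one is recommended. For the other prompts, accept the default Y.

7. Test logging in to MariaDB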

 mysql -uroot -p -A  
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 2894
Server version: 10.3.7-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> 

 

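Installing the TokuDB storage engine with Percona

Powered by Fractal Tree indexing, Percona TokuDB® is an open-source, high-performance storage engine for Percona Server that improves scalability and operational efficiency. Designed for the demanding requirements of big-data applications, Percona TokuDB lowers the deployment costs associated with compression and optimization work. Percona TokuDB and Percona HotBackup are included in the Percona Server for MySQL download link below.

Speed and scalability:

Percona TokuDB greatly improves performance and concurrency, reduces disk and flash storage requirements, supports online schema changes, and supports fully ACID-compliant transactions.

Percona TokuDB offers:

  • Better performance: without tuning, response times 20x faster than InnoDB
  • Stronger return on investment: lower operating and infrastructure costs, with greater scalability and flexibility
  • Higher availability: less downtime for demanding applications in public, private and hybrid cloud environments

1. Install the official Percona RPM repository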

yum install http://www.percona.com/downloads/percona-release/redhat/0.1-4/percona-release-0.1-4.noarch.rpm

2. Test the Percona repository

yum list | grep percona

3. Install Percona with yum

yum install Percona-Server-server-57

4. Percona's default management commands

service mysql start 
service mysql restart 
service mysql stop 
service mysql status

5. Look up the temporary Percona root password generated at install time

grep 'temporary password' /var/log/mysqld.log

6. Change the database password

mysql -u root -p
Enter password:yourpasswd
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 92
Server version: 5.7.21-21-log Percona Server (GPL), Release 21, Revision 2a37e4e

Copyright (c) 2009-2018 Percona LLC and/or its affiliates
Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

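Percona [(none)]> set password=password('yournewpasswd');

MySQL enforces a password policy, so be sure to set a sufficiently complex password.

7. Edit the /etc/my.cnf config file to change MySQL's default character set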

[mysqld] 
character_set_server=utf8

8. Install jemalloc

yum install jemalloc 
rpm -qa |grep jemalloc 
jemalloc-3.6.0-1.el7.x86_64
rpm -ql jemalloc-3.6.0-1.el7.x86_64
/usr/bin/jemalloc.sh
/usr/lib64/libjemalloc.so.1
/usr/share/doc/jemalloc-3.6.0
/usr/share/doc/jemalloc-3.6.0/COPYING
/usr/share/doc/jemalloc-3.6.0/README
/usr/share/doc/jemalloc-3.6.0/VERSION
/usr/share/doc/jemalloc-3.6.0/jemalloc.html

Note the path /usr/lib64/libjemalloc.so.1

9. Configure the jemalloc dependency: edit /etc/my.cnf and add the following:

[mysqld_safe] 
malloc-lib=/usr/lib64/libjemalloc.so.1

10. Check Transparent Huge Pages (the commands below disable them)

echo never > /sys/kernel/mm/transparent_hugepage/enabled 
echo never > /sys/kernel/mm/transparent_hugepage/defrag

11. Install TokuDB

yum install Percona-Server-tokudb-57.x86_64

12. Set SELinux to permissive: edit /etc/selinux/config and change the following, then run setenforce 0 to apply it to the running system:

SELINUX=permissive
setenforce 0

13. Run the initial TokuDB setup

ps_tokudb_admin --enable -uroot -p

Enter the password and check whether it succeeded.

14. Restart Percona

service mysql restart

15. Check that TokuDB is enabled

mysql -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 94
Server version: 5.7.21-21-log Percona Server (GPL), Release 21, Revision 2a37e4e

Copyright (c) 2009-2018 Percona LLC and/or its affiliates
Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

Percona [(none)]> show engines;
+--------------------+---------+----------------------------------------------------------------------------+--------------+------+------------+
| Engine             | Support | Comment                                                                    | Transactions | XA   | Savepoints |
+--------------------+---------+----------------------------------------------------------------------------+--------------+------+------------+
| PERFORMANCE_SCHEMA | YES     | Performance Schema                                                         | NO           | NO   | NO         |
| MRG_MYISAM         | YES     | Collection of identical MyISAM tables                                      | NO           | NO   | NO         |
| CSV                | YES     | CSV storage engine                                                         | NO           | NO   | NO         |
| BLACKHOLE          | YES     | /dev/null storage engine (anything you write to it disappears)             | NO           | NO   | NO         |
| MyISAM             | YES     | MyISAM storage engine                                                      | NO           | NO   | NO         |
| TokuDB             | DEFAULT | Percona TokuDB Storage Engine with Fractal Tree(tm) Technology             | YES          | YES  | YES        |
| InnoDB             | YES     | Percona-XtraDB, Supports transactions, row-level locking, and foreign keys | YES          | YES  | YES        |
| ARCHIVE            | YES     | Archive storage engine                                                     | NO           | NO   | NO         |
| MEMORY             | YES     | Hash based, stored in memory, useful for temporary tables                  | NO           | NO   | NO         |
| FEDERATED          | NO      | Federated MySQL storage engine                                             | NULL         | NULL | NULL       |
+--------------------+---------+----------------------------------------------------------------------------+--------------+------+------------+
10 rows in set (0.07 sec)

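If TokuDB appears in the list, it worked.

phpMyAdmin and the socket settings in php.ini

Yesterday, after installing the new Percona database, I found that phpMyAdmin could no longer connect. I looked around for a while without working out what was wrong.

I later confirmed the cause: mysqli.default_socket and pdo_mysql.default_socket in php.ini are empty by default, which in practice means /tmp/mysql.sock. If that differs from MySQL's own setting, phpMyAdmin cannot log in.

First, query the socket location the MySQL server is using: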

# mysql -u root -p
Enter password: yourpasswd
mysql> STATUS;
--------------
mysql  Ver 14.14 Distrib 5.7.21-21, for Linux (x86_64) using  6.2

Connection id:		2
Current database:	
Current user:		root@localhost
SSL:			Not in use
Current pager:		stdout
Using outfile:		''
Using delimiter:	;
Server version:		5.7.21-21 Percona Server (GPL), Release 21, Revision 2a37e4e
Protocol version:	10
Connection:		Localhost via UNIX socket
Server characterset:	utf8
Db     characterset:	utf8
Client characterset:	utf8
Conn.  characterset:	utf8
UNIX socket:		/var/lib/mysql/mysql.sock
Uptime:			26 min 14 sec

Threads: 1  Questions: 5  Slow queries: 0  Opens: 105  Flush tables: 1  Open tables: 98  Queries per second avg: 0.003
--------------

mysql> exit
Bye

The socket path returned by the query above is /var/lib/mysql/mysql.sock

Change these two settings in php.ini:

vi /etc/php.ini

mysqli.default_socket = /var/lib/mysql/mysql.sock

pdo_mysql.default_socket = /var/lib/mysql/mysql.sock

You can also set it in the MySQL config file my.cnf

vi /etc/my.cnf

[client]
socket          = /var/lib/mysql/mysql.sock

[mysqld]
socket          = /var/lib/mysql/mysql.sock

After that, restart PHP or httpd and you can log in to phpMyAdmin.
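
An added check, not part of the original post: compare the socket paths PHP will use with the one mysqld listens on, so a mismatch or a mistyped path is caught before phpMyAdmin fails to log in. ini_get and check_sockets are hypothetical helper names, and the file contents are constructed samples.

```shell
#!/bin/sh
# Added example: verify php.ini socket settings against my.cnf.

# ini_get FILE KEY [SECTION] -> last value of KEY (optionally only inside [SECTION])
ini_get() {
  awk -v key="$2" -v want="$3" '
    /^[ \t]*[#;]/ { next }                    # skip comment lines
    /^[ \t]*\[/ {                             # section header, e.g. [mysqld]
      sec = $0
      sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
      next
    }
    {
      i = index($0, "=")
      if (i == 0) next
      k = substr($0, 1, i - 1); v = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key && (want == "" || sec == want)) val = v
    }
    END { print val }
  ' "$1"
}

# check_sockets PHP_INI MY_CNF -> one verdict line per PHP setting
check_sockets() {
  server=$(ini_get "$2" socket mysqld)
  for key in mysqli.default_socket pdo_mysql.default_socket; do
    val=$(ini_get "$1" "$key")
    if [ -z "$val" ]; then
      # Empty or unset: per the post, PHP then uses its default /tmp/mysql.sock
      echo "$key EMPTY"
    elif [ "$val" = "$server" ]; then
      echo "$key OK"
    else
      echo "$key MISMATCH $val"
    fi
  done
}

# Constructed sample files: one setting left empty, one path a character short.
write_samples() {   # write_samples DIR
  cat > "$1/my.cnf" <<'EOF'
[client]
socket          = /var/lib/mysql/mysql.sock

[mysqld]
socket          = /var/lib/mysql/mysql.sock
EOF
  cat > "$1/php.ini" <<'EOF'
[MySQLi]
mysqli.default_socket =
[Pdo_mysql]
; constructed typo: the path is one character short
pdo_mysql.default_socket = /var/lib/mysql/mysql.soc
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_sockets "$demo_dir/php.ini" "$demo_dir/my.cnf"
rm -rf "$demo_dir"
```

On a real host, call `check_sockets /etc/php.ini /etc/my.cnf`.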

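testssl.sh, an SSL/TLS testing script

The tools I used to rely on for SSL testing were ssllabs (https://www.ssllabs.com/ssltest/) and, in China, https://myssl.com/.

Testing with them is simple: enter the domain and run the online check.

Today I came across a handy SSL testing script online, testssl.sh: https://testssl.sh/

To use it, download the source and run it: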

git clone --depth 1 https://github.com/drwetter/testssl.sh.git

Then enter the directory:

Show the help text:

./testssl.sh --help

Run a scan:

./testssl.sh yourdomain.com

The results look like this:

###########################################################
    testssl.sh       3.0beta from https://testssl.sh/dev/
    (470f8b6 2018-04-28 22:38:53 -- )

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2i-dev)" [~183 ciphers]
 on VM_122_230_centos:./bin/openssl.Linux.x86_64
 (built: "Jun 22 19:32:29 2016", platform: "linux-x86_64")


 Start 2018-04-29 23:25:20        -->> 119.28.6.33:443 (zach.xin) <<--

 rDNS (119.28.6.33):     --
 Service detected:       HTTP


 Testing protocols via sockets except NPN+ALPN 

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered
 TLS 1.1    offered
 TLS 1.2    offered (OK)
 TLS 1.3    not offered
 NPN/SPDY   h2, http/1.1 (advertised)
 ALPN/HTTP2 h2, http/1.1 (offered)

 Testing cipher categories 

 NULL ciphers (no encryption)                  not offered (OK)
 Anonymous NULL Ciphers (no authentication)    not offered (OK)
 Export ciphers (w/o ADH+NULL)                 not offered (OK)
 LOW: 64 Bit + DES encryption (w/o export)     not offered (OK)
 Weak 128 Bit ciphers (SEED, IDEA, RC[2,4])    not offered (OK)
 Triple DES Ciphers (Medium)                   not offered (OK)
 High encryption (AES+Camellia, no AEAD)       offered (OK)
 Strong encryption (AEAD ciphers)              offered (OK)


 Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4 

 PFS is offered (OK)          ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA 
 Elliptic curves offered:     prime256v1 secp384r1 secp521r1 X25519 


 Testing server preferences 

 Has server cipher order?     yes (OK)
 Negotiated protocol          TLSv1.2
 Negotiated cipher            ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Cipher order
    TLSv1:     ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA AES256-SHA 
    TLSv1.1:   ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA AES256-SHA 
    TLSv1.2:   ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-CCM8 AES128-CCM AES128-SHA256 AES128-SHA
               ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-CCM8 AES256-CCM AES256-SHA256 AES256-SHA 


 Testing server defaults (Server Hello) 

 TLS extensions (standard)    "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35" "status request/#5" "next protocol/#13172" "max fragment length/#1"
                              "application layer protocol negotiation/#16" "encrypt-then-mac/#22" "extended master secret/#23"
 Session Ticket RFC 5077 hint 600 seconds, session tickets keys seems to be rotated < daily
 SSL Session ID support       yes
 Session Resumption           Tickets: yes, ID: yes
 TLS clock skew               Random values, no fingerprinting possible 
 Signature Algorithm          SHA256 with RSA
 Server key size              RSA 2048 bits
 Server key usage             Digital Signature, Key Encipherment
 Server extended key usage    TLS Web Server Authentication, TLS Web Client Authentication
 Serial / Fingerprints        049CA937F746C261709C994D3484D78B958A / SHA1 C654AA97C778B10F79B05E12F679146255984AC8
                              SHA256 F1137B78E829E1AEC2F238F931835A0090DBCF01C6F57B48F5CF16C2295B0EB4
 Common Name (CN)             zach.xin
 subjectAltName (SAN)         www.zach.xin zach.xin 
 Issuer                       Let's Encrypt Authority X3 (Let's Encrypt from US)
 Trust (hostname)             Ok via SAN and CN (same w/o SNI)
 Chain of trust               Ok   
 EV cert (experimental)       no 
 Certificate Validity (UTC)   78 >= 30 days (2018-04-18 19:06 --> 2018-07-17 19:06)
 # of certificates provided   2
 Certificate Revocation List  --
 OCSP URI                     http://ocsp.int-x3.letsencrypt.org
 OCSP stapling                offered
 OCSP must staple extension   --
 DNS CAA RR (experimental)    not offered
 Certificate Transparency     yes (certificate extension)


 Testing HTTP header response @ "/" 

 HTTP Status Code             403 Forbidden
 HTTP clock skew              0 sec from localtime
 Strict Transport Security    not offered
 Public Key Pinning           --
 Server banner                nginx
 Application banner           --
 Cookie(s)                    (none issued at "/") -- maybe better try target URL of 30x
 Security headers             --
 Reverse Proxy banner         --


 Testing vulnerabilities 

 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Ticketbleed (CVE-2016-9244), experiment.  not vulnerable (OK)
 ROBOT                                     not vulnerable (OK)
 Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    no HTTP compression (OK)  - only supplied "/" tested
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
 TLS_FALLBACK_SCSV (RFC 7507)              Downgrade attack prevention supported (OK)
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                           https://censys.io/ipv4?q=F1137B78E829E1AEC2F238F931835A0090DBCF01C6F57B48F5CF16C2295B0EB4 could help you to find out
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected
 BEAST (CVE-2011-3389)                     TLS1: ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA AES256-SHA 
                                           VULNERABLE -- but also supports higher protocols  TLSv1.1 TLSv1.2 (likely mitigated)
 LUCKY13 (CVE-2013-0169), experimental     potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)


 Testing 364 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength 

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (RFC)
-----------------------------------------------------------------------------------------------------------------------------
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 256   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384              
 xc028   ECDHE-RSA-AES256-SHA384           ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384              
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 
 xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 253   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256        
 x9d     AES256-GCM-SHA384                 RSA        AESGCM      256      TLS_RSA_WITH_AES_256_GCM_SHA384                    
 xc0a1   AES256-CCM8                       RSA        AESCCM8     256      TLS_RSA_WITH_AES_256_CCM_8                         
 xc09d   AES256-CCM                        RSA        AESCCM      256      TLS_RSA_WITH_AES_256_CCM                           
 x3d     AES256-SHA256                     RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA256                    
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA                       
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 256   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256              
 xc027   ECDHE-RSA-AES128-SHA256           ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256              
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                 
 xc0a0   AES128-CCM8                       RSA        AESCCM8     128      TLS_RSA_WITH_AES_128_CCM_8                         
 xc09c   AES128-CCM                        RSA        AESCCM      128      TLS_RSA_WITH_AES_128_CCM                           
 x9c     AES128-GCM-SHA256                 RSA        AESGCM      128      TLS_RSA_WITH_AES_128_GCM_SHA256                    
 x3c     AES128-SHA256                     RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA256                    
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA                       


 Running client simulations via sockets 

 Android 4.2.2                TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
 Android 4.4.2                TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Android 5.0.0                TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Android 6.0                  TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Android 7.0                  TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519)
 Chrome 57 Win 7              TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519)
 Chrome 65 Win 7              TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519)
 Firefox 53 Win 7             TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519)
 Firefox 59 Win 7             TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519)
 IE 6 XP                      No connection
 IE 7 Vista                   TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
 IE 8 Win 7                   TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
 IE 8 XP                      No connection
 IE 11 Win 7                  TLSv1.2 ECDHE-RSA-AES128-SHA256, 256 bit ECDH (P-256)
 IE 11 Win 8.1                TLSv1.2 ECDHE-RSA-AES128-SHA256, 256 bit ECDH (P-256)
 IE 11 Win Phone 8.1          TLSv1.2 ECDHE-RSA-AES128-SHA256, 256 bit ECDH (P-256)
 IE 11 Win 10                 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Edge 13 Win 10               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Edge 13 Win Phone 10         TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Edge 15 Win 10               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 253 bit ECDH (X25519)
 Opera 17 Win 7               TLSv1.2 ECDHE-RSA-AES128-SHA256, 256 bit ECDH (P-256)
 Safari 9 iOS 9               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Safari 9 OS X 10.11          TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Safari 10 OS X 10.12         TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Apple ATS 9 iOS 9            TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Tor 17.0.9 Win 7             TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
 Java 6u45                    TLSv1.0 AES128-SHA
 Java 7u25                    TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
 Java 8u161                   TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Java 9.0.4                   TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 OpenSSL 1.0.1l               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 OpenSSL 1.0.2e               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)

 Done 2018-04-29 23:27:55 [ 158s] -->> 119.28.6.33:443 (zach.xin) <<--
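
An added example (not part of the original post or of testssl.sh) that triages a report like the one above into items to follow up: legacy protocols still offered, missing HSTS and CAA, and any check marked VULNERABLE. The function name triage_testssl and its rule set are assumptions; the sample lines are copied from the report on this page.

```shell
#!/bin/sh
# Added example: triage a saved plain-text testssl.sh report.
# triage_testssl is a hypothetical helper, not part of testssl.sh.
# It expects a report saved as plain text without colour escape codes.

# Sample lines copied from the report shown on this page.
sample_report() {
cat <<'EOF'
 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered
 TLS 1.1    offered
 TLS 1.2    offered (OK)
 DNS CAA RR (experimental)    not offered
 Strict Transport Security    not offered
 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 BEAST (CVE-2011-3389)                     TLS1: ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA AES256-SHA
                                           VULNERABLE -- but also supports higher protocols  TLSv1.1 TLSv1.2 (likely mitigated)
 LUCKY13 (CVE-2013-0169), experimental     potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
EOF
}

# triage_testssl < report.txt -> one finding per line, in report order
triage_testssl() {
  awk '
    # A test line starts with exactly one space; remember its name so that an
    # indented continuation line can be attributed to the right check.
    /^ [^ ]/ { name = $1 }

    # Protocols older than TLS 1.2 that the server still offers.
    $1 ~ /^SSLv[23]$/ && $2 == "offered" { print "LEGACY_PROTOCOL " $1 }
    $1 == "TLS" && ($2 == "1" || $2 == "1.1") && $3 == "offered" {
      print "LEGACY_PROTOCOL TLS" $2
    }

    # Hardening features the report shows as absent.
    /DNS CAA RR/ && /not offered/ { print "MISSING_CAA" }
    /Strict Transport Security/ && /not offered/ { print "MISSING_HSTS" }

    # testssl.sh writes VULNERABLE in capitals; "not vulnerable" is lower case.
    /VULNERABLE/ {
      note = "flagged"
      if ($0 ~ /potentially VULNERABLE/) note = "potential"
      else if ($0 ~ /likely mitigated/) note = "likely-mitigated"
      print "VULN " name " " note
    }
  '
}

sample_report | triage_testssl
```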