SSL check results of protonmail.ch

NEW You can also bulk check multiple servers.

Discover if the mail servers for protonmail.ch can be reached through a secure connection.

To establish a secure connection a mail server has to offer STARTTLS (SSL), a trustworthy SSL certificate, support for the Diffie-Hellman-Algorithm to guarantee Perfect Forward Secrecy and must not be vulnerable against the Heartbleed attack. Futhermore we recommend using end-to-end encryption with GnuPG.

Summary

Report created Mon, 15 Jan 2024 12:52:06 +0000

The mailservers of protonmail.ch can be reached through a secure connection.

Servers

Incoming Mails

These servers are responsible for incoming mails to @protonmail.ch addresses.

Hostname / IP address Priority STARTTLS Certificates Protocol
mail.protonmail.ch
185.70.42.128
5
supported
protonmail.com
DANE
valid
PFS
supported
Heartbleed
not vulnerable
Weak ciphers
not found
  • TLSv1.2
  • SSLv3
24 s
mail.protonmail.ch
176.119.200.128
5
supported
protonmail.com
DANE
valid
PFS
supported
Heartbleed
not vulnerable
Weak ciphers
not found
  • TLSv1.2
  • SSLv3
31 s
mail.protonmail.ch
185.205.70.128
5
supported
protonmail.com
DANE
valid
PFS
supported
Heartbleed
not vulnerable
Weak ciphers
not found
  • TLSv1.2
  • SSLv3
36 s
mailsec.protonmail.ch
185.205.70.129
10
supported
protonmail.com
DANE
valid
PFS
supported
Heartbleed
not vulnerable
Weak ciphers
not found
  • TLSv1.2
  • SSLv3
13 s
mailsec.protonmail.ch
176.119.200.129
10
supported
protonmail.com
DANE
valid
PFS
supported
Heartbleed
not vulnerable
Weak ciphers
not found
  • TLSv1.2
  • SSLv3
12 s
mailsec.protonmail.ch
185.70.42.129
10
supported
protonmail.com
DANE
valid
PFS
supported
Heartbleed
not vulnerable
Weak ciphers
not found
  • TLSv1.2
  • SSLv3
13 s

Outgoing Mails

We have received emails from these servers with @protonmail.ch sender addresses. Test mail delivery

Host TLS Version & Cipher
mail-40138.protonmail.ch (185.70.40.138)
TLSv1.3 TLS_AES_256_GCM_SHA384
mail-40132.protonmail.ch (185.70.40.132)
TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
mail-40131.protonmail.ch (185.70.40.131)
TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
mail-40130.protonmail.ch (185.70.40.130)
TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384

Certificates

First seen at:

CN=protonmail.com

Certificate chain
  • protonmail.com
    • remaining
    • 4096 bit
    • sha256WithRSAEncryption

      • R3
        • remaining
        • 2048 bit
        • sha256WithRSAEncryption

          • ISRG Root X1 (Certificate is self-signed.)
            • remaining
            • 4096 bit
            • sha256WithRSAEncryption

Subject
Common Name (CN)
  • protonmail.com
Alternative Names
  • *.pm.me
  • *.protonmail.ch
  • *.protonmail.com
  • *.protonvpn.ch
  • *.protonvpn.com
  • protonmail.com
Issuer
Country (C)
  • US
Organization (O)
  • Let's Encrypt
Common Name (CN)
  • R3
validity period
Not valid before
2023-12-06
Not valid after
2024-03-05
This certifcate has been verified for the following usages:
  • Digital Signature
  • Key Encipherment
  • TLS Web Server Authentication
  • TLS Web Client Authentication
Fingerprints
SHA256
BE:44:92:50:EA:F0:C6:08:74:49:12:0D:BE:11:1C:39:44:5D:79:DF:48:C9:A2:EB:B9:B3:A6:D5:FF:15:A9:47
SHA1
DE:F6:4D:9D:17:E4:C1:D3:1F:93:F2:99:0D:AF:4B:F6:7E:4A:87:8F
X509v3 extensions
subjectKeyIdentifier
  • 33:36:13:CB:1C:5C:7A:BD:79:9C:FB:E5:1D:DB:AB:5F:C6:66:41:06
authorityKeyIdentifier
  • keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
authorityInfoAccess
  • OCSP - URI:http://r3.o.lencr.org
  • CA Issuers - URI:http://r3.i.lencr.org/
certificatePolicies
  • Policy: 2.23.140.1.2.1
ct_precert_scts
  • Signed Certificate Timestamp:
  • Version : v1 (0x0)
  • Log ID : 3B:53:77:75:3E:2D:B9:80:4E:8B:30:5B:06:FE:40:3B:
  • 67:D8:4F:C3:F4:C7:BD:00:0D:2D:72:6F:E1:FA:D4:17
  • Timestamp : Dec 6 09:19:02.626 2023 GMT
  • Extensions: none
  • Signature : ecdsa-with-SHA256
  • 30:45:02:21:00:DD:91:51:43:9C:F5:E9:FC:8D:F7:A1:
  • 98:46:59:2B:D3:47:E8:A6:2E:17:30:70:94:2E:04:CB:
  • FA:64:04:84:94:02:20:0C:E2:2F:14:84:96:FF:D0:D7:
  • 01:30:FC:13:9A:CB:78:D9:D3:C8:D2:1D:9D:AD:A8:06:
  • B1:F4:33:B3:58:0E:F5
  • Signed Certificate Timestamp:
  • Version : v1 (0x0)
  • Log ID : 29:D0:3A:1B:B6:74:AA:71:1C:D3:03:5B:65:57:C1:4F:
  • 8A:A7:8B:4F:E8:38:94:49:EC:A4:53:F9:44:BD:24:68
  • Timestamp : Dec 6 09:19:02.823 2023 GMT
  • Extensions: none
  • Signature : ecdsa-with-SHA256
  • 30:45:02:21:00:D4:29:3E:12:26:A3:46:18:47:60:CE:
  • A3:80:21:A4:0F:F3:15:FD:7C:A9:0D:BE:CB:E3:3D:0B:
  • D3:8D:D3:92:B4:02:20:33:64:D8:D1:B6:B1:D0:70:10:
  • 7F:F9:18:08:9B:D9:6E:7F:99:3F:F0:18:F2:20:E1:C6:
  • 6A:BF:3C:34:1B:64:65

DANE

DNS-based Authentication of Named Entities (DANE) is a protocol to allow X.509 certificates to be bound to DNS using TLSA records and DNSSEC.

Name Options DNSSEC Matches
_25._tcp.mailsec.protonmail.ch
  • DANE-EE: Domain Issued Certificate
  • Use subject public key
  • SHA-256 Hash
valid
_25._tcp.mailsec.protonmail.ch
  • DANE-EE: Domain Issued Certificate
  • Use subject public key
  • SHA-256 Hash
valid
valid
_25._tcp.mail.protonmail.ch
  • DANE-EE: Domain Issued Certificate
  • Use subject public key
  • SHA-256 Hash
valid
valid
_25._tcp.mail.protonmail.ch
  • DANE-EE: Domain Issued Certificate
  • Use subject public key
  • SHA-256 Hash
valid