SSL check results of protonmail.ch

NEW You can also bulk check multiple servers.

Discover if the mail servers for protonmail.ch can be reached through a secure connection.

To establish a secure connection a mail server has to offer STARTTLS (SSL), a trustworthy SSL certificate, support for the Diffie-Hellman-Algorithm to guarantee Perfect Forward Secrecy and must not be vulnerable against the Heartbleed attack. Futhermore we recommend using end-to-end encryption with GnuPG.

Summary

Report created Fri, 12 Nov 2021 05:35:44 +0000

The mailservers of protonmail.ch can be reached through a secure connection.

Servers

Incoming Mails

These servers are responsible for incoming mails to @protonmail.ch addresses.

Hostname / IP address Priority STARTTLS Certificates Protocol
mail.protonmail.ch
185.205.70.128
5
supported
protonmail.com
DANE
valid
PFS
supported
Heartbleed
not vulnerable
Weak ciphers
not found
  • TLSv1.2
  • TLSv1.1
  • TLSv1.0
  • SSLv3
13 s
mail.protonmail.ch
176.119.200.128
5
supported
protonmail.com
DANE
valid
PFS
supported
Heartbleed
not vulnerable
Weak ciphers
not found
  • TLSv1.2
  • TLSv1.1
  • TLSv1.0
  • SSLv3
2 s
mail.protonmail.ch
185.70.42.128
5
supported
protonmail.com
DANE
valid
PFS
supported
Heartbleed
not vulnerable
Weak ciphers
not found
  • TLSv1.2
  • TLSv1.1
  • TLSv1.0
  • SSLv3
2 s
mailsec.protonmail.ch
176.119.200.129
10
supported
protonmail.com
DANE
valid
PFS
supported
Heartbleed
not vulnerable
Weak ciphers
not found
  • TLSv1.2
  • TLSv1.1
  • TLSv1.0
  • SSLv3
2 s
mailsec.protonmail.ch
185.70.42.129
10
supported
protonmail.com
DANE
valid
PFS
supported
Heartbleed
not vulnerable
Weak ciphers
not found
  • TLSv1.2
  • TLSv1.1
  • TLSv1.0
  • SSLv3
2 s
mailsec.protonmail.ch
185.205.70.129
10
supported
protonmail.com
DANE
valid
PFS
supported
Heartbleed
not vulnerable
Weak ciphers
not found
  • TLSv1.2
  • TLSv1.1
  • TLSv1.0
  • SSLv3
2 s
mailsec.protonmail.ch
185.70.40.104
10
supported
protonmail.com
DANE
valid
PFS
supported
Heartbleed
not vulnerable
Weak ciphers
not found
  • TLSv1.2
  • TLSv1.1
  • TLSv1.0
  • SSLv3
2 s

Outgoing Mails

We have received emails from these servers with @protonmail.ch sender addresses. Test mail delivery

Host TLS Version & Cipher
mail-40138.protonmail.ch (185.70.40.138)
TLSv1.3 TLS_AES_256_GCM_SHA384
mail-40132.protonmail.ch (185.70.40.132)
TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
mail-40131.protonmail.ch (185.70.40.131)
TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
mail-40130.protonmail.ch (185.70.40.130)
TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384

Certificates

First seen at:

CN=protonmail.com

Certificate chain
  • protonmail.com
    • remaining
    • 4096 bit
    • sha256WithRSAEncryption

      • R3
        • remaining
        • 2048 bit
        • sha256WithRSAEncryption

          • ISRG Root X1 (Certificate is self-signed.)
            • remaining
            • 4096 bit
            • sha256WithRSAEncryption

Subject
Common Name (CN)
  • protonmail.com
Alternative Names
  • *.pm.me
  • *.protonmail.ch
  • *.protonmail.com
  • *.protonvpn.ch
  • *.protonvpn.com
  • protonmail.com
Issuer
Country (C)
  • US
Organization (O)
  • Let's Encrypt
Common Name (CN)
  • R3
validity period
Not valid before
2021-10-04
Not valid after
2022-01-02
This certifcate has been verified for the following usages:
  • Digital Signature
  • Key Encipherment
  • TLS Web Server Authentication
  • TLS Web Client Authentication
Fingerprints
SHA256
37:25:26:45:C3:FC:5B:2D:A7:B2:A0:3C:5A:07:EC:78:8C:D8:BD:D6:AC:13:0C:C0:F4:DF:B3:3F:1B:33:71:44
SHA1
C9:7A:F7:57:A2:72:35:11:E9:9F:8E:19:16:21:3C:A3:1B:E1:AC:F5
X509v3 extensions
subjectKeyIdentifier
  • 33:36:13:CB:1C:5C:7A:BD:79:9C:FB:E5:1D:DB:AB:5F:C6:66:41:06
authorityKeyIdentifier
  • keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
authorityInfoAccess
  • OCSP - URI:http://r3.o.lencr.org
  • CA Issuers - URI:http://r3.i.lencr.org/
certificatePolicies
  • Policy: 2.23.140.1.2.1
  • Policy: 1.3.6.1.4.1.44947.1.1.1
  • CPS: http://cps.letsencrypt.org
ct_precert_scts
  • Signed Certificate Timestamp:
  • Version : v1 (0x0)
  • Log ID : DF:A5:5E:AB:68:82:4F:1F:6C:AD:EE:B8:5F:4E:3E:5A:
  • EA:CD:A2:12:A4:6A:5E:8E:3B:12:C0:20:44:5C:2A:73
  • Timestamp : Oct 4 09:54:04.112 2021 GMT
  • Extensions: none
  • Signature : ecdsa-with-SHA256
  • 30:45:02:21:00:9C:4A:7A:C5:23:3F:DC:27:F5:15:98:
  • 3A:7A:CC:5F:26:49:C8:5D:A3:5A:C6:2F:5E:55:65:04:
  • 03:89:DC:43:F1:02:20:2B:C7:E2:87:D2:DC:F4:B2:B2:
  • 5A:59:68:48:CF:7E:AA:52:CE:63:BE:E5:91:75:B2:5F:
  • 80:F4:4E:74:02:8E:E3
  • Signed Certificate Timestamp:
  • Version : v1 (0x0)
  • Log ID : 46:A5:55:EB:75:FA:91:20:30:B5:A2:89:69:F4:F3:7D:
  • 11:2C:41:74:BE:FD:49:B8:85:AB:F2:FC:70:FE:6D:47
  • Timestamp : Oct 4 09:54:04.186 2021 GMT
  • Extensions: none
  • Signature : ecdsa-with-SHA256
  • 30:46:02:21:00:DC:86:F3:6E:02:03:0D:9E:CE:14:9C:
  • 9A:9C:BE:AD:A4:1D:B9:A0:4F:71:F3:64:D8:7D:B6:EF:
  • CA:10:DC:E5:16:02:21:00:E4:AC:9A:BA:02:8D:46:4A:
  • AB:85:B8:DB:76:7C:3E:16:27:29:CC:47:4B:1E:B8:4E:
  • 2D:91:D9:DD:F2:C6:0F:FE

DANE

DNS-based Authentication of Named Entities (DANE) is a protocol to allow X.509 certificates to be bound to DNS using TLSA records and DNSSEC.

Name Options DNSSEC Matches
_25._tcp.mailsec.protonmail.ch
  • DANE-EE: Domain Issued Certificate
  • Use subject public key
  • SHA-256 Hash
valid
valid
_25._tcp.mailsec.protonmail.ch
  • DANE-EE: Domain Issued Certificate
  • Use subject public key
  • SHA-256 Hash
valid
_25._tcp.mail.protonmail.ch
  • DANE-EE: Domain Issued Certificate
  • Use subject public key
  • SHA-256 Hash
valid
valid
_25._tcp.mail.protonmail.ch
  • DANE-EE: Domain Issued Certificate
  • Use subject public key
  • SHA-256 Hash
valid