github-starred/ollama
2
0
Fork 0
mirror of https://github.com/ollama/ollama.git synced 2026-05-06 16:11:34 -05:00
Code Issues 14.5k Packages Projects Releases 120 Wiki Activity

[GH-ISSUE #3372] Ollama can't run models in Docker, Certificate error x509 #27834

New Issue
Closed
opened 2026-04-22 05:27:47 -05:00 by GiteaMirror · 14 comments
GiteaMirror commented 2026-04-22 05:27:47 -05:00
Owner
Copy Link

Originally created by @BumblingWizard on GitHub (Mar 27, 2024).
Original GitHub issue: https://github.com/ollama/ollama/issues/3372

What is the issue?

I'm seeing a similar issue to the one reported in: ollama.ai certificate has expired, not possible to download models #3336

I installed the current image from the docker hub earlier today (ollama/ollama:latest), but when I attempt to use a model, I get the following error:

Error: pull model manifest: Get "https://registry.ollama.ai/v2/library/llama2/manifests/latest": tls: failed to verify certificate: x509: certificate signed by unknown authority

What did you expect to see?

I expected it to pull a model and work.

Steps to reproduce

Install the image, run a container, use the command "ollama run llama2" (or any other model).

Are there any recent changes that introduced the issue?

No response

OS

Linux

Architecture

amd64

Platform

Docker, WSL2

Ollama version

No response

GPU

No response

GPU info

No response

CPU

Intel

Other software

No response

Originally created by @BumblingWizard on GitHub (Mar 27, 2024). Original GitHub issue: https://github.com/ollama/ollama/issues/3372 ### What is the issue? I'm seeing a similar issue to the one reported in: ollama.ai certificate has expired, not possible to download models #3336 I installed the current image from the docker hub earlier today (ollama/ollama:latest), but when I attempt to use a model, I get the following error: Error: pull model manifest: Get "https://registry.ollama.ai/v2/library/llama2/manifests/latest": tls: failed to verify certificate: x509: certificate signed by unknown authority ### What did you expect to see? I expected it to pull a model and work. ### Steps to reproduce Install the image, run a container, use the command "ollama run llama2" (or any other model). ### Are there any recent changes that introduced the issue? _No response_ ### OS Linux ### Architecture amd64 ### Platform Docker, WSL2 ### Ollama version _No response_ ### GPU _No response_ ### GPU info _No response_ ### CPU Intel ### Other software _No response_
GiteaMirror added the bug label 2026-04-22 05:27:47 -05:00
GiteaMirror commented 2026-04-22 05:27:51 -05:00
Author
Owner
Copy Link

@gitmoneyMSBA commented on GitHub (Mar 27, 2024):

Getting the exact same error.

OS
macOS Sonoma 14.3.1

CPU
Apple M1 Pro

Other software
No response

Architecture
arm64

Platform
Docker, R package rollama as well as Terminal

Ollama version
No response

GPU
No response

GPU info
No response

<!-- gh-comment-id:2023514560 --> @gitmoneyMSBA commented on GitHub (Mar 27, 2024): Getting the exact same error. OS macOS Sonoma 14.3.1 CPU Apple M1 Pro Other software No response Architecture arm64 Platform Docker, _R_ package _rollama_ as well as Terminal Ollama version No response GPU No response GPU info No response
GiteaMirror commented 2026-04-22 05:27:54 -05:00
Author
Owner
Copy Link

@jimscard commented on GitHub (Mar 28, 2024):

As a datapoint, I ran the testssl script against the URL mentioned above. The following results should provide clues to the misconfiguration. Note that there are multiple IP addresses that the URL resolves to -- one of them seems to be more problematic than the others:

└─$ testssl https://registry.ollama.ai/v2/library/llama2/manifests/latest
Unable to find image 'drwetter/testssl.sh:latest' locally
latest: Pulling from drwetter/testssl.sh
22be9f90e464: Pull complete
1ff732d10b0c: Pull complete
2c88f9ab693b: Pull complete
Digest: sha256:b1f1622f54b1d08262381eeed9bec8a54d97901b9ce084a37e49dd2ab47c819d
Status: Downloaded newer image for drwetter/testssl.sh:latest

###########################################################
    testssl.sh       3.2rc3 from https://testssl.sh/dev/

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2-bad (1.0.2k-dev)" [~183 ciphers]
 on ccf314d4ac50:/home/testssl/bin/openssl.Linux.x86_64
 (built: "Sep  1 14:03:44 2022", platform: "linux-x86_64")


Testing all IPv4 addresses (port 443): 104.21.75.227 172.67.182.229
----------------------------------------------------------------------------------------
 Start 2024-03-28 05:26:13                -->> 104.21.75.227:443 (registry.ollama.ai) <<--

 Further IP addresses:   172.67.182.229 2606:4700:3034::ac43:b6e5 2606:4700:3036::6815:4be3
 rDNS (104.21.75.227):   --
 Service detected:       HTTP


 Testing protocols via sockets except NPN+ALPN

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered (deprecated)
 TLS 1.1    offered (deprecated)
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): final
 NPN/SPDY   h2, http/1.1 (advertised)
 ALPN/HTTP2 h2, http/1.1 (offered)

 Testing cipher categories

 NULL ciphers (no encryption)                      not offered (OK)
 Anonymous NULL Ciphers (no authentication)        not offered (OK)
 Export ciphers (w/o ADH+NULL)                     not offered (OK)
 LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export)      not offered (OK)
 Triple DES Ciphers / IDEA                         offered
 Obsoleted CBC ciphers (AES, ARIA etc.)            offered
 Strong encryption (AEAD ciphers) with no FS       offered (OK)
 Forward Secrecy strong encryption (AEAD ciphers)  offered (OK)


 Testing server's cipher preferences

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2
 -
SSLv3
 -
TLSv1 (server order)
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA
 x0a     DES-CBC3-SHA                      RSA        3DES        168      TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLSv1.1 (server order)
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA
TLSv1.2 (server order -- server prioritizes ChaCha ciphers when preferred by clients)
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 253   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 xcc13   ECDHE-RSA-CHACHA20-POLY1305-OLD   ECDH 253   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD
 xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 253   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 xc013   ECDHE-RSA-AES128-SHA              ECDH 253   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 x9c     AES128-GCM-SHA256                 RSA        AESGCM      128      TLS_RSA_WITH_AES_128_GCM_SHA256
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 253   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 xc014   ECDHE-RSA-AES256-SHA              ECDH 253   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 x9d     AES256-GCM-SHA384                 RSA        AESGCM      256      TLS_RSA_WITH_AES_256_GCM_SHA384
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA
 xc027   ECDHE-RSA-AES128-SHA256           ECDH 253   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 x3c     AES128-SHA256                     RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA256
 xc028   ECDHE-RSA-AES256-SHA384           ECDH 253   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 x3d     AES256-SHA256                     RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA256
TLSv1.3 (no server order, thus listed by strength)
 x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384
 x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256
 x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256

 Has server cipher order?     yes (OK) -- only for < TLS 1.3


 Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4

 FS is offered (OK)           TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-CHACHA20-POLY1305-OLD
                              ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-CHACHA20-POLY1305
                              TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA
 Elliptic curves offered:     prime256v1 secp384r1 secp521r1 X25519
 TLS 1.2 sig_algs offered:    RSA-PSS-RSAE+SHA256 RSA+SHA256 RSA-PSS-RSAE+SHA384
 TLS 1.3 sig_algs offered:    RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512

 Testing server defaults (Server Hello)

 TLS extensions (standard)    "server name/#0" "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35"
                              "status request/#5" "next protocol/#13172" "key share/#51" "supported versions/#43"
                              "extended master secret/#23" "application layer protocol negotiation/#16" "compress_certificate/#27"
 Session Ticket RFC 5077 hint 64800 seconds, session tickets keys seems to be rotated < daily
 SSL Session ID support       yes
 Session Resumption           Tickets: yes, ID: yes
 TLS clock skew               0 sec from localtime
 Certificate Compression      0002/Brotli
 Client Authentication        none
 Signature Algorithm          SHA256 with RSA
 Server key size              RSA 2048 bits (exponent is 65537)
 Server key usage             Digital Signature, Key Encipherment
 Server extended key usage    TLS Web Server Authentication
 Serial                       B67108FB323AE7310D57FA995F4D359E (OK: length 16)
 Fingerprints                 SHA1 882A6128D0897AB43AC4854F132469383B420DF5
                              SHA256 5DEA58EFBA3EC0E356EFE46AAE2AB7E7CB164B814747537CA1B5F95BBB1AC2E1
 Common Name (CN)             ollama.ai  (request w/o SNI didn't succeed)
 subjectAltName (SAN)         ollama.ai *.ollama.ai
 Trust (hostname)             Ok via SAN wildcard (SNI mandatory)
                              wildcard certificate could be problematic, see other hosts at
                              https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=5DEA58EFBA3EC0E356EFE46AAE2AB7E7CB164B814747537CA1B5F95BBB1AC2E1
 Chain of trust               Ok
 EV cert (experimental)       no
 Certificate Validity (UTC)   expires < 60 days (51) (2024-02-18 21:16 --> 2024-05-18 21:16)
 ETS/"eTLS", visibility info  not present
 Certificate Revocation List  http://crls.pki.goog/gts1p5/MQqSks_wLFY.crl
 OCSP URI                     http://ocsp.pki.goog/s/gts1p5/mDQpcJcSZzg
 OCSP stapling                offered, not revoked
 OCSP must staple extension   --
 DNS CAA RR (experimental)    not offered
 Certificate Transparency     yes (certificate extension)
 Certificates provided        3
 Issuer                       GTS CA 1P5 (Google Trust Services LLC from US)
 Intermediate cert validity   #1: ok > 40 days (2027-09-30 00:00). GTS CA 1P5 <-- GTS Root R1
                              #2: ok > 40 days (2028-01-28 00:00). GTS Root R1 <-- GlobalSign Root CA
 Intermediate Bad OCSP (exp.) Ok


 Testing HTTP header response @ "/v2/library/llama2/manifests/latest"

 HTTP Status Code             400 Bad Request (Hint: better try another URL)
 HTTP clock skew              0 sec from localtime
 Strict Transport Security    not offered
 Public Key Pinning           --
 Server banner                cloudflare
 Application banner           --
 Cookie(s)                    (none issued at "/v2/library/llama2/manifests/latest") -- maybe better try target URL of 30x
 Security headers             X-Content-Type-Options: nosniff
 Reverse Proxy banner         via: 1.1 google


 Testing vulnerabilities

 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Ticketbleed (CVE-2016-9244), experiment.  not vulnerable (OK)
 ROBOT                                     not vulnerable (OK)
 Secure Renegotiation (RFC 5746)           supported (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    no gzip/deflate/compress/br HTTP compression (OK)  - only supplied "/v2/library/llama2/manifests/latest" tested
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK), no SSLv3 support
 TLS_FALLBACK_SCSV (RFC 7507)              Downgrade attack prevention supported (OK)
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    VULNERABLE, uses 64 bit block ciphers
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services, see
                                           https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=5DEA58EFBA3EC0E356EFE46AAE2AB7E7CB164B814747537CA1B5F95BBB1AC2E1
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
 BEAST (CVE-2011-3389)                     TLS1: ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA AES256-SHA DES-CBC3-SHA
                                           VULNERABLE -- but also supports higher protocols  TLSv1.1 TLSv1.2 (likely mitigated)
 LUCKY13 (CVE-2013-0169), experimental     potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
 Winshock (CVE-2014-6321), experimental    not vulnerable (OK)
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)


 Running client simulations (HTTP) via sockets

 Browser                      Protocol  Cipher Suite Name (OpenSSL)       Forward Secrecy
------------------------------------------------------------------------------------------------
 Android 6.0                  TLSv1.2   ECDHE-RSA-CHACHA20-POLY1305-OLD   256 bit ECDH (P-256)
 Android 7.0 (native)         TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Android 8.1 (native)         TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 Android 9.0 (native)         TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Android 10.0 (native)        TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Android 11 (native)          TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Android 12 (native)          TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Chrome 79 (Win 10)           TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Chrome 101 (Win 10)          TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Firefox 66 (Win 8.1/10)      TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Firefox 100 (Win 10)         TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 IE 6 XP                      No connection
 IE 8 Win 7                   TLSv1.0   ECDHE-RSA-AES128-SHA              256 bit ECDH (P-256)
 IE 8 XP                      No connection
 IE 11 Win 7                  TLSv1.2   ECDHE-RSA-AES128-SHA              256 bit ECDH (P-256)
 IE 11 Win 8.1                TLSv1.2   ECDHE-RSA-AES128-SHA              256 bit ECDH (P-256)
 IE 11 Win Phone 8.1          TLSv1.2   ECDHE-RSA-AES128-SHA              256 bit ECDH (P-256)
 IE 11 Win 10                 TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Edge 15 Win 10               TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 Edge 101 Win 10 21H2         TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Safari 12.1 (iOS 12.2)       TLSv1.3   TLS_CHACHA20_POLY1305_SHA256      253 bit ECDH (X25519)
 Safari 13.0 (macOS 10.14.6)  TLSv1.3   TLS_CHACHA20_POLY1305_SHA256      253 bit ECDH (X25519)
 Safari 15.4 (macOS 12.3.1)   TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Java 7u25                    TLSv1.0   ECDHE-RSA-AES128-SHA              256 bit ECDH (P-256)
 Java 8u161                   TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Java 11.0.2 (OpenJDK)        TLSv1.3   TLS_AES_128_GCM_SHA256            256 bit ECDH (P-256)
 Java 17.0.3 (OpenJDK)        TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
 go 1.17.8                    TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 LibreSSL 2.8.3 (Apple)       TLSv1.2   ECDHE-RSA-CHACHA20-POLY1305       253 bit ECDH (X25519)
 OpenSSL 1.0.2e               TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 OpenSSL 1.1.0l (Debian)      TLSv1.2   ECDHE-RSA-CHACHA20-POLY1305       253 bit ECDH (X25519)
 OpenSSL 1.1.1d (Debian)      TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
 OpenSSL 3.0.3 (git)          TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
 Apple Mail (16.0)            TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Thunderbird (91.9)           TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)


 Rating (experimental)

 Rating specs (not complete)  SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)
 Specification documentation  https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
 Protocol Support (weighted)  95 (28)
 Key Exchange     (weighted)  90 (27)
 Cipher Strength  (weighted)  90 (36)
 Final Score                  91
 Overall Grade                B
 Grade cap reasons            Grade capped to B. TLS 1.1 offered
                              Grade capped to B. TLS 1.0 offered
                              Grade capped to A. HSTS is not offered

 Done 2024-03-28 05:28:48 [ 158s] -->> 104.21.75.227:443 (registry.ollama.ai) <<--

----------------------------------------------------------------------------------------
 Start 2024-03-28 05:28:48                -->> 172.67.182.229:443 (registry.ollama.ai) <<--

 Further IP addresses:   104.21.75.227 2606:4700:3034::ac43:b6e5 2606:4700:3036::6815:4be3
 rDNS (172.67.182.229):  --
 Service detected:       HTTP


 Testing protocols via sockets except NPN+ALPN

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered (deprecated)
 TLS 1.1    offered (deprecated)
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): final
 NPN/SPDY   h2, http/1.1 (advertised)
 ALPN/HTTP2 h2, http/1.1 (offered)

 Testing cipher categories

 NULL ciphers (no encryption)                      not offered (OK)
 Anonymous NULL Ciphers (no authentication)        not offered (OK)
 Export ciphers (w/o ADH+NULL)                     not offered (OK)
 LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export)      not offered (OK)
 Triple DES Ciphers / IDEA                         offered
 Obsoleted CBC ciphers (AES, ARIA etc.)            offered
 Strong encryption (AEAD ciphers) with no FS       offered (OK)
 Forward Secrecy strong encryption (AEAD ciphers)  offered (OK)


 Testing server's cipher preferences

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2
 -
SSLv3
 -
TLSv1 (server order)
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA
 x0a     DES-CBC3-SHA                      RSA        3DES        168      TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLSv1.1 (server order)
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA
TLSv1.2 (server order -- server prioritizes ChaCha ciphers when preferred by clients)
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 253   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 xcc13   ECDHE-RSA-CHACHA20-POLY1305-OLD   ECDH 253   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD
 xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 253   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 xc013   ECDHE-RSA-AES128-SHA              ECDH 253   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 x9c     AES128-GCM-SHA256                 RSA        AESGCM      128      TLS_RSA_WITH_AES_128_GCM_SHA256
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 253   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 xc014   ECDHE-RSA-AES256-SHA              ECDH 253   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 x9d     AES256-GCM-SHA384                 RSA        AESGCM      256      TLS_RSA_WITH_AES_256_GCM_SHA384
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA
 xc027   ECDHE-RSA-AES128-SHA256           ECDH 253   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 x3c     AES128-SHA256                     RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA256
 xc028   ECDHE-RSA-AES256-SHA384           ECDH 253   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 x3d     AES256-SHA256                     RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA256
TLSv1.3 (no server order, thus listed by strength)
 x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384
 x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256
 x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256

 Has server cipher order?     yes (OK) -- only for < TLS 1.3


 Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4

 FS is offered (OK)           TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-CHACHA20-POLY1305-OLD
                              ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-CHACHA20-POLY1305
                              TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA
 Elliptic curves offered:     prime256v1 secp384r1 secp521r1 X25519
 TLS 1.2 sig_algs offered:    RSA-PSS-RSAE+SHA256 RSA+SHA256 RSA-PSS-RSAE+SHA384
 TLS 1.3 sig_algs offered:    RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512

 Testing server defaults (Server Hello)

 TLS extensions (standard)    "server name/#0" "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35"
                              "status request/#5" "next protocol/#13172" "key share/#51" "supported versions/#43"
                              "extended master secret/#23" "application layer protocol negotiation/#16" "compress_certificate/#27"
 Session Ticket RFC 5077 hint 64800 seconds, session tickets keys seems to be rotated < daily
 SSL Session ID support       yes
 Session Resumption           Tickets: yes, ID: no
 TLS clock skew               0 sec from localtime
 Certificate Compression      0002/Brotli
 Client Authentication        none
 Signature Algorithm          SHA256 with RSA
 Server key size              RSA 2048 bits (exponent is 65537)
 Server key usage             Digital Signature, Key Encipherment
 Server extended key usage    TLS Web Server Authentication
 Serial                       B67108FB323AE7310D57FA995F4D359E (OK: length 16)
 Fingerprints                 SHA1 882A6128D0897AB43AC4854F132469383B420DF5
                              SHA256 5DEA58EFBA3EC0E356EFE46AAE2AB7E7CB164B814747537CA1B5F95BBB1AC2E1
 Common Name (CN)             ollama.ai  (request w/o SNI didn't succeed)
 subjectAltName (SAN)         ollama.ai *.ollama.ai
 Trust (hostname)             Ok via SAN wildcard (SNI mandatory)
                              wildcard certificate could be problematic, see other hosts at
                              https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=5DEA58EFBA3EC0E356EFE46AAE2AB7E7CB164B814747537CA1B5F95BBB1AC2E1
 Chain of trust               Ok
 EV cert (experimental)       no
 Certificate Validity (UTC)   expires < 60 days (51) (2024-02-18 21:16 --> 2024-05-18 21:16)
 ETS/"eTLS", visibility info  not present
 Certificate Revocation List  http://crls.pki.goog/gts1p5/MQqSks_wLFY.crl
 OCSP URI                     http://ocsp.pki.goog/s/gts1p5/mDQpcJcSZzg
 OCSP stapling                offered, not revoked
 OCSP must staple extension   --
 DNS CAA RR (experimental)    not offered
 Certificate Transparency     yes (certificate extension)
 Certificates provided        3
 Issuer                       GTS CA 1P5 (Google Trust Services LLC from US)
 Intermediate cert validity   #1: ok > 40 days (2027-09-30 00:00). GTS CA 1P5 <-- GTS Root R1
                              #2: ok > 40 days (2028-01-28 00:00). GTS Root R1 <-- GlobalSign Root CA
 Intermediate Bad OCSP (exp.) Ok


 Testing HTTP header response @ "/v2/library/llama2/manifests/latest"

 HTTP Status Code             400 Bad Request (Hint: better try another URL)
 HTTP clock skew              0 sec from localtime
 Strict Transport Security    not offered
 Public Key Pinning           --
 Server banner                cloudflare
 Application banner           --
 Cookie(s)                    (none issued at "/v2/library/llama2/manifests/latest") -- maybe better try target URL of 30x
 Security headers             X-Content-Type-Options: nosniff
 Reverse Proxy banner         via: 1.1 google


 Testing vulnerabilities

 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Ticketbleed (CVE-2016-9244), experiment.  not vulnerable (OK)
 ROBOT                                     not vulnerable (OK)
 Secure Renegotiation (RFC 5746)           supported (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    no gzip/deflate/compress/br HTTP compression (OK)  - only supplied "/v2/library/llama2/manifests/latest" tested
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK), no SSLv3 support
 TLS_FALLBACK_SCSV (RFC 7507)              Downgrade attack prevention supported (OK)
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    VULNERABLE, uses 64 bit block ciphers
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services, see
                                           https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=5DEA58EFBA3EC0E356EFE46AAE2AB7E7CB164B814747537CA1B5F95BBB1AC2E1
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
 BEAST (CVE-2011-3389)                     TLS1: ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA AES256-SHA DES-CBC3-SHA
                                           VULNERABLE -- but also supports higher protocols  TLSv1.1 TLSv1.2 (likely mitigated)
 LUCKY13 (CVE-2013-0169), experimental     potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
 Winshock (CVE-2014-6321), experimental    not vulnerable (OK)
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)


 Running client simulations (HTTP) via sockets

 Browser                      Protocol  Cipher Suite Name (OpenSSL)       Forward Secrecy
------------------------------------------------------------------------------------------------
 Android 6.0                  TLSv1.2   ECDHE-RSA-CHACHA20-POLY1305-OLD   256 bit ECDH (P-256)
 Android 7.0 (native)         TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Android 8.1 (native)         TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 Android 9.0 (native)         TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Android 10.0 (native)        TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Android 11 (native)          TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Android 12 (native)          TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Chrome 79 (Win 10)           TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Chrome 101 (Win 10)          TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Firefox 66 (Win 8.1/10)      TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Firefox 100 (Win 10)         TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 IE 6 XP                      No connection
 IE 8 Win 7                   TLSv1.0   ECDHE-RSA-AES128-SHA              256 bit ECDH (P-256)
 IE 8 XP                      No connection
 IE 11 Win 7                  TLSv1.2   ECDHE-RSA-AES128-SHA              256 bit ECDH (P-256)
 IE 11 Win 8.1                TLSv1.2   ECDHE-RSA-AES128-SHA              256 bit ECDH (P-256)
 IE 11 Win Phone 8.1          TLSv1.2   ECDHE-RSA-AES128-SHA              256 bit ECDH (P-256)
 IE 11 Win 10                 TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Edge 15 Win 10               TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 Edge 101 Win 10 21H2         TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Safari 12.1 (iOS 12.2)       TLSv1.3   TLS_CHACHA20_POLY1305_SHA256      253 bit ECDH (X25519)
 Safari 13.0 (macOS 10.14.6)  TLSv1.3   TLS_CHACHA20_POLY1305_SHA256      253 bit ECDH (X25519)
 Safari 15.4 (macOS 12.3.1)   TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Java 7u25                    TLSv1.0   ECDHE-RSA-AES128-SHA              256 bit ECDH (P-256)
 Java 8u161                   TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Java 11.0.2 (OpenJDK)        TLSv1.3   TLS_AES_128_GCM_SHA256            256 bit ECDH (P-256)
 Java 17.0.3 (OpenJDK)        TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
 go 1.17.8                    TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 LibreSSL 2.8.3 (Apple)       TLSv1.2   ECDHE-RSA-CHACHA20-POLY1305       253 bit ECDH (X25519)
 OpenSSL 1.0.2e               TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 OpenSSL 1.1.0l (Debian)      TLSv1.2   ECDHE-RSA-CHACHA20-POLY1305       253 bit ECDH (X25519)
 OpenSSL 1.1.1d (Debian)      TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
 OpenSSL 3.0.3 (git)          TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
 Apple Mail (16.0)            TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Thunderbird (91.9)           TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)


 Rating (experimental)

 Rating specs (not complete)  SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)
 Specification documentation  https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
 Protocol Support (weighted)  95 (28)
 Key Exchange     (weighted)  90 (27)
 Cipher Strength  (weighted)  90 (36)
 Final Score                  91
 Overall Grade                B
 Grade cap reasons            Grade capped to B. TLS 1.1 offered
                              Grade capped to B. TLS 1.0 offered
                              Grade capped to A. HSTS is not offered

 Done 2024-03-28 05:31:18 [ 308s] -->> 172.67.182.229:443 (registry.ollama.ai) <<--

----------------------------------------------------------------------------------------
Done testing now all IP addresses (on port 443): 104.21.75.227 172.67.182.229
<!-- gh-comment-id:2024444062 --> @jimscard commented on GitHub (Mar 28, 2024): As a datapoint, I ran the testssl script against the URL mentioned above. The following results should provide clues to the misconfiguration. Note that there are multiple IP addresses that the URL resolves to -- one of them seems to be more problematic than the others: ``` └─$ testssl https://registry.ollama.ai/v2/library/llama2/manifests/latest Unable to find image 'drwetter/testssl.sh:latest' locally latest: Pulling from drwetter/testssl.sh 22be9f90e464: Pull complete 1ff732d10b0c: Pull complete 2c88f9ab693b: Pull complete Digest: sha256:b1f1622f54b1d08262381eeed9bec8a54d97901b9ce084a37e49dd2ab47c819d Status: Downloaded newer image for drwetter/testssl.sh:latest ########################################################### testssl.sh 3.2rc3 from https://testssl.sh/dev/ This program is free software. Distribution and modification under GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! Please file bugs @ https://testssl.sh/bugs/ ########################################################### Using "OpenSSL 1.0.2-bad (1.0.2k-dev)" [~183 ciphers] on ccf314d4ac50:/home/testssl/bin/openssl.Linux.x86_64 (built: "Sep 1 14:03:44 2022", platform: "linux-x86_64") Testing all IPv4 addresses (port 443): 104.21.75.227 172.67.182.229 ---------------------------------------------------------------------------------------- Start 2024-03-28 05:26:13 -->> 104.21.75.227:443 (registry.ollama.ai) <<-- Further IP addresses: 172.67.182.229 2606:4700:3034::ac43:b6e5 2606:4700:3036::6815:4be3 rDNS (104.21.75.227): -- Service detected: HTTP Testing protocols via sockets except NPN+ALPN SSLv2 not offered (OK) SSLv3 not offered (OK) TLS 1 offered (deprecated) TLS 1.1 offered (deprecated) TLS 1.2 offered (OK) TLS 1.3 offered (OK): final NPN/SPDY h2, http/1.1 (advertised) ALPN/HTTP2 h2, http/1.1 (offered) Testing cipher categories NULL ciphers (no encryption) not offered (OK) Anonymous NULL Ciphers (no authentication) not offered (OK) Export ciphers (w/o ADH+NULL) not offered (OK) LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) not offered (OK) Triple DES Ciphers / IDEA offered Obsoleted CBC ciphers (AES, ARIA etc.) offered Strong encryption (AEAD ciphers) with no FS offered (OK) Forward Secrecy strong encryption (AEAD ciphers) offered (OK) Testing server's cipher preferences Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC) ----------------------------------------------------------------------------------------------------------------------------- SSLv2 - SSLv3 - TLSv1 (server order) xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA x0a DES-CBC3-SHA RSA 3DES 168 TLS_RSA_WITH_3DES_EDE_CBC_SHA TLSv1.1 (server order) xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA TLSv1.2 (server order -- server prioritizes ChaCha ciphers when preferred by clients) xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 xcc13 ECDHE-RSA-CHACHA20-POLY1305-OLD ECDH 253 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 xc013 ECDHE-RSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256 x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 xc014 ECDHE-RSA-AES256-SHA ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384 x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA xc027 ECDHE-RSA-AES128-SHA256 ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 x3c AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256 xc028 ECDHE-RSA-AES256-SHA384 ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLSv1.3 (no server order, thus listed by strength) x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384 x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256 Has server cipher order? yes (OK) -- only for < TLS 1.3 Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4 FS is offered (OK) TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-CHACHA20-POLY1305-OLD ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-CHACHA20-POLY1305 TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA Elliptic curves offered: prime256v1 secp384r1 secp521r1 X25519 TLS 1.2 sig_algs offered: RSA-PSS-RSAE+SHA256 RSA+SHA256 RSA-PSS-RSAE+SHA384 TLS 1.3 sig_algs offered: RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512 Testing server defaults (Server Hello) TLS extensions (standard) "server name/#0" "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35" "status request/#5" "next protocol/#13172" "key share/#51" "supported versions/#43" "extended master secret/#23" "application layer protocol negotiation/#16" "compress_certificate/#27" Session Ticket RFC 5077 hint 64800 seconds, session tickets keys seems to be rotated < daily SSL Session ID support yes Session Resumption Tickets: yes, ID: yes TLS clock skew 0 sec from localtime Certificate Compression 0002/Brotli Client Authentication none Signature Algorithm SHA256 with RSA Server key size RSA 2048 bits (exponent is 65537) Server key usage Digital Signature, Key Encipherment Server extended key usage TLS Web Server Authentication Serial B67108FB323AE7310D57FA995F4D359E (OK: length 16) Fingerprints SHA1 882A6128D0897AB43AC4854F132469383B420DF5 SHA256 5DEA58EFBA3EC0E356EFE46AAE2AB7E7CB164B814747537CA1B5F95BBB1AC2E1 Common Name (CN) ollama.ai (request w/o SNI didn't succeed) subjectAltName (SAN) ollama.ai *.ollama.ai Trust (hostname) Ok via SAN wildcard (SNI mandatory) wildcard certificate could be problematic, see other hosts at https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=5DEA58EFBA3EC0E356EFE46AAE2AB7E7CB164B814747537CA1B5F95BBB1AC2E1 Chain of trust Ok EV cert (experimental) no Certificate Validity (UTC) expires < 60 days (51) (2024-02-18 21:16 --> 2024-05-18 21:16) ETS/"eTLS", visibility info not present Certificate Revocation List http://crls.pki.goog/gts1p5/MQqSks_wLFY.crl OCSP URI http://ocsp.pki.goog/s/gts1p5/mDQpcJcSZzg OCSP stapling offered, not revoked OCSP must staple extension -- DNS CAA RR (experimental) not offered Certificate Transparency yes (certificate extension) Certificates provided 3 Issuer GTS CA 1P5 (Google Trust Services LLC from US) Intermediate cert validity #1: ok > 40 days (2027-09-30 00:00). GTS CA 1P5 <-- GTS Root R1 #2: ok > 40 days (2028-01-28 00:00). GTS Root R1 <-- GlobalSign Root CA Intermediate Bad OCSP (exp.) Ok Testing HTTP header response @ "/v2/library/llama2/manifests/latest" HTTP Status Code 400 Bad Request (Hint: better try another URL) HTTP clock skew 0 sec from localtime Strict Transport Security not offered Public Key Pinning -- Server banner cloudflare Application banner -- Cookie(s) (none issued at "/v2/library/llama2/manifests/latest") -- maybe better try target URL of 30x Security headers X-Content-Type-Options: nosniff Reverse Proxy banner via: 1.1 google Testing vulnerabilities Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension CCS (CVE-2014-0224) not vulnerable (OK) Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK) ROBOT not vulnerable (OK) Secure Renegotiation (RFC 5746) supported (OK) Secure Client-Initiated Renegotiation not vulnerable (OK) CRIME, TLS (CVE-2012-4929) not vulnerable (OK) BREACH (CVE-2013-3587) no gzip/deflate/compress/br HTTP compression (OK) - only supplied "/v2/library/llama2/manifests/latest" tested POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support TLS_FALLBACK_SCSV (RFC 7507) Downgrade attack prevention supported (OK) SWEET32 (CVE-2016-2183, CVE-2016-6329) VULNERABLE, uses 64 bit block ciphers FREAK (CVE-2015-0204) not vulnerable (OK) DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK) make sure you don't use this certificate elsewhere with SSLv2 enabled services, see https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=5DEA58EFBA3EC0E356EFE46AAE2AB7E7CB164B814747537CA1B5F95BBB1AC2E1 LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2 BEAST (CVE-2011-3389) TLS1: ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA AES256-SHA DES-CBC3-SHA VULNERABLE -- but also supports higher protocols TLSv1.1 TLSv1.2 (likely mitigated) LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches Winshock (CVE-2014-6321), experimental not vulnerable (OK) RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK) Running client simulations (HTTP) via sockets Browser Protocol Cipher Suite Name (OpenSSL) Forward Secrecy ------------------------------------------------------------------------------------------------ Android 6.0 TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305-OLD 256 bit ECDH (P-256) Android 7.0 (native) TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 256 bit ECDH (P-256) Android 8.1 (native) TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 253 bit ECDH (X25519) Android 9.0 (native) TLSv1.3 TLS_AES_128_GCM_SHA256 253 bit ECDH (X25519) Android 10.0 (native) TLSv1.3 TLS_AES_128_GCM_SHA256 253 bit ECDH (X25519) Android 11 (native) TLSv1.3 TLS_AES_128_GCM_SHA256 253 bit ECDH (X25519) Android 12 (native) TLSv1.3 TLS_AES_128_GCM_SHA256 253 bit ECDH (X25519) Chrome 79 (Win 10) TLSv1.3 TLS_AES_128_GCM_SHA256 253 bit ECDH (X25519) Chrome 101 (Win 10) TLSv1.3 TLS_AES_128_GCM_SHA256 253 bit ECDH (X25519) Firefox 66 (Win 8.1/10) TLSv1.3 TLS_AES_128_GCM_SHA256 253 bit ECDH (X25519) Firefox 100 (Win 10) TLSv1.3 TLS_AES_128_GCM_SHA256 253 bit ECDH (X25519) IE 6 XP No connection IE 8 Win 7 TLSv1.0 ECDHE-RSA-AES128-SHA 256 bit ECDH (P-256) IE 8 XP No connection IE 11 Win 7 TLSv1.2 ECDHE-RSA-AES128-SHA 256 bit ECDH (P-256) IE 11 Win 8.1 TLSv1.2 ECDHE-RSA-AES128-SHA 256 bit ECDH (P-256) IE 11 Win Phone 8.1 TLSv1.2 ECDHE-RSA-AES128-SHA 256 bit ECDH (P-256) IE 11 Win 10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 256 bit ECDH (P-256) Edge 15 Win 10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 253 bit ECDH (X25519) Edge 101 Win 10 21H2 TLSv1.3 TLS_AES_128_GCM_SHA256 253 bit ECDH (X25519) Safari 12.1 (iOS 12.2) TLSv1.3 TLS_CHACHA20_POLY1305_SHA256 253 bit ECDH (X25519) Safari 13.0 (macOS 10.14.6) TLSv1.3 TLS_CHACHA20_POLY1305_SHA256 253 bit ECDH (X25519) Safari 15.4 (macOS 12.3.1) TLSv1.3 TLS_AES_128_GCM_SHA256 253 bit ECDH (X25519) Java 7u25 TLSv1.0 ECDHE-RSA-AES128-SHA 256 bit ECDH (P-256) Java 8u161 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 256 bit ECDH (P-256) Java 11.0.2 (OpenJDK) TLSv1.3 TLS_AES_128_GCM_SHA256 256 bit ECDH (P-256) Java 17.0.3 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) go 1.17.8 TLSv1.3 TLS_AES_128_GCM_SHA256 253 bit ECDH (X25519) LibreSSL 2.8.3 (Apple) TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305 253 bit ECDH (X25519) OpenSSL 1.0.2e TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 256 bit ECDH (P-256) OpenSSL 1.1.0l (Debian) TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305 253 bit ECDH (X25519) OpenSSL 1.1.1d (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) OpenSSL 3.0.3 (git) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) Apple Mail (16.0) TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 256 bit ECDH (P-256) Thunderbird (91.9) TLSv1.3 TLS_AES_128_GCM_SHA256 253 bit ECDH (X25519) Rating (experimental) Rating specs (not complete) SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30) Specification documentation https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide Protocol Support (weighted) 95 (28) Key Exchange (weighted) 90 (27) Cipher Strength (weighted) 90 (36) Final Score 91 Overall Grade B Grade cap reasons Grade capped to B. TLS 1.1 offered Grade capped to B. TLS 1.0 offered Grade capped to A. HSTS is not offered Done 2024-03-28 05:28:48 [ 158s] -->> 104.21.75.227:443 (registry.ollama.ai) <<-- ---------------------------------------------------------------------------------------- Start 2024-03-28 05:28:48 -->> 172.67.182.229:443 (registry.ollama.ai) <<-- Further IP addresses: 104.21.75.227 2606:4700:3034::ac43:b6e5 2606:4700:3036::6815:4be3 rDNS (172.67.182.229): -- Service detected: HTTP Testing protocols via sockets except NPN+ALPN SSLv2 not offered (OK) SSLv3 not offered (OK) TLS 1 offered (deprecated) TLS 1.1 offered (deprecated) TLS 1.2 offered (OK) TLS 1.3 offered (OK): final NPN/SPDY h2, http/1.1 (advertised) ALPN/HTTP2 h2, http/1.1 (offered) Testing cipher categories NULL ciphers (no encryption) not offered (OK) Anonymous NULL Ciphers (no authentication) not offered (OK) Export ciphers (w/o ADH+NULL) not offered (OK) LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) not offered (OK) Triple DES Ciphers / IDEA offered Obsoleted CBC ciphers (AES, ARIA etc.) offered Strong encryption (AEAD ciphers) with no FS offered (OK) Forward Secrecy strong encryption (AEAD ciphers) offered (OK) Testing server's cipher preferences Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC) ----------------------------------------------------------------------------------------------------------------------------- SSLv2 - SSLv3 - TLSv1 (server order) xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA x0a DES-CBC3-SHA RSA 3DES 168 TLS_RSA_WITH_3DES_EDE_CBC_SHA TLSv1.1 (server order) xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA TLSv1.2 (server order -- server prioritizes ChaCha ciphers when preferred by clients) xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 xcc13 ECDHE-RSA-CHACHA20-POLY1305-OLD ECDH 253 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 xc013 ECDHE-RSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256 x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 xc014 ECDHE-RSA-AES256-SHA ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384 x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA xc027 ECDHE-RSA-AES128-SHA256 ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 x3c AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256 xc028 ECDHE-RSA-AES256-SHA384 ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLSv1.3 (no server order, thus listed by strength) x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384 x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256 Has server cipher order? yes (OK) -- only for < TLS 1.3 Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4 FS is offered (OK) TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-CHACHA20-POLY1305-OLD ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-CHACHA20-POLY1305 TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA Elliptic curves offered: prime256v1 secp384r1 secp521r1 X25519 TLS 1.2 sig_algs offered: RSA-PSS-RSAE+SHA256 RSA+SHA256 RSA-PSS-RSAE+SHA384 TLS 1.3 sig_algs offered: RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512 Testing server defaults (Server Hello) TLS extensions (standard) "server name/#0" "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35" "status request/#5" "next protocol/#13172" "key share/#51" "supported versions/#43" "extended master secret/#23" "application layer protocol negotiation/#16" "compress_certificate/#27" Session Ticket RFC 5077 hint 64800 seconds, session tickets keys seems to be rotated < daily SSL Session ID support yes Session Resumption Tickets: yes, ID: no TLS clock skew 0 sec from localtime Certificate Compression 0002/Brotli Client Authentication none Signature Algorithm SHA256 with RSA Server key size RSA 2048 bits (exponent is 65537) Server key usage Digital Signature, Key Encipherment Server extended key usage TLS Web Server Authentication Serial B67108FB323AE7310D57FA995F4D359E (OK: length 16) Fingerprints SHA1 882A6128D0897AB43AC4854F132469383B420DF5 SHA256 5DEA58EFBA3EC0E356EFE46AAE2AB7E7CB164B814747537CA1B5F95BBB1AC2E1 Common Name (CN) ollama.ai (request w/o SNI didn't succeed) subjectAltName (SAN) ollama.ai *.ollama.ai Trust (hostname) Ok via SAN wildcard (SNI mandatory) wildcard certificate could be problematic, see other hosts at https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=5DEA58EFBA3EC0E356EFE46AAE2AB7E7CB164B814747537CA1B5F95BBB1AC2E1 Chain of trust Ok EV cert (experimental) no Certificate Validity (UTC) expires < 60 days (51) (2024-02-18 21:16 --> 2024-05-18 21:16) ETS/"eTLS", visibility info not present Certificate Revocation List http://crls.pki.goog/gts1p5/MQqSks_wLFY.crl OCSP URI http://ocsp.pki.goog/s/gts1p5/mDQpcJcSZzg OCSP stapling offered, not revoked OCSP must staple extension -- DNS CAA RR (experimental) not offered Certificate Transparency yes (certificate extension) Certificates provided 3 Issuer GTS CA 1P5 (Google Trust Services LLC from US) Intermediate cert validity #1: ok > 40 days (2027-09-30 00:00). GTS CA 1P5 <-- GTS Root R1 #2: ok > 40 days (2028-01-28 00:00). GTS Root R1 <-- GlobalSign Root CA Intermediate Bad OCSP (exp.) Ok Testing HTTP header response @ "/v2/library/llama2/manifests/latest" HTTP Status Code 400 Bad Request (Hint: better try another URL) HTTP clock skew 0 sec from localtime Strict Transport Security not offered Public Key Pinning -- Server banner cloudflare Application banner -- Cookie(s) (none issued at "/v2/library/llama2/manifests/latest") -- maybe better try target URL of 30x Security headers X-Content-Type-Options: nosniff Reverse Proxy banner via: 1.1 google Testing vulnerabilities Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension CCS (CVE-2014-0224) not vulnerable (OK) Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK) ROBOT not vulnerable (OK) Secure Renegotiation (RFC 5746) supported (OK) Secure Client-Initiated Renegotiation not vulnerable (OK) CRIME, TLS (CVE-2012-4929) not vulnerable (OK) BREACH (CVE-2013-3587) no gzip/deflate/compress/br HTTP compression (OK) - only supplied "/v2/library/llama2/manifests/latest" tested POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support TLS_FALLBACK_SCSV (RFC 7507) Downgrade attack prevention supported (OK) SWEET32 (CVE-2016-2183, CVE-2016-6329) VULNERABLE, uses 64 bit block ciphers FREAK (CVE-2015-0204) not vulnerable (OK) DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK) make sure you don't use this certificate elsewhere with SSLv2 enabled services, see https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=5DEA58EFBA3EC0E356EFE46AAE2AB7E7CB164B814747537CA1B5F95BBB1AC2E1 LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2 BEAST (CVE-2011-3389) TLS1: ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA AES256-SHA DES-CBC3-SHA VULNERABLE -- but also supports higher protocols TLSv1.1 TLSv1.2 (likely mitigated) LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches Winshock (CVE-2014-6321), experimental not vulnerable (OK) RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK) Running client simulations (HTTP) via sockets Browser Protocol Cipher Suite Name (OpenSSL) Forward Secrecy ------------------------------------------------------------------------------------------------ Android 6.0 TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305-OLD 256 bit ECDH (P-256) Android 7.0 (native) TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 256 bit ECDH (P-256) Android 8.1 (native) TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 253 bit ECDH (X25519) Android 9.0 (native) TLSv1.3 TLS_AES_128_GCM_SHA256 253 bit ECDH (X25519) Android 10.0 (native) TLSv1.3 TLS_AES_128_GCM_SHA256 253 bit ECDH (X25519) Android 11 (native) TLSv1.3 TLS_AES_128_GCM_SHA256 253 bit ECDH (X25519) Android 12 (native) TLSv1.3 TLS_AES_128_GCM_SHA256 253 bit ECDH (X25519) Chrome 79 (Win 10) TLSv1.3 TLS_AES_128_GCM_SHA256 253 bit ECDH (X25519) Chrome 101 (Win 10) TLSv1.3 TLS_AES_128_GCM_SHA256 253 bit ECDH (X25519) Firefox 66 (Win 8.1/10) TLSv1.3 TLS_AES_128_GCM_SHA256 253 bit ECDH (X25519) Firefox 100 (Win 10) TLSv1.3 TLS_AES_128_GCM_SHA256 253 bit ECDH (X25519) IE 6 XP No connection IE 8 Win 7 TLSv1.0 ECDHE-RSA-AES128-SHA 256 bit ECDH (P-256) IE 8 XP No connection IE 11 Win 7 TLSv1.2 ECDHE-RSA-AES128-SHA 256 bit ECDH (P-256) IE 11 Win 8.1 TLSv1.2 ECDHE-RSA-AES128-SHA 256 bit ECDH (P-256) IE 11 Win Phone 8.1 TLSv1.2 ECDHE-RSA-AES128-SHA 256 bit ECDH (P-256) IE 11 Win 10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 256 bit ECDH (P-256) Edge 15 Win 10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 253 bit ECDH (X25519) Edge 101 Win 10 21H2 TLSv1.3 TLS_AES_128_GCM_SHA256 253 bit ECDH (X25519) Safari 12.1 (iOS 12.2) TLSv1.3 TLS_CHACHA20_POLY1305_SHA256 253 bit ECDH (X25519) Safari 13.0 (macOS 10.14.6) TLSv1.3 TLS_CHACHA20_POLY1305_SHA256 253 bit ECDH (X25519) Safari 15.4 (macOS 12.3.1) TLSv1.3 TLS_AES_128_GCM_SHA256 253 bit ECDH (X25519) Java 7u25 TLSv1.0 ECDHE-RSA-AES128-SHA 256 bit ECDH (P-256) Java 8u161 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 256 bit ECDH (P-256) Java 11.0.2 (OpenJDK) TLSv1.3 TLS_AES_128_GCM_SHA256 256 bit ECDH (P-256) Java 17.0.3 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) go 1.17.8 TLSv1.3 TLS_AES_128_GCM_SHA256 253 bit ECDH (X25519) LibreSSL 2.8.3 (Apple) TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305 253 bit ECDH (X25519) OpenSSL 1.0.2e TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 256 bit ECDH (P-256) OpenSSL 1.1.0l (Debian) TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305 253 bit ECDH (X25519) OpenSSL 1.1.1d (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) OpenSSL 3.0.3 (git) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) Apple Mail (16.0) TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 256 bit ECDH (P-256) Thunderbird (91.9) TLSv1.3 TLS_AES_128_GCM_SHA256 253 bit ECDH (X25519) Rating (experimental) Rating specs (not complete) SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30) Specification documentation https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide Protocol Support (weighted) 95 (28) Key Exchange (weighted) 90 (27) Cipher Strength (weighted) 90 (36) Final Score 91 Overall Grade B Grade cap reasons Grade capped to B. TLS 1.1 offered Grade capped to B. TLS 1.0 offered Grade capped to A. HSTS is not offered Done 2024-03-28 05:31:18 [ 308s] -->> 172.67.182.229:443 (registry.ollama.ai) <<-- ---------------------------------------------------------------------------------------- Done testing now all IP addresses (on port 443): 104.21.75.227 172.67.182.229 ```
GiteaMirror commented 2026-04-22 05:27:55 -05:00
Author
Owner
Copy Link

@BumblingWizard commented on GitHub (Apr 10, 2024):

This is still an issue.

<!-- gh-comment-id:2047596420 --> @BumblingWizard commented on GitHub (Apr 10, 2024): This is still an issue.
GiteaMirror commented 2026-04-22 05:27:56 -05:00
Author
Owner
Copy Link

@gd03champ commented on GitHub (May 25, 2024):

Still in same error!

root@bd6dc4eef5ab:/# ollama pull llama3
pulling manifest 
Error: pull model manifest: Get "https://registry.ollama.ai/v2/library/llama3/manifests/latest": tls: failed to verify certificate: x509: certificate signed by unknown authority

Any progress on this?

<!-- gh-comment-id:2131374275 --> @gd03champ commented on GitHub (May 25, 2024): Still in same error! ``` root@bd6dc4eef5ab:/# ollama pull llama3 pulling manifest Error: pull model manifest: Get "https://registry.ollama.ai/v2/library/llama3/manifests/latest": tls: failed to verify certificate: x509: certificate signed by unknown authority ``` Any progress on this?
GiteaMirror commented 2026-04-22 05:27:57 -05:00
Author
Owner
Copy Link

@rosdi commented on GitHub (Jun 26, 2024):

The same thing is happening to me.

  • I tried in WSL2 Ubuntu Linux on Windows
  • I also tried in Docker on Windows (both giving the same error)

Both giving the same error: Error: pull model manifest: Get "https://registry.ollama.ai/v2/library/llama3/manifests/latest": tls: failed to verify certificate: x509: certificate signed by unknown authority

My company laptop uses zscaler, so it could be relevant. But I have added ZScaler root certificate in my WSL2 Linux cert store. When I tried to curl to the url, it works fine, so the certificate is trusted.

Here is a full command on my laptop if anyone interested to see:

rosdi@H-TQ0nmTkQIbRhN:~$ ollama run llama3
pulling manifest
Error: pull model manifest: Get "https://registry.ollama.ai/v2/library/llama3/manifests/latest": tls: failed to verify certificate: x509: certificate signed by unknown authority

As you can see below, wget works just fine so the certificate is already trusted in my machine

rosdi@H-TQ0nmTkQIbRhN:~$ wget https://registry.ollama.ai/v2/library/llama3/manifests/latest
--2024-06-26 13:39:00--  https://registry.ollama.ai/v2/library/llama3/manifests/latest
Resolving registry.ollama.ai (registry.ollama.ai)... 104.21.75.227, 172.67.182.229, 2606:4700:3034::ac43:b6e5, ...
Connecting to registry.ollama.ai (registry.ollama.ai)|104.21.75.227|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 859 [text/plain]
Saving to: ‘latest’

latest                      100%[================================================>]     859  --.-KB/s    in 0s

2024-06-26 13:39:00 (131 MB/s) - ‘latest’ saved [859/859]

I should add that the docker image runs just fine on my personal PC (without ZScaler), only on my company laptop it is having this error.

We should provide option to let ollama ignore untrusted certificate.

<!-- gh-comment-id:2190764935 --> @rosdi commented on GitHub (Jun 26, 2024): The same thing is happening to me. - I tried in WSL2 Ubuntu Linux on Windows - I also tried in Docker on Windows (both giving the same error) Both giving the same error: `Error: pull model manifest: Get "https://registry.ollama.ai/v2/library/llama3/manifests/latest": tls: failed to verify certificate: x509: certificate signed by unknown authority` My company laptop uses zscaler, so it could be relevant. But I have added ZScaler root certificate in my WSL2 Linux cert store. **When I tried to `curl` to the url, it works fine, so the certificate is trusted**. Here is a full command on my laptop if anyone interested to see: ``` rosdi@H-TQ0nmTkQIbRhN:~$ ollama run llama3 pulling manifest Error: pull model manifest: Get "https://registry.ollama.ai/v2/library/llama3/manifests/latest": tls: failed to verify certificate: x509: certificate signed by unknown authority ``` As you can see below, **wget works just fine so the certificate is already trusted in my machine** ``` rosdi@H-TQ0nmTkQIbRhN:~$ wget https://registry.ollama.ai/v2/library/llama3/manifests/latest --2024-06-26 13:39:00-- https://registry.ollama.ai/v2/library/llama3/manifests/latest Resolving registry.ollama.ai (registry.ollama.ai)... 104.21.75.227, 172.67.182.229, 2606:4700:3034::ac43:b6e5, ... Connecting to registry.ollama.ai (registry.ollama.ai)|104.21.75.227|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 859 [text/plain] Saving to: ‘latest’ latest 100%[================================================>] 859 --.-KB/s in 0s 2024-06-26 13:39:00 (131 MB/s) - ‘latest’ saved [859/859] ``` I should add that the docker image runs just fine on my personal PC (without ZScaler), only on my company laptop it is having this error. We should provide option to let ollama ignore untrusted certificate.
GiteaMirror commented 2026-04-22 05:27:58 -05:00
Author
Owner
Copy Link

@rosdi commented on GitHub (Jul 2, 2024):

Ok I got this resolved by rebuilding the docker image. The issue is docker sees my company's Zscaler ssl certificate, and this is not trusted.

Solution is to add the Zscaler root certificate into the ollama docker image and set it as trusted.

I can push the modified Dockerfile to a repo if anyone interested to see my approach.

<!-- gh-comment-id:2202336348 --> @rosdi commented on GitHub (Jul 2, 2024): Ok I got this resolved by rebuilding the docker image. The issue is docker sees my company's Zscaler ssl certificate, and this is not trusted. Solution is to add the Zscaler root certificate into the ollama docker image and set it as trusted. I can push the modified Dockerfile to a repo if anyone interested to see my approach.
GiteaMirror commented 2026-04-22 05:27:59 -05:00
Author
Owner
Copy Link

@rosdi commented on GitHub (Jul 4, 2024):

Ok I was being silly. You do not need to rebuild the docker image to resolve this issue.

  1. Just pull the docker image from here: https://hub.docker.com/r/ollama/ollama
  2. Run that image, then docker exec -it <image id> bash
  3. Once inside that, paste your company's zscaler certificate and save it in /usr/local/share/ca-certificates/ like so:
$ cd /usr/local/share/ca-certificates/
$ nano your-company-zscaler-cert.crt
<paste the text content of your certificate into nano and save>
  1. Then run update-ca-certificates to reload your list of trusted certificates
$ update-ca-certificates
  1. Once done, try to pull a model, it should no longer complain of certificate issue
$ ollama pull llama3

This is easier than rebuilding the entire docker image. 😅

<!-- gh-comment-id:2208199072 --> @rosdi commented on GitHub (Jul 4, 2024): Ok I was being silly. You do not need to rebuild the docker image to resolve this issue. 1) Just pull the docker image from here: https://hub.docker.com/r/ollama/ollama 2) Run that image, then `docker exec -it <image id> bash` 3) Once inside that, paste your company's zscaler certificate and save it in `/usr/local/share/ca-certificates/` like so: ``` $ cd /usr/local/share/ca-certificates/ $ nano your-company-zscaler-cert.crt <paste the text content of your certificate into nano and save> ``` 4) Then run `update-ca-certificates` to reload your list of trusted certificates ``` $ update-ca-certificates ``` 5) Once done, try to pull a model, it should no longer complain of certificate issue ``` $ ollama pull llama3 ``` This is easier than rebuilding the entire docker image. 😅
GiteaMirror commented 2026-04-22 05:27:59 -05:00
Author
Owner
Copy Link

@bennwei commented on GitHub (Jul 29, 2024):

If you are using a company PC with Zscaler, @rosdi 's above solution did point me to a fix finally, but with an addition of company root certificate to /usr/local/share/ca-certificates/:

For example, if you want to use phi3 model:

  1. visit https://ollama.com/library/phi3:3.8b
  2. Click "Visit site information" on Chrome
  3. Click "Connection is secure"
  4. Click "Certificate is valid"
  5. With the opened "Certificate Viewer:Ollama.com, go to "Details", export the top level company certificate and saved as *.crt file
  6. Within Docker container, Finish the rest of setup based on steps 3
  7. Restart Docker, and it should work!
<!-- gh-comment-id:2257021498 --> @bennwei commented on GitHub (Jul 29, 2024): If you are using a company PC with Zscaler, @rosdi 's above solution did point me to a fix finally, but with an addition of company root certificate to /usr/local/share/ca-certificates/: For example, if you want to use phi3 model: 1. visit https://ollama.com/library/phi3:3.8b 2. Click "Visit site information" on Chrome 3. Click "Connection is secure" 4. Click "Certificate is valid" 5. With the opened "Certificate Viewer:Ollama.com, go to "Details", export the top level company certificate and saved as *.crt file 6. Within Docker container, Finish the rest of setup based on [steps 3](https://github.com/ollama/ollama/issues/3372#issuecomment-2208199072) 7. Restart Docker, and it should work!
GiteaMirror commented 2026-04-22 05:28:00 -05:00
Author
Owner
Copy Link

@DYH-Hong commented on GitHub (Aug 2, 2024):

Related #823

<!-- gh-comment-id:2264676778 --> @DYH-Hong commented on GitHub (Aug 2, 2024): Related #823
GiteaMirror commented 2026-04-22 05:28:01 -05:00
Author
Owner
Copy Link

@mxyng commented on GitHub (Aug 23, 2024):

The original problem was a transient issue caused by our certificate failing to automatically renew. The root cause has been addressed so it shouldn't be a problem anymore.

If anyone is still experiencing issues, it's likely caused by a proxy configuration with missing certificates.

<!-- gh-comment-id:2307800489 --> @mxyng commented on GitHub (Aug 23, 2024): The original problem was a transient issue caused by our certificate failing to automatically renew. The root cause has been addressed so it shouldn't be a problem anymore. If anyone is still experiencing issues, it's likely caused by a proxy configuration with missing certificates.
GiteaMirror commented 2026-04-22 05:28:02 -05:00
Author
Owner
Copy Link

@LiZhYun commented on GitHub (Nov 18, 2024):

Ok I got this resolved by rebuilding the docker image. The issue is docker sees my company's Zscaler ssl certificate, and this is not trusted.

Solution is to add the Zscaler root certificate into the ollama docker image and set it as trusted.

I can push the modified Dockerfile to a repo if anyone interested to see my approach.

Hi, could you push the modified Dockerfile to a repo? I've tried to rebuild the image but failed.

<!-- gh-comment-id:2483537236 --> @LiZhYun commented on GitHub (Nov 18, 2024): > Ok I got this resolved by rebuilding the docker image. The issue is docker sees my company's Zscaler ssl certificate, and this is not trusted. > > Solution is to add the Zscaler root certificate into the ollama docker image and set it as trusted. > > I can push the modified Dockerfile to a repo if anyone interested to see my approach. Hi, could you push the modified Dockerfile to a repo? I've tried to rebuild the image but failed.
GiteaMirror commented 2026-04-22 05:28:04 -05:00
Author
Owner
Copy Link

@HuiMi24 commented on GitHub (Jan 23, 2025):

This works: https://github.com/ollama/ollama/issues/3372#issuecomment-2257021498

<!-- gh-comment-id:2608888420 --> @HuiMi24 commented on GitHub (Jan 23, 2025): This works: https://github.com/ollama/ollama/issues/3372#issuecomment-2257021498
GiteaMirror commented 2026-04-22 05:28:04 -05:00
Author
Owner
Copy Link

@rosdi commented on GitHub (Jan 23, 2025):

@LiZhYun you do not need to rebuild, just follow my latest steps here: https://github.com/ollama/ollama/issues/3372#issuecomment-2208199072

<!-- gh-comment-id:2609300179 --> @rosdi commented on GitHub (Jan 23, 2025): @LiZhYun you do not need to rebuild, just follow my latest steps here: https://github.com/ollama/ollama/issues/3372#issuecomment-2208199072
GiteaMirror commented 2026-04-22 05:28:05 -05:00
Author
Owner
Copy Link

@liuj23CD commented on GitHub (Feb 13, 2025):

If you are using a company PC with Zscaler, @rosdi 's above solution did point me to a fix finally, but with an addition of company root certificate to /usr/local/share/ca-certificates/:

For example, if you want to use phi3 model:

  1. visit https://ollama.com/library/phi3:3.8b
  2. Click "Visit site information" on Chrome
  3. Click "Connection is secure"
  4. Click "Certificate is valid"
  5. With the opened "Certificate Viewer:Ollama.com, go to "Details", export the top level company certificate and saved as *.crt file
  6. Within Docker container, Finish the rest of setup based on steps 3
  7. Restart Docker, and it should work!

greate, solved the issue

<!-- gh-comment-id:2655809392 --> @liuj23CD commented on GitHub (Feb 13, 2025): > If you are using a company PC with Zscaler, [@rosdi](https://github.com/rosdi) 's above solution did point me to a fix finally, but with an addition of company root certificate to /usr/local/share/ca-certificates/: > > For example, if you want to use phi3 model: > > 1. visit https://ollama.com/library/phi3:3.8b > 2. Click "Visit site information" on Chrome > 3. Click "Connection is secure" > 4. Click "Certificate is valid" > 5. With the opened "Certificate Viewer:Ollama.com, go to "Details", export the top level company certificate and saved as *.crt file > 6. Within Docker container, Finish the rest of setup based on [steps 3](https://github.com/ollama/ollama/issues/3372#issuecomment-2208199072) > 7. Restart Docker, and it should work! greate, solved the issue
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
amd
api
app
bug
build
cli
cloud
compatibility
context-length
create
docker
documentation
embeddings
feature request
feedback wanted
good first issue
gpt-oss
gpu
harmony
help wanted
image
install
intel
js
launch
linux
macos
memory
mlx
model
needs more info
networking
nvidia
ollama.com
performance
pull-request
Mirrored from GitHub Pull Request
 python
question
registry
rendering
thinking
tools
top
vulkan
windows
wsl
No Label bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/ollama#27834
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?