ofxdc.wellsfargo.com, 23.36.162.202:443

TLS Test Results from February 12 2023 21:46:39 UTC. Scan took 63 seconds.

Summary

Finding Severity Result
HTTP Status Code WARN Unexpected 503 Service Unavailable @ '/'
Secure Renegotiation WARN OpenSSL handshake didn't succeed
TLS 1.2 OK offered
TLS 1.3 OK offered with final
Perfect Forward Secrecy OK offered
Common Name (CN) OK ofxdc.wellsfargo.com
Subject Alternative Name (SAN) INFO
  • ofxdc.wellsfargo.com
CA Issuers INFO Wells Fargo Public Trust Certification Authority 01 G2 (Wells Fargo & Company from US)
Valid Not After OK 2023-10-17 23:59

Protocols

Version Status
SSL v2 not offered
SSL v3 not offered
TLS 1.0 not offered
TLS 1.1 not offered
TLS 1.2 offered
TLS 1.3 offered with final
ALPN / HTTP2 http/1.1

Cipher Categories

Category Status
NULL ciphers (no encryption) not offered
Anonymous NULL Ciphers (no authentication) not offered
Export ciphers (excluding ADH+NULL) not offered
LOW: 64 Bit + DES, RC[2,4] (excluding export) not offered
Triple DES Ciphers / IDEA not offered
Obsolete CBC ciphers (AES, ARIA etc.) not offered
Strong encryption (AEAD ciphers) offered

Perfect Forward Secrecy

Category Status
Perfect Forward Secrecy offered
PFS Ciphers
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
PFS ECDHE Curves
  • prime256v1

Server Preferences

Category Finding
Cipher Order server
Protocol Negotiated Default protocol TLS1.3
Cipher Negotiated TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
Cipher Order TLS v1.2 ECDHE-RSA-AES256-GCM-SHA384

Server Defaults

Category Finding
TLS Extensions
  • renegotiation info/#65281
  • server name/#0
  • EC point formats/#11
  • session ticket/#35
  • status request/#5
  • next protocol/#13172
  • supported versions/#43
  • key share/#51
  • max fragment length/#1
  • application layer protocol negotiation/#16
TLS Session Ticket valid for 83100 seconds only (<daily)
SSL Session-ID Support yes
Session Resumption Ticket supported
Session Resumption ID supported
TLS Timestamp random
Number of Certificates 1

Certificate

Category Finding
Signature Algorithm SHA256 with RSA
Key Size RSA 2048 bits
Key Usage
  • Digital Signature
  • Key Encipherment
Extended Key Usage
  • TLS Web Server Authentication
  • TLS Web Client Authentication
Serial Number 0685B97155E16D2FD5B351CF12184F59
SHA1 Fingerprint 52D5C5942FCBEBF763AA8B3648C1F0AF5E3BA1E0
SHA256 Fingerprint 6E4FB892C024BB5EC98717DE7A68316F59C10701FEFE7AAC894E1C5FF1643232
X.509 Certificate Download ofxdc.wellsfargo.com_443_52D5C594.pem
Common Name (CN) ofxdc.wellsfargo.com
Common Name w/o SNI request w/o SNI didn't succeed
Subject Alternative Name (SAN)
  • ofxdc.wellsfargo.com
CA Issuers Wells Fargo Public Trust Certification Authority 01 G2 (Wells Fargo & Company from US)
Certificate Trust Ok via SAN (SNI mandatory)
Chain Of Trust passed.
Extended-Validation Policies no
ETS (prev. "eTLS") not present
Expiration Status 247 >= 60 days
Valid Not Before 2022-10-17 00:00
Valid Not After 2023-10-17 23:59
Validity Period No finding
Certificate Count Server 2
Certs List Ordering Problem no
Leaked Key (pwnedkeys) not in database
CRL Revoked not revoked
CRL Distribution Points
  • http://cdph.digitalcertvalidation.com/WellsFargoPublicTrustCertificationAuthority01G2.crl
OCSP Revoked not revoked
OCSP URL http://statush.digitalcertvalidation.com
OCSP Stapling offered
OCSP Must Staple Extension --
DNS CAA Record
  • --
Certificate Transparency yes (certificate extension)

HTTP response

Category Finding
HTTP Status Code Unexpected 503 Service Unavailable @ '/'
HTTP Clock Skew 0 seconds from localtime
HSTS Expiration Time 365 days (=31536000 seconds) > 15552000 seconds
HSTS Subdomains includes subdomains
HSTS Preload domain is NOT marked for preloading
Server Banner
Banner Application
Cookie Count
Secure Cookie
HTTP-only Cookie
Security Headers --
Reverse Proxy Banner

Vulnerabilities

Category Finding
Heartbleed not vulnerable, no heartbeat extension
CCS not vulnerable
Ticketbleed not vulnerable
ROBOT not vulnerable, no RSA key transport cipher
Secure Renegotiation OpenSSL handshake didn't succeed
Secure Client Renegotiation not vulnerable
CRIME TLS not vulnerable
BREACH not vulnerable, no HTTP compression - only supplied '/' tested
POODLE SSL not vulnerable, no SSLv3
Fallback SCSV no protocol below TLS 1.2 offered
SWEET32 not vulnerable
FREAK not vulnerable
DROWN not vulnerable on this host and port
DROWN Hint Make sure you don't use this certificate elsewhere with SSLv2 enabled services, see censys.io
LOGJAM not vulnerable, no DH EXPORT ciphers,
LOGJAM Common Primes no DH key with <= TLS 1.2
BEAST not vulnerable, no SSL3 or TLS1
LUCKY13 not vulnerable
RC4 not vulnerable

Ciphers

Name Key Exchange Encryption Key Length IANA ID
ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 xc030
ECDHE-RSA-AES128-GCM-SHA256 ECDH 256 AESGCM 128 xc02f

Client Simulation

Category Connection via
Android 4.4.2 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Android 5.0 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
Android 6.0 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
Android 7.0 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Android 8.1 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Android 9.0 TLSv1.3 TLS_AES_256_GCM_SHA384
Android X TLSv1.3 TLS_AES_256_GCM_SHA384
Chrome 74 Windows 10 TLSv1.3 TLS_AES_256_GCM_SHA384
Chrome 79 Windows 10 TLSv1.3 TLS_AES_256_GCM_SHA384
Firefox 66 Windows 8.1/10 TLSv1.3 TLS_AES_256_GCM_SHA384
Firefox 71 Windows 10 TLSv1.3 TLS_AES_256_GCM_SHA384
IE 6 Windows XP No connection
IE 8 Windows 7 No connection
IE 8 Windows XP No connection
IE 11 Windows 7 No connection
IE 11 Windows 8.1 No connection
IE 11 Windows Phone 8.1 No connection
IE 11 Windows 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Edge 15 Windows 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Edge 17 Windows 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Opera 66 Windows 10 TLSv1.3 TLS_AES_256_GCM_SHA384
Safari 9 IOS9 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Safari 9 OSX 10.11 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Safari 10 OSX 10.12 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Safari 12.1 iOS 12.2 TLSv1.3 TLS_CHACHA20_POLY1305_SHA256
Safari 13.0 OSX 10.14.6 TLSv1.3 TLS_CHACHA20_POLY1305_SHA256
Apple ATS 9 IOS9 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Java 6u45 No connection
Java 7u25 No connection
Java 8u161 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Java 11.0.2 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384
Java 12.0.1 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384
OpenSSL 1.02e TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
OpenSSL 1.10l (Debian) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
OpenSSL 1.11d (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384
Thunderbird 68.3 TLSv1.3 TLS_AES_256_GCM_SHA384