sso.cisco.com, [2001:420:1101:4::a]:443

TLS Test Results from June 05 2023 19:53:12 UTC. Scan took 157 seconds.

Summary

Finding	Severity	Result
Secure Renegotiation	CRITICAL	VULNERABLE
OCSP Revoked	WARN
TLS 1.2	OK	offered
TLS 1.3	INFO	not offered + downgraded to weaker protocol
Perfect Forward Secrecy	OK	offered
Common Name (CN)	OK	sso.cisco.com
Subject Alternative Name (SAN)	INFO	sso.cisco.com sso-prod0.cisco.com sso-prod1.cisco.com sso-prod2.cisco.com sso-prod3.cisco.com
CA Issuers	INFO	HydrantID Server CA O1 (IdenTrust from US)
Valid Not After	OK	2023-12-22 07:59

Protocols

Version	Status
SSL v2	not offered
SSL v3	not offered
TLS 1.0	not offered
TLS 1.1	not offered
TLS 1.2	offered
TLS 1.3	not offered + downgraded to weaker protocol
ALPN / HTTP2	http/1.1

How do you like TestTLS?

Seriously? All five?!

I’m flattered, thanks a lot! Your hair looks beautiful!

While we're both riding this wave of joy, would you to give @testtls_com a shoutout on Twitter?

Not too bad, but not perfect.

Thanks a lot, I’m glad that you liked this website!

If you like, follow @testtls_com on Twitter to hear about new features as they are added.

Honest feedback, much appreciated!

So you think that this site could be better, understood.

Would you tell us what’s missing? Reach out either via @testtls_com or e-mail.

Almost 2.5 stars. Oh, boy!

So you think this website is shit, I get it.

Note to self: do not encourage users who rated below 3 stars to comment at @testtls_com.

Ouch, that hurts.

Father? Is that you? What can I do so that you will finally be proud of me?

Let me guess... you would have chosen zero stars if it were available, right? Let it all out via e-mail.

Cipher Categories

Category	Status
NULL ciphers (no encryption)	not offered
Anonymous NULL Ciphers (no authentication)	not offered
Export ciphers (excluding ADH+NULL)	not offered
LOW: 64 Bit + DES, RC[2,4] (excluding export)	not offered
Triple DES Ciphers / IDEA	not offered
Obsolete CBC ciphers (AES, ARIA etc.)	offered
Strong encryption (AEAD ciphers)	offered

Perfect Forward Secrecy

Category	Status
Perfect Forward Secrecy	offered
PFS Ciphers	ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA
PFS ECDHE Curves	secp224r1 prime256v1 secp384r1 secp521r1

Server Preferences

Category	Finding
Cipher Order	server
Protocol Negotiated	Default protocol TLS1.2
Cipher Negotiated	AES128-GCM-SHA256
Cipher Order TLS v1.2	AES128-GCM-SHA256

Server Defaults

Category	Finding
TLS Extensions	EC point formats/#11 application layer protocol negotiation/#16
TLS Session Ticket	no -- no lifetime advertised
SSL Session-ID Support	yes
Session Resumption Ticket	not supported
Session Resumption ID	supported
TLS Timestamp	off by -4 seconds from your localtime
Number of Certificates	1

Certificate

Category	Finding
Signature Algorithm	SHA256 with RSA
Key Size	RSA 2048 bits
Key Usage	Digital Signature Key Encipherment
Extended Key Usage	TLS Web Server Authentication TLS Web Client Authentication
Serial Number	40018538D8D01AE94FE3251ACA5A3566
SHA1 Fingerprint	DE0561B4A055C3C64E2CD3C705A75D015CE4ECCD
SHA256 Fingerprint	9FAFA6A32964CF56F54DA58089D0C2116A8ADD45E51A36C5B6E7C7BDF523FA9B
X.509 Certificate	Download sso.cisco.com_443_DE0561B4.pem
Common Name (CN)	sso.cisco.com
Common Name w/o SNI	sso.cisco.com
Subject Alternative Name (SAN)	sso.cisco.com sso-prod0.cisco.com sso-prod1.cisco.com sso-prod2.cisco.com sso-prod3.cisco.com
CA Issuers	HydrantID Server CA O1 (IdenTrust from US)
Certificate Trust	Ok via SAN (same w/o SNI)
Chain Of Trust	passed.
Extended-Validation Policies	no
ETS (prev. "eTLS")	not present
Expiration Status	199 >= 60 days
Valid Not Before	2022-12-22 08:00
Valid Not After	2023-12-22 07:59
Validity Period	No finding
Certificate Count Server	3
Certs List Ordering Problem	no
Leaked Key (pwnedkeys)	not in database
CRL Revoked	not revoked
CRL Distribution Points	http://validation.identrust.com/crl/hydrantidcao1.crl
OCSP Revoked
OCSP URL	http://commercial.ocsp.identrust.com
OCSP Stapling	not offered
OCSP Must Staple Extension	--
DNS CAA Record	Iodef=mailto:infosec@cisco.com Issuewild=identrust.com Issuewild=quovadisglobal.com issue=amazon.com issue=digicert.com issue=globalsign.com issue=identrust.com issue=pki.goog issue=quovadisglobal.com issue=sectigo.com
Certificate Transparency	yes (certificate extension)

HTTP response

Category	Finding
HTTP Status Code	200 OK ('/')
HTTP Clock Skew	0 seconds from localtime
HSTS	not offered
Server Banner	Apache
Banner Application	No application banner found
Cookie Count	0 at '/'
Security Headers	--
Reverse Proxy Banner	--

Vulnerabilities

Category	Finding
Heartbleed	not vulnerable, no heartbeat extension
CCS	not vulnerable
Ticketbleed	no session ticket extension
ROBOT	not vulnerable
Secure Renegotiation	VULNERABLE
Secure Client Renegotiation	not vulnerable
CRIME TLS	not vulnerable
BREACH	not vulnerable, no HTTP compression - only supplied '/' tested
POODLE SSL	not vulnerable, no SSLv3
Fallback SCSV	no protocol below TLS 1.2 offered
SWEET32	not vulnerable
FREAK	not vulnerable
DROWN	not vulnerable on this host and port
DROWN Hint	Make sure you don't use this certificate elsewhere with SSLv2 enabled services, see censys.io
LOGJAM	not vulnerable, no DH EXPORT ciphers,
LOGJAM Common Primes	no DH key with <= TLS 1.2
BEAST	not vulnerable, no SSL3 or TLS1
LUCKY13	potentially vulnerable, uses TLS CBC ciphers
RC4	not vulnerable

Ciphers

Name	Key Exchange	Encryption	Key Length	IANA ID
ECDHE-RSA-AES256-GCM-SHA384	ECDH 256	AESGCM	256	xc030
ECDHE-RSA-AES256-SHA384	ECDH 256	AES	256	xc028
ECDHE-RSA-AES256-SHA	ECDH 256	AES	256	xc014
AES256-GCM-SHA384	RSA	AESGCM	256	x9d
AES256-SHA256	RSA	AES	256	x3d
AES256-SHA	RSA	AES	256	x35
ECDHE-RSA-AES128-GCM-SHA256	ECDH 256	AESGCM	128	xc02f
ECDHE-RSA-AES128-SHA256	ECDH 256	AES	128	xc027
ECDHE-RSA-AES128-SHA	ECDH 256	AES	128	xc013
AES128-GCM-SHA256	RSA	AESGCM	128	x9c
AES128-SHA256	RSA	AES	128	x3c
AES128-SHA	RSA	AES	128	x2f

Client Simulation

Category	Connection via
Android 4.4.2	TLSv1.2 AES128-GCM-SHA256
Android 5.0	TLSv1.2 AES128-GCM-SHA256
Android 6.0	TLSv1.2 AES128-GCM-SHA256
Android 7.0	TLSv1.2 AES128-GCM-SHA256
Android 8.1	TLSv1.2 AES128-GCM-SHA256
Android 9.0	TLSv1.2 AES128-GCM-SHA256
Android X	TLSv1.2 AES128-GCM-SHA256
Chrome 74 Windows 10	TLSv1.2 AES128-GCM-SHA256
Chrome 79 Windows 10	TLSv1.2 AES128-GCM-SHA256
Firefox 66 Windows 8.1/10	TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
Firefox 71 Windows 10	TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
IE 6 Windows XP	No connection
IE 8 Windows 7	No connection
IE 8 Windows XP	No connection
IE 11 Windows 7	TLSv1.2 AES128-GCM-SHA256
IE 11 Windows 8.1	TLSv1.2 AES128-GCM-SHA256
IE 11 Windows Phone 8.1	TLSv1.2 AES128-SHA256
IE 11 Windows 10	TLSv1.2 AES128-GCM-SHA256
Edge 15 Windows 10	TLSv1.2 AES128-GCM-SHA256
Edge 17 Windows 10	TLSv1.2 AES128-GCM-SHA256
Opera 66 Windows 10	TLSv1.2 AES128-GCM-SHA256
Safari 9 IOS9	TLSv1.2 AES128-GCM-SHA256
Safari 9 OSX 10.11	TLSv1.2 AES128-GCM-SHA256
Safari 10 OSX 10.12	TLSv1.2 AES128-GCM-SHA256
Safari 12.1 iOS 12.2	TLSv1.2 AES128-GCM-SHA256
Safari 13.0 OSX 10.14.6	TLSv1.2 AES128-GCM-SHA256
Apple ATS 9 IOS9	TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
Java 6u45	No connection
Java 7u25	No connection
Java 8u161	TLSv1.2 AES128-GCM-SHA256
Java 11.0.2 (OpenJDK)	TLSv1.2 AES128-GCM-SHA256
Java 12.0.1 (OpenJDK)	TLSv1.2 AES128-GCM-SHA256
OpenSSL 1.02e	TLSv1.2 AES128-GCM-SHA256
OpenSSL 1.10l (Debian)	TLSv1.2 AES128-GCM-SHA256
OpenSSL 1.11d (Debian)	TLSv1.2 AES128-GCM-SHA256
Thunderbird 68.3	TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256

About

Contact