########################################################### testssl.sh 3.1dev from https://testssl.sh/dev/  This program is free software. Distribution and modification under GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! Please file bugs @ https://testssl.sh/bugs/  ########################################################### Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers] on f6a661432a56:/home/testssl/bin/openssl.Linux.x86_64 (built: "Jan 18 17:12:17 2019", platform: "linux-x86_64")  Start 2020-05-15 13:54:02 -->> 10.43.138.208:8443 (aai) <<-- A record via: /etc/hosts rDNS (10.43.138.208): ip-10-43-138-208.eu-west-1.compute.internal. Service detected: HTTP  Testing protocols via sockets except NPN+ALPN   SSLv2 not offered (OK)  SSLv3 not offered (OK)  TLS 1 offered (deprecated)  TLS 1.1 offered (deprecated)  TLS 1.2 offered (OK)  TLS 1.3 not offered and downgraded to a weaker protocol  ALPN/HTTP2 not offered  Testing cipher categories   NULL ciphers (no encryption) not offered (OK)  Anonymous NULL Ciphers (no authentication) not offered (OK)  Export ciphers (w/o ADH+NULL) not offered (OK)  LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) not offered (OK)  Triple DES Ciphers / IDEA not offered  Obsoleted CBC ciphers (AES, ARIA etc.) offered  Strong encryption (AEAD ciphers) with no FS offered (OK)  Forward Secrecy strong encryption (AEAD ciphers) offered (OK)  Testing server's cipher preferences   Has server cipher order? yes (OK)  Negotiated protocol TLSv1.2  Negotiated cipher ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)  Cipher per protocol Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC) ----------------------------------------------------------------------------------------------------------------------------- SSLv2 - SSLv3 - TLSv1 (server order) TLSv1.1 (server order) TLSv1.2 (server order) TLSv1.3 -  Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4   FS is offered (OK)  DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA  Elliptic curves offered: prime256v1  Testing server defaults (Server Hello)   TLS extensions (standard) "renegotiation info/#65281" "server name/#0" "EC point formats/#11" "session ticket/#35" "encrypt-then-mac/#22" "extended master secret/#23"  Session Ticket RFC 5077 hint 7200 seconds, session tickets keys seems to be rotated < daily  SSL Session ID support yes  Session Resumption Tickets: yes, ID: yes  TLS clock skew Random values, no fingerprinting possible  Signature Algorithm SHA256 with RSA  Server key size RSA 2048 bits (exponent is 65537)  Server key usage Digital Signature, Non Repudiation, Key Encipherment  Server extended key usage TLS Web Server Authentication, TLS Web Client Authentication  Serial / Fingerprints 26982CFA36BECF06 / SHA1 7652A08EE354893B06DD312C3B5B9A8EB1E534FB SHA256 D2E75ED1380CBE86DFA46C70E005BCE2A151A57507FDBC5C19FC16721D06D4BB  Common Name (CN) aai.onap   subjectAltName (SAN) aai.onap aai-sparky-be.onap aai.api.simpledemo.onap.org aai.elasticsearch.simpledemo.onap.org aai.gremlinserver.simpledemo.onap.org aai.hbase.simpledemo.onap.org aai.searchservice.simpledemo.onap.org aai.simpledemo.onap.org aai.ui.simpledemo.onap.org   Issuer intermediateCA_9 (ONAP from US)  Trust (hostname) certificate does not match supplied URI (same w/o SNI)  Chain of trust NOT ok (chain incomplete)  EV cert (experimental) no  ETS/"eTLS", visibility info not present  Certificate Validity (UTC) 135 >= 60 days (2019-09-27 19:34 --> 2020-09-27 19:34)  # of certificates provided 2  Certificate Revocation List --  OCSP URI -- NOT ok -- neither CRL nor OCSP URI provided  OCSP stapling not offered  OCSP must staple extension --  DNS CAA RR (experimental) not offered  Certificate Transparency --  Testing HTTP header response @ "/"   HTTP Status Code  403 Forbidden  HTTP clock skew 0 sec from localtime  Strict Transport Security 185 days=16000000 s, includeSubDomains, preload  Public Key Pinning --  Server banner (no "Server" line in header, interesting!)  Application banner --  Cookie(s) (none issued at "/") -- maybe better try target URL of 30x  Security headers --  Reverse Proxy banner --  Testing vulnerabilities   Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension  CCS (CVE-2014-0224) not vulnerable (OK)  Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK)  ROBOT not vulnerable (OK)  Secure Renegotiation (RFC 5746) supported (OK)  Secure Client-Initiated Renegotiation not vulnerable (OK)  CRIME, TLS (CVE-2012-4929) not vulnerable (OK)  BREACH (CVE-2013-3587) no gzip/deflate/compress/br HTTP compression (OK)  - only supplied "/" tested  POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support  TLS_FALLBACK_SCSV (RFC 7507) Downgrade attack prevention supported (OK)  SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK)  FREAK (CVE-2015-0204) not vulnerable (OK)  DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK) make sure you don't use this certificate elsewhere with SSLv2 enabled services https://censys.io/ipv4?q=D2E75ED1380CBE86DFA46C70E005BCE2A151A57507FDBC5C19FC16721D06D4BB could help you to find out  LOGJAM (CVE-2015-4000), experimental common prime with 2048 bits detected: HAProxy (2048 bits), but no DH EXPORT ciphers  BEAST (CVE-2011-3389) TLS1: ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA AES256-SHA AES128-SHA  VULNERABLE -- but also supports higher protocols TLSv1.1 TLSv1.2 (likely mitigated)  LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches  RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK)  Running client simulations (HTTP) via sockets  Android 4.4.2 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Android 5.0.0 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256) Android 6.0 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256) Android 7.0 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Android 8.1 (native) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Android 9.0 (native) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Android 10.0 (native) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Chrome 74 (Win 10) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Chrome 79 (Win 10) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Firefox 66 (Win 8.1/10) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Firefox 71 (Win 10) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) IE 6 XP No connection IE 8 Win 7 TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256) IE 8 XP No connection IE 11 Win 7 TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 2048 bit DH  IE 11 Win 8.1 TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 2048 bit DH  IE 11 Win Phone 8.1 TLSv1.2 ECDHE-RSA-AES128-SHA256, 256 bit ECDH (P-256) IE 11 Win 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Edge 15 Win 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Edge 17 (Win 10) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Opera 66 (Win 10) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Safari 9 iOS 9 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Safari 9 OS X 10.11 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Safari 10 OS X 10.12 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Safari 12.1 (iOS 12.2) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Safari 13.0 (macOS 10.14.6) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Apple ATS 9 iOS 9 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Java 6u45 No connection Java 7u25 TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256) Java 8u161 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Java 11.0.2 (OpenJDK) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Java 12.0.1 (OpenJDK) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) OpenSSL 1.0.2e TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) OpenSSL 1.1.0l (Debian) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) OpenSSL 1.1.1d (Debian) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Thunderbird (68.3) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)  Rating (experimental)   Rating specs (not complete) SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)  Specification documentation https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide  Protocol Support (weighted) 0 (0)  Key Exchange (weighted) 0 (0)  Cipher Strength (weighted) 0 (0)  Final Score 0  Overall Grade T  Grade cap reasons Grade capped to T. Issues with certificate (chain incomplete) Grade capped to M. Domain name mismatch Grade capped to B. TLS 1.1 offered Grade capped to B. TLS 1.0 offered Grade capped to A. Uses known DH key exchange parameters  Done 2020-05-15 13:54:58 [ 58s] -->> 10.43.138.208:8443 (aai) <<--  ########################################################### testssl.sh 3.1dev from https://testssl.sh/dev/  This program is free software. Distribution and modification under GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! Please file bugs @ https://testssl.sh/bugs/  ########################################################### Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers] on 3589056328e2:/home/testssl/bin/openssl.Linux.x86_64 (built: "Jan 18 17:12:17 2019", platform: "linux-x86_64")  Start 2020-05-15 13:55:01 -->> 10.43.100.244:9516 (aai) <<-- A record via: /etc/hosts rDNS (10.43.100.244): ip-10-43-100-244.eu-west-1.compute.internal. Service detected: certificate-based authentication => skipping all HTTP checks  Testing protocols via sockets except NPN+ALPN   SSLv2 not offered (OK)  SSLv3 not offered (OK)  TLS 1 not offered  TLS 1.1 not offered  TLS 1.2 offered (OK)  TLS 1.3 not offered and downgraded to a weaker protocol  ALPN/HTTP2 not offered  Testing cipher categories   NULL ciphers (no encryption) not offered (OK)  Anonymous NULL Ciphers (no authentication) not offered (OK)  Export ciphers (w/o ADH+NULL) not offered (OK)  LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) not offered (OK)  Triple DES Ciphers / IDEA not offered  Obsoleted CBC ciphers (AES, ARIA etc.) offered  Strong encryption (AEAD ciphers) with no FS not offered  Forward Secrecy strong encryption (AEAD ciphers) offered (OK)  Testing server's cipher preferences   Has server cipher order? yes (OK)  Negotiated protocol TLSv1.2  Negotiated cipher ECDHE-RSA-AES256-SHA384, 521 bit ECDH (P-521)  Cipher per protocol Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC) ----------------------------------------------------------------------------------------------------------------------------- SSLv2 - SSLv3 - TLSv1 - TLSv1.1 - TLSv1.2 (server order) TLSv1.3 -  Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4   FS is offered (OK)  DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384  Elliptic curves offered: prime256v1 secp384r1 secp521r1  Testing server defaults (Server Hello)   TLS extensions (standard) "renegotiation info/#65281" "server name/#0" "extended master secret/#23"  Session Ticket RFC 5077 hint no -- no lifetime advertised  SSL Session ID support yes  Session Resumption Tickets no, Client Auth: ID resumption test not supported  TLS clock skew -1 sec from localtime  Signature Algorithm SHA256 with RSA  Server key size RSA 2048 bits (exponent is 65537)  Server key usage --  Server extended key usage --  Serial / Fingerprints 5D41BAF2 / SHA1 FD31D772442F2AD241C765AE83C2E2C5EF5B2C42 SHA256 48E4F191D554F88E10201A511CE7E3AEC95F7FBBFB073FD901D706B3BA4F38B2  Common Name (CN) ONAP   subjectAltName (SAN) *.onap aai.api.simpledemo.onap.org aai.elasticsearch.simpledemo.onap.org aai.gremlinserver.simpledemo.onap.org aai.hbase.simpledemo.onap.org aai.searchservice.simpledemo.onap.org aai.simpledemo.onap.org aai.ui.simpledemo.onap.org localhost 127.0.0.1   Issuer ONAP (ONAP from GB)  Trust (hostname) certificate does not match supplied URI (same w/o SNI)  Chain of trust NOT ok (self signed)  EV cert (experimental) no  ETS/"eTLS", visibility info not present  Certificate Validity (UTC) 3364 >= 60 days (2019-07-31 15:59 --> 2029-07-31 15:59) >= 10 years is way too long  # of certificates provided 1  Certificate Revocation List --  OCSP URI -- NOT ok -- neither CRL nor OCSP URI provided  OCSP stapling not offered  OCSP must staple extension --  DNS CAA RR (experimental) not offered  Certificate Transparency --  Testing vulnerabilities   Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension  CCS (CVE-2014-0224) not vulnerable (OK)  Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK), no session ticket extension  ROBOT Server does not support any cipher suites that use RSA key transport  Secure Renegotiation (RFC 5746) supported (OK)  Secure Client-Initiated Renegotiation client x509-based authentication prevents this from being tested  CRIME, TLS (CVE-2012-4929) not vulnerable (OK)  BREACH (CVE-2013-3587) cannot be tested (server side requires x509 authentication) First request failed (HTTP header request stalled and was terminated) POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support  TLS_FALLBACK_SCSV (RFC 7507) No fallback possible (OK), no protocol below TLS 1.2 offered  SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK)  FREAK (CVE-2015-0204) not vulnerable (OK)  DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK) make sure you don't use this certificate elsewhere with SSLv2 enabled services https://censys.io/ipv4?q=48E4F191D554F88E10201A511CE7E3AEC95F7FBBFB073FD901D706B3BA4F38B2 could help you to find out  LOGJAM (CVE-2015-4000), experimental VULNERABLE (NOT ok): common prime: RFC2409/Oakley Group 2 (1024 bits), but no DH EXPORT ciphers  BEAST (CVE-2011-3389) not vulnerable (OK), no SSL3 or TLS1  LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches  RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK) Could not determine the protocol, only simulating generic clients.  Running client simulations via sockets  Android 4.4.2 TLSv1.2 DHE-RSA-AES256-SHA256, 1024 bit DH  Android 5.0.0 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 521 bit ECDH (P-521) Android 6.0 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256) Android 7.0 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Android 8.1 (native) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Android 9.0 (native) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Android 10.0 (native) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Chrome 74 (Win 10) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Chrome 79 (Win 10) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Firefox 66 (Win 8.1/10) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Firefox 71 (Win 10) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) IE 6 XP No connection IE 8 Win 7 No connection IE 8 XP No connection IE 11 Win 7 TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256) IE 11 Win 8.1 TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256) IE 11 Win Phone 8.1 TLSv1.2 ECDHE-RSA-AES128-SHA256, 256 bit ECDH (P-256) IE 11 Win 10 TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256) Edge 15 Win 10 TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256) Edge 17 (Win 10) TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256) Opera 66 (Win 10) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Safari 9 iOS 9 TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256) Safari 9 OS X 10.11 TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256) Safari 10 OS X 10.12 TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256) Safari 12.1 (iOS 12.2) TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256) Safari 13.0 (macOS 10.14.6) TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256) Apple ATS 9 iOS 9 TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256) Java 6u45 No connection Java 7u25 No connection Java 8u161 TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256) Java 11.0.2 (OpenJDK) TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256) Java 12.0.1 (OpenJDK) TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256) OpenSSL 1.0.2e TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256) OpenSSL 1.1.0l (Debian) TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256) OpenSSL 1.1.1d (Debian) TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256) Thunderbird (68.3) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)  Rating (experimental)   Rating specs (not complete) SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)  Specification documentation https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide  Protocol Support (weighted) 0 (0)  Key Exchange (weighted) 0 (0)  Cipher Strength (weighted) 0 (0)  Final Score 0  Overall Grade T  Grade cap reasons Grade capped to T. Issues with certificate (self signed) Grade capped to M. Domain name mismatch Grade capped to A. Uses known DH key exchange parameters  Done 2020-05-15 13:55:31 [ 32s] -->> 10.43.100.244:9516 (aai) <<--  ########################################################### testssl.sh 3.1dev from https://testssl.sh/dev/  This program is free software. Distribution and modification under GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! Please file bugs @ https://testssl.sh/bugs/  ########################################################### Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers] on d172eda1c578:/home/testssl/bin/openssl.Linux.x86_64 (built: "Jan 18 17:12:17 2019", platform: "linux-x86_64")  Start 2020-05-15 13:55:34 -->> 10.43.201.133:8453 (aai) <<-- A record via: /etc/hosts rDNS (10.43.201.133): ip-10-43-201-133.eu-west-1.compute.internal.  10.43.201.133:8453 doesn't seem to be a TLS/SSL enabled server  The results might look ok but they could be nonsense. Really proceed ? ("yes" to continue) -->   ########################################################### testssl.sh 3.1dev from https://testssl.sh/dev/  This program is free software. Distribution and modification under GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! Please file bugs @ https://testssl.sh/bugs/  ########################################################### Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers] on 151bbb514fae:/home/testssl/bin/openssl.Linux.x86_64 (built: "Jan 18 17:12:17 2019", platform: "linux-x86_64")  Start 2020-05-15 13:55:39 -->> 10.43.176.243:8443 (aai) <<-- A record via: /etc/hosts rDNS (10.43.176.243): ip-10-43-176-243.eu-west-1.compute.internal. Oops: TCP connect problem Unable to open a socket to 10.43.176.243:8443.   ########################################################### testssl.sh 3.1dev from https://testssl.sh/dev/  This program is free software. Distribution and modification under GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! Please file bugs @ https://testssl.sh/bugs/  ########################################################### Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers] on 6e1f49c0591b:/home/testssl/bin/openssl.Linux.x86_64 (built: "Jan 18 17:12:17 2019", platform: "linux-x86_64")  Start 2020-05-15 13:55:41 -->> 10.43.21.73:8000 (aai) <<-- A record via: /etc/hosts rDNS (10.43.21.73): ip-10-43-21-73.eu-west-1.compute.internal. Service detected: HTTP  Testing protocols via sockets except NPN+ALPN   SSLv2 not offered (OK)  SSLv3 not offered (OK)  TLS 1 not offered  TLS 1.1 not offered  TLS 1.2 offered (OK)  TLS 1.3 not offered and downgraded to a weaker protocol  ALPN/HTTP2 not offered  Testing cipher categories   NULL ciphers (no encryption) not offered (OK)  Anonymous NULL Ciphers (no authentication) not offered (OK)  Export ciphers (w/o ADH+NULL) not offered (OK)  LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) not offered (OK)  Triple DES Ciphers / IDEA not offered  Obsoleted CBC ciphers (AES, ARIA etc.) offered  Strong encryption (AEAD ciphers) with no FS not offered  Forward Secrecy strong encryption (AEAD ciphers) offered (OK)  Testing server's cipher preferences   Has server cipher order? yes (OK)  Negotiated protocol TLSv1.2  Negotiated cipher ECDHE-RSA-AES256-SHA384, 521 bit ECDH (P-521)  Cipher per protocol Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC) ----------------------------------------------------------------------------------------------------------------------------- SSLv2 - SSLv3 - TLSv1 - TLSv1.1 - TLSv1.2 (server order) TLSv1.3 -  Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4   FS is offered (OK)  DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384  Elliptic curves offered: prime256v1 secp384r1 secp521r1  Testing server defaults (Server Hello)   TLS extensions (standard) "renegotiation info/#65281" "server name/#0" "extended master secret/#23"  Session Ticket RFC 5077 hint no -- no lifetime advertised  SSL Session ID support yes  Session Resumption Tickets no, ID: no  TLS clock skew -1 sec from localtime  Signature Algorithm SHA256 with RSA  Server key size RSA 2048 bits (exponent is 65537)  Server key usage Digital Signature, Non Repudiation, Key Encipherment  Server extended key usage TLS Web Server Authentication, TLS Web Client Authentication  Serial / Fingerprints 598FB99207FF507F / SHA1 375F2415CEA81838AF35E5082253AFA783627962 SHA256 9C915B016E93769DE1CBDA25E98949D35F2EA4EA18678CD0E179745AE90AF6AF  Common Name (CN) aai.onap   subjectAltName (SAN) aai.onap aai-sparky-be.onap aai.api.simpledemo.onap.org aai.elasticsearch.simpledemo.onap.org aai.gremlinserver.simpledemo.onap.org aai.hbase.simpledemo.onap.org aai.searchservice.simpledemo.onap.org aai.simpledemo.onap.org aai.ui.simpledemo.onap.org   Issuer intermediateCA_9 (ONAP from US)  Trust (hostname) certificate does not match supplied URI (same w/o SNI)  Chain of trust NOT ok (chain incomplete)  EV cert (experimental) no  ETS/"eTLS", visibility info not present  Certificate Validity (UTC) expired (2019-03-26 03:27 --> 2020-03-26 03:27)  # of certificates provided 2  Certificate Revocation List --  OCSP URI -- NOT ok -- neither CRL nor OCSP URI provided  OCSP stapling not offered  OCSP must staple extension --  DNS CAA RR (experimental) not offered  Certificate Transparency --  Testing HTTP header response @ "/"   HTTP Status Code  302 Found, redirecting to "https://portal.api.simpledemo.onap.org:30225/ONAPPORTAL/login.htm"  HTTP clock skew 0 sec from localtime  Strict Transport Security not offered  Public Key Pinning --  Server banner (no "Server" line in header, interesting!)  Application banner --  Cookie(s) (none issued at "/") -- maybe better try target URL of 30x  Security headers --  Reverse Proxy banner --  Testing vulnerabilities   Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension  CCS (CVE-2014-0224) not vulnerable (OK)  Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK), no session ticket extension  ROBOT Server does not support any cipher suites that use RSA key transport  Secure Renegotiation (RFC 5746) supported (OK)  Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat  CRIME, TLS (CVE-2012-4929) not vulnerable (OK)  BREACH (CVE-2013-3587) no gzip/deflate/compress/br HTTP compression (OK)  - only supplied "/" tested  POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support  TLS_FALLBACK_SCSV (RFC 7507) No fallback possible (OK), no protocol below TLS 1.2 offered  SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK)  FREAK (CVE-2015-0204) not vulnerable (OK)  DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK) make sure you don't use this certificate elsewhere with SSLv2 enabled services https://censys.io/ipv4?q=9C915B016E93769DE1CBDA25E98949D35F2EA4EA18678CD0E179745AE90AF6AF could help you to find out  LOGJAM (CVE-2015-4000), experimental VULNERABLE (NOT ok): common prime: RFC2409/Oakley Group 2 (1024 bits), but no DH EXPORT ciphers  BEAST (CVE-2011-3389) not vulnerable (OK), no SSL3 or TLS1  LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches  RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK)  Running client simulations (HTTP) via sockets  Android 4.4.2 TLSv1.2 DHE-RSA-AES256-SHA256, 1024 bit DH  Android 5.0.0 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 521 bit ECDH (P-521) Android 6.0 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256) Android 7.0 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Android 8.1 (native) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Android 9.0 (native) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Android 10.0 (native) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Chrome 74 (Win 10) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Chrome 79 (Win 10) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Firefox 66 (Win 8.1/10) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Firefox 71 (Win 10) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) IE 6 XP No connection IE 8 Win 7 No connection IE 8 XP No connection IE 11 Win 7 TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256) IE 11 Win 8.1 TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256) IE 11 Win Phone 8.1 TLSv1.2 ECDHE-RSA-AES128-SHA256, 256 bit ECDH (P-256) IE 11 Win 10 TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256) Edge 15 Win 10 TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256) Edge 17 (Win 10) TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256) Opera 66 (Win 10) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Safari 9 iOS 9 TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256) Safari 9 OS X 10.11 TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256) Safari 10 OS X 10.12 TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256) Safari 12.1 (iOS 12.2) TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256) Safari 13.0 (macOS 10.14.6) TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256) Apple ATS 9 iOS 9 TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256) Java 6u45 No connection Java 7u25 No connection Java 8u161 TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256) Java 11.0.2 (OpenJDK) TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256) Java 12.0.1 (OpenJDK) TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256) OpenSSL 1.0.2e TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256) OpenSSL 1.1.0l (Debian) TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256) OpenSSL 1.1.1d (Debian) TLSv1.2 ECDHE-RSA-AES256-SHA384, 256 bit ECDH (P-256) Thunderbird (68.3) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)  Rating (experimental)   Rating specs (not complete) SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)  Specification documentation https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide  Protocol Support (weighted) 0 (0)  Key Exchange (weighted) 0 (0)  Cipher Strength (weighted) 0 (0)  Final Score 0  Overall Grade T  Grade cap reasons Grade capped to T. Issues with certificate (chain incomplete) Grade capped to T. Certificate expired Grade capped to M. Domain name mismatch Grade capped to A. Uses known DH key exchange parameters Grade capped to A. HSTS is not offered  Done 2020-05-15 13:56:22 [ 42s] -->> 10.43.21.73:8000 (aai) <<--