Deep SSL/TLS Vulnerability Test
This report provides a deep analysis of the SSL/TLS configuration of uat1.novartis.com. It checks for protocol support, cipher strength, and known vulnerabilities. The hostname resolves to two Cloudflare edge addresses (172.64.154.11 and 104.18.33.245) and both return the same result: nothing below TLS 1.2 is offered, no RC4, 64-bit-block or export ciphers are present, and every tested vulnerability is negative except BREACH, which is flagged only because the response for "/" is served with br/gzip HTTP compression. Two header observations are worth noting: the Content-Security-Policy is delivered as Report-Only and permits 'unsafe-inline' and 'unsafe-eval' (plus one plaintext http:// source), so it blocks nothing; and the reported clock skew (+1721104 s) equals the HTTP Age value, i.e. the Date header came from the Varnish-cached copy and does not indicate a clock problem on the server.
Scan Results
Testing all IP addresses (port 443): 172.64.154.11 104.18.33.245
-----------------------------------------------------
Start 2026-05-25 06:41:25  -->> 172.64.154.11:443 (uat1.novartis.com) <<--

Further IP addresses:   104.18.33.245
rDNS (172.64.154.11):   --
Service detected:       HTTP

Testing for server implementation bugs
  No bugs found.

Testing HTTP header response @ "/"
  HTTP Status Code            200 OK
  HTTP clock skew             +1721104 sec from localtime
  HTTP Age (RFC 7234)         1721104
  IPv4 address in header      set-cookie: __cf_bm=uom8sMkYh5iFQ6gS1fqlAOJcKU.v9d1dHchHyLTWqHM-1779691311.8654144-1.0.1.1-5k82MkZTYYH9qEIlWymuJGmd7fuluawWSAcpcWaf2Q1uJPvuGD7hZVAY9nIUoeU24VyLoEg_rb1.RpNbsSbLe4GR_PJu0iUoADzzmDSi.kriBS.YBFQMb6NxKixyDXaY; HttpOnly; SameSite=None; Secure; Path=/; Domain=novartis.com; Expires=Mon, 25 May 2026 07:11:52 GMT (check if it's your IP address or e.g. a cluster IP)
  Strict Transport Security   365 days=31536000 s, includeSubDomains
  Public Key Pinning          --
  Server banner               cloudflare
  Application banner          --
  Cookie(s)                   1 issued: 1/1 secure, 1/1 HttpOnly
  Security headers            X-Frame-Options: SAMEORIGIN
                              X-Content-Type-Options: nosniff
                              Content-Security-Policy-Report-Only: script-src 'self' 'unsafe-inline' 'unsafe-eval' https://unpkg.com https://acsbapp.com https://snap.licdn.com https://sc-static.net https://tr.snapchat.com https://maps.googleapis.com https://static.ads-twitter.com https://analytics.twitter.com https://connect.facebook.net https://cdn.cookielaw.org https://www.youtube.com https://static.addtoany.com https://cdnjs.cloudflare.com https://www.googletagmanager.com https://js-agent.newrelic.com https://geolocation.onetrust.com https://bam-cell.nr-data.net https://cdnsecakmi.kaltura.com https://cdnapisec.kaltura.com http://cdnapi.kaltura.com https://cfvod.kaltura.com https://www.google-analytics.com https://cdn.jsdelivr.net https://script.crazyegg.com https://static.cloudflareinsights.com https://www.google.com https://www.gstatic.com https://bam.nr-data.net https://hm.baidu.com/hm.js https://www.clarity.ms https://www.googleadservices.com blob: https://vjs.zencdn.net/5.0/video.min.js https://analytics.tiktok.com; object-src 'self' 'unsafe-inline' 'unsafe-eval' https: data; style-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.cookielaw.org https://acsbapp.com https://sc-static.net https://tr.snapchat.com https://maps.googleapis.com https://fonts.googleapis.com https://www.youtube.com https://static.addtoany.com https://cdnjs.cloudflare.com https://www.googletagmanager.com https://js-agent.newrelic.com https://geolocation.onetrust.com https://bam-cell.nr-data.net https://script.crazyegg.com https://static.cloudflareinsights.com https://cdnapisec.kaltura.com https://cfvod.kaltura.com https://vjs.zencdn.net/5.0/video-js.min.css https://analytics.tiktok.com; frame-ancestors 'self'
                              X-XSS-Protection: 1; mode=block
                              Cache-Control: max-age=60, public, s-maxage=2628000, stale-if-error=180, stale-while-revalidate=180
  Reverse Proxy banner        Via: varnish
                              x-cache: HIT
                              x-cache-hits: 5945

Testing vulnerabilities
  Secure Renegotiation (RFC 5746)           supported (OK)
  Secure Client-Initiated Renegotiation     not vulnerable (OK)
  CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
  BREACH (CVE-2013-3587)                    potentially NOT ok, "br gzip" HTTP compression detected.
                                            - only supplied "/" tested
                                            Can be ignored for static pages or if no secrets in the page
  POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
  TLS_FALLBACK_SCSV (RFC 7507)              No fallback possible (OK), no protocol below TLS 1.2 offered
  SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
  FREAK (CVE-2015-0204)                     not vulnerable (OK)
  DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                            make sure you don't use this certificate elsewhere with SSLv2 enabled services, see https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=B02080A63C8299A50C8F5989F974E6F45F92B4B9979A8FAEC225AEB6E950C863
  LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
  BEAST (CVE-2011-3389)                     not vulnerable (OK), no SSL3 or TLS1
  LUCKY13 (CVE-2013-0169), experimental     not vulnerable (OK)
  Winshock (CVE-2014-6321), experimental    not vulnerable (OK)
  RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)

Done 2026-05-25 06:42:10 [ 53s]  -->> 172.64.154.11:443 (uat1.novartis.com) <<--
-----------------------------------------------------
Start 2026-05-25 06:42:10  -->> 104.18.33.245:443 (uat1.novartis.com) <<--

Further IP addresses:   172.64.154.11
rDNS (104.18.33.245):   --
Service detected:       HTTP

Testing for server implementation bugs
  No bugs found.

Testing HTTP header response @ "/"
  HTTP Status Code            200 OK
  HTTP clock skew             +1721153 sec from localtime
  HTTP Age (RFC 7234)         1721153
  IPv4 address in header      set-cookie: __cf_bm=AbWart_IvaGvNfG489ltJiPTURcWhp1r.vdHgnQy.fk-1779691360.8683388-1.0.1.1-YR0ATQjH2qTdp3GHNlyV8gokjxR.p1JfqhDNjDmjcvq0KoqhUlbEOsVexTDDnb3E2Ulcbq9.VpgNJAEw.deY3Xvo93wMYqpM1cgp0K18I0DwlXdLWhf.pIweKM_D7nIe; HttpOnly; SameSite=None; Secure; Path=/; Domain=novartis.com; Expires=Mon, 25 May 2026 07:12:41 GMT (check if it's your IP address or e.g. a cluster IP)
  Strict Transport Security   365 days=31536000 s, includeSubDomains
  Public Key Pinning          --
  Server banner               cloudflare
  Application banner          --
  Cookie(s)                   1 issued: 1/1 secure, 1/1 HttpOnly
  Security headers            X-Frame-Options: SAMEORIGIN
                              X-Content-Type-Options: nosniff
                              Content-Security-Policy-Report-Only: script-src 'self' 'unsafe-inline' 'unsafe-eval' https://unpkg.com https://acsbapp.com https://snap.licdn.com https://sc-static.net https://tr.snapchat.com https://maps.googleapis.com https://static.ads-twitter.com https://analytics.twitter.com https://connect.facebook.net https://cdn.cookielaw.org https://www.youtube.com https://static.addtoany.com https://cdnjs.cloudflare.com https://www.googletagmanager.com https://js-agent.newrelic.com https://geolocation.onetrust.com https://bam-cell.nr-data.net https://cdnsecakmi.kaltura.com https://cdnapisec.kaltura.com http://cdnapi.kaltura.com https://cfvod.kaltura.com https://www.google-analytics.com https://cdn.jsdelivr.net https://script.crazyegg.com https://static.cloudflareinsights.com https://www.google.com https://www.gstatic.com https://bam.nr-data.net https://hm.baidu.com/hm.js https://www.clarity.ms https://www.googleadservices.com blob: https://vjs.zencdn.net/5.0/video.min.js https://analytics.tiktok.com; object-src 'self' 'unsafe-inline' 'unsafe-eval' https: data; style-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.cookielaw.org https://acsbapp.com https://sc-static.net https://tr.snapchat.com https://maps.googleapis.com https://fonts.googleapis.com https://www.youtube.com https://static.addtoany.com https://cdnjs.cloudflare.com https://www.googletagmanager.com https://js-agent.newrelic.com https://geolocation.onetrust.com https://bam-cell.nr-data.net https://script.crazyegg.com https://static.cloudflareinsights.com https://cdnapisec.kaltura.com https://cfvod.kaltura.com https://vjs.zencdn.net/5.0/video-js.min.css https://analytics.tiktok.com; frame-ancestors 'self'
                              X-XSS-Protection: 1; mode=block
                              Cache-Control: max-age=60, public, s-maxage=2628000, stale-if-error=180, stale-while-revalidate=180
  Reverse Proxy banner        Via: varnish
                              x-cache: HIT
                              x-cache-hits: 5975

Testing vulnerabilities
  Secure Renegotiation (RFC 5746)           supported (OK)
  Secure Client-Initiated Renegotiation     not vulnerable (OK)
  CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
  BREACH (CVE-2013-3587)                    potentially NOT ok, "br gzip" HTTP compression detected.
                                            - only supplied "/" tested
                                            Can be ignored for static pages or if no secrets in the page
  POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
  TLS_FALLBACK_SCSV (RFC 7507)              No fallback possible (OK), no protocol below TLS 1.2 offered
  SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
  FREAK (CVE-2015-0204)                     not vulnerable (OK)
  DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                            make sure you don't use this certificate elsewhere with SSLv2 enabled services, see https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=B02080A63C8299A50C8F5989F974E6F45F92B4B9979A8FAEC225AEB6E950C863
  LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
  BEAST (CVE-2011-3389)                     not vulnerable (OK), no SSL3 or TLS1
  LUCKY13 (CVE-2013-0169), experimental     not vulnerable (OK)
  Winshock (CVE-2014-6321), experimental    not vulnerable (OK)
  RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)

Done 2026-05-25 06:43:02 [ 105s]  -->> 104.18.33.245:443 (uat1.novartis.com) <<--
-----------------------------------------------------
Done testing now all IP addresses (on port 443): 172.64.154.11 104.18.33.245
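The scan output above is the two-column "check  verdict" text that testssl.sh prints. The Python script below is an added example, not part of testssl.sh or of the tooling behind this report: it parses a constructed excerpt of those lines (copied from the 172.64.154.11 run, with the CSP value shortened) into structured findings, classifies each verdict the way a reviewer reads them (OK / potentially NOT ok / NOT ok), and audits the HSTS and CSP values for the points noted above: report-only mode, 'unsafe-inline' and 'unsafe-eval', a plaintext http:// source, scheme-wide sources, and the bare "data" token in object-src, which browsers treat as a host name rather than the data: scheme. The names Finding, classify, parse_vuln_line, audit_hsts, audit_csp, analyse and worst_status are this example's own.

```python
"""Structured findings from testssl.sh text output.
Added example for this page, not part of testssl.sh: it parses the two-column
"check  verdict" lines of the 'Testing vulnerabilities' section plus the HSTS
and CSP header lines, and audits the header values."""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the 172.64.154.11 run above, with the
# CSP value cut down to a few representative source expressions.
SAMPLE_REPORT = """\
Strict Transport Security              365 days=31536000 s, includeSubDomains
Content-Security-Policy-Report-Only: script-src 'self' 'unsafe-inline' 'unsafe-eval' https://unpkg.com http://cdnapi.kaltura.com blob:; object-src 'self' 'unsafe-inline' 'unsafe-eval' https: data; frame-ancestors 'self'
Secure Renegotiation (RFC 5746)        supported (OK)
Secure Client-Initiated Renegotiation  not vulnerable (OK)
BREACH (CVE-2013-3587)                 potentially NOT ok, "br gzip" HTTP compression detected.
TLS_FALLBACK_SCSV (RFC 7507)           No fallback possible (OK), no protocol below TLS 1.2 offered
SWEET32 (CVE-2016-2183, CVE-2016-6329)  not vulnerable (OK)
DROWN (CVE-2016-0800, CVE-2016-0703)   not vulnerable on this host and port (OK)
LOGJAM (CVE-2015-4000), experimental   not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
RC4 (CVE-2013-2566, CVE-2015-2808)     no RC4 ciphers detected (OK)
"""


@dataclass
class Finding:
    check: str
    status: str  # "ok", "warn", "fail" or "info"
    detail: str
    refs: list = field(default_factory=list)


def classify(verdict: str) -> str:
    """Map testssl.sh's verdict wording to a status; most specific phrase first."""
    v = verdict.lower()
    if "potentially not ok" in v or "potentially vulnerable" in v:
        return "warn"
    if "(not ok)" in v:
        return "fail"
    if "(ok)" in v:
        return "ok"
    return "info"


def parse_vuln_line(line: str):
    """Split 'Name (refs)   verdict' on the column gap (2+ spaces); None if no gap."""
    cols = re.split(r"\s{2,}", line.strip(), maxsplit=1)
    if len(cols) != 2:
        return None
    name, verdict = cols
    refs = re.findall(r"CVE-\d{4}-\d+|RFC \d+", name)
    check = re.sub(r"\s*\([^)]*\)|,\s*experimental", "", name).strip()
    return Finding(check, classify(verdict), verdict, refs)


def audit_hsts(value: str) -> Finding:
    # testssl.sh prints e.g. "365 days=31536000 s, includeSubDomains"
    m = re.search(r"=(\d+) s", value)
    max_age = int(m.group(1)) if m else 0
    ok = max_age >= 31536000 and "includeSubDomains" in value
    return Finding("HSTS", "ok" if ok else "warn", value)


def audit_csp(header: str, value: str) -> list:
    out = []
    if header.lower().endswith("-report-only"):
        out.append(Finding("CSP", "warn", "report-only: violations are reported, not blocked"))
    for directive in value.split(";"):
        parts = directive.split()
        if not parts:
            continue
        name, sources = parts[0], parts[1:]
        for src in sources:
            if src in ("'unsafe-inline'", "'unsafe-eval'"):
                out.append(Finding("CSP", "warn", f"{name} allows {src}"))
            elif src.startswith("http://"):
                out.append(Finding("CSP", "warn", f"{name} allows plaintext source {src}"))
            elif src in ("https:", "*"):
                out.append(Finding("CSP", "warn", f"{name} allows every {src} origin"))
            elif re.fullmatch(r"[a-z]+", src):  # no quotes, no colon, no dot: a bare host
                out.append(Finding("CSP", "warn", f"{name}: bare host '{src}' (a scheme source needs a colon: {src}:)"))
    return out


def analyse(report: str) -> list:
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("Strict Transport Security"):
            findings.append(audit_hsts(line[len("Strict Transport Security"):].strip()))
        elif line.lower().startswith("content-security-policy"):
            header, _, value = line.partition(":")
            findings.extend(audit_csp(header.strip(), value.strip()))
        elif (f := parse_vuln_line(line)):
            findings.append(f)
    return findings


def worst_status(findings) -> str:
    rank = {"ok": 0, "info": 0, "warn": 1, "fail": 2}
    return max((f.status for f in findings), key=rank.__getitem__, default="ok")


if __name__ == "__main__":
    fs = analyse(SAMPLE_REPORT)
    for f in fs:
        print(f"{f.status:<5} {f.check:<38} {f.detail}")
    print("overall:", worst_status(fs))
```

Run it with python3 to print one line per finding and an overall verdict (warn for this sample, driven by BREACH and the CSP). For a real pipeline, testssl.sh's own --jsonfile option gives the same checks as structured JSON and is preferable to scraping the text layout, which this parser relies on.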
About this Scan
This scan uses testssl.sh; the excerpt above shows the server-bug, HTTP header and vulnerability sections for each of the two IP addresses. The full run checks for:
- Protocols: SSLv2, SSLv3, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3
- Vulnerabilities: Heartbleed, POODLE, FREAK, Logjam, DROWN, etc.
- Cipher Suites: Weak ciphers, perfect forward secrecy (PFS) support.