
TLS Health Report for huawei.com
Huawei.com has a substantial TLS deployment, with 534 total certificates identified and 271 actively used across 660 hosts and 494 unique IPs. The environment is relatively diverse, showing certificates from multiple Certificate Authorities (CAs), including Actalis S.p.A. (109 certificates), DigiCert, Inc. (87), GlobalSign nv-sa (39), and Let’s Encrypt (12). RSA remains the dominant key type (356 certificates), with only 4 pure ECDSA certificates and 7 that support both RSA and ECDSA.
Certificate Lifecycle & Expiry Status
Huawei is generally keeping up with certificate renewals, but there are 4 expired certificates and 10 set to expire within the next month. Three certificates will expire within 15 days, including high-visibility endpoints like *.mail02.huawei.com (expires 2025-09-22, issued by GlobalSign). Another three are due within 15–30 days, and four within 30–45 days. This indicates a moderate renewal workload but suggests there is some room for proactive rotation to avoid downtime.
TLS Version Deployment
TLS 1.2 and TLS 1.3 dominate the deployment, with 713 hosts supporting TLS 1.2 and 479 supporting TLS 1.3. However, a non-trivial number of endpoints still support deprecated protocols: TLS 1.1 on 132 hosts and TLS 1.0 on 68 hosts. In total, 60 hostnames still negotiate deprecated TLS versions, representing a potential compliance and security risk if not restricted to legacy use cases.
Cipher Suite Strength
The scan detected 43 hostnames offering weak or legacy cipher suites. Some concerning findings include:
- CAMELLIA and ARIA ciphers on 36+ hosts, which are rarely used in modern environments.
- RC4-based ciphers (e.g., TLS_RSA_WITH_RC4_128_SHA) still present on at least 7 hosts, which is strongly discouraged due to cryptographic weaknesses.
- 3DES (TLS_RSA_WITH_3DES_EDE_CBC_SHA) present on 5 hosts, vulnerable to the Sweet32 attack.
- A small number of servers even offer TLS_RSA_WITH_RC4_128_MD5 and TLS_RSA_WITH_IDEA_CBC_SHA, which are considered obsolete.
The presence of these ciphers may indicate outdated servers or load balancers that have not had their cipher lists updated.
Certificate Authority Usage
Huawei’s CA landscape is diverse, with Actalis S.p.A. serving as the top issuer, followed by DigiCert and GlobalSign. Let’s Encrypt certificates are used for a handful of endpoints, likely for development or secondary services (store-support-ru.huawei.com, newslettereu.huawei.com). This CA diversity provides resilience but can complicate auditing and policy enforcement.
Key Observations
- Good Adoption of TLS 1.3: Nearly half of the hosts already support TLS 1.3, aligning with best practices for modern encryption.
- Legacy Cleanup Needed: The use of TLS 1.0/1.1 and weak ciphers like RC4 and 3DES should be systematically phased out.
- Renewal Process Mostly Healthy: Most certificates have more than 45 days of validity remaining, but expired certificates still exist and should be removed or replaced.
- RSA-Dominated Deployment: Very limited use of ECDSA might impact performance on modern clients that benefit from lighter key exchange mechanisms.
Recommendations
- Phase Out Deprecated TLS Versions by disabling TLS 1.0 and 1.1 across all public-facing endpoints.
- Audit Cipher Suites to remove RC4, 3DES, and other obsolete ciphers. Standardize on AES-GCM and ChaCha20-Poly1305 suites.
- Expand ECDSA Usage to improve handshake performance and reduce computational cost.
- Tighten Renewal Monitoring by automatically renewing before 30 days to avoid the appearance of expired certificates in production.
- Review CA Strategy to ensure alignment with internal policy and simplify trust chain management.
This analysis was conducted using SSLBoard’s comprehensive TLS scanning capabilities, which examine certificate transparency logs and perform live TLS protocol testing across your entire domain infrastructure.