|
2024-06-28
| ||
| 22:27 | • Closed ticket [9773973cfc]: Library fails most tests from badssl.com plus 5 other changes artifact: 8cb8ab1889 user: bohagan | |
|
2018-09-22
| ||
| 09:29 | • New ticket [9773973cfc]. artifact: aad93e274f user: anonymous | |
| Ticket Hash: | 9773973cfc90212087f851de2c94014ef72339d1 | |||
| Title: | Library fails most tests from badssl.com | |||
| Status: | Closed | Type: | Code Defect | |
| Severity: | Severe | Priority: | Immediate | |
| Subsystem: | Resolution: | Fixed | ||
| Last Modified: | 2024-06-28 22:27:24 | |||
| Version Found In: | 1.7.16 | |||
| User Comments: | ||||
|
anonymous added on 2018-09-22 09:29:33:
The website https://badssl.com/ collects various test cases for insecure TLS connections, such as expired or incorrect hostnames in certificates. I can get many of them to pass by using explicit settings: -tls1 0 -tls1.1 0 -tls1.2 1 -require 1 -cafile /etc/ssl/cert.pem -cipher {ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256} -autoservername 1 But others seem to be impossible to pass the tests with the current library. I can manually fix the hostname/wildcard matching by using a -command callback (there is another bug covering this), but I cannot either get it to reject a revoked certificate or a SHA-1 intermediate cert. These could be done via the -command callback, but unfortunately the raw certificate field passed to this callback is truncated so cannot be parsed. bohagan added on 2024-06-28 22:27:24: A test suite was added to check the certificates at badssl.com. See commit [6729942f381c0f1a]. Since some of these certificates have expired, the test suite checks for the actual response rather than the planned one. | ||||