tls-o-matic's People

Contributors

oej, tsahara

tls-o-matic's Issues

Usage of reserved ports

Sindarina on twitter: "Still on reserved ports? Bad form, that. I could understand needing to support older tests, but publishing new ones with them?!"

Test 8 Cert & Private Key Don't Match

Hi there,

I was trying to issue a client certificate to test a positive result for "Test 8 :: Client Certificate required" and happened to notice that the test8 certificate and the test8 private key checked into the repo don't match!

The public key of the certificate specifies an RSA public key with one modulus (dumped with openssl x509 -in test8.tls-o-matic.com.cert -noout -text):

            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:c7:5b:3a:8b:e9:9b:c5:7b:72:f6:68:4a:d2:5c:
                    53:43:e6:fa:d0:8d:d4:4d:5e:c4:38:43:55:0d:8d:
                    49:8c:54:98:04:ab:66:04:ce:ce:01:71:18:ef:08:
                    ed:dc:cf:63:4a:18:13:83:85:82:fa:2b:c1:3d:71:
                    ab:ec:aa:58:69:20:e9:78:79:8c:5f:64:90:df:88:
                    47:fc:a9:0b:53:8b:9d:90:c3:37:64:1c:8c:dd:7e:
                    24:7a:af:6a:00:03:4b:01:a8:2d:e2:17:e7:71:75:
                    fc:60:b3:90:20:01:7c:75:50:09:9c:02:43:91:20:
                    8c:d8:37:00:06:a8:ad:9d:a0:4c:33:ff:6a:16:03:
                    33:d5:98:e6:d4:8c:8e:9b:02:e0:29:0e:d3:b8:e2:
                    90:33:81:12:22:4d:5a:ac:4f:bf:e5:49:a3:3f:29:
                    c4:64:db:b9:09:a8:bb:b5:2c:e9:c2:8a:28:21:ac:
                    ae:06:4a:84:62:a5:93:b9:48:45:3b:91:76:33:46:
                    22:50:0f:e4:e6:c3:0d:df:ba:6f:22:b6:da:d3:ba:
                    32:db:bd:1b:00:b1:0d:85:8d:71:34:ae:04:49:61:
                    11:fa:97:74:0f:0a:bf:c6:7a:eb:f7:0d:e7:eb:1d:
                    77:a4:ba:40:23:d2:af:07:72:19:1c:87:d3:10:fc:
                    c2:45
                Exponent: 65537 (0x10001)

and the corresponding private key in the repo has a different RSA modulus (dumped with openssl rsa -in test8.tls-o-matic.com.key -modulus):

Was there a mistake committing the certificate & key? Perhaps I'm doing something wrong? A mystery either way :-)

Thanks!

Fix paths in server.conf for Apache

Maybe use m4 or something else to generate apache server.conf without hard coded paths to config files. Like "server22.include"

Sort out server22.include and server.include in httpd/generic

tls o matic test 15 online has wrong cert

    [spider@tear tmp]$ openssl s_client -connect test15a.tls-o-matic.com:415 -tls1_2

    Certificate chain
     0 s:/O=TLS Hosting Company/CN=test15.tls-o-matic.com
       i:/O=Intermediate 1 tls-o-matic.com/CN=TLS-o-matic-intermediate-1
     1 s:/O=TLS-O-Matic Intermediate CA 1/CN=TLS-o-matic-intermediate-1
       i:/O=D&O TLS-O-MATIC CERTIFICATE AUTHORITY AB/CN=tls-o-matic.com

    Server certificate

    [spider@tear tmp]$ openssl s_client -connect test15b.tls-o-matic.com:415 -tls1_2

    Certificate chain
     0 s:/O=TLS Hosting Company/CN=test15.tls-o-matic.com
       i:/O=Intermediate 1 tls-o-matic.com/CN=TLS-o-matic-intermediate-1
     1 s:/O=TLS-O-Matic Intermediate CA 1/CN=TLS-o-matic-intermediate-1
       i:/O=D&O TLS-O-MATIC CERTIFICATE AUTHORITY AB/CN=tls-o-matic.com

    Server certificate
    subject=/O=TLS Hosting Company/CN=test15.tls-o-matic.com
    issuer=/O=Intermediate 1 tls-o-matic.com/CN=TLS-o-matic-intermediate-1

    No client certificate CA names sent

This certificate DOESN'T have SNI host extensions

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 4131 (0x1023)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: O=Intermediate 1 tls-o-matic.com, CN=TLS-o-matic-intermediate-1
            Validity
                Not Before: Mar 2 06:42:43 2015 GMT
                Not After : Mar 1 06:42:43 2016 GMT
            Subject: O=TLS Hosting Company, CN=test15.tls-o-matic.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication
                Netscape Comment:
                    TLS-O-Matic No Validation Certificate 💰
                X509v3 Subject Key Identifier:
                    12:0D:3B:7E:B2:CD:3F:F0:67:87:86:A2:5C:BF:A3:DA:01:B3:D3:5C
                X509v3 Authority Key Identifier:
                    keyid:8F:6B:1F:E7:9D:35:5C:3C:D4:EA:1B:79:A5:83:AD:FE:97:9A:8B:D1

                X509v3 Subject Alternative Name:
                    email:[email protected]
        Signature Algorithm: sha256WithRSAEncryption

TLS o matic serves the homepage in plain-text

Installing the tls-o-matic root ca requires you to trust plaintext HTTP.

I'm connected to a wifi named "(); :(){:|:};:" and I'm not sure I trust it.

I want to try the TLS O matic tests with my web browser.

There is no safe way for me to do that.

A null-prefixed CN cert would be neat

Remember that old flaw when you set a CN or SAN to be "hostname\0another host" which caused many problems back in the day? Would be neat to have a test specifically for that just to make sure there aren't clients still using strcmp() or similar to match the cert names.
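
The name-matching flaw this issue describes, as an added example that is not part of the original issue or of the tls-o-matic code: a matcher that treats the certificate name as a C string, next to one that honours the ASN.1 length. The `cert_name` struct, the function names and the sample names are hypothetical and constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical holder for a name read from a certificate. ASN.1 strings carry
 * an explicit length, so a 0x00 byte can appear inside the value. */
struct cert_name {
    const unsigned char *data;
    size_t len;
};

/* Flawed: treats the name as a C string, so the comparison stops at the first
 * NUL and the rest of the certificate name is never looked at. */
int match_strcmp(const struct cert_name *n, const char *host)
{
    return strcmp((const char *)n->data, host) == 0;
}

/* Length-aware: refuse names with an embedded NUL, require the ASN.1 length
 * to equal the hostname length, then compare case-insensitively. */
int match_checked(const struct cert_name *n, const char *host)
{
    size_t hlen = strlen(host);

    if (memchr(n->data, '\0', n->len) != NULL || n->len != hlen)
        return 0;
    for (size_t i = 0; i < hlen; i++)
        if (tolower(n->data[i]) != tolower((unsigned char)host[i]))
            return 0;
    return 1;
}

/* Constructed sample names, not taken from any real certificate. */
static const unsigned char NUL_NAME[] = "hostname\0another.example";
static const unsigned char OK_NAME[] = "hostname";
const struct cert_name nul_cn = { NUL_NAME, sizeof NUL_NAME - 1 };
const struct cert_name ok_cn = { OK_NAME, sizeof OK_NAME - 1 };

int main(void)
{
    /* Exit status 0 when only the strcmp matcher accepts the NUL-bearing name. */
    return !(match_strcmp(&nul_cn, "hostname") == 1 &&
             match_checked(&nul_cn, "hostname") == 0 &&
             match_checked(&ok_cn, "HostName") == 1);
}
```

A test endpoint of the kind requested here would let a client author confirm their matcher behaves like `match_checked` rather than `match_strcmp`.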

DANE support

Anders Löwinger asked for DANE support in Facebook.

Web site issues

I’ve noticed two minor issues in TLS-o-matic:

  1. In the page of test #16 at the URL...

https://www.tls-o-matic.com/https/test16/

...the “Next test” button links to the URL

https://www.tls-o-matic.com/test17

(which displays the wrong contents) instead of

https://www.tls-o-matic.com/https/test17
                            ^^^^^

with the correct contents.

  2. The “HTTPS” and/or “EC” links at the bottom of

https://www.tls-o-matic.com/ca/ec/
https://www.tls-o-matic.com/https/test30/
and
https://www.tls-o-matic.com/https/test31/

seem wrong. Are these supposed to be tags?

Thanks a lot for providing this very useful resource.
I’ve really enjoyed reading the tests and I’m looking
forward to future contents.

(From Karsten Weiss in e-mail)

www.tls-o-matic.com style improvements

Some things off the top of my mind:

  • The website uses too many different fonts. A good rule of thumb is to have max 3-4 different text styles on a website. That includes colors, italics, size etc.
  • Text in images is neither good in terms of accessibility (blind people etc.) nor SEO friendly.
  • Gray text against black background is almost not readable.
  • The Edvina logo at the bottom of the page looks pasted in. I suggest the white background is made transparent.

Somewhat a prerequisite if you'd like someone to help out with this would be to fix #15.
