edvinanet / tls-o-matic
TLS labs
License: Creative Commons Zero v1.0 Universal
Sindarina on twitter: "Still on reserved ports? Bad form, that. I could understand needing to support older tests, but publishing new ones with them?!"
Hi there,
I was trying to issue a client certificate to test a positive result for "Test 8 :: Client Certificate required" and happened to notice that the test8 certificate and the test8 private key checked into the repo don't match!
The public key of the certificate specifies an RSA public key with one modulus (dumped with openssl x509 -in test8.tls-o-matic.com.cert -noout -text):
RSA Public Key: (2048 bit)
Modulus (2048 bit):
Exponent: 65537 (0x10001)
and the corresponding private key in the repo has a different RSA modulus (dumped with openssl rsa -in test8.tls-o-matic.com.key -modulus):
Was there a mistake committing the certificate & key? Perhaps I'm doing something wrong? A mystery either way :-)
Thanks!
Being a TLS proponent here, I think it should redirect to https://www.tls-o-matic.com. :)
See https://badssl.com.
Maybe use m4 or something else to generate apache server.conf without hard coded paths to config files. Like "server22.include"
Sort out server22.include and server.include in httpd/generic
Nothing wrong. Don't worry.
Certificate chain
0 s:/O=TLS Hosting Company/CN=test15.tls-o-matic.com
i:/O=Intermediate 1 tls-o-matic.com/CN=TLS-o-matic-intermediate-1
1 s:/O=TLS-O-Matic Intermediate CA 1/CN=TLS-o-matic-intermediate-1
Server certificate
subject=/O=TLS Hosting Company/CN=test15.tls-o-matic.com
No client certificate CA names sent
This certificate DOESN'T have SNI host extensions
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4131 (0x1023)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=Intermediate 1 tls-o-matic.com, CN=TLS-o-matic-intermediate-1
Validity
Not Before: Mar 2 06:42:43 2015 GMT
Not After : Mar 1 06:42:43 2016 GMT
Subject: O=TLS Hosting Company, CN=test15.tls-o-matic.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication
Netscape Comment:
TLS-O-Matic No Validation Certificate
X509v3 Subject Key Identifier:
12:0D:3B:7E:B2:CD:3F:F0:67:87:86:A2:5C:BF:A3:DA:01:B3:D3:5C
X509v3 Authority Key Identifier:
keyid:8F:6B:1F:E7:9D:35:5C:3C:D4:EA:1B:79:A5:83:AD:FE:97:9A:8B:D1
X509v3 Subject Alternative Name:
email:[email protected]
Signature Algorithm: sha256WithRSAEncryption
Installing the tls-o-matic root ca requires you to trust plaintext HTTP.
I'm connected to a wifi named "(); :(){:|:};:" And I'm not sure I trust it.
I want to try the TLS O matic tests with my web browser.
There is no safe way for me to do that.
Remember that old flaw when you set a CN or SAN to be "hostname\0another host", which caused many problems back in the day? Would be neat to have a test specifically for that, just to make sure there aren't clients still using strcmp() or similar to match the cert names.
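What such a test would exercise on the client side, as an added example (not code from the tls-o-matic repository): a strcmp()-based name check beside a length-aware one that rejects embedded NUL bytes. The struct, function names and sample names are constructed for illustration, and only exact matching is shown, without wildcard handling.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A certificate name as decoded from ASN.1: raw bytes plus explicit length. */
struct cert_name { const unsigned char *data; size_t len; };

/* Constructed sample names (not taken from any tls-o-matic certificate). */
static const unsigned char HONEST_BYTES[]  = "test.example";
static const unsigned char SPLICED_BYTES[] = "test.example\0.other.example";
static const struct cert_name honest  = { HONEST_BYTES,  sizeof HONEST_BYTES - 1 };
static const struct cert_name spliced = { SPLICED_BYTES, sizeof SPLICED_BYTES - 1 };

/* Flawed check: strcmp() stops at the first NUL, so everything after an
 * embedded NUL in the certificate name is silently ignored. */
bool match_strcmp(const struct cert_name *cn, const char *host) {
    return strcmp((const char *)cn->data, host) == 0;
}

/* Length-aware check: refuse any name containing a NUL byte, then compare
 * all cn->len bytes against the host, ignoring ASCII case. */
bool match_length_aware(const struct cert_name *cn, const char *host) {
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return false;
    if (cn->len != strlen(host))
        return false;
    for (size_t i = 0; i < cn->len; i++)
        if (tolower(cn->data[i]) != tolower((unsigned char)host[i]))
            return false;
    return true;
}

int main(void) {
    const char *host = "test.example";
    printf("strcmp:       honest=%d spliced=%d\n",
           match_strcmp(&honest, host), match_strcmp(&spliced, host));
    printf("length-aware: honest=%d spliced=%d\n",
           match_length_aware(&honest, host), match_length_aware(&spliced, host));
    return 0;
}
```

A client that passes such a test behaves like match_length_aware: the spliced name is rejected outright rather than truncated to its first component.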
Anders Löwinger asked for DANE support in Facebook.
I've tried several tests but the connections are refused.
https://test6.tls-o-matic.com:406/
https://test17.tls-o-matic.com:417/
https://test20.tls-o-matic.com:420/
Remove "tls-o-matic.com" from file names of certificates and keys
https://www.tls-o-matic.com is not-so-pretty as it could be ;) I went here to see if I could make a simple pull request to improve it.
http://www.tls-o-matic.com/https/test13/
link to "next test" doesn't work.
I’ve noticed two minor issues in TLS-o-matic:
https://www.tls-o-matic.com/https/test16/
...the “Next test” button links to the URL
https://www.tls-o-matic.com/test17
(which displays the wrong contents) instead of
https://www.tls-o-matic.com/https/test17
^^^^^
with the correct contents.
https://www.tls-o-matic.com/ca/ec/
https://www.tls-o-matic.com/https/test30/
and
https://www.tls-o-matic.com/https/test31/
seem wrong. Are these supposed to be tags?
Thanks a lot for providing this very useful resource. I’ve really enjoyed reading the tests and I’m looking forward to future contents.
(From Karsten Weiss in e-mail)
A link on the front page to the test index would be nice for reference visitors. I couldn't find one. Maybe it's there, but the navigation could be more clear?
Some things off the top of my mind:
Somewhat a prerequisite if you'd like someone to help out with this would be to fix #15.