Ticket Change Details
Overview

Artifact ID: aad93e274f4f9bcbfc0bab6fe91b769ed4828bd9d8c2afff8a9c3a784a84e034
Ticket: 9773973cfc90212087f851de2c94014ef72339d1
Library fails most tests from badssl.com
User & Date: anonymous 2018-09-22 09:29:33
Changes

  1. Change foundin to "1.7.16"
  2. Change icomment to:

    The website https://badssl.com/ collects various test cases for insecure TLS connections, such as expired or incorrect hostnames in certificates. I can get many of them to pass by using explicit settings:

    -tls1 0 -tls1.1 0 -tls1.2 1 -require 1 -cafile /etc/ssl/cert.pem -cipher {ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256} -autoservername 1

    But others seem to be impossible to pass the tests with the current library. I can manually fix the hostname/wildcard matching by using a -command callback (there is another bug covering this), but I cannot either get it to reject a revoked certificate or a SHA-1 intermediate cert. These could be done via the -command callback, but unfortunately the raw certificate field passed to this callback is truncated so cannot be parsed.

  3. Change login to "anonymous"
  4. Change mimetype to "text/x-fossil-wiki"
  5. Change private_contact to "4d3bc24d727f6c89fb1509fef02f21887282efcc"
  6. Change severity to "Severe"
  7. Change status to "Open"
  8. Change title to "Library fails most tests from badssl.com"
  9. Change type to "Code Defect"