Open BenBE opened 9 years ago
This would be nice, but it's low priority: STARTTLS is annoying to implement because it's intertwined with the application protocol, and whatsmychaincert is mainly focused on the browser use-case which doesn't use STARTTLS.
Sure. BTW: There is an RFC for STARTTLS with HTTP: https://tools.ietf.org/html/rfc2817 - It's just hardly ever implemented ;-)
Also a word on STARTTLS: Most services can be supported by sending a more or less dumb request prior to the TLS handshake. The most complicated case I've seen was SMTP, with two required checks (EHLO response containing STARTTLS + response to the STARTTLS command) to boot properly. In contrast, MySQL and XMPP are static with regard to STARTTLS bootup. For implementation hints you might want to take a look at my SSL test.
For reference: https://github.com/benbe/ssltest/blob/master/src/de/dogcraft/ssltest/tests/STARTTLS.java
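The two cases described in the comment above (SMTP with its two checks, XMPP as the static case), as an added example that is not code from whatsmychaincert or from the linked ssltest repository. The server output is constructed inline so it runs offline; `ssltest.invalid` is a placeholder EHLO name, and `FakeIO` stands in for a socket so the bootstrap logic can be exercised without a network.

```python
"""STARTTLS bootstrapping before the TLS handshake: the SMTP two-check case
and the static XMPP case.  Added example, not the project's own code."""
import re
import socket
import ssl


class StartTLSError(Exception):
    """Application-layer negotiation failed; no TLS handshake was started."""


class SocketIO:
    """Byte-at-a-time reader so nothing past the final plaintext reply is
    buffered away from the TLS layer (a buffered file object could swallow
    the start of the first TLS record)."""
    def __init__(self, sock):
        self.sock = sock

    def _read(self, stop, limit):
        buf = bytearray()
        while not stop(buf) and len(buf) < limit:
            b = self.sock.recv(1)
            if not b:
                break
            buf += b
        return bytes(buf)

    def readline(self):
        return self._read(lambda b: b.endswith(b"\n"), 4096)

    def read_until(self, marker, limit=65536):
        return self._read(lambda b: marker in b, limit)

    def write(self, data):
        self.sock.sendall(data)


class FakeIO:
    """In-memory stand-in for SocketIO, scripted with constructed server bytes."""
    def __init__(self, server_bytes):
        self.inbuf = server_bytes
        self.sent = []

    def readline(self):
        i = self.inbuf.find(b"\n")
        i = len(self.inbuf) if i < 0 else i + 1
        line, self.inbuf = self.inbuf[:i], self.inbuf[i:]
        return line

    def read_until(self, marker, limit=65536):
        i = self.inbuf.find(marker)
        i = min(len(self.inbuf), limit) if i < 0 else i + len(marker)
        chunk, self.inbuf = self.inbuf[:i], self.inbuf[i:]
        return chunk

    def write(self, data):
        self.sent.append(data)


# RFC 5321 reply line: "NNN-text" continues a reply, "NNN text" or bare "NNN" ends it.
_REPLY_LINE = re.compile(rb"^(\d{3})(?:([ -])(.*))?$")


def read_smtp_reply(io):
    """Read one (possibly multi-line) SMTP reply; return (code, [text lines])."""
    code, texts = None, []
    while True:
        line = io.readline()
        if not line:
            raise StartTLSError("connection closed mid-reply")
        m = _REPLY_LINE.match(line.rstrip(b"\r\n"))
        if not m:
            raise StartTLSError("malformed reply line %r" % line)
        this_code = int(m.group(1))
        if code is None:
            code = this_code
        elif this_code != code:
            raise StartTLSError("inconsistent reply codes %d/%d" % (code, this_code))
        texts.append((m.group(3) or b"").decode("ascii", "replace"))
        if m.group(2) != b"-":
            return code, texts


def smtp_starttls(io, ehlo_name="ssltest.invalid"):
    """Two checks: EHLO must advertise STARTTLS, and STARTTLS must get a 220.
    Returns the advertised extension keywords."""
    code, texts = read_smtp_reply(io)
    if code != 220:
        raise StartTLSError("unexpected greeting %d %s" % (code, texts))
    io.write(b"EHLO " + ehlo_name.encode("ascii") + b"\r\n")
    code, texts = read_smtp_reply(io)
    if code != 250:
        raise StartTLSError("EHLO rejected: %d %s" % (code, texts))
    # texts[0] is the server's own name; later lines are extension keywords.
    extensions = {t.split()[0].upper() for t in texts[1:] if t.strip()}
    if "STARTTLS" not in extensions:
        raise StartTLSError("server does not advertise STARTTLS")
    io.write(b"STARTTLS\r\n")
    code, texts = read_smtp_reply(io)
    if code != 220:
        raise StartTLSError("STARTTLS refused: %d %s" % (code, texts))
    return extensions


def xmpp_starttls(io, domain):
    """Static case (RFC 6120 section 5): fixed stream header, fixed <starttls/>,
    and only marker matching on the replies."""
    io.write(("<?xml version='1.0'?><stream:stream to='%s' xmlns='jabber:client' "
              "xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"
              % domain).encode("utf-8"))
    features = io.read_until(b"</stream:features>")
    if b"<starttls" not in features:
        raise StartTLSError("server did not offer starttls in stream features")
    io.write(b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>")
    reply = io.read_until(b"/>")
    if b"<proceed" not in reply:
        raise StartTLSError("expected <proceed/>, got %r" % reply)


def starttls_and_wrap(host, port, protocol, ctx=None):
    """Connect, run the plaintext bootstrap, then hand the same socket to TLS."""
    ctx = ctx or ssl.create_default_context()
    sock = socket.create_connection((host, port), timeout=10)
    io = SocketIO(sock)
    if protocol == "smtp":
        smtp_starttls(io)
    elif protocol == "xmpp":
        xmpp_starttls(io, host)
    else:
        raise ValueError("no STARTTLS bootstrap for %r" % protocol)
    return ctx.wrap_socket(sock, server_hostname=host)


# Constructed server transcripts (sample data, not captured from a real host).
SMTP_SERVER_OK = (b"220 mail.example.test ESMTP\r\n"
                  b"250-mail.example.test\r\n250-PIPELINING\r\n"
                  b"250-STARTTLS\r\n250 8BITMIME\r\n"
                  b"220 2.0.0 Ready to start TLS\r\n")
SMTP_SERVER_NO_TLS = (b"220 mail.example.test ESMTP\r\n"
                      b"250-mail.example.test\r\n250 8BITMIME\r\n")
XMPP_SERVER_OK = (b"<?xml version='1.0'?><stream:stream xmlns='jabber:client' "
                  b"xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"
                  b"<stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>"
                  b"<required/></starttls></stream:features>"
                  b"<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>")
```

The socket reader deliberately reads one byte at a time: after the final plaintext reply the very next bytes on the wire belong to the TLS handshake, and a buffered reader that had pulled them into its own buffer would leave `ssl.wrap_socket` waiting on a record it will never see.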
Indeed, that doesn't look awful. I thought XMPP would be worse. Though IIRC the XMPP STARTTLS support in OpenSSL's s_client was broken for a while, so there must be something tricky about it.
Thank goodness STARTTLS with HTTP never caught on!
Please implement support for testing STARTTLS based services.