search

chromium / badssl.com

:lock: Memorable site for testing clients against bad SSL configs.
https://badssl.com
Apache License 2.0
2.83k stars 191 forks source link

mozilla-xxx.badssl.com servers are not compliant with current Mozilla profile #483

Open nabla-c0d3 opened 2 years ago

nabla-c0d3 commented 2 years ago

The mozilla-xxx.badssl.com servers used to test Mozilla compliance are not actually compliant with the latest Mozilla profile, which is version 5.6.

This was tested using using SSLyze version 5.0.0.

For mozilla-old.badssl.com:

    mozilla-old.badssl.com:443: FAILED - Not compliant with Mozilla's "old" configuration.

        * maximum_certificate_lifespan: Certificate life span is 785 days, should be less than 366.
        * ciphers: Cipher suites {'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA', 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA', 'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA', 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_DHE_RSA_WITH_SEED_CBC_SHA', 'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA', 'TLS_RSA_WITH_SEED_CBC_SHA'} are supported, but should be rejected.

For mozilla-intermediate.badssl.com:

    mozilla-intermediate.badssl.com:443: FAILED - Not compliant with Mozilla's "intermediate" configuration.

        * maximum_certificate_lifespan: Certificate life span is 785 days, should be less than 366.
        * tls_versions: TLS versions {'TLSv1.1', 'TLSv1'} are supported, but should be rejected.
        * ciphers: Cipher suites {'TLS_RSA_WITH_AES_128_GCM_SHA256', 'TLS_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', 'TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384'} are supported, but should be rejected.

For mozilla-modern.badssl.com:

    mozilla-modern.badssl.com:443: FAILED - Not compliant with Mozilla's "modern" configuration.

        * maximum_certificate_lifespan: Certificate life span is 785 days, should be less than 90.
        * certificate_types: Deployed certificate types are {'rsa'}, should have at least one of {'ecdsa'}.
        * certificate_signatures: Deployed certificate signatures are {'sha256WithRSAEncryption'}, should have at least one of {'ecdsa-with-SHA512', 'ecdsa-with-SHA256', 'ecdsa-with-SHA384'}.
        * tls_versions: TLS versions {'TLSv1.2'} are supported, but should be rejected.
        * ciphers: Cipher suites {'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'} are supported, but should be rejected.

Thanks for maintaining badssl.com btw - it is immensely helpful 👌.