chromium / badssl.com

:lock: Memorable site for testing clients against bad SSL configs.
https://badssl.com
Apache License 2.0

reversed-chain.badssl.com is broken #485

Closed ngorskikh closed 2 years ago

ngorskikh commented 2 years ago

Looks like the server is misconfigured:

curl -o /dev/null -sv -k https://reversed-chain.badssl.com/

```
*   Trying 104.154.89.105:443...
* Connected to reversed-chain.badssl.com (104.154.89.105) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [239 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [108 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [1278 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=BadSSL Fallback. Unknown subdomain or no SNI.; CN=badssl-fallback-unknown-subdomain-or-no-sni
*  start date: Aug  8 21:17:05 2016 GMT
*  expire date: Aug  8 21:17:05 2018 GMT
*  issuer: C=US; ST=California; L=San Francisco; O=BadSSL; CN=BadSSL Intermediate Certificate Authority
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET / HTTP/1.1
> Host: reversed-chain.badssl.com
> User-Agent: curl/7.77.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 421 Misdirected Request
< Server: nginx/1.10.3 (Ubuntu)
< Date: Tue, 14 Dec 2021 17:30:32 GMT
< Content-Type: application/octet-stream
< Content-Length: 284
< Connection: keep-alive
<
{ [284 bytes data]
* Connection #0 to host reversed-chain.badssl.com left intact
```
intgr commented 2 years ago

This would have been a useful test case for me as well, please fix.

christhompson commented 2 years ago

This is currently impossible to serve in nginx, as the server will refuse to start as it sees the cert and private key mismatch and aborts. See https://github.com/chromium/badssl.com/pull/443#issuecomment-784556007 for more context.

I should fully remove it so that this stops tripping people who see it and wish it worked.

christhompson commented 2 years ago

The prod server was missing the commit from #470. Fixed so this should no longer show on the homepage listing.

janbrasna commented 2 years ago

@christhompson However it still shows as the last item on Dashboard, leading people to open new issues as #503 :( — seems the https://badssl.com/dashboard/sets.js wasn't deployed back then.