hardenize / hardenize-public


Missing Acceptable client certificate CA names #17

Open stefanb opened 6 years ago

stefanb commented 6 years ago

Example: for a bank that requires client certificates, the results are completely wrong and misleading: https://www.hardenize.com/report/klik.nlb.si#www_https reports

Test failed
We've detected serious problems that require your immediate attention.
URL: https://klik.nlb.si

Analysis
HTTP connection failed
We were not able to successfully complete this request.
Message: Received fatal alert: handshake_failure

Analysis
No HTTPS service
This server provides only unencrypted (plaintext) HTTP service. Its traffic is thus not protected and fully exposed to monitoring and modification in transit. It provides no confidentiality and exposes the visitors to persistent tracking.

And in the left menu the diagnosis is completely wrong:

TLS: No A/AAAA records

and every item below that:

No HTTPS

For comparison, sslyze reports more details:

WARNING: Server REQUIRED client authentication, specific plugins will fail.

and later

ERROR #0: ClientCertificateRequested - Server requested a client certificate issued by one of the following CAs: /C=SI/O=NLB d.d./2.5.4.97=VATSI-91132550/CN=ACNLB RootCA, /C=SI/O=NLB d.d./2.5.4.97=VATSI-91132550/CN=ACNLB SubCA, /C=SI/O=ACNLB.

openssl test reports:

Acceptable client certificate CA names
/C=SI/O=ACNLB
/C=SI/O=NLB d.d./2.5.4.97=VATSI-91132550/CN=ACNLB SubCA
/C=SI/O=NLB d.d./2.5.4.97=VATSI-91132550/CN=ACNLB RootCA

It would also be interesting to see the criteria for acceptable client certificates in cases where the client certificate is optional, e.g. on: https://edavki.durs.si, where openssl test reports:

Acceptable client certificate CA names
/C=SI/O=ACNLB
/C=SI/O=NLB/O=CA
/C=SI/O=POSTA/OU=POSTArCA
/C=SI/O=Halcom/CN=Halcom CA FO
/C=SI/O=Halcom/CN=Halcom CA PO
/C=SI/O=Halcom/CN=Halcom CA PO 2
/C=SI/O=Halcom/CN=Halcom Root CA
/C=SI/O=Halcom d.d./CN=Halcom CA PO 3
/C=si/O=state-institutions/OU=sigen-ca
/C=si/O=state-institutions/OU=sigov-ca
/C=si/O=state-institutions/OU=sitest-ca
/C=SI/O=Halcom/CN=Halcom Secure Server CA 1
/C=SI/O=NLB d.d./2.5.4.97=VATSI-91132550/CN=ACNLB SubCA
/C=SI/O=NLB d.d./2.5.4.97=VATSI-91132550/CN=ACNLB RootCA
/C=SI/O=Republika Slovenija/2.5.4.97=VATSI-17659957/CN=SIGOV-CA
/C=SI/O=Republika Slovenija/2.5.4.97=VATSI-17659957/CN=SIGEN-CA G2
/C=SI/O=Republika Slovenija/2.5.4.97=VATSI-17659957/CN=SI-TRUST Root
/C=SI/O=Halcom d.d./2.5.4.97=VATSI-43353126/CN=Halcom CA FO e-signature 1
/C=SI/O=Halcom d.d./2.5.4.97=VATSI-43353126/CN=Halcom CA PO e-signature 1
/C=SI/O=Halcom d.d./2.5.4.97=VATSI-43353126/CN=Halcom Root Certificate Authority
/C=SI/O=state authorities/OU=servers/serialNumber=1236655210038/CN=edavki.durs.si
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
/C=si/O=state-institutions/OU=web-certificates/OU=Servers/serialNumber=1234776210018/CN=EDAVKI.DURS.SI
/C=si/O=state-institutions/OU=web-certificates/OU=Servers/serialNumber=1236655210013/CN=edavki.durs.si
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Extended Validation Secure Server CA
/serialNumber=24182711000/1.3.6.1.4.1.311.60.2.1.3=SI/businessCategory=Private Organization/C=SI/postalCode=1000/ST=Ljubljana/L=Ljubljana/street=Smartinska cesta 55/O=MINISTRSTVO ZA FINANCE FINAN\xC4\x8CNA UPRAVA REPUBLIKE SLOVENIJE/OU=COMODO EV SSL/CN=edavki.durs.si
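The distinction the report above gets wrong is between a port with no TLS at all and a TLS server that sends a CertificateRequest and then aborts because the anonymous client offers no certificate. The following is an added example (not Hardenize's, sslyze's or OpenSSL's own code) of a checker that drives `openssl s_client`, the same tool quoted above, and classifies its transcript into "unreachable", "not-tls", "tls", "client-cert-optional", "client-cert-required" or "handshake-failed", extracting the acceptable CA names in the two client-certificate cases. Assumptions: the section header and alert strings are the ones printed by OpenSSL 1.0.x/1.1.x `s_client`, and DNs appear one per line in the `/C=SI/O=...` oneline format shown in the issue (the `C = SI, O = ...` form of OpenSSL 3 is also accepted). The sample transcripts embedded at the bottom are constructed for the offline demonstration; only the DNs in them are taken from this issue.

```python
"""Tell "no HTTPS" apart from "HTTPS that demands a client certificate".

Added example for this issue; not Hardenize's, sslyze's or OpenSSL's own code.
It drives `openssl s_client` (the tool quoted above) and classifies its
output.  Assumed: the section headers and alert strings below are the ones
printed by OpenSSL 1.0.x/1.1.x s_client, and DNs appear one per line in the
"/C=SI/O=..." oneline format shown in the issue.
"""
import re
import subprocess

# Alerts a server sends when an anonymous client is rejected: TLS 1.2 uses
# handshake_failure, TLS 1.3 uses certificate_required.
REQUIRED_ALERTS = ("alert handshake failure", "alert certificate required")
# Record-layer errors that mean the port speaks plaintext, not TLS.
NOT_TLS_ERRORS = ("wrong version number", "unknown protocol")
ALERT_MARKER = "SSL alert number"        # present in every alert error line
HANDSHAKE_OK = "Verify return code:"     # printed once the client side finished
CA_HEADER = "Acceptable client certificate CA names"
# A DN line: "/C=..." (oneline) or "C = ..." (OpenSSL 3 default nameopt).
DN_LINE = re.compile(r"^(/[A-Za-z0-9.]+=|[A-Za-z0-9.]+ = )")


def parse_ca_names(output):
    """Return the DNs the server listed in its CertificateRequest."""
    names, in_block = [], False
    for line in output.splitlines():
        if line.startswith(CA_HEADER):
            in_block = True
        elif in_block and DN_LINE.match(line):
            names.append(line.strip())
        elif in_block:
            break  # next section: "---", "Client Certificate Types: ...", etc.
    return names


def classify(output):
    """Map an s_client transcript (stdout + stderr) to (state, ca_names)."""
    ca_names = parse_ca_names(output)
    if "Connection refused" in output or "connect:errno" in output:
        return "unreachable", ca_names
    if any(err in output for err in NOT_TLS_ERRORS):
        return "not-tls", ca_names       # the only state that is truly "No HTTPS"
    if ALERT_MARKER in output or any(a in output for a in REQUIRED_ALERTS):
        # handshake_failure is also what a cipher-suite or SNI mismatch
        # produces, so only report a client-cert requirement when the
        # server actually sent a CertificateRequest with a CA list.
        if ca_names and any(a in output for a in REQUIRED_ALERTS):
            return "client-cert-required", ca_names
        return "handshake-failed", ca_names
    if HANDSHAKE_OK in output:
        return ("client-cert-optional" if ca_names else "tls"), ca_names
    return "handshake-failed", ca_names


def probe(host, port=443, timeout=10):
    """Run openssl s_client against a live host and classify the result."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, timeout=timeout)
    out = proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace")
    return classify(out)


# Constructed transcripts (not captured from the hosts above): the DNs are the
# ones quoted in this issue, the byte counts and error prefixes are made up.
SAMPLE_REQUIRED = """\
CONNECTED(00000003)
---
Acceptable client certificate CA names
/C=SI/O=ACNLB
/C=SI/O=NLB d.d./2.5.4.97=VATSI-91132550/CN=ACNLB SubCA
/C=SI/O=NLB d.d./2.5.4.97=VATSI-91132550/CN=ACNLB RootCA
---
SSL handshake has read 3210 bytes and written 415 bytes
    Verify return code: 0 (ok)
140:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1493:SSL alert number 40
"""
SAMPLE_OPTIONAL = """\
CONNECTED(00000003)
---
Acceptable client certificate CA names
/C=si/O=state-institutions/OU=sigen-ca
/C=SI/O=Republika Slovenija/2.5.4.97=VATSI-17659957/CN=SIGOV-CA
---
SSL handshake has read 4200 bytes and written 440 bytes
    Verify return code: 0 (ok)
"""
SAMPLE_PLAINTEXT = """\
CONNECTED(00000003)
140:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:s3_pkt.c:362:
"""

if __name__ == "__main__":
    for name, sample in (("required", SAMPLE_REQUIRED), ("optional", SAMPLE_OPTIONAL),
                         ("plaintext", SAMPLE_PLAINTEXT)):
        print(name, "->", classify(sample))
```

`probe("klik.nlb.si")` needs network access and a local `openssl` binary; `classify()` is pure and can be run on saved transcripts. The check that a CA list was actually seen before reporting "client-cert-required" matters in practice: a bare handshake_failure with no CertificateRequest is more likely a cipher-suite or SNI problem, and reporting it as a client-certificate requirement would be as misleading as the "No HTTPS" verdict above.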

ivanr commented 6 years ago

Hi Štefan! I think we internally detect when a client certificate is requested, but we currently don't handle it well in the analysis phase. I will fix this, but I don't think I will be able to give it a better look before March. Just FYI. Thanks!

stefanb commented 6 years ago

No rush, I just saw room for improvement. The real problem is only when the client certificate is required and hardenize is returning very misleading results.