Open stefanb opened 6 years ago
Hi Štefan! I think we internally detect when a client certificate is requested, but we currently don't handle it well in the analysis phase. I will fix this, but I don't think I will be able to give it a better look before March. Just FYI. Thanks!
No rush, I just saw room for improvement. The real problem is only when a client certificate is required and Hardenize is returning very misleading results.
Example: for a bank that requires client certificates, the results are completely wrong and misleading: https://www.hardenize.com/report/klik.nlb.si#www_https reports
And in the left menu the diagnosis is completely wrong:
every item below that:
For comparison, sslyze reports more details:
and later
openssl test reports:
It would also be interesting to see the criteria of acceptable client certificates in cases where the client certificate is optional, e.g. on: https://edavki.durs.si, where openssl test reports:
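As an added example (not part of the issue, and not Hardenize's or sslyze's code), the shell function below parses a saved `openssl s_client -connect host:443 </dev/null` transcript and reports whether the server sent a CertificateRequest, whether the certificate appears required or optional, and which acceptable CA names the server listed. The "required" verdict is a heuristic: it assumes that a fatal handshake-failure, bad-certificate or certificate-required alert in the same transcript means the server refused to continue without a certificate.

```shell
#!/bin/sh
# Classify an openssl s_client transcript read from stdin.
# Prints one verdict line ("none", "optional" or "required"),
# then the acceptable client certificate CA names, one per line.
# Usage: client_cert_request < transcript.txt
client_cert_request() {
  awk '
    # s_client prints the lines below only after it has received a
    # CertificateRequest from the server, so any of them is evidence
    # that a client certificate was asked for.
    /^Acceptable client certificate CA names/ { requested = 1; in_ca = 1; next }
    /^Client Certificate Types:/              { requested = 1; in_ca = 0 }
    /^Requested Signature Algorithms:/        { requested = 1; in_ca = 0 }
    # This line is printed whenever no CA list was sent, with or
    # without a CertificateRequest, so it only ends the CA block.
    /^No client certificate CA names sent/    { in_ca = 0 }
    /^---$/ || /^SSL handshake has read/      { in_ca = 0 }
    # Every line inside the CA block is one acceptable issuer DN.
    in_ca                                     { ca[n++] = $0 }
    # Heuristic (assumption): a fatal alert in the same transcript means
    # the server would not proceed without a certificate.
    /alert handshake failure/                 { fatal = 1 }
    /alert bad certificate/                   { fatal = 1 }
    /alert certificate required/              { fatal = 1 }
    END {
      if (!requested) { print "none"; exit }
      print (fatal ? "required" : "optional")
      for (i = 0; i < n; i++) print ca[i]
    }'
}
```

Feeding it the transcripts from the two sites above would distinguish the bank (required) from the optional case, and list the issuers each one accepts.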