ssllabs / ssllabs-scan

A command-line reference-implementation client for SSL Labs APIs, designed for automated and/or bulk testing.
https://www.ssllabs.com/projects/ssllabs-apis/
Apache License 2.0

always return certHostnames #163

Closed roycewilliams closed 8 years ago

roycewilliams commented 9 years ago

If possible, it would be better if certHostnames was always present. I would rather check the grade (and/or the cert issues bitfield) to definitively determine if a mismatch exists, and always have certHostnames available for diagnostic purposes.

ivanr commented 9 years ago

Could you please explain how you would use this field? Because it would contain a collection of all hostnames in all certificates, it might contain names that are not related to the main server. For example, sometimes one hostname variant points to a good cert, and then there's another with a mismatch. How would certHostname be useful in this situation?

roycewilliams commented 9 years ago

certHostnames is similar to serverSignature and serverName in that they are mostly informational, but can have security implications.

For certHostnames, this is true even when there is no mismatch, because potentially sensitive information about their setup is publicly visible -- for example, whether or not internal domains and hostnames are being leaked unintentionally.

Knowing whether and how wildcard certs are used is useful for understanding the overall TLS architecture and how it is "zoned" - which hosts are wildcarded and how they are grouped. This is important for assessing TLS security posture.

Test results are often used by a layperson stakeholder -- someone who is administratively associated with the organization, but not technical -- who has been charged with driving a "cleanup" of their SSL/TLS posture. Test results are also used by pentesters. In both cases, it is important for users of the test results to see all of the above -- because that's what the attacker can see.
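A consumer-side check of the kind described in the comment above, added here as an example (it is not code from this thread or from ssllabs-scan): the mismatch verdict comes from the cert issues bitfield, certHostnames is used only for diagnostics (wildcard zoning, leaked-looking internal names), and an absent field is reported as missing rather than as "no names". The flat JSON layout, the bit value and the internal-name heuristic are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)
// Bit 3 of the SSL Labs cert "issues" bitfield is "hostname mismatch" (per the API v2 docs, not this thread).
const certHostnameMismatch = 1 << 3
// Result is a simplified, assumed record layout; real ssllabs-scan output nests cert fields deeper.
type Result struct {
	CertIssues    int      `json:"certIssues"`
	CertHostnames []string `json:"certHostnames"` // nil when the field is absent
}

// Mismatch is decided from the bitfield only; certHostnames is used for diagnostics.
type Finding struct {
	Mismatch, Missing   bool
	Wildcards, Internal []string // wildcard "zoning" and leaked-looking internal names
}
// Assumed heuristic: single-label hosts or non-public TLDs suggest internal names.
var internalTLDs = map[string]bool{"local": true, "internal": true, "corp": true, "lan": true}

func looksInternal(name string) bool {
	n := strings.TrimPrefix(strings.ToLower(name), "*.")
	return !strings.Contains(n, ".") || internalTLDs[n[strings.LastIndex(n, ".")+1:]]
}

func Analyze(raw []byte) (Finding, error) {
	var r Result
	if err := json.Unmarshal(raw, &r); err != nil {
		return Finding{}, err
	}
	f := Finding{Mismatch: r.CertIssues&certHostnameMismatch != 0, Missing: r.CertHostnames == nil}
	for _, h := range r.CertHostnames {
		if strings.HasPrefix(h, "*.") {
			f.Wildcards = append(f.Wildcards, h)
		}
		if looksInternal(h) {
			f.Internal = append(f.Internal, h)
		}
	}
	return f, nil
}

func main() { // constructed sample records, not real scan output
	for _, s := range []string{`{"certIssues":0,"certHostnames":["www.example.com","*.example.com","intranet01","mail.example.corp"]}`, `{"certIssues":8}`} {
		f, err := Analyze([]byte(s))
		fmt.Printf("%+v err=%v\n", f, err)
	}
}
```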

roycewilliams commented 8 years ago

Hmm, that's unfortunate. I would actually expect the resulting code to be simpler, not more complex.