Open wbond opened 8 years ago
You may find https://badssl.com useful :)
I use badssl.com and tls-o-matic.com in the tests already. Unfortunately badssl.com doesn't have client auth, I don't believe. And tls-o-matic doesn't seem configured quite right to allow generating various test cases from.
How should the client act when you have two valid client certificates in the OS trust store?
Eventually I ran into issues with tls-o-matic.com downtime. That, combined with the need to be able to provide tests for client certs, caused me to write https://github.com/wbond/badtls.io.
It is designed in such a way that it is fairly easy to add new configurations, although it is tightly-coupled to nginx (and socat) right now. For an enterprising soul, it shouldn't be too hard to add Apache configs.
This gets us the ability to test against a server that allows client auth and requires client auth. However, it only tests interactions with OpenSSL (through nginx for the optional auth, and socat for the required auth). While not a strict requirement for CI, it would be good to test with some other TLS servers, such as IIS, Apache, a Go server, and a Java server.
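As an added illustration of the nginx-based setup described above (this is example config written for this note, not the badtls.io project's own configuration), here are the two server blocks that distinguish optional from required client auth. Hostnames, ports and file paths are assumptions.

```nginx
# Added example, not from badtls.io: two nginx server blocks showing
# optional vs required client-certificate auth. Hostnames, ports and
# paths are assumptions.

# Optional client auth: the handshake succeeds with or without a client
# cert; the application decides what to do using $ssl_client_verify.
server {
    listen 8443 ssl;
    server_name client-optional.example.test;          # assumed hostname

    ssl_certificate     /etc/nginx/tls/server.crt;      # assumed path
    ssl_certificate_key /etc/nginx/tls/server.key;      # assumed path

    # CA that issued the acceptable client certs (assumed path)
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_client optional;
    ssl_verify_depth 2;

    location / {
        # $ssl_client_verify is SUCCESS when a cert was presented and
        # chained to client-ca.crt, NONE when no cert was presented,
        # FAILED:<reason> when one was presented but did not verify.
        add_header X-Client-Verify $ssl_client_verify always;
        return 200 "client_verify=$ssl_client_verify\n";
    }
}

# Required client auth: a missing or unverifiable client cert is rejected.
server {
    listen 8444 ssl;
    server_name client-required.example.test;          # assumed hostname

    ssl_certificate     /etc/nginx/tls/server.crt;      # assumed path
    ssl_certificate_key /etc/nginx/tls/server.key;      # assumed path

    ssl_client_certificate /etc/nginx/tls/client-ca.crt;  # assumed path
    ssl_verify_client on;
    ssl_verify_depth 2;

    location / {
        return 200 "client_verify=$ssl_client_verify\n";
    }
}
```

One caveat worth knowing when building test cases: with `ssl_verify_client on`, nginx still completes the TLS handshake and then answers with an HTTP 400 ("No required SSL certificate was sent") when the client presented nothing, rather than aborting at the TLS layer. A client library that only inspects the handshake will therefore not see a "client authentication required" failure from nginx; that is exactly the case a raw-OpenSSL listener such as socat covers, because it can be configured to fail the handshake itself when no peer certificate arrives.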
Simply adding a comment to say that this is a feature I would like to see implemented. I've encountered an issue while trying to validate a certificate on servers that require SSL authentication:
oscrypto.errors.TLSError: TLS handshake failed - client authentication required
Unfortunately I don't really have time to work on oscrypto these days - it does most of what I've needed, and my projects using it are in need of work before I would have time to invest in this library.
I am open to someone taking up the torch to do the research and implementation of what APIs in OpenSSL, Security Framework (Mac) and SChannel (Windows) need to be called to set up client auth. I can certainly give pointers and review code.
The most complicated part of this is testing. We need to find a reliable way to test various scenarios including:
Ideally we would use something like tls-o-matic.com; however, they do not provide good and bad client certs to test with.
I have no interest in creating a VM for this since it will complicate testing.