We chose centos5, centos6 and centos7 for this TryTLS-shootout based on the CentOS End of Support Schedule.
docker run -ti --rm centos7
# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)

| python2-requests | python2-urllib2 | python3-urllib | go-nethttp | java-https | java-net | php-file-get-contents |
|---|---|---|---|---|---|---|
| FAIL(RC4) | FAIL(POODLE,RC4,CHK) | PASS | PASS | PASS | PASS | PASS w/NO SNI |

# python --version
Python 2.7.5
# trytls https python python2-requests/run.py
platform: Linux (CentOS Linux 7.2.1511)
runner: trytls 0.3.4 (CPython 2.7.5, OpenSSL 1.0.1e-fips)
stub: python python2-requests/run.py
PASS protect against Apple's TLS vulnerability CVE-2014-1266 [reject www.ssllabs.com:10443]
PASS protect against the FREAK attack [reject www.ssllabs.com:10444]
PASS protect against the Logjam attack [reject www.ssllabs.com:10445]
PASS protect against FREAK attack (test server 1) [reject cve.freakattack.com:443]
PASS protect against FREAK attack (test server 2) [reject cve2.freakattack.com:443]
PASS protection against POODLE attack [reject sslv3.dshield.org:443]
PASS support for TLS server name indication (SNI) [accept badssl.com:443]
PASS self-signed certificate [reject self-signed.badssl.com:443]
PASS expired certificate [reject expired.badssl.com:443]
PASS wrong hostname in certificate [reject wrong.host.badssl.com:443]
PASS SHA-256 signature [accept sha256.badssl.com:443]
PASS 1000 subjectAltNames [accept 1000-sans.badssl.com:443]
PASS incomplete chain of trust [reject incomplete-chain.badssl.com:443]
PASS Superfish CA [reject superfish.badssl.com:443]
PASS eDellRoot CA [reject edellroot.badssl.com:443]
PASS DSDTestProvider CA [reject dsdtestprovider.badssl.com:443]
PASS support for TLS server name indication (SNI) [accept tlsfun.de:443]
PASS self-signed certificate (temporarily using badssl.com) [reject self-signed.badssl.com:443]
PASS eDellRoot CA #2 [reject badcert-edell.tlsfun.de:443]
PASS valid certificate Common Name [accept domain-match.badtls.io:10000]
output: /usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.) SecurityWarning
PASS valid wildcard certificate Common Name [accept wildcard-match.badtls.io:10001]
output: /usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.) SecurityWarning
PASS support for Subject Alternative Name (SAN) [accept san-match.badtls.io:10002]
PASS TLS handshake with 1024 bit Diffie-Hellman (DH) [accept dh1024.badtls.io:10005]
output: /usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.) SecurityWarning
PASS certificate expired in year 1963 [reject expired-1963.badtls.io:11000]
PASS certificate validity starts in future [reject future.badtls.io:11001]
PASS mismatch in certificate's Common Name [reject domain-mismatch.badtls.io:11002]
output: /usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.) SecurityWarning
PASS Subject Alternative Name (SAN) mismatch [reject san-mismatch.badtls.io:11003]
PASS certificate has invalid key usage for HTTPS connection [reject bad-key-usage.badtls.io:11005]
PASS expired certificate [reject expired.badtls.io:11006]
PASS invalid wildcard certificate Common Name [reject wildcard.mismatch.badtls.io:11007]
output: /usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.) SecurityWarning
FAIL denies use of RC4 ciphers (RFC7465) [reject rc4.badtls.io:11008]
output: /usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.) SecurityWarning
PASS denies use of MD5 signature algorithm (RFC6151) [reject weak-sig.badtls.io:11004]
PASS denies use of RC4 with MD5 ciphers [reject rc4-md5.badtls.io:11009]
PASS valid localhost certificate [accept localhost:43040]
output: /usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.) SecurityWarning
PASS invalid localhost certificate [reject localhost:37192]
output: /usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.) SecurityWarning
PASS use only the given CA bundle, not system's [reject sha256.badssl.com:443]
# python --version
Python 2.7.5
# trytls https python python2-urllib2/run.py
platform: Linux (CentOS Linux 7.2.1511)
runner: trytls 0.3.4 (CPython 2.7.5, OpenSSL 1.0.1e-fips)
stub: python python2-urllib2/run.py
PASS protect against Apple's TLS vulnerability CVE-2014-1266 [reject www.ssllabs.com:10443]
PASS protect against the FREAK attack [reject www.ssllabs.com:10444]
PASS protect against the Logjam attack [reject www.ssllabs.com:10445]
PASS protect against FREAK attack (test server 1) [reject cve.freakattack.com:443]
PASS protect against FREAK attack (test server 2) [reject cve2.freakattack.com:443]
FAIL protection against POODLE attack [reject sslv3.dshield.org:443]
PASS support for TLS server name indication (SNI) [accept badssl.com:443]
FAIL self-signed certificate [reject self-signed.badssl.com:443]
SKIP expired certificate [reject expired.badssl.com:443]
reason: stub didn't reject a self-signed certificate
SKIP wrong hostname in certificate [reject wrong.host.badssl.com:443]
reason: stub didn't reject a self-signed certificate
SKIP SHA-256 signature [accept sha256.badssl.com:443]
reason: stub didn't reject a self-signed certificate
SKIP 1000 subjectAltNames [accept 1000-sans.badssl.com:443]
reason: stub didn't reject a self-signed certificate
SKIP incomplete chain of trust [reject incomplete-chain.badssl.com:443]
reason: stub didn't reject a self-signed certificate
SKIP Superfish CA [reject superfish.badssl.com:443]
reason: stub didn't reject a self-signed certificate
SKIP eDellRoot CA [reject edellroot.badssl.com:443]
reason: stub didn't reject a self-signed certificate
SKIP DSDTestProvider CA [reject dsdtestprovider.badssl.com:443]
reason: stub didn't reject a self-signed certificate
PASS support for TLS server name indication (SNI) [accept tlsfun.de:443]
FAIL self-signed certificate (temporarily using badssl.com) [reject self-signed.badssl.com:443]
SKIP eDellRoot CA #2 [reject badcert-edell.tlsfun.de:443]
reason: stub didn't reject a self-signed certificate
PASS valid certificate Common Name [accept domain-match.badtls.io:10000]
PASS valid wildcard certificate Common Name [accept wildcard-match.badtls.io:10001]
PASS support for Subject Alternative Name (SAN) [accept san-match.badtls.io:10002]
PASS TLS handshake with 1024 bit Diffie-Hellman (DH) [accept dh1024.badtls.io:10005]
PASS certificate expired in year 1963 [reject expired-1963.badtls.io:11000]
PASS certificate validity starts in future [reject future.badtls.io:11001]
PASS mismatch in certificate's Common Name [reject domain-mismatch.badtls.io:11002]
PASS Subject Alternative Name (SAN) mismatch [reject san-mismatch.badtls.io:11003]
PASS certificate has invalid key usage for HTTPS connection [reject bad-key-usage.badtls.io:11005]
PASS expired certificate [reject expired.badtls.io:11006]
PASS invalid wildcard certificate Common Name [reject wildcard.mismatch.badtls.io:11007]
FAIL denies use of RC4 ciphers (RFC7465) [reject rc4.badtls.io:11008]
PASS denies use of MD5 signature algorithm (RFC6151) [reject weak-sig.badtls.io:11004]
PASS denies use of RC4 with MD5 ciphers [reject rc4-md5.badtls.io:11009]
PASS valid localhost certificate [accept localhost:35691]
PASS invalid localhost certificate [reject localhost:40624]
PASS use only the given CA bundle, not system's [reject sha256.badssl.com:443]
# scl enable rh-python35 python --version
Python 3.5.1
# scl enable rh-python35 trytls https python python3-urllib/run.py
platform: Linux (CentOS Linux 7.2.1511)
runner: trytls 0.3.4 (CPython 2.7.5, OpenSSL 1.0.1e-fips)
stub: python python3-urllib/run.py
PASS protect against Apple's TLS vulnerability CVE-2014-1266 [reject www.ssllabs.com:10443]
PASS protect against the FREAK attack [reject www.ssllabs.com:10444]
PASS protect against the Logjam attack [reject www.ssllabs.com:10445]
PASS protect against FREAK attack (test server 1) [reject cve.freakattack.com:443]
PASS protect against FREAK attack (test server 2) [reject cve2.freakattack.com:443]
PASS protection against POODLE attack [reject sslv3.dshield.org:443]
PASS support for TLS server name indication (SNI) [accept badssl.com:443]
PASS self-signed certificate [reject self-signed.badssl.com:443]
PASS expired certificate [reject expired.badssl.com:443]
PASS wrong hostname in certificate [reject wrong.host.badssl.com:443]
PASS SHA-256 signature [accept sha256.badssl.com:443]
PASS 1000 subjectAltNames [accept 1000-sans.badssl.com:443]
PASS incomplete chain of trust [reject incomplete-chain.badssl.com:443]
PASS Superfish CA [reject superfish.badssl.com:443]
PASS eDellRoot CA [reject edellroot.badssl.com:443]
PASS DSDTestProvider CA [reject dsdtestprovider.badssl.com:443]
PASS support for TLS server name indication (SNI) [accept tlsfun.de:443]
PASS self-signed certificate (temporarily using badssl.com) [reject self-signed.badssl.com:443]
PASS eDellRoot CA #2 [reject badcert-edell.tlsfun.de:443]
PASS valid certificate Common Name [accept domain-match.badtls.io:10000]
PASS valid wildcard certificate Common Name [accept wildcard-match.badtls.io:10001]
PASS support for Subject Alternative Name (SAN) [accept san-match.badtls.io:10002]
PASS TLS handshake with 1024 bit Diffie-Hellman (DH) [accept dh1024.badtls.io:10005]
PASS certificate expired in year 1963 [reject expired-1963.badtls.io:11000]
PASS certificate validity starts in future [reject future.badtls.io:11001]
PASS mismatch in certificate's Common Name [reject domain-mismatch.badtls.io:11002]
PASS Subject Alternative Name (SAN) mismatch [reject san-mismatch.badtls.io:11003]
PASS certificate has invalid key usage for HTTPS connection [reject bad-key-usage.badtls.io:11005]
PASS expired certificate [reject expired.badtls.io:11006]
PASS invalid wildcard certificate Common Name [reject wildcard.mismatch.badtls.io:11007]
PASS denies use of RC4 ciphers (RFC7465) [reject rc4.badtls.io:11008]
PASS denies use of MD5 signature algorithm (RFC6151) [reject weak-sig.badtls.io:11004]
PASS denies use of RC4 with MD5 ciphers [reject rc4-md5.badtls.io:11009]
PASS valid localhost certificate [accept localhost:32914]
PASS invalid localhost certificate [reject localhost:38483]
PASS use only the given CA bundle, not system's [reject sha256.badssl.com:443]
# go version
go version go1.6.3 linux/amd64
# trytls https go-nethttp/run
platform: Linux (CentOS Linux 7.2.1511)
runner: trytls 0.3.4 (CPython 2.7.5, OpenSSL 1.0.1e-fips)
stub: go-nethttp/run
PASS protect against Apple's TLS vulnerability CVE-2014-1266 [reject www.ssllabs.com:10443]
output: Get https://www.ssllabs.com:10443: crypto/rsa: verification error
PASS protect against the FREAK attack [reject www.ssllabs.com:10444]
output: Get https://www.ssllabs.com:10444: tls: unexpected ServerKeyExchange
PASS protect against the Logjam attack [reject www.ssllabs.com:10445]
output: Get https://www.ssllabs.com:10445: remote error: handshake failure
PASS protect against FREAK attack (test server 1) [reject cve.freakattack.com:443]
output: Get https://cve.freakattack.com:443: tls: unexpected ServerKeyExchange
PASS protect against FREAK attack (test server 2) [reject cve2.freakattack.com:443]
output: Get https://cve2.freakattack.com:443: tls: unexpected ServerKeyExchange
PASS protection against POODLE attack [reject sslv3.dshield.org:443]
output: Get https://sslv3.dshield.org:443: tls: server selected unsupported protocol version 300
PASS support for TLS server name indication (SNI) [accept badssl.com:443]
PASS self-signed certificate [reject self-signed.badssl.com:443]
output: Get https://self-signed.badssl.com:443: x509: certificate signed by unknown authority
PASS expired certificate [reject expired.badssl.com:443]
output: Get https://expired.badssl.com:443: x509: certificate has expired or is not yet valid
PASS wrong hostname in certificate [reject wrong.host.badssl.com:443]
output: Get https://wrong.host.badssl.com:443: x509: certificate is valid for *.badssl.com, badssl.com, not wrong.host.badssl.com
PASS SHA-256 signature [accept sha256.badssl.com:443]
PASS 1000 subjectAltNames [accept 1000-sans.badssl.com:443]
PASS incomplete chain of trust [reject incomplete-chain.badssl.com:443]
output: Get https://incomplete-chain.badssl.com:443: x509: certificate signed by unknown authority
PASS Superfish CA [reject superfish.badssl.com:443]
output: Get https://superfish.badssl.com:443: x509: certificate signed by unknown authority
PASS eDellRoot CA [reject edellroot.badssl.com:443]
output: Get https://edellroot.badssl.com:443: x509: certificate signed by unknown authority
PASS DSDTestProvider CA [reject dsdtestprovider.badssl.com:443]
output: Get https://dsdtestprovider.badssl.com:443: x509: certificate signed by unknown authority
PASS support for TLS server name indication (SNI) [accept tlsfun.de:443]
PASS self-signed certificate (temporarily using badssl.com) [reject self-signed.badssl.com:443]
output: Get https://self-signed.badssl.com:443: x509: certificate signed by unknown authority
PASS eDellRoot CA #2 [reject badcert-edell.tlsfun.de:443]
output: Get https://badcert-edell.tlsfun.de:443: x509: certificate signed by unknown authority
SKIP valid certificate Common Name [accept domain-match.badtls.io:10000]
SKIP valid wildcard certificate Common Name [accept wildcard-match.badtls.io:10001]
SKIP support for Subject Alternative Name (SAN) [accept san-match.badtls.io:10002]
SKIP TLS handshake with 1024 bit Diffie-Hellman (DH) [accept dh1024.badtls.io:10005]
SKIP certificate expired in year 1963 [reject expired-1963.badtls.io:11000]
SKIP certificate validity starts in future [reject future.badtls.io:11001]
SKIP mismatch in certificate's Common Name [reject domain-mismatch.badtls.io:11002]
SKIP Subject Alternative Name (SAN) mismatch [reject san-mismatch.badtls.io:11003]
SKIP certificate has invalid key usage for HTTPS connection [reject bad-key-usage.badtls.io:11005]
SKIP expired certificate [reject expired.badtls.io:11006]
SKIP invalid wildcard certificate Common Name [reject wildcard.mismatch.badtls.io:11007]
SKIP denies use of RC4 ciphers (RFC7465) [reject rc4.badtls.io:11008]
SKIP denies use of MD5 signature algorithm (RFC6151) [reject weak-sig.badtls.io:11004]
SKIP denies use of RC4 with MD5 ciphers [reject rc4-md5.badtls.io:11009]
SKIP valid localhost certificate [accept localhost:42740]
SKIP invalid localhost certificate [reject localhost:39308]
SKIP use only the given CA bundle, not system's [reject sha256.badssl.com:443]
# java -version
java version "1.7.0_111"
OpenJDK Runtime Environment (rhel-2.6.7.2.el7_2-x86_64 u111-b01)
OpenJDK 64-Bit Server VM (build 24.111-b01, mixed mode)
# trytls https java -classpath java-https Run
platform: Linux (CentOS Linux 7.2.1511)
runner: trytls 0.3.4 (CPython 2.7.5, OpenSSL 1.0.1e-fips)
stub: java -classpath java-https Run
PASS protect against Apple's TLS vulnerability CVE-2014-1266 [reject www.ssllabs.com:10443]
PASS protect against the FREAK attack [reject www.ssllabs.com:10444]
PASS protect against the Logjam attack [reject www.ssllabs.com:10445]
PASS protect against FREAK attack (test server 1) [reject cve.freakattack.com:443]
PASS protect against FREAK attack (test server 2) [reject cve2.freakattack.com:443]
PASS protection against POODLE attack [reject sslv3.dshield.org:443]
PASS support for TLS server name indication (SNI) [accept badssl.com:443]
PASS self-signed certificate [reject self-signed.badssl.com:443]
PASS expired certificate [reject expired.badssl.com:443]
PASS wrong hostname in certificate [reject wrong.host.badssl.com:443]
PASS SHA-256 signature [accept sha256.badssl.com:443]
PASS 1000 subjectAltNames [accept 1000-sans.badssl.com:443]
PASS incomplete chain of trust [reject incomplete-chain.badssl.com:443]
PASS Superfish CA [reject superfish.badssl.com:443]
PASS eDellRoot CA [reject edellroot.badssl.com:443]
PASS DSDTestProvider CA [reject dsdtestprovider.badssl.com:443]
PASS support for TLS server name indication (SNI) [accept tlsfun.de:443]
PASS self-signed certificate (temporarily using badssl.com) [reject self-signed.badssl.com:443]
PASS eDellRoot CA #2 [reject badcert-edell.tlsfun.de:443]
SKIP valid certificate Common Name [accept domain-match.badtls.io:10000]
SKIP valid wildcard certificate Common Name [accept wildcard-match.badtls.io:10001]
SKIP support for Subject Alternative Name (SAN) [accept san-match.badtls.io:10002]
SKIP TLS handshake with 1024 bit Diffie-Hellman (DH) [accept dh1024.badtls.io:10005]
SKIP certificate expired in year 1963 [reject expired-1963.badtls.io:11000]
SKIP certificate validity starts in future [reject future.badtls.io:11001]
SKIP mismatch in certificate's Common Name [reject domain-mismatch.badtls.io:11002]
SKIP Subject Alternative Name (SAN) mismatch [reject san-mismatch.badtls.io:11003]
SKIP certificate has invalid key usage for HTTPS connection [reject bad-key-usage.badtls.io:11005]
SKIP expired certificate [reject expired.badtls.io:11006]
SKIP invalid wildcard certificate Common Name [reject wildcard.mismatch.badtls.io:11007]
SKIP denies use of RC4 ciphers (RFC7465) [reject rc4.badtls.io:11008]
SKIP denies use of MD5 signature algorithm (RFC6151) [reject weak-sig.badtls.io:11004]
SKIP denies use of RC4 with MD5 ciphers [reject rc4-md5.badtls.io:11009]
SKIP valid localhost certificate [accept localhost:39004]
SKIP invalid localhost certificate [reject localhost:40276]
SKIP use only the given CA bundle, not system's [reject sha256.badssl.com:443]
# java -version
java version "1.7.0_111"
OpenJDK Runtime Environment (rhel-2.6.7.2.el7_2-x86_64 u111-b01)
OpenJDK 64-Bit Server VM (build 24.111-b01, mixed mode)
# trytls https java -classpath java-net Run
platform: Linux (CentOS Linux 7.2.1511)
runner: trytls 0.3.4 (CPython 2.7.5, OpenSSL 1.0.1e-fips)
stub: java -classpath java-net Run
PASS protect against Apple's TLS vulnerability CVE-2014-1266 [reject www.ssllabs.com:10443]
PASS protect against the FREAK attack [reject www.ssllabs.com:10444]
PASS protect against the Logjam attack [reject www.ssllabs.com:10445]
PASS protect against FREAK attack (test server 1) [reject cve.freakattack.com:443]
PASS protect against FREAK attack (test server 2) [reject cve2.freakattack.com:443]
PASS protection against POODLE attack [reject sslv3.dshield.org:443]
PASS support for TLS server name indication (SNI) [accept badssl.com:443]
PASS self-signed certificate [reject self-signed.badssl.com:443]
PASS expired certificate [reject expired.badssl.com:443]
PASS wrong hostname in certificate [reject wrong.host.badssl.com:443]
PASS SHA-256 signature [accept sha256.badssl.com:443]
PASS 1000 subjectAltNames [accept 1000-sans.badssl.com:443]
PASS incomplete chain of trust [reject incomplete-chain.badssl.com:443]
PASS Superfish CA [reject superfish.badssl.com:443]
PASS eDellRoot CA [reject edellroot.badssl.com:443]
PASS DSDTestProvider CA [reject dsdtestprovider.badssl.com:443]
PASS support for TLS server name indication (SNI) [accept tlsfun.de:443]
PASS self-signed certificate (temporarily using badssl.com) [reject self-signed.badssl.com:443]
PASS eDellRoot CA #2 [reject badcert-edell.tlsfun.de:443]
SKIP valid certificate Common Name [accept domain-match.badtls.io:10000]
SKIP valid wildcard certificate Common Name [accept wildcard-match.badtls.io:10001]
SKIP support for Subject Alternative Name (SAN) [accept san-match.badtls.io:10002]
SKIP TLS handshake with 1024 bit Diffie-Hellman (DH) [accept dh1024.badtls.io:10005]
SKIP certificate expired in year 1963 [reject expired-1963.badtls.io:11000]
SKIP certificate validity starts in future [reject future.badtls.io:11001]
SKIP mismatch in certificate's Common Name [reject domain-mismatch.badtls.io:11002]
SKIP Subject Alternative Name (SAN) mismatch [reject san-mismatch.badtls.io:11003]
SKIP certificate has invalid key usage for HTTPS connection [reject bad-key-usage.badtls.io:11005]
SKIP expired certificate [reject expired.badtls.io:11006]
SKIP invalid wildcard certificate Common Name [reject wildcard.mismatch.badtls.io:11007]
SKIP denies use of RC4 ciphers (RFC7465) [reject rc4.badtls.io:11008]
SKIP denies use of MD5 signature algorithm (RFC6151) [reject weak-sig.badtls.io:11004]
SKIP denies use of RC4 with MD5 ciphers [reject rc4-md5.badtls.io:11009]
SKIP valid localhost certificate [accept localhost:44907]
SKIP invalid localhost certificate [reject localhost:36998]
SKIP use only the given CA bundle, not system's [reject sha256.badssl.com:443]
# php --version
PHP 5.4.16 (cli) (built: Aug 11 2016 21:24:59)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2013 Zend Technologies
# trytls https php php-file-get-contents/run.php
platform: Linux (CentOS Linux 7.2.1511)
runner: trytls 0.3.4 (CPython 2.7.5, OpenSSL 1.0.1e-fips)
stub: php php-file-get-contents/run.php
PASS protect against Apple's TLS vulnerability CVE-2014-1266 [reject www.ssllabs.com:10443]
PASS protect against the FREAK attack [reject www.ssllabs.com:10444]
PASS protect against the Logjam attack [reject www.ssllabs.com:10445]
PASS protect against FREAK attack (test server 1) [reject cve.freakattack.com:443]
PASS protect against FREAK attack (test server 2) [reject cve2.freakattack.com:443]
PASS protection against POODLE attack [reject sslv3.dshield.org:443]
FAIL support for TLS server name indication (SNI) [accept badssl.com:443]
SKIP self-signed certificate [reject self-signed.badssl.com:443]
reason: could not detect SNI support
SKIP expired certificate [reject expired.badssl.com:443]
reason: could not detect SNI support
SKIP wrong hostname in certificate [reject wrong.host.badssl.com:443]
reason: could not detect SNI support
SKIP SHA-256 signature [accept sha256.badssl.com:443]
reason: could not detect SNI support
SKIP 1000 subjectAltNames [accept 1000-sans.badssl.com:443]
reason: could not detect SNI support
SKIP incomplete chain of trust [reject incomplete-chain.badssl.com:443]
reason: could not detect SNI support
SKIP Superfish CA [reject superfish.badssl.com:443]
reason: could not detect SNI support
SKIP eDellRoot CA [reject edellroot.badssl.com:443]
reason: could not detect SNI support
SKIP DSDTestProvider CA [reject dsdtestprovider.badssl.com:443]
reason: could not detect SNI support
FAIL support for TLS server name indication (SNI) [accept tlsfun.de:443]
SKIP self-signed certificate (temporarily using badssl.com) [reject self-signed.badssl.com:443]
reason: could not detect SNI support
SKIP eDellRoot CA #2 [reject badcert-edell.tlsfun.de:443]
reason: could not detect SNI support
SKIP valid certificate Common Name [accept domain-match.badtls.io:10000]
SKIP valid wildcard certificate Common Name [accept wildcard-match.badtls.io:10001]
SKIP support for Subject Alternative Name (SAN) [accept san-match.badtls.io:10002]
SKIP TLS handshake with 1024 bit Diffie-Hellman (DH) [accept dh1024.badtls.io:10005]
SKIP certificate expired in year 1963 [reject expired-1963.badtls.io:11000]
SKIP certificate validity starts in future [reject future.badtls.io:11001]
SKIP mismatch in certificate's Common Name [reject domain-mismatch.badtls.io:11002]
SKIP Subject Alternative Name (SAN) mismatch [reject san-mismatch.badtls.io:11003]
SKIP certificate has invalid key usage for HTTPS connection [reject bad-key-usage.badtls.io:11005]
SKIP expired certificate [reject expired.badtls.io:11006]
SKIP invalid wildcard certificate Common Name [reject wildcard.mismatch.badtls.io:11007]
SKIP denies use of RC4 ciphers (RFC7465) [reject rc4.badtls.io:11008]
SKIP denies use of MD5 signature algorithm (RFC6151) [reject weak-sig.badtls.io:11004]
SKIP denies use of RC4 with MD5 ciphers [reject rc4-md5.badtls.io:11009]
SKIP valid localhost certificate [accept localhost:46667]
SKIP invalid localhost certificate [reject localhost:42779]
SKIP use only the given CA bundle, not system's [reject sha256.badssl.com:443]