Support TLSv1 on DH (and other?) tests #49
Comments
It's totally a fair use case. After all, the site is called "bad ssl". Would you mind testing if that serves your need for those domains?
A slight problem with the DH*.badssl.com domains. It looks like RSA-3DES snuck in on the TLS1/SSLv3 protocol configs so DH2048.badssl.com is visible on winXP with ie6 because it connects using a non-DHE cipher suite (and thus gives false positives). Other than that, this is exactly what I needed.
Here is the output from sslyze for dh2048.badssl.com; it believes that only SSLv3 ciphers are non-DHE. ssllabs.com seemed to think it was connecting via tlsv1 and 3DES for IE8+XP, but as that is a simulation, I'm more inclined to test sslyze here.
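Added example (not part of the thread or of the badssl.com project): one way to check a DH test host's per-protocol cipher list for the two problems discussed here, a non-DHE fallback suite that produces false positives and a missing DHE suite on TLSv1 that locks legacy clients out. The `SCAN` data and protocol labels are constructed for illustration and do not reflect the real host; suite names are assumed to be OpenSSL or IANA style.

```python
# Added illustration: audit accepted cipher suites on a DH test host.
# Prefix -> key exchange, checked in order (longer/more specific first).
PREFIXES = (
    ("ECDHE-", "ECDHE"), ("ECDH-", "ECDH"),
    ("DHE-", "DHE"), ("EDH-", "DHE"),          # EDH is OpenSSL's old DHE name
    ("ADH-", "ADH"), ("DH-ANON-", "ADH"),      # anonymous DH
    ("DH-", "DH"),                             # static DH
    ("RSA-", "RSA"),
)

def key_exchange(suite):
    """Classify a cipher suite name by its key exchange."""
    s = suite.upper().replace("_", "-")
    if s.startswith("TLS-"):
        if "-WITH-" not in s:
            return "TLS1.3"   # TLS 1.3 names do not encode the key exchange
        s = s[4:]
    for prefix, kx in PREFIXES:
        if s.startswith(prefix):
            return kx
    return "RSA"              # OpenSSL omits the prefix for RSA key exchange

def audit_dh_host(accepted, legacy_proto="TLSv1"):
    """accepted: {protocol: [suite, ...]} as reported by a scanner.

    Returns (fallbacks, legacy_ok):
      fallbacks - {protocol: [non-DHE suites]}; any entry means a client can
                  connect without DHE, so "page loaded" proves nothing.
      legacy_ok - True if legacy_proto offers at least one DHE suite.
    """
    fallbacks = {}
    for proto, suites in accepted.items():
        non_dhe = [s for s in suites if key_exchange(s) != "DHE"]
        if non_dhe:
            fallbacks[proto] = non_dhe
    legacy_ok = any(key_exchange(s) == "DHE"
                    for s in accepted.get(legacy_proto, []))
    return fallbacks, legacy_ok

# Constructed scan result (hypothetical, not real sslyze output).
SCAN = {
    "SSLv3":   ["DES-CBC3-SHA"],
    "TLSv1":   ["DHE-RSA-AES128-SHA", "DES-CBC3-SHA"],
    "TLSv1.1": ["DHE-RSA-AES128-SHA"],
    "TLSv1.2": ["DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA"],
}

if __name__ == "__main__":
    print(audit_dh_host(SCAN))
```

A DH test host is only a reliable check when `fallbacks` is empty for every protocol it accepts.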
Closing this issue because the original ask was completed (but opening a new issue given the false positive problem)
Most sites that enable DHE do so to get Forward Secrecy on older clients that don't support ECDHE. By only negotiating TLSv1.2 and TLSv1.1 on the DH2048/1024/512 pages, none of the legacy systems/browsers can even connect to the page. Appreciate this may not be the primary use case for this project/site but it would be very useful to be able to confirm DH2048 support on things like OS X before 10.9, Chrome before 22, Firefox before 23 and lots and lots of mobile devices.