Support TLSv1 on DH (and other?) tests #49
Comments
|
It's totally a fair use case. After all, the site is called "bad ssl". Would you mind testing if that serves your need for those domains? |
|
A slight problem with the DH*.badssl.com domains. It looks like RSA-3DES snuck in on the TLS1/SSLv3 protocol configs so DH2048.badssl.com is visible on winXP with ie6 because it connects using a non-DHE cipher suite (and thus gives false positives). Other than that, this is exactly what I needed. |
|
Here is the output from sslyze for dh2048.badssl.com, it believes that only SSLv3 ciphers are non-DHE. ssllabs.com seemed to think it was connecting via tlsv1 and 3DES for IE8+XP, but as that is an simulation, I'm more inclined to test sslyze here.
|
|
Closing this issue because the original ask was completed (but opening a new issue given the false positive problem) |
Most sites that enable DHE, do so to get Forward Secrecy on older clients that don't support ECDHE. By only negotiating TLSv1.2 and TLSv1.1 on the DH2048/1024/512 pages, none of the legacy systems/browsers can even connect to the page. Appreciate this may not be the primary use case for this project/site but it would be very useful to be able to confirm DH2048 support on things like OS X before 10.9, Chrome before 22, Firefox before 23 and lots and lots of mobile devices.
The text was updated successfully, but these errors were encountered: