Hi,
Is there a public TLS/SSL test server ?
It'd be great to have one that offers, on various ports say, and via various
domain names, server certs and cert chains that are "non-standard" or broken in
different fashions, e.g....
1. straight-up self-signed end-entity cert, no cert chain offered.
2. expired cert, otherwise legit, chains to public well-known root CA
3. otherwise legit cert, chains to public well-known root CA, but the presented
CN-ID [1] and DNS-ID do not match the source domain name used to initiate the
connection.
4. otherwise legit cert, chains to a specified root CA, the CA cert is
available to the client, however, client is unable to obtain neither a CRL nor
a OCSP response.
5. otherwise legit cert, chains to a specified root CA, the CA cert is
available to the client, however, CRL is expired.
6. otherwise legit cert, but is "transvalid" per PeterE's definition..
The transvalid column contains the output of openssl verify called with their
trusted root repositories /and/ any intermediate CA certs that were in
the chain presented by that webserver, /plus/ extra intermediate CA certs that
look like they were missing from the chain presented by the webserver.
7. otherwise legit cert, chains to a specified root CA, the CA cert is
available to the client, however, contains factorizable public key.
8. others...
Having the above would be quite useful for testing various TLS/SSL clients
against.
Anyone know of one already existing or wish to contribute to setting one up?
thanks,
=JeffH
[1] CN-ID and DNS-ID are concise PKIX certificate "identifier type"
designations established in RFC6125 <https://tools.ietf.org/html/rfc6125>.
