On 19 May 2012 00:03, =JeffH <[email protected]> wrote:
> Are there also yet more issues that'd be good to test for?
Off the top of my head, although not all of these may be applicable:

- Overbroad Wildcard Certs: *.com, *.*
- Certs for domains not on the http://publicsuffix.org/ list
- MD5 signatures
- Short Public moduli
- Debian Weak Key

And then getting away from the certificate side of things and more for TLS, you could enumerate all the different algorithms and test each individually:

- Signature Algorithm Test Suite: RSA, DSA, ECDSA
- Hash Algorithm Test Suite: SHA1, SHA224, SHA256, SHA384, SHA512
- Key Exchange: DHE-RSA, DHE-DSS, ECDH-ECDSA, ECDHE-ECDSA, etc...

There's a good overview here: https://en.wikipedia.org/wiki/Comparison_of_TLS_Implementations although I suppose the RFCs and IANA would be the definitive sources.

-tom
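The certificate-side items in Tom's list, as an added example that is not part of the thread: a small checker that applies the overbroad-wildcard, public-suffix, MD5-signature, short-modulus and Debian-weak-key tests to already-parsed certificate fields. It deliberately does no X.509 parsing (use openssl or pyca/cryptography for that and feed the fields in); the public suffix rules are a constructed excerpt of the publicsuffix.org list, the 2048-bit floor is an assumed policy, the weak-key blacklist is whatever fingerprint set your own tooling supplies, and the "domains not on the public suffix list" item is read here as "the name's TLD is unknown, or the name is itself a public suffix".

```python
# Added example, not code from the thread. Encodes the certificate checks from
# the list above over pre-parsed certificate facts; parsing is left to your
# existing tools. PUBLIC_SUFFIX_RULES is a constructed excerpt for the demo.
from dataclasses import dataclass
from typing import Optional, List

# Constructed excerpt of the publicsuffix.org list; a real checker loads the
# whole file. The "*." wildcard and "!" exception rule forms are supported.
PUBLIC_SUFFIX_RULES = [
    "com", "net", "org", "uk", "co.uk", "org.uk", "jp", "ck", "*.ck", "!www.ck",
]

# Signature algorithm OIDs built on MD5 (and MD2) from RFC 3279.
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
}
MIN_RSA_BITS = 2048  # assumed policy floor for "short public modulus"


def _labels(name: str) -> List[str]:
    return name.lower().rstrip(".").split(".")


def public_suffix(name: str) -> List[str]:
    """Public-suffix labels of `name` per the publicsuffix.org algorithm:
    an exception rule wins outright, else the longest matching rule,
    else the implicit "*" rule (the bare TLD)."""
    labels = _labels(name)
    matches = []
    for rule in PUBLIC_SUFFIX_RULES:
        exception = rule.startswith("!")
        rule_labels = _labels(rule.lstrip("!"))
        if len(rule_labels) > len(labels):
            continue
        tail = labels[-len(rule_labels):]
        if all(r == "*" or r == t for r, t in zip(rule_labels, tail)):
            matches.append((exception, tail))
    for exception, tail in matches:
        if exception:
            return tail[1:]  # exception rule: drop its leftmost label
    if matches:
        return max((tail for _, tail in matches), key=len)
    return labels[-1:]


def is_known_tld(name: str) -> bool:
    """True if the TLD of `name` occurs anywhere in the (excerpted) list."""
    tld = _labels(name)[-1]
    return any(_labels(r.lstrip("!"))[-1] == tld for r in PUBLIC_SUFFIX_RULES)


def check_name(name: str) -> List[str]:
    """Findings for one CN / dNSName: wildcard placement and breadth,
    unknown TLDs, and names that are themselves a public suffix."""
    findings = []
    labels = _labels(name)
    if "*" in labels[1:] or any("*" in l and l != "*" for l in labels):
        findings.append(f"{name}: wildcard is not the entire leftmost label")
        return findings
    if labels[0] == "*":
        base = labels[1:]
        if not base or base == public_suffix(".".join(base)):
            findings.append(f"{name}: wildcard covers a public suffix (overbroad)")
        return findings
    if not is_known_tld(name):
        findings.append(f"{name}: TLD not on the public suffix list")
    elif labels == public_suffix(name):
        findings.append(f"{name}: name is itself a public suffix")
    return findings


@dataclass
class CertFacts:
    names: List[str]                  # CN plus dNSName SANs
    sig_alg_oid: str                  # dotted signature algorithm OID
    rsa_bits: Optional[int] = None    # modulus size; None for non-RSA keys
    key_fingerprint: str = ""         # in whatever form your blacklist uses
    weak_key_blacklist: frozenset = frozenset()  # e.g. from openssl-blacklist


def check_cert(c: CertFacts) -> List[str]:
    findings = []
    for n in c.names:
        findings += check_name(n)
    if c.sig_alg_oid in WEAK_SIG_OIDS:
        findings.append(f"signature uses {WEAK_SIG_OIDS[c.sig_alg_oid]}")
    if c.rsa_bits is not None and c.rsa_bits < MIN_RSA_BITS:
        findings.append(f"short RSA modulus: {c.rsa_bits} bits")
    if c.key_fingerprint and c.key_fingerprint in c.weak_key_blacklist:
        findings.append("key is on the Debian weak-key blacklist")
    return findings


if __name__ == "__main__":
    # Constructed inputs: one certificate tripping every check, one clean.
    bad = CertFacts(names=["*.com", "*.*", "co.uk", "intranet.local", "*.foo.ck"],
                    sig_alg_oid="1.2.840.113549.1.1.4", rsa_bits=1024,
                    key_fingerprint="deadbeef",
                    weak_key_blacklist=frozenset({"deadbeef"}))
    for f in check_cert(bad):
        print("FAIL", f)
    good = CertFacts(names=["www.example.com", "*.example.co.uk", "*.www.ck"],
                     sig_alg_oid="1.2.840.113549.1.1.11", rsa_bits=2048)
    print("clean" if not check_cert(good) else check_cert(good))
```

Note the two public-suffix subtleties the checker has to get right: `*.foo.ck` is overbroad because the `*.ck` rule makes every second-level `.ck` name a registry suffix, while `*.www.ck` is fine because the `!www.ck` exception carves `www.ck` back out as a registrable name.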
