555ce31ab8
In the data provided by https://api.dev.ssllabs.com/api/v3/getClients, Chrome 57 Win 7 and Firefox 53 Win 7 send ClientHellos that indicate support for TLSv1.3 draft 18, but the highest_protocol for each of these is specified as 0x0303. The result is that if the server being tested supports TLSv1.3 draft 18, `run_client_simulation()` will incorrectly report "No connection" for these servers since the DETECTED_TLS_VERSION (0x0304) will be higher than the specified highest_protocol. This PR fixes the problem by changing the highest_protocol to 0x0304. Note that another solution to this problem would be to change the ClientHello messages for these two browsers. It is my understanding that TLSv1.3 is disabled by default for these browsers, so presumably the ClientHello messages would not specify TLSv1.3 support if they were configured with TLSv1.3 support disabled.
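Added example (not testssl.sh's own code) modelling the mismatch the commit message describes: it parses the supported_versions extension of a constructed ClientHello, maps the draft-18 version 0x7f12 to 0x0304, and flags client-simulation entries whose highest_protocol is lower than what the ClientHello actually advertises. The ClientHello bytes, the entry names and the simplified `simulate_client()` check are assumptions, not the real getClients data or the real `run_client_simulation()` logic.

```python
import struct

DRAFT18 = 0x7f12  # TLS 1.3 draft 18 as carried in supported_versions; drafts are 0x7f00 + draft number

def build_client_hello(supported_versions):
    """Construct a minimal ClientHello record carrying a supported_versions extension (test data, not a browser capture)."""
    sv = bytes([2 * len(supported_versions)]) + struct.pack("!%dH" % len(supported_versions), *supported_versions)
    ext = struct.pack("!HH", 43, len(sv)) + sv                  # extension type 43 = supported_versions
    body = (struct.pack("!H", 0x0303) + b"\x00" * 32 + b"\x00"  # legacy_version, random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                  # one cipher suite; null compression only
            + struct.pack("!H", len(ext)) + ext)                 # extensions length + extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs     # record header: handshake, version 1.0

def highest_advertised_version(record):
    """Highest version a ClientHello record advertises: supported_versions if present, else legacy_version."""
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    assert body[0] == 1, "not a ClientHello"
    best = struct.unpack("!H", body[4:6])[0]                     # legacy_version
    p = 6 + 32                                                   # skip random
    p += 1 + body[p]                                             # session_id
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]               # cipher_suites
    p += 1 + body[p]                                             # compression_methods
    if p + 2 > len(body):                                        # pre-extension ClientHello
        return best
    end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]; p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", body[p:p + 4]); p += 4
        if etype == 43:
            for (v,) in struct.iter_unpack("!H", body[p + 1:p + 1 + body[p]]):
                best = max(best, 0x0304 if 0x7f00 <= v <= 0x7fff else v)  # draft versions count as 1.3
        p += elen
    return best

def simulate_client(entry, detected_tls_version):
    """Simplified model of the check the commit message describes (an assumption, not testssl.sh's own logic)."""
    if detected_tls_version > entry["highest_protocol"]:
        return "No connection"
    return "0x%04x" % detected_tls_version

def inconsistent_entries(entries):
    """Names of entries whose ClientHello advertises a higher version than highest_protocol allows."""
    return [e["name"] for e in entries if highest_advertised_version(e["hello"]) > e["highest_protocol"]]

# Constructed entries mirroring the situation in the commit message (not the real getClients data).
CHROME57_HELLO = build_client_hello([DRAFT18, 0x0303, 0x0302, 0x0301])
BEFORE = {"name": "Chrome 57 / Win 7 (0x0303)", "highest_protocol": 0x0303, "hello": CHROME57_HELLO}
AFTER = {"name": "Chrome 57 / Win 7 (0x0304)", "highest_protocol": 0x0304, "hello": CHROME57_HELLO}
TLS12_ONLY = {"name": "TLS 1.2-only client", "highest_protocol": 0x0303, "hello": build_client_hello([0x0303, 0x0302])}
```

Running `inconsistent_entries()` over a data file's entries is a quick sanity check that a highest_protocol value is never lower than what the stored ClientHello advertises.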
Certificate stores

The certificate stores were retrieved by

- Mozilla; see https://curl.haxx.se/docs/caextract.html
- Linux: Just copied from an up-to-date Linux machine
- Microsoft: The following command pulls all certificates from Windows Update services (see also http://aka.ms/RootCertDownload, https://technet.microsoft.com/en-us/library/dn265983(v=ws.11).aspx#BKMK_CertUtilOptions): `CertUtil -syncWithWU -f -f .`
- Apple: It comes from the Apple OS X Keychain app. Open the Keychain Access utility, i.e. in the Finder window, under Favorites --> "Applications" --> "Utilities" (or perform a Spotlight search for Keychain Access) --> "Keychain Access" (double click). In that window --> "Keychains" --> "System" --> "Category" --> "All Items". Select all CA certificates except for Developer ID Certification Authority, then "File" --> "Export Items".

In this directory you can also save e.g. your company Root CA(s) in PEM format, extension `pem`. This has two catches momentarily: you will still get a warning for the other certificate stores while scanning internal networks. Second catch: if you scan other hosts in the internet, the check against your Root CA will fail, too. This will be fixed in the future, see #230.

Further needed files

- `tls_data.txt` contains lists of cipher suites and private keys for sockets-based tests
- `cipher-mapping.txt` contains information about all of the cipher suites defined for SSL/TLS
- `ca_hashes.txt` is used for the HPKP test in order to have a fast comparison with known CAs. Use `~/utils/create_ca_hashes.sh` for an update
- `common-primes.txt` is used for LOGJAM
- `client-simulation.txt`, as the name indicates, is the data for the client simulation. Use `~/utils/update_client_sim_data.pl` for an update. Note: this list has been manually edited to sort it and weed it out.