Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/chromium/badssl.com

:lock: Memorable site for testing clients against bad SSL configs.
https://github.com/chromium/badssl.com

browser chrome https mitm nginx python rcpp security sha1 ssl testing tls

Last synced: 2 months ago
JSON representation

:lock: Memorable site for testing clients against bad SSL configs.

Lists

README 

        


  




Visit [`badssl.com`](https://badssl.com/) for a list of test subdomains, including:



- [`self-signed.badssl.com`](https://self-signed.badssl.com)

- [`expired.badssl.com`](https://expired.badssl.com)

- [`mixed.badssl.com`](https://mixed.badssl.com)

- [`rc4.badssl.com`](https://rc4.badssl.com)

- [`hsts.badssl.com`](https://hsts.badssl.com)



## Server Setup



Stock Ubuntu VM, DNS A records for `badssl.com.` and `*.badssl.com.` pointing to the VM.



### Testing and development



1. Follow the instructions to [install Docker.](https://www.docker.com/get-docker)

2. Clone into the badssl repo by running `git clone https://github.com/chromium/badssl.com && cd badssl.com`.

3. In order to access the various badssl subdomains locally you will need to add them to your [system hosts file](https://bencane.com/2013/10/29/managing-dns-locally-with-etchosts/). Run `make list-hosts` and copy and paste the output into `/etc/hosts`.

4. Start Docker by running `make serve`.

5. You can now navigate to `badssl.test` in your browser, and you should see a certificate error.

6. The badssl root certificate is at `certs/sets/test/gen/crt/ca-root.crt`. In order to get the rest of the badssl subdomains working, you will need to add this to your machine's list of trusted certificates.

    - On `macOS`, drag `certs/sets/test/gen/crt/ca-root.crt` into the login section of the program Keychain Access. A BadSSL Root Certificate Authority entry should appear in the list. Double-click on this entry and select "Always Trust" from the drop-down menu next to "Secure Sockets Layer (SSL)." Close the window to save your changes.



      If you are already familiar with this process, you can instead run this command:



      ```sh

      security add-trusted-cert -r trustRoot -p ssl \

        -k "$HOME/Library/Keychains/login.keychain" certs/sets/test/gen/crt/ca-root.crt

      ```



7. In order to preserve the client and root certificates even after running `make clean`, run:



```sh

cd certs/sets/test

mkdir -p pregen/crt pregen/key

cp gen/crt/ca-root.crt pregen/crt/ca-root.crt

cp gen/crt/client.crt pregen/crt/client.crt

cp gen/crt/client-ca-root.crt pregen/crt/client-ca-root.crt

cp gen/key/ca-root.key pregen/key/ca-root.key

cp gen/key/client.key pregen/key/client.key

cp gen/key/client-ca-root.key pregen/key/client-ca-root.key

```



## Acknowledgments



badssl.com is hosted on Google Cloud infrastructure and co-maintained by:



- [April King](https://github.com/april), Mozilla Firefox

- [Lucas Garron](https://github.com/lgarron), formerly Google Chrome

- [Chris Thompson](https://github.com/christhompson), Google Chrome



Several public badssl.com certificates required special issuance processes. Most certificates were graciously issued for free, thanks to help from:



- [Vincent Lynch](https://twitter.com/vtlynch), [The SSL Store](https://www.thesslstore.com/) (`sha1-2016`, `sha1-2017`)

- [Richard Barnes](https://twitter.com/rlbarnes), Mozilla (`1000-sans`, `10000-sans`)

- [Clint Wilson](https://twitter.com/clintw_), [DigiCert](https://www.digicert.com/) (most wildcards)

- [Andrew Ayer](https://github.com/agwa), [SSLMate](https://sslmate.com/) (`invalid-expected-sct`)

- [Rob Stradling](https://github.com/robstradling), [Comodo](https://www.comodo.com/) (`1000-sans`, `10000-sans`, `no-subject`, `no-common-name`, `sha1-intermediate`, `ѕрооғ`)



Various subdomains and test pages are also implemented by [external contributors](https://github.com/chromium/badssl.com/graphs/contributors).



## Disclaimer



`badssl.com` is meant for *manual* testing of security UI in web clients.



Most subdomains are likely to have stable functionality, but anything *could* change without notice. If you would like a documented guarantee for a particular use case, please file an issue. (Alternatively, you could make a fork and host your own copy.)



badssl.com is not an official Google product. It is offered "AS-IS" and without any warranties.