15 comments

[ 2.0 ms ] story [ 52.1 ms ] thread
Would love a tool that checks your website for these problems.
(comment deleted)
I use sslcheck for this. https://pypi.org/project/sslcheck/

Badssl is good to see how clients react to a badly configured certificate, which is a different thing from checking whether your certificate or web site are badly configured.

(comment deleted)
(comment deleted)
(comment deleted)
One thing they don't cover is name constraints; There's a bunch of ways that they can fail, and some surprising ways they don't - The default is permit all, so if you have a Web CA with name constraints, you should remember to add poison-pill constraints for e-mail addresses as well.

It's of course not super easy for badssl to show such - They'd need an intermediate cert of their own, or close cooperation with a CA, but IRSG should definitely do so.