A server that serves up various bad (and good) TLS certificates and configurations for the sake of testing.

• Domains
• Running Locally
• Installing
• Generating New Certificates

Various "good" configurations:

• domain-match.badtls.io:10000
• wildcard-match.badtls.io:10001
• san-match.badtls.io:10002
• required-auth.badtls.io:10003
• optional-auth.badtls.io:10004
• dh1024.badtls.io:10005
• no-san.badtls.io:10006

Various "bad" configurations:

• expired-1963.badtls.io:11000
• future.badtls.io:11001
• domain-mismatch.badtls.io:11002
• san-mismatch.badtls.io:11003
• weak-sig.badtls.io:11004
• bad-key-usage.badtls.io:11005
• expired.badtls.io:11006
• wildcard.mismatch.badtls.io:11007
• rc4.badtls.io:11008
• rc4-md5.badtls.io:11009

In order to properly test TLS connections, the CA certificate used for the various domains will need to be added to the trust store/list used by the code or application being tested.

The CA certificate is located at certs/ca.crt.

To use the certificates for testing, nginx must be installed. All of the domains run on non-privileged ports for ease-of-use.

To start nginx, execute:

bash ./scripts/local.sh

To install the nginx configuration, web files and certificates on a server, invoke the following command:

python scripts/install.py {nginx_conf_dir} {nginx_ssl_dir} {wwwroot_dir}

• {nginx_conf_dir} should be a folder to copy the badtls.conf file into
• {nginx_ssl_dir} should be a folder in which to create a subfolder named badtls_certs, which will contain all certificates, keys and related files
• {wwwroot_dir} should be a folder in which to create a subfolder named badtls_wwwroot which will contain the webfiles

The values provided will be used to customize the badtls.conf file. All that is necessary will be to add an include directive into the main nginx.conf:

http {
    ...

    include  relative/path/to/badtls.conf;
}

By default, the install script will not overwrite existing files/directories. To have existing files and folders replaced, add the overwrite parameter to the arguments:

python scripts/install.py overwite {nginx_conf_dir} {nginx_ssl_dir} {wwwroot_dir}

Additionally, socat will need to be configured to run on port 10003 using the configuration from scripts/local.sh. This allows proper testing of a host requiring client certificates. Unfortunately nginx does not allow requiring certificates at the TLS protocol level.

New certificates and keys can be generated if you wish to run your own instance of the domains.

Python 2.6, 2.7 or 3.2+ with the following packages:

• asn1crypto
• oscrypto
• certbuilder
• crlbuilder

The simplest way to install them is:

pip install certbuilder crlbuilder

To generate all keys and certificates, execute the following, replacing {domain} with the domain name you with to use:

python scripts/generate.py {domain}

If only domain certs need to be regenerated, use:

python scripts/generate.py --regen-certs {domain}