This repository was archived by the owner on Jul 21, 2025. It is now read-only.
mozilla-xxx.badssl.com servers are not compliant with current Mozilla profile #483
Open
Description
The mozilla-xxx.badssl.com servers used to test Mozilla compliance are not actually compliant with the latest Mozilla profile, which is version 5.6.
This was tested using SSLyze version 5.0.0.
For mozilla-old.badssl.com:
mozilla-old.badssl.com:443: FAILED - Not compliant with Mozilla's "old" configuration.
* maximum_certificate_lifespan: Certificate life span is 785 days, should be less than 366.
* ciphers: Cipher suites {'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA', 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA', 'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA', 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_DHE_RSA_WITH_SEED_CBC_SHA', 'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA', 'TLS_RSA_WITH_SEED_CBC_SHA'} are supported, but should be rejected.
For mozilla-intermediate.badssl.com:
mozilla-intermediate.badssl.com:443: FAILED - Not compliant with Mozilla's "intermediate" configuration.
* maximum_certificate_lifespan: Certificate life span is 785 days, should be less than 366.
* tls_versions: TLS versions {'TLSv1.1', 'TLSv1'} are supported, but should be rejected.
* ciphers: Cipher suites {'TLS_RSA_WITH_AES_128_GCM_SHA256', 'TLS_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', 'TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384'} are supported, but should be rejected.
For mozilla-modern.badssl.com:
mozilla-modern.badssl.com:443: FAILED - Not compliant with Mozilla's "modern" configuration.
* maximum_certificate_lifespan: Certificate life span is 785 days, should be less than 90.
* certificate_types: Deployed certificate types are {'rsa'}, should have at least one of {'ecdsa'}.
* certificate_signatures: Deployed certificate signatures are {'sha256WithRSAEncryption'}, should have at least one of {'ecdsa-with-SHA512', 'ecdsa-with-SHA256', 'ecdsa-with-SHA384'}.
* tls_versions: TLS versions {'TLSv1.2'} are supported, but should be rejected.
* ciphers: Cipher suites {'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'} are supported, but should be rejected.
Thanks for maintaining badssl.com btw - it is immensely helpful 👌.
janbrasna
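One way to turn compliance output like the report above into structured data, so findings can be compared across hosts or between scans. This is an added example, not part of the original issue or of SSLyze; the function names are hypothetical and the sample is constructed from lines of the report with the cipher list shortened.

```python
import re

# Constructed sample: lines copied from the report above, cipher list shortened.
SAMPLE = """\
mozilla-old.badssl.com:443: FAILED - Not compliant with Mozilla's "old" configuration.
* maximum_certificate_lifespan: Certificate life span is 785 days, should be less than 366.
* ciphers: Cipher suites {'TLS_RSA_WITH_SEED_CBC_SHA', 'TLS_DHE_RSA_WITH_SEED_CBC_SHA'} are supported, but should be rejected.
mozilla-modern.badssl.com:443: FAILED - Not compliant with Mozilla's "modern" configuration.
* maximum_certificate_lifespan: Certificate life span is 785 days, should be less than 90.
* certificate_types: Deployed certificate types are {'rsa'}, should have at least one of {'ecdsa'}.
* tls_versions: TLS versions {'TLSv1.2'} are supported, but should be rejected.
"""

HEADER = re.compile(r'^(\S+):(\d+): FAILED - Not compliant with Mozilla\'s "(\w+)" configuration\.$')
FINDING = re.compile(r"^\*\s+(\w+): (.+)$")
LIFESPAN = re.compile(r"life span is (\d+) days, should be less than (\d+)")

def parse_detail(detail):
    """Turn one finding's message into structured data."""
    if m := LIFESPAN.search(detail):
        return {"days": int(m[1]), "limit": int(m[2])}
    # First {...} set: what the server offers. Second, if any: what was expected.
    sets = [sorted(re.findall(r"'([^']+)'", s)) for s in re.findall(r"\{([^}]*)\}", detail)]
    return {"found": sets[0] if sets else [], "expected": sets[1] if len(sets) > 1 else None}

def parse_report(text):
    """Return {host: {"profile": name, "findings": {check: detail}}}."""
    report, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := HEADER.match(line):
            current = report[m[1]] = {"profile": m[3], "findings": {}}
        elif current is not None and (m := FINDING.match(line)):
            current["findings"][m[1]] = parse_detail(m[2])
    return report

def failing_everywhere(report):
    """Checks that fail on every scanned host (for example, a shared certificate)."""
    per_host = [set(h["findings"]) for h in report.values()]
    return sorted(set.intersection(*per_host)) if per_host else []

if __name__ == "__main__":
    parsed = parse_report(SAMPLE)
    for host, data in parsed.items():
        print(host, data["profile"], sorted(data["findings"]))
    print("fails on all hosts:", failing_everywhere(parsed))
```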