koichirok/badssl.com

:lock: Memorable site for testing clients against bad SSL configs.

Visit badssl.com for a list of test subdomains, including:

• self-signed.badssl.com
• expired.badssl.com
• mixed.badssl.com
• rc4.badssl.com
• hsts.badssl.com

Server Setup

Stock Ubuntu VM, DNS A records for badssl.com. and *.badssl.com. pointing to the VM.

Testing and development

1. Follow the instructions to install Docker.

2. Clone into the badssl repo by running git clone https://github.com/chromium/badssl.com && cd badssl.com.

3. In order to access the various badssl subdomains locally you will need to add them to your system hosts file. Run make list-hosts and copy and paste the output into /etc/hosts.

4. Start Docker by running make serve.

5. You can now navigate to badssl.test in your browser, and you should see a certificate error.

6. The badssl root certificate is at certs/sets/test/gen/crt/ca-root.crt. In order to get the rest of the badssl subdomains working, you will need to add this to your machine's list of trusted certificates.

   • On macOS, drag certs/sets/test/gen/crt/ca-root.crt into the login section of the program Keychain Access. A BadSSL Root Certificate Authority entry should appear in the list. Double-click on this entry and select "Always Trust" from the drop-down menu next to "Secure Sockets Layer (SSL)." Close the window to save your changes.

     If you are already familiar with this process, you can instead run this command:

     security add-trusted-cert -r trustRoot -p ssl \
       -k "$HOME/Library/Keychains/login.keychain" certs/sets/test/gen/crt/ca-root.crt

7. In order to preserve the client and root certificates even after running make clean, run:

cd certs/sets/test
mkdir -p pregen/crt pregen/key
cp gen/crt/ca-root.crt pregen/crt/ca-root.crt
cp gen/crt/client.crt pregen/crt/client.crt
cp gen/crt/client-ca-root.crt pregen/crt/client-ca-root.crt
cp gen/key/ca-root.key pregen/key/ca-root.key
cp gen/key/client.key pregen/key/client.key
cp gen/key/client-ca-root.key pregen/key/client-ca-root.key

Acknowledgments

badssl.com is hosted on Google Cloud infrastructure and co-maintained by:

• April King, Mozilla Firefox
• Lucas Garron, formerly Google Chrome
• Chris Thompson, Google Chrome

Several public badssl.com certificates required special issuance processes. Most certificates were graciously issued for free, thanks to help from:

• Vincent Lynch, The SSL Store (sha1-2016, sha1-2017)
• Richard Barnes, Mozilla (1000-sans, 10000-sans)
• Clint Wilson, DigiCert (most wildcards)
• Andrew Ayer, SSLMate (invalid-expected-sct)
• Rob Stradling, Comodo (1000-sans, 10000-sans, no-subject, no-common-name, sha1-intermediate, ѕрооғ)

Various subdomains and test pages are also implemented by external contributors.

Disclaimer

badssl.com is meant for manual testing of security UI in web clients.

Most subdomains are likely to have stable functionality, but anything could change without notice. If you would like a documented guarantee for a particular use case, please file an issue. (Alternatively, you could make a fork and host your own copy.)

badssl.com is not an official Google product. It is offered "AS-IS" and without any warranties.