whatsmychaincert

Support for STARTTLS based services

Open BenBE opened this issue 10 years ago • 3 comments

Please implement support for testing STARTTLS based services.

BenBE avatar Aug 25 '15 18:08 BenBE

This would be nice, but it's low priority: STARTTLS is annoying to implement because it's intertwined with the application protocol, and whatsmychaincert is mainly focused on the browser use-case which doesn't use STARTTLS.

AGWA avatar Aug 28 '15 09:08 AGWA

Sure. BTW: There is an RFC for STARTTLS with HTTP: https://tools.ietf.org/html/rfc2817 - It's just hardly ever implemented ;-)

Also a word on STARTTLS: Most services can be supported by sending a more or less dumb request prior to the TLS handshake. The most complicated case I've seen was SMTP with two required checks (EHLO response containing STARTTLS + response on STARTTLS command) to boot properly. In contrast, MySQL and XMPP are static with regard to STARTTLS bootup. For implementation hints you might want to take a look into my SSL test.

BenBE avatar Aug 28 '15 12:08 BenBE
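The SMTP case described above (check that the EHLO reply advertises STARTTLS, then check the reply to the STARTTLS command, and only then start the TLS handshake on the same socket) as an added, stand-alone example; this is not code from whatsmychaincert or from BenBE's ssltest. It parses multi-line SMTP replies properly (a `250-` line continues the reply, `250 ` ends it), and the `FakeTransport` and `SMTP_TRANSCRIPT` below are constructed test data so the prelude can be exercised offline. The `ehlo_name` default is an arbitrary placeholder hostname.

```python
import re
import socket
import ssl


class StartTLSError(Exception):
    """Raised when the plaintext prelude does not end in a state where TLS may start."""


def read_smtp_reply(transport):
    """Read one full SMTP reply. Returns (code, [text lines]).

    Per RFC 5321, continuation lines look like '250-text' and the final line like '250 text';
    every line of one reply must carry the same 3-digit code.
    """
    code, text = None, []
    while True:
        raw = transport.readline()
        if not raw:
            raise StartTLSError("connection closed during SMTP prelude")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        m = re.match(r"^(\d{3})([ -])(.*)$", line)
        if not m:
            raise StartTLSError(f"malformed SMTP reply line: {line!r}")
        this_code, sep, rest = m.groups()
        if code is None:
            code = this_code
        elif this_code != code:
            raise StartTLSError(f"reply code changed mid-reply: {line!r}")
        text.append(rest)
        if sep == " ":           # final line of this reply
            return int(code), text


def smtp_starttls_prelude(transport, ehlo_name="chaincheck.example"):
    """Drive the plaintext SMTP dialogue up to the point where the TLS handshake may begin.

    Two checks are required, as the thread notes: the EHLO reply must list STARTTLS, and the
    STARTTLS command must be answered with 220. Returns the set of advertised EHLO keywords.
    """
    code, _ = read_smtp_reply(transport)                     # server greeting
    if code != 220:
        raise StartTLSError(f"unexpected greeting code {code}")
    transport.write(f"EHLO {ehlo_name}\r\n".encode("ascii"))
    code, lines = read_smtp_reply(transport)
    if code != 250:
        raise StartTLSError(f"EHLO rejected with code {code}")
    # First EHLO line is the server's domain, the rest are capability keywords.
    caps = {l.split()[0].upper() for l in lines[1:] if l.strip()}
    if "STARTTLS" not in caps:
        raise StartTLSError("server does not advertise STARTTLS")
    transport.write(b"STARTTLS\r\n")
    code, _ = read_smtp_reply(transport)
    if code != 220:
        raise StartTLSError(f"STARTTLS refused with code {code}")
    # Do NOT read anything further here: the next bytes on the wire are the TLS ClientHello.
    return caps


def smtp_starttls_connect(host, port=25, timeout=10):
    """Open a TCP connection, run the prelude, then upgrade the same socket to TLS."""
    sock = socket.create_connection((host, port), timeout=timeout)
    # Unbuffered raw file object: nothing may be buffered ahead of the TLS handshake.
    transport = sock.makefile("rwb", buffering=0)
    smtp_starttls_prelude(transport)
    ctx = ssl.create_default_context()
    return ctx.wrap_socket(sock, server_hostname=host)   # chain is verified here


class FakeTransport:
    """Constructed in-memory stand-in for the socket file object, for offline testing."""

    def __init__(self, server_lines):
        self.lines = list(server_lines)
        self.sent = []

    def readline(self):
        return self.lines.pop(0) if self.lines else b""

    def write(self, data):
        self.sent.append(data)


# Constructed transcript of a server that advertises STARTTLS (not a real capture).
SMTP_TRANSCRIPT = [
    b"220 mail.example.com ESMTP ready\r\n",
    b"250-mail.example.com Hello chaincheck.example\r\n",
    b"250-SIZE 35882577\r\n",
    b"250-STARTTLS\r\n",
    b"250 8BITMIME\r\n",
    b"220 2.0.0 Ready to start TLS\r\n",
]


def demo():
    """Run the prelude against the constructed transcript; returns (caps, bytes sent)."""
    t = FakeTransport(SMTP_TRANSCRIPT)
    return smtp_starttls_prelude(t), t.sent


if __name__ == "__main__":
    print(demo())
```

For a real target, `smtp_starttls_connect("mail.example.com", 587)` returns the TLS-wrapped socket, and `getpeercert()` on it gives the leaf certificate for a chain check; a server that only offers a `250` without `STARTTLS`, or answers the command with anything but `220`, raises `StartTLSError` before any handshake is attempted.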

For reference: https://github.com/benbe/ssltest/blob/master/src/de/dogcraft/ssltest/tests/STARTTLS.java

Indeed, that doesn't look awful. I thought XMPP would be worse. Though IIRC the XMPP STARTTLS support in OpenSSL's s_client was broken for a while, so there must be something tricky about it.

Thank goodness STARTTLS with HTTP never caught on!

AGWA avatar Aug 28 '15 20:08 AGWA