For the lazy… My stock Firefox 26 (current stable) failed until I set security.tls.version.max to 3 and security.ssl3.rsa_fips_des_ede3_sha to false (in about:config)
That’s interesting. Just to contrast, I’m using Firefox Nightly 29.0a1 (2014-01-06), and it passes with the default security config. It’s good to see that Mozilla is being proactive then. I wonder when these defaults were changed.
It looks like they changed in Firefox 27, but I’m still on 26 and can’t confirm for sure.
This looks like a reasonable quick rating of SSL clients. If you’d like to test an SSL server, the canonical tool is Qualys SSL Labs https://www.ssllabs.com/.
Since it looks like this is targeted at non-browser clients, it’s worth noting that this won’t test the most common SSL mistake: not validating server certificates. Many HTTPS libraries won’t validate certificates by default for compatibility / since maintaining lists of CAs is hard, making it trivial to man-in-the-middle such applications.
The examples from this 2012 paper “The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software” are a great read: https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
And by great, I mean terrifying.
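An added example (not from this thread or from the linked paper) of the two checks the comment above says non-browser clients commonly skip: chain verification and hostname matching. The first part shows the "verification off for compatibility" pattern next to a hardened Python ssl context and an audit helper that flags the dangerous settings; the second part goes a step beyond the comment and implements the RFC 6125 hostname-matching rules (wildcard only as the whole leftmost label, IP literals only against an iPAddress SAN, commonName only when no dNSName SAN exists) over certificate dicts in the shape ssl.getpeercert() returns. The function names are mine, and the certificate dicts are constructed sample data.

```python
from __future__ import annotations

import ipaddress
import ssl

# --- Part 1: what "not validating server certificates" looks like in code ---


def legacy_context() -> ssl.SSLContext:
    """The shape of the mistake: verification switched off 'for compatibility'.
    Any certificate, self-signed or issued for a different host, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can drop to CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Chain verification against the system CA store plus hostname checking."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the settings that let a client be silently man-in-the-middled."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode=CERT_NONE: the server's certificate chain is never checked")
    if not ctx.check_hostname:
        findings.append("check_hostname=False: a valid certificate for any other name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2")
    return findings


# --- Part 2: hostname matching per RFC 6125 over getpeercert()-shaped dicts ---


def _dns_pattern_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a wildcard that is the entire leftmost label of a name
    with at least two more labels ('*.example.com', never '*' or 'w*.example.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):   # wildcard covers exactly one label
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def _ip_equal(candidate: str, ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    try:
        return ipaddress.ip_address(candidate) == ip
    except ValueError:
        return False


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if `cert` (dict as returned by ssl.SSLSocket.getpeercert()) is valid for `hostname`."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]
    if ip is not None:
        # An IP literal may only match an iPAddress SAN, never a dNSName or the CN.
        return any(_ip_equal(v, ip) for v in ip_names)
    if dns_names:
        return any(_dns_pattern_matches(p, hostname) for p in dns_names)
    # Legacy fallback: commonName is consulted only when the cert has no dNSName SAN at all.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_pattern_matches(value, hostname)
    return False


# Constructed sample certificates (not real certificates), in getpeercert() dict shape.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("IP Address", "203.0.113.7")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.net"),),)}
CN_MISMATCH_CERT = {
    "subject": ((("commonName", "victim.example"),),),
    "subjectAltName": (("DNS", "other.example"),),
}

if __name__ == "__main__":
    print("legacy context findings:", audit_client_context(legacy_context()))
    print("hardened context findings:", audit_client_context(hardened_context()))
    print("www.example.com vs wildcard cert:", hostname_matches(WILDCARD_CERT, "www.example.com"))
```

The audit helper is the quick check to run against whatever context a library hands you: Python's own http.client was one of the libraries that accepted any certificate until PEP 476 turned verification on by default (2.7.9 and 3.4.3), and third-party wrappers that build their own SSLContext can still reintroduce the legacy pattern.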