SUPPORTS_OCSP_STAPLING and SUPPORTS_TLS13_SESSION_TICKETS missing from JSON output
SUPPORTS_OCSP_STAPLING is no longer included in the JSON output. The guideline report says that SUPPORTS_OCSP wasn't tested yet.
"checkName": "Certificates shall be issued by CA that publishes revocation information in OCSP responses",
"adherence": "CHECK_FAILED",
"hint": null,
"property": "SUPPORTS_OCSP",
"expectedResult": {
    "type": "TestResults",
    "value": "TRUE"
},
"actualResult": {
    "type": "TestResults",
    "value": "NOT_TESTED_YET"
}
However, the certificateReportList in CERTIFICATE_CHAINS[value] clearly states that OCSP stapling is not supported:
"weakDebianKey": null,
"issuer": "C=US O=DigiCert Inc CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1",
"x509SignatureAlgorithm": "SHA256_WITH_RSA_ENCRYPTION",
"signatureAlgorithm": "RSA_PKCS1",
"namedCurve": null,
"hashAlgorithm": "SHA256",
"extendedValidation": null,
"certificateTransparency": null,
"ocspMustStaple": null,
"crlSupported": null,
"ocspSupported": false, <<<<<<<<<<<<<<
"revoked": null,
Further, SUPPORTS_TLS13_SESSION_TICKETS is missing from the JSON output.
We temporarily removed OCSP support. We switched our ASN.1 and X.509 implementation to our own, which does not support X.509 extensions yet; we will re-add it once we can. That the property is still false is due to insufficient removal:
https://github.com/tls-attacker/TLS-Scanner-Development/blob/37cb506fff18535555197a9239fab4d9af7861ab/TLS-Scanner-Core/src/main/java/de/rub/nds/tlsscanner/core/probe/certificate/CertificateReportGenerator.java#L153
This should set it to false instead.
Regarding the session tickets, I think we replaced this property with:
ISSUES_TLS13_SESSION_TICKETS_AFTER_HANDSHAKE,
ISSUES_TLS13_SESSION_TICKETS_WITH_APPLICATION_DATA
@XoMEX is that correct?