RFC: What should the rating for #STARTTLS be like?
@testssl yeah this seems to support my argument. If a server offers SSL 1.0 and TLS 1.3 you should give it a good rating if you want to follow the "client issue" stance because it's a client issue when SSL is used and modern browsers won't connect, right?
Or you can give it a bad rating because it offers bad options, and in that case you should also do this for STARTTLS. As you know, implementations are often flawed and it won't happen with direct TLS.
Anything else seems inconsistent to me.