testssl.sh 


Fled from the birdsite to a separate account.

Toots mostly in EN about testssl.sh and related stuff.

main web site: https://testssl.sh
Github: https://testssl.sh/dev

it seems someone decided to prove you really can just publish any nonsense protocol draft with the IETF https://www.ietf.org/archive/id/draft-meow-mrrp-00.html

I reported an insecure DKIM key to Deutsche Telekom / T-Systems. They first asked me to further explain things (not sure why 'Here's your DKIM private key' needs more explanation, but whatever...). Then they told me it's out of scope for their bugbounty.

I guess then there's really no reason not to tell you: They have a 384 bit RSA DKIM key configured at: dkim._domainkey.t-systems.nl

384 bit RSA is... how shall I put it? I think 512 bit is the lowest RSA key size that was ever really used. 384 bit RSA is crackable in a few hours on a modern PC (using cado-nfs). The private key is:

#OpenSSL 4.0 has been released!

And the busy bee dcooper16 made some adjustments to #testssl.sh - syntax when using OpenSSL 4.0 with testssl.sh. And features like curveSM2 and curveSM2MLKEM768.

https://github.com/openssl/openssl/blob/openssl-4.0/CHANGES.md#changes-between-36-and-400-14-apr-2026


TL;DR: OpenSSH has since version 9.0 PQC kx enabled. Use it!

You might want to check the key exchange algos for SSH, if you had hardened them on the client or server side like years back -- unless you want your ssh sessions to be vulnerable to "store now, decrypt later" attacks.

Only newer #OpenSSH clients (>10.1) issue a warning if the kx is not #PQC safe.

https://www.openssh.org/pq.html

(ssh -v , look for "kex: algorithm ")
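
The check described in the post above, as an added example that is not part of the original post: it pulls the negotiated algorithm out of `ssh -v` output and tests a hardened `KexAlgorithms` list. The function names and sample log lines are constructed here; the hybrid kex names are the ones OpenSSH ships.

```shell
#!/bin/sh
# Added example (not from the original post): is an SSH key exchange PQ-safe?

# Hybrid post-quantum kex names shipped by OpenSSH.
is_pq_kex() {
    case "$1" in
        sntrup761x25519-sha512|sntrup761x25519-sha512@openssh.com|mlkem768x25519-sha256)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# Read `ssh -v` debug output on stdin, print the negotiated kex algorithm.
negotiated_kex() {
    sed -n 's/^debug1: kex: algorithm: \([^[:space:]]*\).*$/\1/p' | head -n 1
}

# Verdict for one debug log on stdin.
# Exit status: 0 = hybrid PQ kex, 1 = classical kex, 2 = no kex line found.
check_kex_log() {
    kex=$(negotiated_kex)
    if [ -z "$kex" ]; then
        echo "UNKNOWN no 'kex: algorithm' line found"
        return 2
    fi
    if is_pq_kex "$kex"; then
        echo "OK $kex"
        return 0
    fi
    echo "WEAK $kex (no post-quantum component)"
    return 1
}

# True if a comma-separated KexAlgorithms list (the "kexalgorithms" line of
# `ssh -G host` or `sshd -T`) still offers at least one hybrid PQ kex.
list_offers_pq_kex() {
    for alg in $(printf '%s' "$1" | tr ',' ' '); do
        is_pq_kex "$alg" && return 0
    done
    return 1
}

# Constructed sample debug output (not captured from a real host).
SAMPLE_PQ='debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: mlkem768x25519-sha256
debug1: kex: host key algorithm: ssh-ed25519'
SAMPLE_CLASSIC='debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519'
```

Against a live host, pipe the debug output in: `ssh -v user@host exit 2>&1 | check_kex_log`.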

**Short-term action required: replacement of TLS certificates from D-Trust GmbH**

D-Trust GmbH is replacing, at short notice, TLS website certificates that were issued between 15.03.2025 and 02.04.2026, 10:45. These certificates lose their validity as early as Monday, 06.04.2026, 17:00, and can no longer be used from that point on! [1/x]

Feisty Duck's Newsletter sheds some light onto Merkle Tree Certificates and their complexity.

Also there's some little background information about why Google recently scared us wrt quantum computer breakthrough.

https://www.feistyduck.com/newsletter/issue_135_web_pki_reimagined_with_merkle_tree_certificates


Also, it was time to release a snapshot of the 3.3dev branch which stabilized well enough and has a good set of features to be released.

https://github.com/testssl/testssl.sh/releases/tag/v3.3dev-snapshot-2602

Enjoy && eat the meal while it's hot ;-)

Small version bump: 3.2.3 for the old branch of testssl.sh was just released

https://github.com/testssl/testssl.sh/releases/tag/v3.2.3

Get it while it's hot ;-)

RFC: What should the rating for #STARTTLS be like?

https://github.com/testssl/testssl.sh/issues/2987