I’m building a service with HTTPS callbacks and I’m wondering if there is a “badssl equivalent” library that I can use to make sure that the errors and logs I generate, if one of my customers fails to set up SSL correctly, are correct and meaningful.
I suppose I could reach out to badssl in local testing or CI, but I feel like that’s “being a bad citizen”. Are there others in my situation, and what do people do?
Alternatively if no such thing exists, maybe we should build one?
I’ve used badssl in the past but switched to generating local CAs and certificates, and then trusting the former (or not trusting, when that’s the case being tested).
I choose large time spans (-5, +50y) and commit the certificates and keys to the repo, in the hope that either that’s long enough for my project to become irrelevant or for a more robust approach to be found.
I use OpenSSL and faketime for this.
In case it helps you, feel free to copy/modify my Makefiles; it’s just boilerplate:
(And to give credit where credit is due, @voltone’s blog motivated me to do so in the first place. [Thank you!] I don’t know the libraries he suggested, but they’re very likely more wieldy than generating the stuff using make.)
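The local-CA approach described in this post, as an added shell example (not the poster’s Makefiles): it generates a throwaway CA and a leaf certificate with OpenSSL, backdates them through faketime when that is installed, and then checks that the leaf verifies only against the CA that signed it, which is the “trusting / not trusting” case. The hostname, file names and validity figures are assumptions for the example.

```shell
#!/bin/sh
# Added example, not the poster's Makefiles: create a throwaway local CA and a
# leaf certificate with OpenSSL, backdating via faketime when it is available,
# then check that the leaf verifies only against the CA that actually signed it.
# Names, paths and the hostname are constructed for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DAYS=20075   # about 55 years, so a cert backdated 5 years stays valid ~50 years
HOST="callback.example.test"

# Run a command with the clock shifted back five years if faketime is installed;
# otherwise run it as-is (notBefore is then simply "now").
backdate() {
  if command -v faketime >/dev/null 2>&1; then
    faketime -f "-1825d" "$@"
  else
    "$@"
  fi
}

# Self-signed CA: $1 is the output basename (ca or other), $2 the subject CN.
gen_ca() {
  backdate openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$DAYS" \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Leaf certificate for $HOST signed by $WORK/ca.crt, with a SAN so that the
# hostname check in modern clients passes.
gen_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$HOST" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/leaf.ext"
  backdate openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days "$DAYS" -sha256 \
    -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
}

# Exit status 0 when leaf.crt chains to the trust store in $1, non-zero otherwise.
verify_with() {
  openssl verify -CAfile "$1" "$WORK/leaf.crt" >/dev/null 2>&1
}

gen_ca ca "Local Test CA"
gen_ca other "Unrelated Test CA"   # stands in for a client that does not trust our CA
gen_leaf
verify_with "$WORK/ca.crt"    && echo "trusted CA:   leaf verifies"
verify_with "$WORK/other.crt" || echo "untrusted CA: leaf rejected, as expected"
```

Point a client under test at `$WORK/ca.crt` (or at `$WORK/other.crt` for the failure path) to exercise its error reporting without contacting badssl.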
The library that @voltone pointed out is authored by him and is (I think) the canonical library for certificate work at a usable abstraction level in Elixir. I think they are eminently approachable as one strategy for this kind of work.
I was kind of hoping that @voltone would show up in this thread! (Bram is why I know about badssl in the first place.) Bram, thank you so much for those libs. I’d used the x509 lib before, but didn’t know the test libs were a thing! So I guess now at least one person will be using it.