I have always maintained a set of echo HTTP(S) services for testing various things. You can always count on your own service to be up when you need it. At some point, I added variants to test different TLS versions and NGINX configurations, including SSL curve configurations.
These all terminate TLS at the NGINX reverse proxy, with a simple NodeJS application server in the backend. It echoes useful things like headers, query parameters, and so on. I try to keep these up all of the time for my own testing, but don't count on them being up for some long lived service.
A standard echo service is great for many things like quickly getting your
external IP, and to test for external internet reachability. I've used this
over the years for multiple purposes -- simply curl and pipe to jq
for processing. You can quickly see if certain headers are being passed as
expected, query parameters, form-fields, or if the site is reachable at all. In
example, if you're writing a http-request library, you can hit this endpoint,
and ensure that your query parameters are coming through as expected. If not,
something is likely wrong in your library. There are numerous similar services,
but for my own work over the years, this has been useful.
As for the TLS variants, I've used these in the past to ensure that the certain older HTTP-clients cannot be downgraded into using insecure ciphers. I've also used these to test the behavior of NGINX's TLS configurations, to see if a setting behaves the way I expect it to behave.
You can enumerate the the server supported certificates using good old nmap like so:
nmap --script ssl-enum-ciphers echo-tls-1-3.fahmidur.com -p 443
You can also test out the behavior of connecting with an insecure client using openssl s_client like so:
openssl s_client -connect echo-tls-1-3.fahmidur.com:443 -tls1_1
You see that, when we attempt to connect to a TLSv1.3 server, we get a failure, this is the expected result.
CONNECTED(00000003) 40F76ADDD8750000:error:0A0000BF:SSL routines:tls_setup_handshake:no protocols available:../ssl/statem/statem_lib.c:104: ...
A stricter HTTPS server comes at the cost of compatibility with the set of clients that connect to it. You can create a very strict server, but you will almost certainly prevent older clients from being able to connect to your server. This is part of the constant search for balance between security and usability.
Some more details to follow about the specific ciphers in use in the near future.
Some people are also interested in whether or not they are using a quantum-safe or post-quantum algorithm. As futuristic as it may sound, this stuff is available now and it's currently in use. Hybrid post-quantum schemes are currently available in major browsers like Chrome and Firefox. To find out more about the state of the post-quantum internet, check out this great blog post by Bas Westerbaan of Cloudflare.
I've created a quick test of PQC support in NGINX using Docker and Docker-Compose. The work is mainly based on a Linode Guide for PQC with Nginx on Debian 11. The repo is called Try-Nginx-PQC-1. It will spin up a container running NGINX, configured with the Open Quantum Safe (OQS) provider for Post-Quantum algorithms in OpenSSL. And there's a small web-server that echoes back the $ssl_curve parameter that NGINX uses when terminating the TLS connection. At the moment, this is a local-only test repo, but in the near future, I might put this up on some domain or port on one of my servers.