[SSL Observatory] public TLS/SSL test server ?

=JeffH Jeff.Hodges at KingsMountain.com
Thu May 17 16:54:31 PDT 2012


Hi,

Is there a public TLS/SSL test server ?

It'd be great to have one that offers, on various ports say, and via various 
domain names, server certs and cert chains that are "non-standard" or broken in 
different fashions, e.g....


1. straight-up self-signed end-entity cert, no cert chain offered.


2. expired cert, otherwise legit, chains to public well-known root CA


3. otherwise legit cert, chains to public well-known root CA, but the presented 
CN-ID [1] and DNS-ID do not match the source domain name used to initiate the 
connection.


4. otherwise legit cert, chains to a specified root CA, the CA cert is 
available to the client, however, client is unable to obtain either a CRL or 
an OCSP response.


5. otherwise legit cert, chains to a specified root CA, the CA cert is 
available to the client, however, CRL is expired.


6. otherwise legit cert, but is "transvalid" per PeterE's definition:

The transvalid column contains the output of openssl verify called with their 
trusted root repositories /and/ any intermediate CA certs that were in
the chain presented by that webserver, /plus/ extra intermediate CA certs that 
look like they were missing from the chain presented by the webserver.


7. otherwise legit cert, chains to a specified root CA, the CA cert is 
available to the client, however, contains factorizable public key.


8. others...


Having the above would be quite useful for testing various TLS/SSL clients 
against.

Anyone know of one already existing or wish to contribute to setting one up?

thanks,

=JeffH

[1] CN-ID and DNS-ID are concise PKIX certificate "identifier type" 
designations established in RFC6125 <https://tools.ietf.org/html/rfc6125>.




