httpbin VS badssl.com

We proceed to define routes to https://httpbin.org/ to test our setup. Let's call the route to /get:

https://httpbin.org/ is an excellent tool for learning (and testing) the basics. Take a few minutes to explore the endpoints they provide. You can also use different response codes to test your apps error handling, etc

export FABI_PROD="http://httpbin.org/" export FABI_LOCAL="http://0.0.0.0:8000/"

use anyhow; use embedded_svc::http::client::Client; use embedded_svc::wifi::{AuthMethod, ClientConfiguration, Configuration}; use esp_idf_hal::peripherals::Peripherals; use esp_idf_svc::eventloop::EspSystemEventLoop; use esp_idf_svc::http::client::{Configuration as HttpConfig, EspHttpConnection}; use esp_idf_svc::nvs::EspDefaultNvsPartition; use esp_idf_svc::wifi::{BlockingWifi, EspWifi}; fn main() -> anyhow::Result<()> { esp_idf_sys::link_patches(); // Configure Wifi let peripherals = Peripherals::take().unwrap(); let sysloop = EspSystemEventLoop::take()?; let nvs = EspDefaultNvsPartition::take()?; let mut wifi = BlockingWifi::wrap( EspWifi::new(peripherals.modem, sysloop.clone(), Some(nvs))?, sysloop, )?; wifi.set_configuration(&Configuration::Client(ClientConfiguration { ssid: "SSID".into(), bssid: None, auth_method: AuthMethod::None, password: "PASSWORD".into(), channel: None, }))?; // Start Wifi wifi.start()?; // Connect Wifi wifi.connect()?; // Wait until the network interface is up wifi.wait_netif_up()?; // Print Out Wifi Connection Configuration while !wifi.is_connected().unwrap() { // Get and print connection configuration let config = wifi.get_configuration().unwrap(); println!("Waiting for station {:?}", config); } println!("Wifi Connected, Intiatlizing HTTP"); // HTTP Configuration // Create HTTPS Connection Handle let httpconnection = EspHttpConnection::new(&HttpConfig { use_global_ca_store: true, crt_bundle_attach: Some(esp_idf_sys::esp_crt_bundle_attach), ..Default::default() })?; // Create HTTPS Client let mut httpclient = Client::wrap(httpconnection); // HTTP Request Submission // Define URL let url = "https://httpbin.org/get"; // Prepare request let request = httpclient.get(url)?; // Log URL and type of request println!("-> GET {}", url); // Submit Request and Store Response let response = request.submit()?; // HTTP Response Processing let status = response.status(); println!("<- {}", status); match response.header("Content-Length") { Some(data) => { println!("Content-Length: {}", data); } None => { println!("No Content-Length Header"); } } match response.header("Date") { Some(data) => { println!("Date: {}", data); } None => { println!("No Date Header"); } } Ok(()) }

has_domain: whether the matched route references an upstream with a domain, e.g., http://httpbin.org, or not, e.g., 192.168.0.1

But where does the data go now? By default, the form data is sent to the URL of the page containing the form — the current page, actually. Generally, all the data should be sent to a server to store and be handled. We can set up a server like Next.js, but it's a big separate topic to discover. You can learn more about it in our tutorial. In this post, I suggest concentrating on uploading staff and using httpbin — a simple OSS HTTP Request & Response Service.

Probably to demo it? I wish Google had "this link will always be considered harmful", like the stuff on https://badssl.com/.

With SSLVersionMin, I think TLS 1.0 and TLS 1.1 protocols are already disabled (they were originally going to be disabled in 2020, but it was postponed). If I try going to test pages on https://badssl.com/ that use those protocols, Brave displays an "Unsupported protocol" error page with error code ERR_SSL_VERSION_OR_CIPHER_MISMATCH – with no option for the user to bypass the error page. However, I'm not sure why InTune won't allow you to configure it to TLS 1.2 minimum version anyway.

See https://badssl.com/, or for a simple example of what happen when you access a page redirected by naughty DNS, set your private DNS to family.adguard-dns.com, then try opening PornHub.

.DESCRIPTION This cmdlet tests a URI for connectivity, and checks whether the TLS certificate is valid, expired, expiring soon, and returns information about the certificate when used with InformationLevel 'Detailed'. .PARAMETER Uri Specifies an HTTP/HTTPS URI. For example, https://www.powershellgallery.com .PARAMETER InformationLevel Specifies whether to return detailed information, or a simple $true or $false. .EXAMPLE Test-Uri https://badssl.com/ Returns a detailed TestUriResult with an IsTrusted property value of $true under normal circumstances. .EXAMPLE Test-Uri https://badssl.com/ -InformationLevel Quiet Returns a value of $true under normal circumstances. .EXAMPLE Test-Uri https://expired.badssl.com/ Returns a detailed TestUriResult with an IsExpired property value of $true .EXAMPLE Test-Uri https://expired.badssl.com/ Returns a detailed TestUriResult with an IsExpired property value of $true .EXAMPLE Test-Uri https://tls-v1-1.badssl.com:1011/ -SslProtocol Tls11 Returns a detailed TestUriResult where IsTrusted and UriTestSucceeded are $true, because we've specified to use SslProtocol Tls11. .EXAMPLE Test-Uri https://tls-v1-1.badssl.com:1011/ Returns a detailed TestUriResult where IsTrusted and UriTestSucceeded are $false, because only Tls12 and Tls13 are trusted by default. #> [CmdletBinding()] param ( [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName, Position = 0)] [uri[]] $Uri, [Parameter()] [System.Security.Authentication.SslProtocols[]] $SslProtocol = @([System.Security.Authentication.SslProtocols]::Tls12, [System.Security.Authentication.SslProtocols]::Tls13), [Parameter()] [ValidateSet('Detailed', 'Quiet')] [string] $InformationLevel = 'Detailed' ) process { [System.Security.Authentication.SslProtocols]$trustedProtocols = 0 $SslProtocol | Foreach-Object { $trustedProtocols = $trustedProtocols -bor $_ } foreach ($address in $Uri) { $result = [pscustomobject]@{ PSTypeName = 'TestUriResult' Uri = $address RemoteAddress = $null RemotePort = $null SourceAddress = $null RemoteCertificate = $null CipherAlgorithm = $null HashAlgorithm = $null SslProtocol = $null TcpTestSucceeded = $false UriTestSucceeded = $false IsExpired = $false IsExpiring = $false IsTrusted = $false } try { $tcpClient = [net.sockets.tcpclient]::new($address.Host, $address.Port) $result.TcpTestSucceeded = $true $result.RemoteAddress = $tcpClient.Client.RemoteEndPoint.Address $result.RemotePort = $tcpClient.Client.RemoteEndPoint.Port $result.SourceAddress = $tcpclient.Client.LocalEndPoint.Address if ($address.Scheme -eq 'https') { $stream = $tcpClient.GetStream() $sslStream = [net.security.sslstream]::new($stream, $false, { $true }) $protocols = 0; [enum]::GetValues([System.Security.Authentication.SslProtocols]) | Where-Object { $_ -match '(Ssl|Tls)' } | Foreach-Object { $protocols = $protocols -bor $_ } $sslStream.AuthenticateAsClient($address.Host, $null, $protocols, $true) $certInfo = [security.cryptography.x509certificates.x509certificate2]::new($sslStream.RemoteCertificate) $result.SslProtocol = $sslStream.SslProtocol $result.RemoteCertificate = $certInfo $result.CipherAlgorithm = $sslStream.CipherAlgorithm $result.HashAlgorithm = $sslStream.HashAlgorithm $result.IsExpired = $certInfo.NotAfter -le (Get-Date) $result.IsExpiring = $certInfo.NotAfter -le (Get-Date).AddDays(30) $result.IsTrusted = $certInfo.Verify() -and ($sslStream.SslProtocol -band $trustedProtocols) $result.UriTestSucceeded = $result.IsTrusted -and !$result.IsExpired -and ($sslStream.SslProtocol -band $trustedProtocols) if (-not ($sslStream.SslProtocol -band $trustedProtocols)) { Write-Warning "The transport layer security protocol $($sslStream.SslProtocol) is not in the list of trusted protocols: $trustedProtocols." } if ($result.IsExpired) { Write-Warning "Certificate for '$address' is expired. Subject='$($result.RemoteCertificate.Subject)'; NotAfter='$($result.RemoteCertificate.NotAfter.ToString('o'))'" } elseif ($result.IsExpiring) { Write-Warning "Certificate for '$address' expires in 30 days or less. Subject='$($result.RemoteCertificate.Subject)'; NotAfter='$($result.RemoteCertificate.NotAfter.ToString('o'))'" } } } catch { Write-Error -ErrorRecord $_ } finally { if ($sslStream) { $sslStream.Dispose() } if ($stream) { $stream.Dispose() } if ($tcpClient) { $tcpClient.Dispose() } } if ($InformationLevel -eq 'Quiet') { $result.UriTestSucceeded } else { $result } } }

Just use https://badssl.com/ to test the various errors.

For developers needing to test responses to various SSL issues there is https://badssl.com. Not my site, but one I use frequently to demonstrate the result of bad/incorrectly configured certificates.

https://badssl.com/ is a nice website, it shows all the ways ssl can be misconfigured. So you can see how it affects connections.

Modern Web Browsers implement robust, thorough control over SSL/TLS connections, including trust list management, protocol downgrade protection, etc. Using an HTTPS interception proxy therefore means the proxy has to implement all those controls, properly. At the very least, this shouldn't have any problems connecting to https://badssl.com/ (Google's test site, although I don't think this is currently maintained).