A new version has been released of our tool which we use to assess TLS clients security: v0.8.3.
The corresponding packages for various Ubuntu versions are prepared in
ppa:gremwell/qsslcaudit. Packaging for Kali is handled by Kali maintainers.
Each time you dive into the process of TLS handshake you figure out that there is much more deeper. This time several minor improvements have been implemented to address unexpected outcomes which we observed.
For instance: set SAN (subject alternative name) when crafting a custom certificate, set expiration time to 1 year instead of 10, use SHA256 digest to sign the certificate. Without these changes modern browsers (and WebViews) will not trust a certificate even if it is signed by the trusted authority.
As was mentioned in Github issue, there are clients which may not trust any of ciphers provided by our rogue TLS server. This case has to be handled separately.
We believe that there still many hidden "gems" in the TLS world from its practical perspective, thus, expect new releases.