@mxsasha mxsasha commented Jun 9, 2025

  • Various min key length constants, do they still apply?
  • RSA length requirements (3.3.2.1)
  • RSA padding requirements (3.3.2.1)
  • Updated FFDHE requirements (3.3.3.1)
  • Verify we see TLS compression (3.4.1)
  • Add new checks to check setup (currently only implemented up to return dict)
  • Extended master secret - check for support (we can not check for enforcement)
  • - Add test for resumption (3.4.3) no new test, this is covered by TLS version check
  • kex_hash update "you must at least have SHA2" -> "you must not have SHA1/MD5"
  • Update renegotiation settings: we only have good/bad for on/off, should we add sufficient for limited secure? Also ensure unlimited secure reneg is phase out, insecure is insufficient (3.4.2) -> Fix this inside nassl to return the number of attempts. Gelimiteerd=maximum 10 permitted.
  • Ensure cipher order is up to date
  • Check for any references to old standards in code
  • Fix formatting for bad curves
  • Clarify all new/changed labels
  • Extend openapi.yaml if needed
  • Document API changes for release notes
  • Fix batch test
  • EdDSA auth detected as sufficient? (3.3.2) -> EdDSA can only be done with supported curves, so this test can not fail. We do implement it -> add a comment in the code about this

Interesting data point: the old SHA2 key exchange check had a bug in the sslyze branch, which we did not notice in comparisons probably because it never fails.

Weird results

  • Debug issue where we may be falsely saying 80% when there is no mailserver, possibly because there is no TLS
  • Testssl claims intermediair.nl offers RSA+SHA224 (implied PKCS) and RSA+SHA1 on TLS 1.2. But our test shows OK, so we are not detecting these or not interpreting correctly.
  • Review our stance on EMS

Discuss:

  • Which certs do we check for signature hash algorithm, and key size/curve. Current: hash checked for all non-root certificates sent, key size/curve checked for all certificates sent. Discussion 9-9: check all certificates sent by the server, except those that exist in the trust store.

To consider

  • display 'banner' for old tests at TLS test (category, or preferably at each sub test detail level): an explanation that the test verdict (text) and content are no longer in sync / even correct? The new explanation for the new rules are shown: advise retest.
  • Run comparison on some HoF subset, to get an idea how many people lose their 100%

Content

See content PR

mxsasha commented Jun 16, 2025

Regarding SHA2 key exchange: TLS 1.2 still supports signature algorithms here that do not meet the new requirements. So, we need to keep the check, but modify it from "you must support SHA2" to "you must not support any SHA1 or MD5". In TLS 1.3, only SHA2 is supported for this purpose.

@mxsasha mxsasha force-pushed the sslyze branch 3 times, most recently from 98ace1a to ac3edcc Compare June 24, 2025 13:55
@mxsasha mxsasha force-pushed the ncsc2025 branch 7 times, most recently from faeba8d to 3b59db8 Compare July 29, 2025 11:01
@mxsasha mxsasha force-pushed the ncsc2025 branch 3 times, most recently from e46af94 to 63c8ff9 Compare August 4, 2025 14:16
@mxsasha mxsasha force-pushed the ncsc2025 branch 4 times, most recently from ad38aec to 8b418e4 Compare August 12, 2025 14:38
@mxsasha mxsasha linked an issue Sep 1, 2025 that may be closed by this pull request
…lines, so status fail and score penalty seems fitting
mxsasha commented Nov 12, 2025

I've been running extensive comparisons to #1218 on websiteregister and a few hundred other names. Based on this, we need to do some more thinking on how we apply the new requirements and checks.

We don't have great tools to analyse in bulk, but regular issues seem to be cipher selection and cipher order. This adds up, as we bumped a lot more ciphers to phase out, so that makes cipher order stricter. Some failures of key parameters, for DH-2048. Warnings for RSA-2048 are pretty common too. Unacceptable TLS versions seem rare in our set.

These are all reasonable: we expect new failures, and they are fixed by correcting cipher settings in the TLS config. Certificate replacement is more work, especially as we count intermediates too, but RSA-2048 has no score impact.

The tricky areas are properties of the TLS stack. They can not just be ticked on and off, it requires software updates/replacements. Update: it may be possible to fix some of this with OpenSSL security levels. There are three that are pretty common failures: EMS, RSA-PKCS and SHA1. These tests are all ❌ if not met and therefore have score impact. And, perhaps there are bugs in the test - this is not a widely covered area by other testing tools.

They are in part common because many Dutch government websites use Akamai, which appears to allow SHA1 and not support EMS. For example: ondernemersplein.kvk.nl, papiamentu.rijksdienstcn.com, intermediair.nl, rijkswaterstaat.nl, adviescollegeregeldruk.nl, www.nza.nl, healthcouncil.nl, sodm.nl, www.open-overheid.nl. Note that in a fair number of cases, only the www/no-www version is Akamai, and the other direct to webserver.

However, this isn't unique to Akamai - @bwbroersma's b6a.nl supports RSA-PKCS for example.

Extended Master Secret

The origin of our requirement for EMS (an extension in TLS 1.2, irrelevant for 1.3) comes from RFC9325 3.5 which makes it a MUST, and the NCSC 2025 guidelines where it's a soft mention in a sentence.

It seems that at least a significant part of Akamai's CDN does not support EMS. I have good confidence in our test, it's just checking for the presence of the EMS extension in ServerHello if the target supports TLS 1.2. So far, testssl.sh has been entirely consistent with us. SSLLabs does not test this.

Key exchange

TLS key exchange uses a signature/hash algorithm. Note that this is not the cipher suite, and not a property of the certificate. Defined in RFC5246 7.4.1.4.1 for 1.2, RFC8446 4.2.3 for 1.3.

Common for both is that we use set1_sigalgs to limit the connection to a set of "bad" sigalgs, then try to make a TLS 1.2 connection (irrelevant on 1.3, and <1.2 is bad anyways). From tcpdumps, I am certain we are sending the extension correctly.

SSLlabs does not test this, testssl so far has been consistent with us.

SHA1 in key exchange

NCSC 2025 guidelines 3.3.5 class SHA1 as "onvoldoende". We test for SHA1 by setting the signature_algorithms extension in our ClientHello to only SHA1 options with EC/RSA/DSA.

If a connection is established, we might assume the server allows SHA1, therefore, bad result. However, apparently we have found servers in the past (no specific source available) that would ignore our signature_algorithms, use a good SHA2, and our OpenSSL would accept it, as it does actually know about SHA2. Therefore, we also check get_peer_signature_nid to make sure it's in the bad list. If so, we presume SHA1 is enabled.

I think testssl does the same thing, but possibly without the extra check.

RSA padding

There are two padding methods for RSA: PKCS#1 v1.5 and PSS. Originally TLS 1.2 only supported PKCS. RFC8446 (for 1.3) extends RSA-PSS support to TLS 1.2. NCSC 2025 guidelines class PKCS as "onvoldoende".

Essentially, we use the same method as for SHA1. In the current implementation, the cross-check of "if the connection was established, also check what was actually negotiated" is missing, because I overlooked the SSL_get_signature_type_nid call in OpenSSL that will probably allow this (will have to get added to nassl). Though we do not currently have any false positives, so this may be superfluous.

Conclusions

We should consider carefully, in the context of this data:

  • are our tests correct?
  • are we right in marking each of these three ❌ with score impact, knowing that it will be much harder for users to fix than say, cipher suites?
  • probably try to contact Akamai about their lack of EMS and their SHA1 sigalg support?

Likely confirmation of Akamai's settings:
/opt/homebrew/opt/[email protected]/bin/openssl s_client -connect www.nationalebijenstrategie.nl:443 -tls1_2 -sigalgs ECDSA+SHA1 -msg
CONNECTED(00000005)
>>> ??? [length 0005]
    16 03 01 00 90
>>> TLS 1.2, Handshake [length 0090], ClientHello
    01 00 00 8c 03 03 91 d1 b5 4e b3 32 49 9e 74 58
    cf 34 23 f8 6b e4 48 9c f8 0d 77 34 15 59 6d 8b
    bc ee cf f9 7f bd 00 00 10 c0 2c cc a9 c0 2b c0
    24 c0 23 c0 0a c0 09 00 ff 01 00 00 53 00 00 00
    23 00 21 00 00 1e 77 77 77 2e 6e 61 74 69 6f 6e
    61 6c 65 62 69 6a 65 6e 73 74 72 61 74 65 67 69
    65 2e 6e 6c 00 0b 00 04 03 00 01 02 00 0a 00 0c
    00 0a 00 1d 00 17 00 1e 00 19 00 18 00 23 00 00
    00 16 00 00 00 17 00 00 00 0d 00 04 00 02 02 03
<<< ??? [length 0005]
    16 03 03 00 41
<<< TLS 1.2, Handshake [length 0041], ServerHello
    02 00 00 3d 03 03 01 c9 10 82 1c a4 37 c9 67 50
    3a ee 61 78 86 35 15 b0 7a 0f 3c e9 c5 6f 44 4f
    57 4e 47 52 44 01 00 c0 2c 00 00 15 ff 01 00 01
    00 00 00 00 00 00 0b 00 04 03 00 01 02 00 23 00
    00
<<< ??? [length 0005]
    16 03 03 0c c3
<<< TLS 1.2, Handshake [length 0cc3], Certificate
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = IE, O = DigiCert Ireland Limited, CN = DigiCert G2 TLS EU RSA4096 SHA384 2022 CA1
verify return:1
depth=0 C = NL, ST = Zuid-Holland, L = Den Haag, O = Rijksoverheid, CN = www.nationalebijenstrategie.nl
verify return:1
<<< ??? [length 0005]
    16 03 03 00 94
<<< TLS 1.2, Handshake [length 0094], ServerKeyExchange
    0c 00 00 90 03 00 17 41 04 b9 bc cc 5a 93 67 59
    91 d8 05 9c 97 f7 57 f3 00 1e 53 70 6c f3 c9 16
    7c 59 3a a5 3f fa eb d4 30 31 e6 25 38 07 ca b8
    4c 7c 36 80 e7 bc c4 2a d6 80 85 92 3f 97 52 38
    66 75 d4 8f 16 1e 18 f5 7f 02 03 00 47 30 45 02
    20 34 81 29 34 9c d6 ff 4d df 05 8b 71 dc 73 dc
    76 43 bb 2d f1 9a 69 7c 8f 0d 57 32 12 da 25 5d
    b7 02 21 00 ea bd 14 09 9a b2 20 62 ba 92 51 57
    ca af 88 7a 23 62 fc 32 3c 78 d1 e5 94 14 43 98
    3c bd ff f9
<<< ??? [length 0005]
    16 03 03 00 04
<<< TLS 1.2, Handshake [length 0004], ServerHelloDone
    0e 00 00 00
>>> ??? [length 0005]
    16 03 03 00 46
>>> TLS 1.2, Handshake [length 0046], ClientKeyExchange
    10 00 00 42 41 04 83 85 c6 71 21 21 95 14 fd 8b
    dc 44 09 9a 79 39 34 e1 fd c6 c7 3f cc f8 79 54
    27 6d ee 0b 45 e9 0c a1 a5 04 73 8e b1 d8 92 1b
    19 15 a7 d1 c2 04 8e 25 0c d9 14 ba 21 89 fa 6e
    d5 8c bb c1 5d 41
>>> ??? [length 0005]
    14 03 03 00 01
>>> TLS 1.2, ChangeCipherSpec [length 0001]
    01
>>> ??? [length 0005]
    16 03 03 00 28
>>> TLS 1.2, Handshake [length 0010], Finished
    14 00 00 0c a2 db de a8 5a 0b c0 2e 18 df 5f fb
<<< ??? [length 0005]
    16 03 03 00 ea
<<< TLS 1.2, Handshake [length 00ea], NewSessionTicket
<<< ??? [length 0005]
    14 03 03 00 01
<<< ??? [length 0005]
    16 03 03 00 28
<<< TLS 1.2, Handshake [length 0010], Finished
    14 00 00 0c 91 52 57 32 6e b8 93 fb c6 bb 81 e0
---
Certificate chain
 0 s:C = NL, ST = Zuid-Holland, L = Den Haag, O = Rijksoverheid, CN = www.nationalebijenstrategie.nl
   i:C = IE, O = DigiCert Ireland Limited, CN = DigiCert G2 TLS EU RSA4096 SHA384 2022 CA1
 1 s:C = IE, O = DigiCert Ireland Limited, CN = DigiCert G2 TLS EU RSA4096 SHA384 2022 CA1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
---
Server certificate
subject=C = NL, ST = Zuid-Holland, L = Den Haag, O = Rijksoverheid, CN = www.nationalebijenstrategie.nl

issuer=C = IE, O = DigiCert Ireland Limited, CN = DigiCert G2 TLS EU RSA4096 SHA384 2022 CA1

---
No client certificate CA names sent
Peer signing digest: SHA1
Peer signature type: ECDSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3794 bytes and written 275 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
    Session-ID: 0B0B8E839BB1250B45ECD10A6FC87242FA100698CE50DFA92B056C9709877FC7
    Session-ID-ctx:
    Master-Key: 71090874C49E51913D204CBF528D527B1B51247137244513EE9F99A97E56CB6311ECDE3D94B6585094134F92A854963F
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 83100 (seconds)

    Start Time: 1762946910
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no

For RSA-PKCS, it would be good to have/quote sources beyond NCSC.
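
An added example (not part of the comment above, and not internet.nl or nassl code): the EMS check and the "what was actually negotiated" cross-check from the SHA1 and RSA padding sections, done directly on the ServerHello and ServerKeyExchange bytes of the s_client trace. The function names are hypothetical, and only named-curve ECDHE key exchanges are handled.

```python
import struct

EXT_EXTENDED_MASTER_SECRET = 0x0017          # RFC 7627
WEAK_HASHES = {0x01: "md5", 0x02: "sha1"}    # RFC 5246 HashAlgorithm values
SIG_RSA_PKCS1 = 0x01                         # RFC 5246 SignatureAlgorithm "rsa"

# Handshake bytes copied from the s_client -msg trace in the comment above.
SERVER_HELLO = bytes.fromhex("""
    02 00 00 3d 03 03 01 c9 10 82 1c a4 37 c9 67 50
    3a ee 61 78 86 35 15 b0 7a 0f 3c e9 c5 6f 44 4f
    57 4e 47 52 44 01 00 c0 2c 00 00 15 ff 01 00 01
    00 00 00 00 00 00 0b 00 04 03 00 01 02 00 23 00
    00
""")
SERVER_KEY_EXCHANGE = bytes.fromhex("""
    0c 00 00 90 03 00 17 41 04 b9 bc cc 5a 93 67 59
    91 d8 05 9c 97 f7 57 f3 00 1e 53 70 6c f3 c9 16
    7c 59 3a a5 3f fa eb d4 30 31 e6 25 38 07 ca b8
    4c 7c 36 80 e7 bc c4 2a d6 80 85 92 3f 97 52 38
    66 75 d4 8f 16 1e 18 f5 7f 02 03 00 47 30 45 02
    20 34 81 29 34 9c d6 ff 4d df 05 8b 71 dc 73 dc
    76 43 bb 2d f1 9a 69 7c 8f 0d 57 32 12 da 25 5d
    b7 02 21 00 ea bd 14 09 9a b2 20 62 ba 92 51 57
    ca af 88 7a 23 62 fc 32 3c 78 d1 e5 94 14 43 98
    3c bd ff f9
""")

def handshake_body(msg, expected_type):
    """Check the handshake type and 24-bit length, return the body."""
    if len(msg) < 4 or msg[0] != expected_type:
        raise ValueError("unexpected handshake message type")
    if int.from_bytes(msg[1:4], "big") != len(msg) - 4:
        raise ValueError("handshake length does not match message size")
    return msg[4:]

def server_hello_extensions(msg):
    """Return the extension types of a TLS 1.2 ServerHello, in wire order."""
    body = handshake_body(msg, 0x02)
    pos = 2 + 32                  # server_version + random
    pos += 1 + body[pos]          # session_id length byte + session_id
    pos += 2 + 1                  # cipher_suite + compression_method
    if pos == len(body):
        return []                 # server sent no extensions block
    (total,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if pos + total != len(body):
        raise ValueError("extensions length mismatch")
    found = []
    while pos < len(body):
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        found.append(ext_type)
        pos += 4 + ext_len
    if pos != len(body):
        raise ValueError("extension overruns the message")
    return found

def supports_ems(msg):
    """True if the ServerHello echoes extended_master_secret."""
    return EXT_EXTENDED_MASTER_SECRET in server_hello_extensions(msg)

def negotiated_sigalg(msg):
    """Return the 2-byte signature algorithm the server signed its ECDHE params with."""
    body = handshake_body(msg, 0x0C)
    if body[0] != 0x03:
        raise ValueError("only named_curve ECDHE parameters are handled")
    pos = 4 + body[3]             # curve_type, named_curve, point length, point
    scheme, sig_len = struct.unpack_from("!HH", body, pos)
    if pos + 4 + sig_len != len(body):
        raise ValueError("signature length mismatch")
    return scheme

def sigalg_findings(scheme):
    """Flag a negotiated algorithm that uses MD5/SHA1 or RSA PKCS#1 v1.5."""
    hash_id, sig_id = scheme >> 8, scheme & 0xFF
    if hash_id == 0x08:           # RFC 8446 code points: RSA-PSS and EdDSA
        return set()
    findings = set()
    if hash_id in WEAK_HASHES:
        findings.add("weak-hash")
    if sig_id == SIG_RSA_PKCS1:
        findings.add("rsa-pkcs1")
    return findings
```

On the trace's bytes this gives no EMS extension in the ServerHello and a negotiated algorithm of `0x0203` (SHA1 with ECDSA), matching the `Peer signing digest: SHA1` and `Extended master secret: no` lines that s_client prints.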

@mxsasha mxsasha force-pushed the sslyze branch 4 times, most recently from 23a05f6 to 6b9d4a2 Compare November 28, 2025 13:19
Development

Successfully merging this pull request may close these issues.

Check if Extended Master Secret is supported in TLSv1.2