chromium · davidben · Oct 19, 2022 · Oct 24, 2022
diff --git a/domains/misc/badssl.com/dashboard/sets.js b/domains/misc/badssl.com/dashboard/sets.js
@@ -37,6 +37,7 @@ var sets = [
       {subdomain: "dh512"},
       {subdomain: "dh1024"},
       {subdomain: "null"}
+      {subdomain: "md5-server-signature"},
     ]
   },
   {
@@ -50,6 +51,7 @@ var sets = [
       {subdomain: "cbc"},
       {subdomain: "3des"},
       {subdomain: "dh2048"}
+      {subdomain: "sha1-server-signature"},
     ]
   },
   {

diff --git a/domains/misc/badssl.com/index.html b/domains/misc/badssl.com/index.html
@@ -110,6 +110,11 @@ <h2 id="key-exchange"><span class="emoji">🔑</span>Key Exchange</h2>
     <hr>
     <a href="https://static-rsa.{{ site.domain }}/" class="dubious"><span class="icon"></span>static-rsa</a>
   </div>
+  <div class="group">
+    <h2 id="server-signature"><span class="emoji">✒️</span>Server Signature</h2>
+    <a href="https://md5-server-signature.{{ site.domain }}/" class="bad"><span class="icon"></span>md5-server-signature</a>
+    <a href="https://sha1-server-signature.{{ site.domain }}/" class="dubious"><span class="icon"></span>sha1-server-signature</a>
+  </div>
   <div class="group">
     <h2 id="protocol"><span class="emoji">↔️</span>Protocol</h2>
     <a href="https://tls-v1-0.{{ site.domain }}:1010/" class="dubious"><span class="icon"></span>tls-v1-0</a>

diff --git a/domains/server-signature/md5.conf b/domains/server-signature/md5.conf
@@ -0,0 +1,19 @@
+---
+---
+server {
+  listen 80;
+  server_name md5-server-signature.{{ site.domain }};
+
+  return 301 https://$server_name$request_uri;
+}
+
+server {
+  listen 443;
+  server_name md5-server-signature.{{ site.domain }};
+
+  include {{ site.serving-path }}/nginx-includes/wildcard-normal.conf;
+  include {{ site.serving-path }}/nginx-includes/tls-md5-signature.conf;
+  include {{ site.serving-path }}/common/common.conf;
+
+  root {{ site.serving-path }}/domains/server-signature/md5;
+}
diff --git a/domains/server-signature/md5/index.html b/domains/server-signature/md5/index.html
@@ -0,0 +1,12 @@
+---
+subdomain: md5-server-signature
+layout: page
+favicon: red
+background: red
+---
+
+<div id="content">
+  <h1 style="font-size: 10vw;">
+    {{ page.subdomain }}.{{ site.domain }}
+  </h1>
+</div>
diff --git a/domains/server-signature/sha1.conf b/domains/server-signature/sha1.conf
@@ -0,0 +1,19 @@
+---
+---
+server {
+  listen 80;
+  server_name sha1-server-signature.{{ site.domain }};
+
+  return 301 https://$server_name$request_uri;
+}
+
+server {
+  listen 443;
+  server_name sha1-server-signature.{{ site.domain }};
+
+  include {{ site.serving-path }}/nginx-includes/wildcard-normal.conf;
+  include {{ site.serving-path }}/nginx-includes/tls-sha1-signature.conf;
+  include {{ site.serving-path }}/common/common.conf;
+
+  root {{ site.serving-path }}/domains/server-signature/sha1;
+}
diff --git a/domains/server-signature/sha1/index.html b/domains/server-signature/sha1/index.html
@@ -0,0 +1,12 @@
+---
+subdomain: sha1-server-signature
+layout: page
+favicon: red
+background: red
+---
+
+<div id="content">
+  <h1 style="font-size: 10vw;">
+    {{ page.subdomain }}.{{ site.domain }}
+  </h1>
+</div>
diff --git a/nginx-includes/tls-md5-signature.conf b/nginx-includes/tls-md5-signature.conf
@@ -0,0 +1,10 @@
+---
+---
+
+ssl_session_timeout 5m;
+
+# Limit to TLS 1.2 and ECDHE-based cipher suites, where MD5 server signatures may apply.
+ssl_protocols TLSv1.2;
+ssl_ciphers 'ECDSA+AESGCM:ECDHE:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
+ssl_prefer_server_ciphers on;
+ssl_conf_command SignatureAlgorithms RSA+MD5
diff --git a/nginx-includes/tls-sha1-signature.conf b/nginx-includes/tls-sha1-signature.conf
@@ -0,0 +1,10 @@
+---
+---
+
+ssl_session_timeout 5m;
+
+# Limit to TLS 1.2 and ECDHE-based cipher suites, where SHA-1 server signatures may apply.
+ssl_protocols TLSv1.2;
+ssl_ciphers 'ECDSA+AESGCM:ECDHE:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
+ssl_prefer_server_ciphers on;
+ssl_conf_command SignatureAlgorithms RSA+SHA1