
Calomel SSL vs. validation tests

Question asked by j-mailor on Nov 22, 2014
Latest reply on Nov 23, 2014 by Adm Selec


In one of the threads in this forum I saw the Calomel SSL validation tool from It is a Firefox plug-in that can be installed from


I tested one of my web pages and I get A- on the SSL Labs test and get "Very weak" on the Calomel test (no perfect secrecy, SHA1 for signing).


I also tried and it gets B on SSL Labs (because of having the RC4 cipher enabled) and gets "Very strong" on the Calomel test.


So these two tests are returning completely different results...


It looks like these two tests are actually testing two different things (like apples and oranges):

- Calomel: security of current browser session,

- SSL Labs: security of overall web server's SSL implementation.


Calomel tests the current cipher suite that is used by the current browser session, checks the certificate and similar. So it tries to figure out how secure the current browser session is. In Firefox about:config I have set security.tls.version.min=0 and security.tls.version.max=0 and in URL typed in and I am getting red Broken or Untrusted. Changing to security.tls.version.max=1, I am getting blue Strong. Set to the browser default security.tls.version.max=3, I am getting Very strong.


On the other hand tries to find out the weakest link (like RC4 cipher enabled, SSLv3 enabled) in the web server's SSL implementation. The attacker on the web server would probably try to break in using the weakest web server problem.


Am I missing something?
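
The per-session versus per-server distinction described in the question, as an added example that is not part of the original post: a small model of version and cipher negotiation that reproduces the three `security.tls.version.max` settings tried above and compares them with what a server-wide scan reports. The server configuration, the client cipher list and the function names are constructed assumptions; the pref-to-protocol mapping is the Firefox one from that period.

```python
# Firefox security.tls.version.min/max values at the time of the post.
PREF_TO_VERSION = {0: "SSLv3", 1: "TLSv1.0", 2: "TLSv1.1", 3: "TLSv1.2"}

# Constructed (hypothetical) server config: enabled protocol versions and
# cipher suites in server preference order, each with the lowest protocol
# version (as a pref value) it can be used with.
SERVER = {
    "versions": {0, 1, 2, 3},
    "ciphers": [
        ("ECDHE-RSA-AES128-GCM-SHA256", 3),
        ("ECDHE-RSA-AES128-SHA", 1),
        ("AES128-SHA", 0),
        ("RC4-SHA", 0),
    ],
}
# Assumption: the browser offers all four suites.
CLIENT_CIPHERS = {name for name, _ in SERVER["ciphers"]}


def session_view(tls_min, tls_max, client_ciphers=CLIENT_CIPHERS, server=SERVER):
    """What one browser session ends up with (what a per-session checker sees)."""
    common = set(range(tls_min, tls_max + 1)) & server["versions"]
    if not common:
        return None  # no shared protocol version: handshake fails
    version = max(common)
    for name, needs in server["ciphers"]:  # server preference order
        if name in client_ciphers and needs <= version:
            return PREF_TO_VERSION[version], name
    return None  # no shared cipher suite


def server_view(server=SERVER):
    """Weak options the server accepts from any client (what a server scan sees)."""
    findings = []
    if 0 in server["versions"]:
        findings.append("SSLv3 enabled")
    findings += [f"RC4 cipher enabled: {n}" for n, _ in server["ciphers"] if "RC4" in n]
    return findings


if __name__ == "__main__":
    for tls_max in (0, 1, 3):  # the three settings tried in the post, with min=0
        print(f"security.tls.version.max={tls_max}:", session_view(0, tls_max))
    print("server scan:", server_view())
```

The session result changes with the client's settings while the server findings stay the same, which is why a default-configured browser can negotiate a strong suite against a server that a scan still marks down for RC4 or SSLv3.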