While adapting my home-developed TLS server analysis tool to TLS1.3, and comparing it to ssllabs Free SSL Server Test, I found differences in the reporting of the EC and DHE supported groups/curves.
My tool uses the same technique for groups as in ciphersuites discovery: for each ciphersuite, it proposes different combinations of groups and, analyzing the result (supported_groups extension or server_key_exchange), it inferes the supported groups and their priority in the server.
Where my tool reports 5 supported groups in preferred order (for instance x25519, secp256r1, x448, secp521r1 and secp384r1), ssllabs only reports secp256r1.
The question is: is the reported group following the ciphersuite code the list of supported groups? Or is it just an indication of the group that ssllabs used for the test?
Note: I am a fan of ssllabs tool; we use it in the company as the oracle of truth when measuring the quality of our servers. But we need an inside tool for recurrent compliance verification and to measure automatically the capacity and compatibility of the browsers of our customers , using client_hello captures and comparing them to our current or future configuration.
Examples for www.digicert.com: