[wbond]

If you are looking for some other bad TLS configs, I run a site that augments this at https://badtls.io/.

[cmeacham98]

Your certs are all self-signed, so testing against them doesn't really help somebody unless they go out of their way to trust your root.

[duskwuff]

BadTLS covers some scenarios that public CAs cannot sign certificates for, e.g. a certificate that expired in the 1960s.

[wbond]

Your statement is correct.

BadTLS explicitly exists to test certs that you generally should not, but often do, run into in the wild. As a result, most software handles these in poor ways, with error messages that are unhelpful at best.

Writing tests that utilize a custom root doesn’t seem all that much work for a library supporting TLS.