[BUG] Incorrect id for cert_trust_wildcard

[TheraNinjaCat]

General remark

The JSON and CSV output lines for the cert_trust_wildcard field are incorrect when multiple hostCerts are present. They output as cert_trust <hostCert#1>_wildcard rather than cert_trust_wildcard <hostCert#1>

Before you open an issue please check which version you are running and whether it is the latest in stable / dev branch

• I am running version (git log | head -1 ) from the git repo
• I am running testssl.sh version 3.2.3 from https://testssl.sh/

Before you open an issue please consult the FAQ and check whether this is a known problem by searching the issues

• Is related to ...
• couldn't find anything

Command line to reproduce (or docker command)

testssl.sh -oA output google.com
grep '_wildcard' output.json

                                "id"           : "cert_trust <hostCert#1>_wildcard",
                                "id"           : "cert_trust <hostCert#2>_wildcard",

grep '_wildcard' testssl_1780882190.csv

"cert_trust <hostCert#1>_wildcard","google.com/142.251.222.14","443","LOW","trust is via wildcard","",""
"cert_trust <hostCert#2>_wildcard","google.com/142.251.222.14","443","LOW","trust is via wildcard","",""

Expected behavior

testssl.sh -oA output google.com
grep '_wildcard' output.json

                                "id"           : "cert_trust_wildcard <hostCert#1>",
                                "id"           : "cert_trust_wildcard <hostCert#2>",

grep '_wildcard' testssl_1780882190.csv

"cert_trust_wildcard <hostCert#1>","google.com/142.251.222.14","443","LOW","trust is via wildcard","",""
"cert_trust_wildcard <hostCert#2>","google.com/142.251.222.14","443","LOW","trust is via wildcard","",""

Your system (please complete the following information):

• OS: Docker for Windows
• Platform: Linux 6.6.114.1-microsoft-standard-WSL2 x86_64
• OpenSSL + bash:

Using OpenSSL 1.0.2-bad (Mar 28 2025)  [~183 ciphers]
Using bash 4.4.23

Additional context

The issue appears to be caused by line https://github.com/testssl/testssl.sh/blob/7f63e73ec3d3fbecd05958460733695e2a64fe2a/testssl.sh#L9998

[drwetter]

Thanks! I believe this is disputable, the primary identifier - the first value should not change as it makes parsing more difficult.

Thus closing

[TheraNinjaCat]

I would like you to reconsider this, and I suspect I may not have conveyed the issue properly, as I find the current output to be more difficult to parse, as it's both inconsistent and has resulted in a duplicate primary identifier, here is some more output from the same scan that should hopefully make that clear (test result info removed to minimise excessive text):

"id","fqdn/ip","port","severity","finding","cve","cwe"
"cert_signatureAlgorithm <hostCert#1>","...","443","OK","...","",""
"cert_keySize <hostCert#1>","...","443","INFO","...","",""
"cert_keyUsage <hostCert#1>","...","443","INFO","...","",""
"cert_extKeyUsage <hostCert#1>","...","443","INFO","...","",""
"cert_serialNumber <hostCert#1>","...","443","INFO","...","",""
"cert_serialNumberLen <hostCert#1>","...","443","INFO","...","",""
"cert_fingerprintSHA1 <hostCert#1>","...","443","INFO","...","",""
"cert_fingerprintSHA256 <hostCert#1>","...","443","INFO","...","",""
"cert <hostCert#1>","...","443","INFO","...","",""
"cert_commonName <hostCert#1>","...","443","OK","...","",""
"cert_commonName_wo_SNI <hostCert#1>","...","443","INFO","...","",""
"cert_subjectAltName <hostCert#1>","...","443","INFO","...","",""
"cert_trust <hostCert#1>","...","443","OK","Ok via SAN (same w/o SNI)","",""
"cert_trust <hostCert#1>_wildcard","...","443","LOW","trust is via wildcard","",""
"cert_chain_of_trust <hostCert#1>","...","443","OK","...","",""
"cert_certificatePolicies_EV <hostCert#1>","...","443","INFO","...","",""
"cert_expirationStatus <hostCert#1>","...","443","OK","...","",""
"cert_notBefore <hostCert#1>","...","443","INFO","...","",""
"cert_notAfter <hostCert#1>","...","443","OK","...","",""
"cert_extlifeSpan <hostCert#1>","...","443","OK","...","",""
"cert_eTLS <hostCert#1>","...","443","INFO","...","",""
"cert_crlDistributionPoints <hostCert#1>","...","443","INFO","...","",""

In the above code, every single primary identifier is before the <hostCert#1> key, however only on the cert_trust <hostCert#1>_wildcard identifier does it seem to be split with the _wildcard being after <hostCert#1>. Additionally, if we assume that the primary key is supposed to be cert_trust, then it is a duplicate of the line immediately above it which has different result text (kept to keep that clear). Further, if I look at output that does not have multiple host certs, then there is no problem as the primary keys are all unique, as the two relevant primary ids are cert_trust and cert_trust_wildcard.

"id","fqdn/ip","port","severity","finding","cve","cwe"
"cert_subjectAltName","...","443","INFO","...","",""
"cert_trust","...","443","OK","...","",""
"cert_trust_wildcard","...","443","LOW","...","",""
"cert_chain_of_trust","...","443","OK","...","",""
"cert_certificatePolicies_EV","...","443","INFO","...","",""
"cert_expirationStatus","...","443","OK","...","",""