From ac6a2b65fff59f5ce0816a80926772b39d7f0a9d Mon Sep 17 00:00:00 2001 From: znerol Date: Sun, 19 Apr 2026 20:47:14 +0200 Subject: [PATCH 01/12] Make service ips reachable from hypervisor (local) The service ips (10.52.7.42, 10.52.7.43) are outside the libvirt subnet (10.52.7.112/28). It is necessary to add static routes in order to make them reachable from the libvirt host. --- configuration-files/tf-local/README.md | 1 + configuration-files/tf-local/main.tf | 8 ++++++++ configuration-files/tf-local/variables.tf | 16 +++++++++++++++- 3 files changed, 24 insertions(+), 1 deletion(-) diff --git a/configuration-files/tf-local/README.md b/configuration-files/tf-local/README.md index c291fbb..76f35e3 100644 --- a/configuration-files/tf-local/README.md +++ b/configuration-files/tf-local/README.md @@ -33,6 +33,7 @@ No modules. |------|-------------|------|---------|:--------:| | [libvirt\_connect\_uri](#input\_libvirt\_connect\_uri) | Connect string for libvirt. | `string` | `"qemu:///system"` | no | | [libvirt\_network\_name](#input\_libvirt\_network\_name) | Network to connect the libvirt node to. | `string` | `"localdns"` | no | +| [libvirt\_network\_routes](#input\_libvirt\_network\_routes) | n/a | `list(object({ cidr = string, gateway = string }))` |
[
{
"cidr": "10.52.7.42/32",
"gateway": "10.52.7.113"
},
{
"cidr": "10.52.7.43/32",
"gateway": "10.52.7.113"
}
]
| no | | [libvirt\_network\_subnets](#input\_libvirt\_network\_subnets) | Subnets for of libvirt network. | `list(string)` |
[
"10.52.7.112/28",
"fd42:56b6:246b:67bc::/64"
]
| no | | [libvirt\_pool\_name](#input\_libvirt\_pool\_name) | Storage pool to use for libvirt images. | `string` | `"default"` | no | | [nodes](#input\_nodes) | n/a | `list(string)` |
[
"localdns1",
"localdns2"
]
| no | diff --git a/configuration-files/tf-local/main.tf b/configuration-files/tf-local/main.tf index 4232d8e..1678c3b 100644 --- a/configuration-files/tf-local/main.tf +++ b/configuration-files/tf-local/main.tf @@ -41,6 +41,14 @@ resource "libvirt_network" "local" { mode = "nat" domain = "${var.libvirt_network_name}.local" addresses = var.libvirt_network_subnets + dynamic "routes" { + for_each = var.libvirt_network_routes + iterator = route + content { + cidr = route.value["cidr"] + gateway = route.value["gateway"] + } + } xml { xslt = file("${path.module}/libvirt-network.xsl") } diff --git a/configuration-files/tf-local/variables.tf b/configuration-files/tf-local/variables.tf index 542ea9a..5ce5f3f 100644 --- a/configuration-files/tf-local/variables.tf +++ b/configuration-files/tf-local/variables.tf @@ -4,7 +4,7 @@ variable "nodes" { } variable "nodes_addresses" { - type = list(list(string)) + type = list(list(string)) default = [ ["10.52.7.116/28", "fd42:56b6:246b:67bc::116/64"], ["10.52.7.117/28", "fd42:56b6:246b:67bc::117/64"] @@ -51,6 +51,20 @@ variable "libvirt_network_subnets" { description = "Subnets for of libvirt network." } +variable "libvirt_network_routes" { + type = list(object({ cidr = string, gateway = string })) + default = [ + { + cidr = "10.52.7.42/32" + gateway = "10.52.7.113" + }, + { + cidr = "10.52.7.43/32", + gateway = "10.52.7.113" + } + ] +} + variable "libvirt_pool_name" { type = string default = "default" From bd36aaa29e915548b4711ff84347511cb609e2b1 Mon Sep 17 00:00:00 2001 From: znerol Date: Sun, 19 Apr 2026 22:40:41 +0200 Subject: [PATCH 02/12] Use vrrp ips as gateway --- configuration-files/tf-local/README.md | 2 +- configuration-files/tf-local/variables.tf | 12 ++++++++++-- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/configuration-files/tf-local/README.md b/configuration-files/tf-local/README.md index 76f35e3..2109ea2 100644 --- a/configuration-files/tf-local/README.md +++ b/configuration-files/tf-local/README.md 
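Review bot: The `libvirt_network_routes` variable added to variables.tf in PATCH 01/12 has neither a `description` nor a `validation` block, so the README row reads `n/a` and a malformed `cidr` or `gateway` is only caught when the provider builds the network. Since the commit message says these entries become static routes on the libvirt host, I would add `description = "Static routes on the libvirt host for service IPs outside the libvirt subnet."` and a validation whose condition is `alltrue([for r in var.libvirt_network_routes : can(cidrhost(r.cidr, 0))])`. The second default entry also has a trailing comma after `cidr = "10.52.7.43/32"` that the first entry lacks. The extended default in PATCH 02/12 repeats both points.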
@@ -33,7 +33,7 @@ No modules. |------|-------------|------|---------|:--------:| | [libvirt\_connect\_uri](#input\_libvirt\_connect\_uri) | Connect string for libvirt. | `string` | `"qemu:///system"` | no | | [libvirt\_network\_name](#input\_libvirt\_network\_name) | Network to connect the libvirt node to. | `string` | `"localdns"` | no | -| [libvirt\_network\_routes](#input\_libvirt\_network\_routes) | n/a | `list(object({ cidr = string, gateway = string }))` |
[
{
"cidr": "10.52.7.42/32",
"gateway": "10.52.7.113"
},
{
"cidr": "10.52.7.43/32",
"gateway": "10.52.7.113"
}
]
| no | +| [libvirt\_network\_routes](#input\_libvirt\_network\_routes) | n/a | `list(object({ cidr = string, gateway = string }))` |
[
{
"cidr": "10.52.7.42/32",
"gateway": "10.52.7.125"
},
{
"cidr": "10.52.7.43/32",
"gateway": "10.52.7.126"
},
{
"cidr": "fd42:56b6:246b:67bc::42/128",
"gateway": "fd42:56b6:246b:67bc::125"
},
{
"cidr": "fd42:56b6:246b:67bc::43/128",
"gateway": "fd42:56b6:246b:67bc::126"
}
]
| no | | [libvirt\_network\_subnets](#input\_libvirt\_network\_subnets) | Subnets for of libvirt network. | `list(string)` |
[
"10.52.7.112/28",
"fd42:56b6:246b:67bc::/64"
]
| no | | [libvirt\_pool\_name](#input\_libvirt\_pool\_name) | Storage pool to use for libvirt images. | `string` | `"default"` | no | | [nodes](#input\_nodes) | n/a | `list(string)` |
[
"localdns1",
"localdns2"
]
| no | diff --git a/configuration-files/tf-local/variables.tf b/configuration-files/tf-local/variables.tf index 5ce5f3f..33615b5 100644 --- a/configuration-files/tf-local/variables.tf +++ b/configuration-files/tf-local/variables.tf @@ -56,11 +56,19 @@ variable "libvirt_network_routes" { default = [ { cidr = "10.52.7.42/32" - gateway = "10.52.7.113" + gateway = "10.52.7.125" }, { cidr = "10.52.7.43/32", - gateway = "10.52.7.113" + gateway = "10.52.7.126" + }, + { + cidr = "fd42:56b6:246b:67bc::42/128" + gateway = "fd42:56b6:246b:67bc::125" + }, + { + cidr = "fd42:56b6:246b:67bc::43/128", + gateway = "fd42:56b6:246b:67bc::126" } ] } From f22057b5d7755782c7a69eab20067b1019b9ef80 Mon Sep 17 00:00:00 2001 From: znerol Date: Mon, 20 Apr 2026 11:00:23 +0200 Subject: [PATCH 03/12] Run a smoketest in gh actions --- .github/workflows/run-integration-test.yml | 3 +++ configuration-files/smoketest.yml | 23 ++++++++++++++++++++++ 2 files changed, 26 insertions(+) create mode 100644 configuration-files/smoketest.yml diff --git a/.github/workflows/run-integration-test.yml b/.github/workflows/run-integration-test.yml index 4ef6076..0743e49 100644 --- a/.github/workflows/run-integration-test.yml +++ b/.github/workflows/run-integration-test.yml @@ -71,6 +71,9 @@ jobs: # Run playbook a second time to setup TLS services. ansible-playbook configuration-files/resolver.yml -i configuration-files/local.yml --ssh-common-args '-p 55022' + - name: Run smoketest + ansible-playbook configuration-files/smoketest.yml -i configuration-files/local.yml --ssh-common-args '-p 55022' + - name: Dump system logs if: always() run: | diff --git a/configuration-files/smoketest.yml b/configuration-files/smoketest.yml new file mode 100644 index 0000000..6291139 --- /dev/null +++ b/configuration-files/smoketest.yml 
@@ -0,0 +1,23 @@
+---
+- hosts: all
+ become: false
+ gather_facts: no
+ tasks:
+ - loop:
+ - ["/usr/bin/dig", "@{{ ip4_vip_dns1 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+https"]
+ - ["/usr/bin/dig", "@{{ ip4_vip_dns1 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+tls"]
+ - ["/usr/bin/dig", "@{{ ip4_vip_dns2 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+https"]
+ - ["/usr/bin/dig", "@{{ ip4_vip_dns2 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+tls"]
+ - ["/usr/bin/dig", "@{{ ip6_vip_dns1 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+https"]
+ - ["/usr/bin/dig", "@{{ ip6_vip_dns1 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+tls"]
+ - ["/usr/bin/dig", "@{{ ip6_vip_dns2 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+https"]
+ - ["/usr/bin/dig", "@{{ ip6_vip_dns2 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+tls"]
+ delegate_to: 127.0.0.1
+ changed_when: false
+ register: smoketest_dig
+ command:
+ argv: "{{ item }}"
+
+ - loop: "{{ smoketest_dig.results }}"
+ when: not item['stdout'].startswith('"hello world" from server')
+ fail:
From 83ac8962e1136027aa7e5f9c7918af4a1f00fe26 Mon Sep 17 00:00:00 2001
From: znerol
Date: Mon, 20 Apr 2026 12:06:28 +0200
Subject: [PATCH 04/12] Fix invalid yaml syntax
---
 .github/workflows/run-integration-test.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/run-integration-test.yml b/.github/workflows/run-integration-test.yml
index 0743e49..7d96399 100644
--- a/.github/workflows/run-integration-test.yml
+++ b/.github/workflows/run-integration-test.yml
@@ -72,6 +72,7 @@ jobs: ansible-playbook configuration-files/resolver.yml -i configuration-files/local.yml --ssh-common-args '-p 55022' - name: Run smoketest + run: | ansible-playbook configuration-files/smoketest.yml -i configuration-files/local.yml --ssh-common-args '-p 55022' - name: Dump system logs
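Review bot: The `+tls` and `+https` probes in configuration-files/smoketest.yml (PATCH 03/12) carry no `+tls-ca` argument, and dig only validates the server certificate when that option is given, so the check passes even if a VIP presents an expired or mismatched certificate. If certificate validity is meant to be covered, add `"+tls-ca=<CA_BUNDLE_PATH>"` and `"+tls-hostname=<EXPECTED_SERVER_NAME>"` (placeholders) to each argv, since the queries address the servers by IP. The final `fail:` task has no `msg`, so a failing item does not say which probe returned unexpected output; something like `msg: "unexpected dig output: {{ item.stdout }}"` would help.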
From a7a8c3cac52bd05b157a48589e12703ec4ecd2f7 Mon Sep 17 00:00:00 2001
From: znerol
Date: Mon, 20 Apr 2026 13:20:18 +0200
Subject: [PATCH 05/12] Temporary reverse order of smoketest lines
---
 configuration-files/smoketest.yml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/configuration-files/smoketest.yml b/configuration-files/smoketest.yml
index 6291139..83774a8 100644
--- a/configuration-files/smoketest.yml
+++ b/configuration-files/smoketest.yml
@@ -4,14 +4,14 @@ gather_facts: no tasks: - loop: - - ["/usr/bin/dig", "@{{ ip4_vip_dns1 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+https"] - - ["/usr/bin/dig", "@{{ ip4_vip_dns1 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+tls"] - - ["/usr/bin/dig", "@{{ ip4_vip_dns2 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+https"] - - ["/usr/bin/dig", "@{{ ip4_vip_dns2 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+tls"] - - ["/usr/bin/dig", "@{{ ip6_vip_dns1 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+https"] - - ["/usr/bin/dig", "@{{ ip6_vip_dns1 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+tls"] - - ["/usr/bin/dig", "@{{ ip6_vip_dns2 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+https"] - ["/usr/bin/dig", "@{{ ip6_vip_dns2 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+tls"] + - ["/usr/bin/dig", "@{{ ip6_vip_dns2 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+https"] + - ["/usr/bin/dig", "@{{ ip6_vip_dns1 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+tls"] + - ["/usr/bin/dig", "@{{ ip6_vip_dns1 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+https"] + - ["/usr/bin/dig", "@{{ ip4_vip_dns2 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+tls"] + - ["/usr/bin/dig", "@{{ ip4_vip_dns2 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+https"] + - ["/usr/bin/dig", "@{{ ip4_vip_dns1 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+tls"] + - ["/usr/bin/dig", "@{{ ip4_vip_dns1 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+https"] delegate_to: 127.0.0.1 changed_when: false register: smoketest_dig From 26385ad1f873f361723c3324059f880c90bd0653 Mon Sep 17 00:00:00 2001 
From: znerol
Date: Mon, 20 Apr 2026 15:35:17 +0200
Subject: [PATCH 06/12] Revert "Temporary reverse order of smoketest lines"
This reverts commit a7a8c3cac52bd05b157a48589e12703ec4ecd2f7.
---
 configuration-files/smoketest.yml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/configuration-files/smoketest.yml b/configuration-files/smoketest.yml
index 83774a8..6291139 100644
--- a/configuration-files/smoketest.yml
+++ b/configuration-files/smoketest.yml
@@ -4,14 +4,14 @@ gather_facts: no tasks: - loop: - - ["/usr/bin/dig", "@{{ ip6_vip_dns2 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+tls"] - - ["/usr/bin/dig", "@{{ ip6_vip_dns2 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+https"] - - ["/usr/bin/dig", "@{{ ip6_vip_dns1 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+tls"] - - ["/usr/bin/dig", "@{{ ip6_vip_dns1 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+https"] - - ["/usr/bin/dig", "@{{ ip4_vip_dns2 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+tls"] - - ["/usr/bin/dig", "@{{ ip4_vip_dns2 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+https"] - - ["/usr/bin/dig", "@{{ ip4_vip_dns1 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+tls"] - ["/usr/bin/dig", "@{{ ip4_vip_dns1 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+https"] + - ["/usr/bin/dig", "@{{ ip4_vip_dns1 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+tls"] + - ["/usr/bin/dig", "@{{ ip4_vip_dns2 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+https"] + - ["/usr/bin/dig", "@{{ ip4_vip_dns2 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+tls"] + - ["/usr/bin/dig", "@{{ ip6_vip_dns1 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+https"] + - ["/usr/bin/dig", "@{{ ip6_vip_dns1 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+tls"] + - ["/usr/bin/dig", "@{{ ip6_vip_dns2 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+https"] + - ["/usr/bin/dig", "@{{ ip6_vip_dns2 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+tls"] delegate_to: 127.0.0.1 changed_when: false register: smoketest_dig From 21cb06d2a2c68bb2d7b3e34ab780cdf8d93a3876 Mon Sep 17 00:00:00 2001 
From: znerol Date: Mon, 20 Apr 2026 15:40:18 +0200 Subject: [PATCH 07/12] Wait for dns ports to become available --- configuration-files/smoketest.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/configuration-files/smoketest.yml b/configuration-files/smoketest.yml index 6291139..b9d166b 100644 --- a/configuration-files/smoketest.yml +++ b/configuration-files/smoketest.yml @@ -3,6 +3,17 @@ become: false gather_facts: no tasks: + - loop: + - { host: "{{ ip6_vip_dns2 }}", port: 853 } + - { host: "{{ ip6_vip_dns1 }}", port: 853 } + - { host: "{{ ip4_vip_dns2 }}", port: 443 } + - { host: "{{ ip4_vip_dns1 }}", port: 443 } + delegate_to: 127.0.0.1 + changed_when: false + wait_for: + host: "{{ item['host'] }}" + port: "{{ item['port'] }}" + - loop: - ["/usr/bin/dig", "@{{ ip4_vip_dns1 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+https"] - ["/usr/bin/dig", "@{{ ip4_vip_dns1 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+tls"] From d3e3c17da0e420f906e6d73cb4cb27e9469c9ba3 Mon Sep 17 00:00:00 2001 From: znerol Date: Mon, 20 Apr 2026 16:03:14 +0200 Subject: [PATCH 08/12] Retry in ansible (not in dig) --- configuration-files/smoketest.yml | 29 ++++++++++------------------- 1 file changed, 10 insertions(+), 19 deletions(-) diff --git a/configuration-files/smoketest.yml b/configuration-files/smoketest.yml index b9d166b..2ec4d05 100644 --- a/configuration-files/smoketest.yml +++ b/configuration-files/smoketest.yml 
@@ -4,28 +4,19 @@ gather_facts: no tasks: - loop: - - { host: "{{ ip6_vip_dns2 }}", port: 853 } - - { host: "{{ ip6_vip_dns1 }}", port: 853 } - - { host: "{{ ip4_vip_dns2 }}", port: 443 } - - { host: "{{ ip4_vip_dns1 }}", port: 443 } - delegate_to: 127.0.0.1 - changed_when: false - wait_for: - host: "{{ item['host'] }}" - port: "{{ item['port'] }}" - - - loop: - - ["/usr/bin/dig", "@{{ ip4_vip_dns1 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+https"] - - ["/usr/bin/dig", "@{{ ip4_vip_dns1 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+tls"] - - ["/usr/bin/dig", "@{{ ip4_vip_dns2 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+https"] - - ["/usr/bin/dig", "@{{ ip4_vip_dns2 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+tls"] - - ["/usr/bin/dig", "@{{ ip6_vip_dns1 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+https"] - - ["/usr/bin/dig", "@{{ ip6_vip_dns1 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+tls"] - - ["/usr/bin/dig", "@{{ ip6_vip_dns2 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+https"] - - ["/usr/bin/dig", "@{{ ip6_vip_dns2 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+short", "+identify", "+tls"] + - ["/usr/bin/dig", "@{{ ip4_vip_dns1 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+retry=0", "+short", "+identify", "+https"] + - ["/usr/bin/dig", "@{{ ip4_vip_dns1 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+retry=0", "+short", "+identify", "+tls"] + - ["/usr/bin/dig", "@{{ ip4_vip_dns2 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+retry=0", "+short", "+identify", "+https"] + - ["/usr/bin/dig", "@{{ ip4_vip_dns2 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+retry=0", "+short", "+identify", "+tls"] + - ["/usr/bin/dig", "@{{ ip6_vip_dns1 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+retry=0", "+short", "+identify", "+https"] + - ["/usr/bin/dig", "@{{ ip6_vip_dns1 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+retry=0", "+short", "+identify", 
"+tls"] + - ["/usr/bin/dig", "@{{ ip6_vip_dns2 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+retry=0", "+short", "+identify", "+https"] + - ["/usr/bin/dig", "@{{ ip6_vip_dns2 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+retry=0", "+short", "+identify", "+tls"] delegate_to: 127.0.0.1 changed_when: false register: smoketest_dig + retries: 3 + delay: 3 command: argv: "{{ item }}" From e92f64ec46347df059c1391f08900e5768e65f88 Mon Sep 17 00:00:00 2001 From: znerol Date: Mon, 20 Apr 2026 16:20:23 +0200 Subject: [PATCH 09/12] Get rid of fail task --- configuration-files/smoketest.yml | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/configuration-files/smoketest.yml b/configuration-files/smoketest.yml index 2ec4d05..d8efb42 100644 --- a/configuration-files/smoketest.yml +++ b/configuration-files/smoketest.yml @@ -3,7 +3,8 @@ become: false gather_facts: no tasks: - - loop: + - name: "Smoketest | dig" + loop: - ["/usr/bin/dig", "@{{ ip4_vip_dns1 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+retry=0", "+short", "+identify", "+https"] - ["/usr/bin/dig", "@{{ ip4_vip_dns1 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+retry=0", "+short", "+identify", "+tls"] - ["/usr/bin/dig", "@{{ ip4_vip_dns2 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+retry=0", "+short", "+identify", "+https"] @@ -13,13 +14,11 @@ - ["/usr/bin/dig", "@{{ ip6_vip_dns2 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+retry=0", "+short", "+identify", "+https"] - ["/usr/bin/dig", "@{{ ip6_vip_dns2 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+retry=0", "+short", "+identify", "+tls"] delegate_to: 127.0.0.1 - changed_when: false - register: smoketest_dig - retries: 3 + when: ip4 == ip4_dns1 + retries: 2 delay: 3 + register: smoketest_dig + until: smoketest_dig.rc == 0 and smoketest_dig['stdout'].startswith('"hello world" from server') + changed_when: false command: argv: "{{ item }}" - - - loop: "{{ smoketest_dig.results }}" - when: not item['stdout'].startswith('"hello world" from server') - fail: 
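Review bot: The `when: ip4 == ip4_dns1` guard added in PATCH 09/12 makes the smoketest depend on two inventory variables that are not defined in this file; if no host satisfies the comparison, every loop item is skipped and the play ends green without a single query being sent. `run_once: true` expresses the same intent (run the delegated probes once) without that silent-skip path. With the separate `fail` task removed, the `until` expression is now the only assertion, so a skipped task is indistinguishable from a passing one in the CI result.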
From ae22887cd718fd8f578eb776130872767d1bf6d2 Mon Sep 17 00:00:00 2001
From: znerol
Date: Mon, 20 Apr 2026 18:37:17 +0200
Subject: [PATCH 10/12] Increase timeout / retry count
---
 configuration-files/smoketest.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/configuration-files/smoketest.yml b/configuration-files/smoketest.yml
index d8efb42..56a89c6 100644
--- a/configuration-files/smoketest.yml
+++ b/configuration-files/smoketest.yml
@@ -15,8 +15,8 @@
 - ["/usr/bin/dig", "@{{ ip6_vip_dns2 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+retry=0", "+short", "+identify", "+tls"]
 delegate_to: 127.0.0.1
 when: ip4 == ip4_dns1
- retries: 2
- delay: 3
+ retries: 3
+ delay: 5
 register: smoketest_dig
 until: smoketest_dig.rc == 0 and smoketest_dig['stdout'].startswith('"hello world" from server')
 changed_when: false
From 6b95d1c4f7edb4ba7440bf10e176d7e0ff1f7539 Mon Sep 17 00:00:00 2001
From: znerol
Date: Mon, 20 Apr 2026 18:55:37 +0200
Subject: [PATCH 11/12] Slowdown more
---
 configuration-files/smoketest.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/configuration-files/smoketest.yml b/configuration-files/smoketest.yml
index 56a89c6..5829966 100644
--- a/configuration-files/smoketest.yml
+++ b/configuration-files/smoketest.yml
@@ -15,8 +15,8 @@
 - ["/usr/bin/dig", "@{{ ip6_vip_dns2 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+retry=0", "+short", "+identify", "+tls"]
 delegate_to: 127.0.0.1
 when: ip4 == ip4_dns1
- retries: 3
- delay: 5
+ retries: 7
+ delay: 7
 register: smoketest_dig
 until: smoketest_dig.rc == 0 and smoketest_dig['stdout'].startswith('"hello world" from server')
 changed_when: false
From fbe0681e6e51dd080285cdc5a73f51b4891c2a5e Mon Sep 17 00:00:00 2001
From: znerol
Date: Sun, 17 May 2026 23:02:55 +0200
Subject: [PATCH 12/12] Add testssl with fixtures to detect changes in tls behavior
---
 .../testssl-results/10.52.7.42_p443.csv | 112 ++++++++++++++++++
 .../testssl-results/10.52.7.42_p853.csv | 110 +++++++++++++++++
 .../testssl-results/10.52.7.43_p443.csv | 112 ++++++++++++++++++
 .../testssl-results/10.52.7.43_p853.csv | 110 +++++++++++++++++
 configuration-files/smoketest.yml | 53 +++++++++
 5 files changed, 497 insertions(+)
 create mode 100644 .github/workflow-fixtures/testssl-results/10.52.7.42_p443.csv
 create mode 100644 .github/workflow-fixtures/testssl-results/10.52.7.42_p853.csv
 create mode 100644 .github/workflow-fixtures/testssl-results/10.52.7.43_p443.csv
 create mode 100644 .github/workflow-fixtures/testssl-results/10.52.7.43_p853.csv
diff --git a/.github/workflow-fixtures/testssl-results/10.52.7.42_p443.csv b/.github/workflow-fixtures/testssl-results/10.52.7.42_p443.csv
new file mode 100644
index 0000000..de84238
--- /dev/null
+++ b/.github/workflow-fixtures/testssl-results/10.52.7.42_p443.csv
@@ -0,0 +1,112 @@ +"id","fqdn/ip","port","severity","finding","cve","cwe" +"service","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","HTTP","","" +"pre_128cipher","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","No 128 cipher limit bug","","" +"SSLv2","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","not offered","","" +"SSLv3","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","not offered","","" +"TLS1","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","not offered","","" +"TLS1_1","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","not offered","","" +"TLS1_2","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","offered","","" +"TLS1_3","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","offered with final","","" +"NPN","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","not offered","","" +"ALPN_HTTP2","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","h2","","" +"ALPN","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","http/1.1","","" +"GREASE","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","No bugs found.","","" +"cipherlist_NULL","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","not offered","","CWE-327" +"cipherlist_aNULL","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","not offered","","CWE-327" +"cipherlist_EXPORT","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","not offered","","CWE-327" +"cipherlist_LOW","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","not offered","","CWE-327" +"cipherlist_3DES_IDEA","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","not offered","","CWE-310" +"cipherlist_OBSOLETED","dns.digitale-gesellschaft.ch/10.52.7.42","443","LOW","offered","","CWE-310" +"cipherlist_STRONG_NOFS","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","offered","","" +"cipherlist_STRONG_FS","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","offered","","" +"cipher_order-tls1_2","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","server -- server prioritizes ChaCha ciphers 
when preferred by clients","","" +"cipher-tls1_2_xc02c","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","TLSv1.2 xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","","" +"cipher-tls1_2_xc030","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","TLSv1.2 xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","","" +"cipher-tls1_2_xcca9","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","TLSv1.2 xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","","" +"cipher-tls1_2_xcca8","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","TLSv1.2 xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","","" +"cipher-tls1_2_xc02b","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","TLSv1.2 xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","","" +"cipher-tls1_2_xc02f","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","TLSv1.2 xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","","" +"cipher-tls1_2_xc024","dns.digitale-gesellschaft.ch/10.52.7.42","443","LOW","TLSv1.2 xc024 ECDHE-ECDSA-AES256-SHA384 ECDH 253 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384","","" +"cipher-tls1_2_xc028","dns.digitale-gesellschaft.ch/10.52.7.42","443","LOW","TLSv1.2 xc028 ECDHE-RSA-AES256-SHA384 ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384","","" +"cipher-tls1_2_xc023","dns.digitale-gesellschaft.ch/10.52.7.42","443","LOW","TLSv1.2 xc023 ECDHE-ECDSA-AES128-SHA256 ECDH 253 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256","","" +"cipher-tls1_2_xc027","dns.digitale-gesellschaft.ch/10.52.7.42","443","LOW","TLSv1.2 xc027 ECDHE-RSA-AES128-SHA256 ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256","","" +"cipher-tls1_2_xc00a","dns.digitale-gesellschaft.ch/10.52.7.42","443","LOW","TLSv1.2 xc00a ECDHE-ECDSA-AES256-SHA 
ECDH 253 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA","","" +"cipher-tls1_2_xc014","dns.digitale-gesellschaft.ch/10.52.7.42","443","LOW","TLSv1.2 xc014 ECDHE-RSA-AES256-SHA ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","","" +"cipher-tls1_2_xc009","dns.digitale-gesellschaft.ch/10.52.7.42","443","LOW","TLSv1.2 xc009 ECDHE-ECDSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA","","" +"cipher-tls1_2_xc013","dns.digitale-gesellschaft.ch/10.52.7.42","443","LOW","TLSv1.2 xc013 ECDHE-RSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","","" +"cipher-tls1_2_x9d","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","TLSv1.2 x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384","","" +"cipher-tls1_2_x9c","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","TLSv1.2 x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256","","" +"cipher-tls1_2_x3d","dns.digitale-gesellschaft.ch/10.52.7.42","443","LOW","TLSv1.2 x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256","","" +"cipher-tls1_2_x3c","dns.digitale-gesellschaft.ch/10.52.7.42","443","LOW","TLSv1.2 x3c AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256","","" +"cipher-tls1_2_x35","dns.digitale-gesellschaft.ch/10.52.7.42","443","LOW","TLSv1.2 x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA","","" +"cipher-tls1_2_x2f","dns.digitale-gesellschaft.ch/10.52.7.42","443","LOW","TLSv1.2 x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA","","" +"cipherorder_TLSv1_2","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 
AES128-SHA256 AES256-SHA AES128-SHA","","" +"prioritize_chacha_TLSv1_2","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","true","","" +"cipher_order-tls1_3","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","server -- server prioritizes ChaCha ciphers when preferred by clients","","" +"cipher-tls1_3_x1302","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","TLSv1.3 x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384","","" +"cipher-tls1_3_x1303","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","TLSv1.3 x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256","","" +"cipher-tls1_3_x1301","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","TLSv1.3 x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256","","" +"cipherorder_TLSv1_3","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256","","" +"prioritize_chacha_TLSv1_3","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","true","","" +"cipher_order","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","server","","" +"FS","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","offered","","" +"FS_ciphers","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES128-SHA","","" +"FS_KEMs","dns.digitale-gesellschaft.ch/10.52.7.42","443","LOW","No KEMs offered","","" +"FS_ECDHE_curves","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","prime256v1 secp384r1 secp521r1 X25519 X448","","" 
+"DH_groups","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","ffdhe2048 ffdhe3072 ffdhe4096 ffdhe6144 ffdhe8192","","" +"FS_TLS12_sig_algs","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512 RSA+SHA256 RSA+SHA384 RSA+SHA512 RSA+SHA224 ECDSA+SHA256 ECDSA+SHA384 ECDSA+SHA512 ECDSA+SHA224","","" +"FS_TLS13_sig_algs","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","ECDSA+SHA256 RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512","","" +"heartbleed","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","not vulnerable, no heartbeat extension","CVE-2014-0160","CWE-119" +"CCS","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","not vulnerable","CVE-2014-0224","CWE-310" +"ticketbleed","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","not vulnerable","CVE-2016-9244","CWE-200" +"ROBOT","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","not vulnerable","CVE-2017-17382 CVE-2017-17427 CVE-2017-17428 CVE-2017-13098 CVE-2017-1000385 CVE-2017-13099 CVE-2016-6883 CVE-2012-5081 CVE-2017-6168","CWE-203" +"secure_renego","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","supported","","CWE-310" +"secure_client_renego","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","not vulnerable, mitigated","CVE-2011-1473","CWE-310" +"CRIME_TLS","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","not vulnerable","CVE-2012-4929","CWE-310" +"BREACH","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","not vulnerable, no gzip/deflate/compress/br HTTP compression - only supplied '/' tested","CVE-2013-3587","CWE-310" +"POODLE_SSL","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","not vulnerable, no SSLv3","CVE-2014-3566","CWE-310" +"fallback_SCSV","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","no protocol below TLS 1.2 offered","","" +"SWEET32","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","not vulnerable","CVE-2016-2183 CVE-2016-6329","CWE-327" 
+"FREAK","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","not vulnerable","CVE-2015-0204","CWE-310" +"DROWN","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","not vulnerable on this host and port","CVE-2016-0800 CVE-2016-0703","CWE-310" +"LOGJAM","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","not vulnerable, no DH EXPORT ciphers,","CVE-2015-4000","CWE-310" +"LOGJAM-common_primes","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","no DH key with <= TLS 1.2","CVE-2015-4000","CWE-310" +"BEAST","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","not vulnerable, no SSL3 or TLS1","CVE-2011-3389","CWE-20" +"LUCKY13","dns.digitale-gesellschaft.ch/10.52.7.42","443","LOW","potentially vulnerable, uses obsolete TLS CBC ciphers","CVE-2013-0169","CWE-310" +"winshock","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","not vulnerable","CVE-2014-6321","CWE-94" +"RC4","dns.digitale-gesellschaft.ch/10.52.7.42","443","OK","not vulnerable","CVE-2013-2566 CVE-2015-2808","CWE-310" +"clientsimulation-android_70","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-android_81","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-android_90","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-android_X","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-android_11_12","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-android_13_14","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-android_15","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-chrome_101_win10","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLSv1.3 
TLS_AES_256_GCM_SHA384","","" +"clientsimulation-chromium_137_win11","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-firefox_100_win10","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-firefox_137_win11","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-ie_8_win7","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","No connection","","" +"clientsimulation-ie_11_win7","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-ie_11_win81","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-ie_11_winphone81","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-ie_11_win10","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-edge_15_win10","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-edge_101_win10_21h2","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-edge_133_win11_23h2","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-safari_184_ios_184","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-safari_154_osx_1231","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-safari_184_osx_154","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-java_7u25","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","No connection","","" 
+"clientsimulation-java_80442","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-java_1102","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-java_1703","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-java_2106","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-go_1178","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-libressl_336","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLSv1.3 TLS_CHACHA20_POLY1305_SHA256","","" +"clientsimulation-openssl_102e","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-openssl_111d","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-openssl_315","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-openssl_350","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-apple_mail_16_0","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-thunderbird_91_9","dns.digitale-gesellschaft.ch/10.52.7.42","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" diff --git a/.github/workflow-fixtures/testssl-results/10.52.7.42_p853.csv b/.github/workflow-fixtures/testssl-results/10.52.7.42_p853.csv new file mode 100644 index 0000000..4c20812 --- /dev/null +++ b/.github/workflow-fixtures/testssl-results/10.52.7.42_p853.csv 
@@ -0,0 +1,110 @@ +"id","fqdn/ip","port","severity","finding","cve","cwe" +"service","dns.digitale-gesellschaft.ch/10.52.7.42","853","DEBUG","Couldn't determine service, skipping all HTTP checks","","" +"pre_128cipher","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","No 128 cipher limit bug","","" +"SSLv2","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","not offered","","" +"SSLv3","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","not offered","","" +"TLS1","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","not offered","","" +"TLS1_1","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","not offered","","" +"TLS1_2","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","offered","","" +"TLS1_3","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","offered with final","","" +"NPN","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","not offered","","" +"ALPN","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","not offered","","" +"GREASE","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","No bugs found.","","" +"cipherlist_NULL","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","not offered","","CWE-327" +"cipherlist_aNULL","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","not offered","","CWE-327" +"cipherlist_EXPORT","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","not offered","","CWE-327" +"cipherlist_LOW","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","not offered","","CWE-327" +"cipherlist_3DES_IDEA","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","not offered","","CWE-310" +"cipherlist_OBSOLETED","dns.digitale-gesellschaft.ch/10.52.7.42","853","LOW","offered","","CWE-310" +"cipherlist_STRONG_NOFS","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","offered","","" +"cipherlist_STRONG_FS","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","offered","","" +"cipher_order-tls1_2","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","server -- server prioritizes ChaCha ciphers when preferred by 
clients","","" +"cipher-tls1_2_xc02c","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","TLSv1.2 xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","","" +"cipher-tls1_2_xc030","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","TLSv1.2 xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","","" +"cipher-tls1_2_xcca9","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","TLSv1.2 xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","","" +"cipher-tls1_2_xcca8","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","TLSv1.2 xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","","" +"cipher-tls1_2_xc02b","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","TLSv1.2 xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","","" +"cipher-tls1_2_xc02f","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","TLSv1.2 xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","","" +"cipher-tls1_2_xc024","dns.digitale-gesellschaft.ch/10.52.7.42","853","LOW","TLSv1.2 xc024 ECDHE-ECDSA-AES256-SHA384 ECDH 253 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384","","" +"cipher-tls1_2_xc028","dns.digitale-gesellschaft.ch/10.52.7.42","853","LOW","TLSv1.2 xc028 ECDHE-RSA-AES256-SHA384 ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384","","" +"cipher-tls1_2_xc023","dns.digitale-gesellschaft.ch/10.52.7.42","853","LOW","TLSv1.2 xc023 ECDHE-ECDSA-AES128-SHA256 ECDH 253 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256","","" +"cipher-tls1_2_xc027","dns.digitale-gesellschaft.ch/10.52.7.42","853","LOW","TLSv1.2 xc027 ECDHE-RSA-AES128-SHA256 ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256","","" +"cipher-tls1_2_xc00a","dns.digitale-gesellschaft.ch/10.52.7.42","853","LOW","TLSv1.2 xc00a ECDHE-ECDSA-AES256-SHA ECDH 253 AES 256 
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA","","" +"cipher-tls1_2_xc014","dns.digitale-gesellschaft.ch/10.52.7.42","853","LOW","TLSv1.2 xc014 ECDHE-RSA-AES256-SHA ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","","" +"cipher-tls1_2_xc009","dns.digitale-gesellschaft.ch/10.52.7.42","853","LOW","TLSv1.2 xc009 ECDHE-ECDSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA","","" +"cipher-tls1_2_xc013","dns.digitale-gesellschaft.ch/10.52.7.42","853","LOW","TLSv1.2 xc013 ECDHE-RSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","","" +"cipher-tls1_2_x9d","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","TLSv1.2 x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384","","" +"cipher-tls1_2_x9c","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","TLSv1.2 x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256","","" +"cipher-tls1_2_x3d","dns.digitale-gesellschaft.ch/10.52.7.42","853","LOW","TLSv1.2 x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256","","" +"cipher-tls1_2_x3c","dns.digitale-gesellschaft.ch/10.52.7.42","853","LOW","TLSv1.2 x3c AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256","","" +"cipher-tls1_2_x35","dns.digitale-gesellschaft.ch/10.52.7.42","853","LOW","TLSv1.2 x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA","","" +"cipher-tls1_2_x2f","dns.digitale-gesellschaft.ch/10.52.7.42","853","LOW","TLSv1.2 x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA","","" +"cipherorder_TLSv1_2","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES128-SHA256 AES256-SHA 
AES128-SHA","","" +"prioritize_chacha_TLSv1_2","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","true","","" +"cipher_order-tls1_3","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","server -- server prioritizes ChaCha ciphers when preferred by clients","","" +"cipher-tls1_3_x1302","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","TLSv1.3 x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384","","" +"cipher-tls1_3_x1303","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","TLSv1.3 x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256","","" +"cipher-tls1_3_x1301","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","TLSv1.3 x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256","","" +"cipherorder_TLSv1_3","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256","","" +"prioritize_chacha_TLSv1_3","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","true","","" +"cipher_order","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","server","","" +"FS","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","offered","","" +"FS_ciphers","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES128-SHA","","" +"FS_KEMs","dns.digitale-gesellschaft.ch/10.52.7.42","853","LOW","No KEMs offered","","" +"FS_ECDHE_curves","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","prime256v1 secp384r1 secp521r1 X25519 X448","","" +"DH_groups","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","ffdhe2048 
ffdhe3072 ffdhe4096 ffdhe6144 ffdhe8192","","" +"FS_TLS12_sig_algs","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512 RSA+SHA256 RSA+SHA384 RSA+SHA512 RSA+SHA224 ECDSA+SHA256 ECDSA+SHA384 ECDSA+SHA512 ECDSA+SHA224","","" +"FS_TLS13_sig_algs","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","ECDSA+SHA256 RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512","","" +"heartbleed","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","not vulnerable, no heartbeat extension","CVE-2014-0160","CWE-119" +"CCS","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","not vulnerable","CVE-2014-0224","CWE-310" +"ticketbleed","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","not applicable, not HTTP","CVE-2016-9244","CWE-200" +"ROBOT","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","not vulnerable","CVE-2017-17382 CVE-2017-17427 CVE-2017-17428 CVE-2017-13098 CVE-2017-1000385 CVE-2017-13099 CVE-2016-6883 CVE-2012-5081 CVE-2017-6168","CWE-203" +"secure_renego","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","supported","","CWE-310" +"secure_client_renego","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","not vulnerable","CVE-2011-1473","CWE-310" +"CRIME_TLS","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","not vulnerable (not using HTTP anyway)","CVE-2012-4929","CWE-310" +"POODLE_SSL","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","not vulnerable, no SSLv3","CVE-2014-3566","CWE-310" +"fallback_SCSV","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","no protocol below TLS 1.2 offered","","" +"SWEET32","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","not vulnerable","CVE-2016-2183 CVE-2016-6329","CWE-327" +"FREAK","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","not vulnerable","CVE-2015-0204","CWE-310" +"DROWN","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","not vulnerable on this host and port","CVE-2016-0800 CVE-2016-0703","CWE-310" 
+"LOGJAM","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","not vulnerable, no DH EXPORT ciphers,","CVE-2015-4000","CWE-310" +"LOGJAM-common_primes","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","no DH key with <= TLS 1.2","CVE-2015-4000","CWE-310" +"BEAST","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","not vulnerable, no SSL3 or TLS1","CVE-2011-3389","CWE-20" +"LUCKY13","dns.digitale-gesellschaft.ch/10.52.7.42","853","LOW","potentially vulnerable, uses obsolete TLS CBC ciphers","CVE-2013-0169","CWE-310" +"winshock","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","not vulnerable","CVE-2014-6321","CWE-94" +"RC4","dns.digitale-gesellschaft.ch/10.52.7.42","853","OK","not vulnerable","CVE-2013-2566 CVE-2015-2808","CWE-310" +"clientsimulation-android_70","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-android_81","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-android_90","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-android_X","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-android_11_12","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-android_13_14","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-android_15","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-chrome_101_win10","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-chromium_137_win11","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" 
+"clientsimulation-firefox_100_win10","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-firefox_137_win11","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-ie_8_win7","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","No connection","","" +"clientsimulation-ie_11_win7","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-ie_11_win81","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-ie_11_winphone81","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-ie_11_win10","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-edge_15_win10","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-edge_101_win10_21h2","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-edge_133_win11_23h2","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-safari_184_ios_184","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-safari_154_osx_1231","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-safari_184_osx_154","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-java_7u25","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","No connection","","" +"clientsimulation-java_80442","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" 
+"clientsimulation-java_1102","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-java_1703","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-java_2106","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-go_1178","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-libressl_336","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLSv1.3 TLS_CHACHA20_POLY1305_SHA256","","" +"clientsimulation-openssl_102e","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-openssl_111d","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-openssl_315","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-openssl_350","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-apple_mail_16_0","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-thunderbird_91_9","dns.digitale-gesellschaft.ch/10.52.7.42","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" diff --git a/.github/workflow-fixtures/testssl-results/10.52.7.43_p443.csv b/.github/workflow-fixtures/testssl-results/10.52.7.43_p443.csv new file mode 100644 index 0000000..d168678 --- /dev/null +++ b/.github/workflow-fixtures/testssl-results/10.52.7.43_p443.csv 
@@ -0,0 +1,112 @@ +"id","fqdn/ip","port","severity","finding","cve","cwe" +"service","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","HTTP","","" +"pre_128cipher","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","No 128 cipher limit bug","","" +"SSLv2","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","not offered","","" +"SSLv3","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","not offered","","" +"TLS1","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","not offered","","" +"TLS1_1","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","not offered","","" +"TLS1_2","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","offered","","" +"TLS1_3","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","offered with final","","" +"NPN","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","not offered","","" +"ALPN_HTTP2","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","h2","","" +"ALPN","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","http/1.1","","" +"GREASE","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","No bugs found.","","" +"cipherlist_NULL","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","not offered","","CWE-327" +"cipherlist_aNULL","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","not offered","","CWE-327" +"cipherlist_EXPORT","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","not offered","","CWE-327" +"cipherlist_LOW","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","not offered","","CWE-327" +"cipherlist_3DES_IDEA","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","not offered","","CWE-310" +"cipherlist_OBSOLETED","dns.digitale-gesellschaft.ch/10.52.7.43","443","LOW","offered","","CWE-310" +"cipherlist_STRONG_NOFS","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","offered","","" +"cipherlist_STRONG_FS","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","offered","","" +"cipher_order-tls1_2","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","server -- server prioritizes ChaCha ciphers 
when preferred by clients","","" +"cipher-tls1_2_xc02c","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","TLSv1.2 xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","","" +"cipher-tls1_2_xc030","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","TLSv1.2 xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","","" +"cipher-tls1_2_xcca9","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","TLSv1.2 xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","","" +"cipher-tls1_2_xcca8","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","TLSv1.2 xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","","" +"cipher-tls1_2_xc02b","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","TLSv1.2 xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","","" +"cipher-tls1_2_xc02f","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","TLSv1.2 xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","","" +"cipher-tls1_2_xc024","dns.digitale-gesellschaft.ch/10.52.7.43","443","LOW","TLSv1.2 xc024 ECDHE-ECDSA-AES256-SHA384 ECDH 253 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384","","" +"cipher-tls1_2_xc028","dns.digitale-gesellschaft.ch/10.52.7.43","443","LOW","TLSv1.2 xc028 ECDHE-RSA-AES256-SHA384 ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384","","" +"cipher-tls1_2_xc023","dns.digitale-gesellschaft.ch/10.52.7.43","443","LOW","TLSv1.2 xc023 ECDHE-ECDSA-AES128-SHA256 ECDH 253 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256","","" +"cipher-tls1_2_xc027","dns.digitale-gesellschaft.ch/10.52.7.43","443","LOW","TLSv1.2 xc027 ECDHE-RSA-AES128-SHA256 ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256","","" +"cipher-tls1_2_xc00a","dns.digitale-gesellschaft.ch/10.52.7.43","443","LOW","TLSv1.2 xc00a ECDHE-ECDSA-AES256-SHA 
ECDH 253 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA","","" +"cipher-tls1_2_xc014","dns.digitale-gesellschaft.ch/10.52.7.43","443","LOW","TLSv1.2 xc014 ECDHE-RSA-AES256-SHA ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","","" +"cipher-tls1_2_xc009","dns.digitale-gesellschaft.ch/10.52.7.43","443","LOW","TLSv1.2 xc009 ECDHE-ECDSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA","","" +"cipher-tls1_2_xc013","dns.digitale-gesellschaft.ch/10.52.7.43","443","LOW","TLSv1.2 xc013 ECDHE-RSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","","" +"cipher-tls1_2_x9d","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","TLSv1.2 x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384","","" +"cipher-tls1_2_x9c","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","TLSv1.2 x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256","","" +"cipher-tls1_2_x3d","dns.digitale-gesellschaft.ch/10.52.7.43","443","LOW","TLSv1.2 x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256","","" +"cipher-tls1_2_x3c","dns.digitale-gesellschaft.ch/10.52.7.43","443","LOW","TLSv1.2 x3c AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256","","" +"cipher-tls1_2_x35","dns.digitale-gesellschaft.ch/10.52.7.43","443","LOW","TLSv1.2 x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA","","" +"cipher-tls1_2_x2f","dns.digitale-gesellschaft.ch/10.52.7.43","443","LOW","TLSv1.2 x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA","","" +"cipherorder_TLSv1_2","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 
AES128-SHA256 AES256-SHA AES128-SHA","","" +"prioritize_chacha_TLSv1_2","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","true","","" +"cipher_order-tls1_3","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","server -- server prioritizes ChaCha ciphers when preferred by clients","","" +"cipher-tls1_3_x1302","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","TLSv1.3 x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384","","" +"cipher-tls1_3_x1303","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","TLSv1.3 x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256","","" +"cipher-tls1_3_x1301","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","TLSv1.3 x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256","","" +"cipherorder_TLSv1_3","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256","","" +"prioritize_chacha_TLSv1_3","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","true","","" +"cipher_order","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","server","","" +"FS","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","offered","","" +"FS_ciphers","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES128-SHA","","" +"FS_KEMs","dns.digitale-gesellschaft.ch/10.52.7.43","443","LOW","No KEMs offered","","" +"FS_ECDHE_curves","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","prime256v1 secp384r1 secp521r1 X25519 X448","","" 
+"DH_groups","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","ffdhe2048 ffdhe3072 ffdhe4096 ffdhe6144 ffdhe8192","","" +"FS_TLS12_sig_algs","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512 RSA+SHA256 RSA+SHA384 RSA+SHA512 RSA+SHA224 ECDSA+SHA256 ECDSA+SHA384 ECDSA+SHA512 ECDSA+SHA224","","" +"FS_TLS13_sig_algs","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","ECDSA+SHA256 RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512","","" +"heartbleed","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","not vulnerable, no heartbeat extension","CVE-2014-0160","CWE-119" +"CCS","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","not vulnerable","CVE-2014-0224","CWE-310" +"ticketbleed","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","not vulnerable","CVE-2016-9244","CWE-200" +"ROBOT","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","not vulnerable","CVE-2017-17382 CVE-2017-17427 CVE-2017-17428 CVE-2017-13098 CVE-2017-1000385 CVE-2017-13099 CVE-2016-6883 CVE-2012-5081 CVE-2017-6168","CWE-203" +"secure_renego","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","supported","","CWE-310" +"secure_client_renego","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","not vulnerable, mitigated","CVE-2011-1473","CWE-310" +"CRIME_TLS","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","not vulnerable","CVE-2012-4929","CWE-310" +"BREACH","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","not vulnerable, no gzip/deflate/compress/br HTTP compression - only supplied '/' tested","CVE-2013-3587","CWE-310" +"POODLE_SSL","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","not vulnerable, no SSLv3","CVE-2014-3566","CWE-310" +"fallback_SCSV","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","no protocol below TLS 1.2 offered","","" +"SWEET32","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","not vulnerable","CVE-2016-2183 CVE-2016-6329","CWE-327" 
+"FREAK","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","not vulnerable","CVE-2015-0204","CWE-310" +"DROWN","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","not vulnerable on this host and port","CVE-2016-0800 CVE-2016-0703","CWE-310" +"LOGJAM","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","not vulnerable, no DH EXPORT ciphers,","CVE-2015-4000","CWE-310" +"LOGJAM-common_primes","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","no DH key with <= TLS 1.2","CVE-2015-4000","CWE-310" +"BEAST","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","not vulnerable, no SSL3 or TLS1","CVE-2011-3389","CWE-20" +"LUCKY13","dns.digitale-gesellschaft.ch/10.52.7.43","443","LOW","potentially vulnerable, uses obsolete TLS CBC ciphers","CVE-2013-0169","CWE-310" +"winshock","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","not vulnerable","CVE-2014-6321","CWE-94" +"RC4","dns.digitale-gesellschaft.ch/10.52.7.43","443","OK","not vulnerable","CVE-2013-2566 CVE-2015-2808","CWE-310" +"clientsimulation-android_70","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-android_81","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-android_90","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-android_X","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-android_11_12","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-android_13_14","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-android_15","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-chrome_101_win10","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLSv1.3 
TLS_AES_256_GCM_SHA384","","" +"clientsimulation-chromium_137_win11","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-firefox_100_win10","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-firefox_137_win11","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-ie_8_win7","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","No connection","","" +"clientsimulation-ie_11_win7","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-ie_11_win81","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-ie_11_winphone81","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-ie_11_win10","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-edge_15_win10","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-edge_101_win10_21h2","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-edge_133_win11_23h2","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-safari_184_ios_184","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-safari_154_osx_1231","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-safari_184_osx_154","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-java_7u25","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","No connection","","" 
+"clientsimulation-java_80442","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-java_1102","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-java_1703","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-java_2106","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-go_1178","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-libressl_336","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLSv1.3 TLS_CHACHA20_POLY1305_SHA256","","" +"clientsimulation-openssl_102e","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-openssl_111d","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-openssl_315","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-openssl_350","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-apple_mail_16_0","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-thunderbird_91_9","dns.digitale-gesellschaft.ch/10.52.7.43","443","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" diff --git a/.github/workflow-fixtures/testssl-results/10.52.7.43_p853.csv b/.github/workflow-fixtures/testssl-results/10.52.7.43_p853.csv new file mode 100644 index 0000000..15df990 --- /dev/null +++ b/.github/workflow-fixtures/testssl-results/10.52.7.43_p853.csv 
@@ -0,0 +1,110 @@ +"id","fqdn/ip","port","severity","finding","cve","cwe" +"service","dns.digitale-gesellschaft.ch/10.52.7.43","853","DEBUG","Couldn't determine service, skipping all HTTP checks","","" +"pre_128cipher","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","No 128 cipher limit bug","","" +"SSLv2","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","not offered","","" +"SSLv3","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","not offered","","" +"TLS1","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","not offered","","" +"TLS1_1","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","not offered","","" +"TLS1_2","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","offered","","" +"TLS1_3","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","offered with final","","" +"NPN","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","not offered","","" +"ALPN","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","not offered","","" +"GREASE","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","No bugs found.","","" +"cipherlist_NULL","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","not offered","","CWE-327" +"cipherlist_aNULL","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","not offered","","CWE-327" +"cipherlist_EXPORT","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","not offered","","CWE-327" +"cipherlist_LOW","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","not offered","","CWE-327" +"cipherlist_3DES_IDEA","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","not offered","","CWE-310" +"cipherlist_OBSOLETED","dns.digitale-gesellschaft.ch/10.52.7.43","853","LOW","offered","","CWE-310" +"cipherlist_STRONG_NOFS","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","offered","","" +"cipherlist_STRONG_FS","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","offered","","" +"cipher_order-tls1_2","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","server -- server prioritizes ChaCha ciphers when preferred by 
clients","","" +"cipher-tls1_2_xc02c","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","TLSv1.2 xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","","" +"cipher-tls1_2_xc030","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","TLSv1.2 xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","","" +"cipher-tls1_2_xcca9","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","TLSv1.2 xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","","" +"cipher-tls1_2_xcca8","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","TLSv1.2 xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","","" +"cipher-tls1_2_xc02b","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","TLSv1.2 xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","","" +"cipher-tls1_2_xc02f","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","TLSv1.2 xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","","" +"cipher-tls1_2_xc024","dns.digitale-gesellschaft.ch/10.52.7.43","853","LOW","TLSv1.2 xc024 ECDHE-ECDSA-AES256-SHA384 ECDH 253 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384","","" +"cipher-tls1_2_xc028","dns.digitale-gesellschaft.ch/10.52.7.43","853","LOW","TLSv1.2 xc028 ECDHE-RSA-AES256-SHA384 ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384","","" +"cipher-tls1_2_xc023","dns.digitale-gesellschaft.ch/10.52.7.43","853","LOW","TLSv1.2 xc023 ECDHE-ECDSA-AES128-SHA256 ECDH 253 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256","","" +"cipher-tls1_2_xc027","dns.digitale-gesellschaft.ch/10.52.7.43","853","LOW","TLSv1.2 xc027 ECDHE-RSA-AES128-SHA256 ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256","","" +"cipher-tls1_2_xc00a","dns.digitale-gesellschaft.ch/10.52.7.43","853","LOW","TLSv1.2 xc00a ECDHE-ECDSA-AES256-SHA ECDH 253 AES 256 
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA","","" +"cipher-tls1_2_xc014","dns.digitale-gesellschaft.ch/10.52.7.43","853","LOW","TLSv1.2 xc014 ECDHE-RSA-AES256-SHA ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","","" +"cipher-tls1_2_xc009","dns.digitale-gesellschaft.ch/10.52.7.43","853","LOW","TLSv1.2 xc009 ECDHE-ECDSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA","","" +"cipher-tls1_2_xc013","dns.digitale-gesellschaft.ch/10.52.7.43","853","LOW","TLSv1.2 xc013 ECDHE-RSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","","" +"cipher-tls1_2_x9d","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","TLSv1.2 x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384","","" +"cipher-tls1_2_x9c","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","TLSv1.2 x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256","","" +"cipher-tls1_2_x3d","dns.digitale-gesellschaft.ch/10.52.7.43","853","LOW","TLSv1.2 x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256","","" +"cipher-tls1_2_x3c","dns.digitale-gesellschaft.ch/10.52.7.43","853","LOW","TLSv1.2 x3c AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256","","" +"cipher-tls1_2_x35","dns.digitale-gesellschaft.ch/10.52.7.43","853","LOW","TLSv1.2 x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA","","" +"cipher-tls1_2_x2f","dns.digitale-gesellschaft.ch/10.52.7.43","853","LOW","TLSv1.2 x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA","","" +"cipherorder_TLSv1_2","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES128-SHA256 AES256-SHA 
AES128-SHA","","" +"prioritize_chacha_TLSv1_2","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","true","","" +"cipher_order-tls1_3","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","server -- server prioritizes ChaCha ciphers when preferred by clients","","" +"cipher-tls1_3_x1302","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","TLSv1.3 x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384","","" +"cipher-tls1_3_x1303","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","TLSv1.3 x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256","","" +"cipher-tls1_3_x1301","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","TLSv1.3 x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256","","" +"cipherorder_TLSv1_3","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256","","" +"prioritize_chacha_TLSv1_3","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","true","","" +"cipher_order","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","server","","" +"FS","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","offered","","" +"FS_ciphers","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES128-SHA","","" +"FS_KEMs","dns.digitale-gesellschaft.ch/10.52.7.43","853","LOW","No KEMs offered","","" +"FS_ECDHE_curves","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","prime256v1 secp384r1 secp521r1 X25519 X448","","" +"DH_groups","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","ffdhe2048 
ffdhe3072 ffdhe4096 ffdhe6144 ffdhe8192","","" +"FS_TLS12_sig_algs","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512 RSA+SHA256 RSA+SHA384 RSA+SHA512 RSA+SHA224 ECDSA+SHA256 ECDSA+SHA384 ECDSA+SHA512 ECDSA+SHA224","","" +"FS_TLS13_sig_algs","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","ECDSA+SHA256 RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512","","" +"heartbleed","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","not vulnerable, no heartbeat extension","CVE-2014-0160","CWE-119" +"CCS","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","not vulnerable","CVE-2014-0224","CWE-310" +"ticketbleed","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","not applicable, not HTTP","CVE-2016-9244","CWE-200" +"ROBOT","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","not vulnerable","CVE-2017-17382 CVE-2017-17427 CVE-2017-17428 CVE-2017-13098 CVE-2017-1000385 CVE-2017-13099 CVE-2016-6883 CVE-2012-5081 CVE-2017-6168","CWE-203" +"secure_renego","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","supported","","CWE-310" +"secure_client_renego","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","not vulnerable","CVE-2011-1473","CWE-310" +"CRIME_TLS","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","not vulnerable (not using HTTP anyway)","CVE-2012-4929","CWE-310" +"POODLE_SSL","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","not vulnerable, no SSLv3","CVE-2014-3566","CWE-310" +"fallback_SCSV","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","no protocol below TLS 1.2 offered","","" +"SWEET32","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","not vulnerable","CVE-2016-2183 CVE-2016-6329","CWE-327" +"FREAK","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","not vulnerable","CVE-2015-0204","CWE-310" +"DROWN","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","not vulnerable on this host and port","CVE-2016-0800 CVE-2016-0703","CWE-310" 
+"LOGJAM","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","not vulnerable, no DH EXPORT ciphers,","CVE-2015-4000","CWE-310" +"LOGJAM-common_primes","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","no DH key with <= TLS 1.2","CVE-2015-4000","CWE-310" +"BEAST","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","not vulnerable, no SSL3 or TLS1","CVE-2011-3389","CWE-20" +"LUCKY13","dns.digitale-gesellschaft.ch/10.52.7.43","853","LOW","potentially vulnerable, uses obsolete TLS CBC ciphers","CVE-2013-0169","CWE-310" +"winshock","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","not vulnerable","CVE-2014-6321","CWE-94" +"RC4","dns.digitale-gesellschaft.ch/10.52.7.43","853","OK","not vulnerable","CVE-2013-2566 CVE-2015-2808","CWE-310" +"clientsimulation-android_70","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-android_81","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-android_90","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-android_X","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-android_11_12","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-android_13_14","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-android_15","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-chrome_101_win10","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-chromium_137_win11","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" 
+"clientsimulation-firefox_100_win10","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-firefox_137_win11","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-ie_8_win7","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","No connection","","" +"clientsimulation-ie_11_win7","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-ie_11_win81","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-ie_11_winphone81","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-ie_11_win10","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-edge_15_win10","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-edge_101_win10_21h2","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-edge_133_win11_23h2","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-safari_184_ios_184","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-safari_154_osx_1231","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-safari_184_osx_154","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-java_7u25","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","No connection","","" +"clientsimulation-java_80442","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" 
+"clientsimulation-java_1102","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-java_1703","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-java_2106","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-go_1178","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-libressl_336","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLSv1.3 TLS_CHACHA20_POLY1305_SHA256","","" +"clientsimulation-openssl_102e","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-openssl_111d","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-openssl_315","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-openssl_350","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" +"clientsimulation-apple_mail_16_0","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384","","" +"clientsimulation-thunderbird_91_9","dns.digitale-gesellschaft.ch/10.52.7.43","853","INFO","TLSv1.3 TLS_AES_256_GCM_SHA384","","" diff --git a/configuration-files/smoketest.yml b/configuration-files/smoketest.yml index 5829966..f4e81e2 100644 --- a/configuration-files/smoketest.yml +++ b/configuration-files/smoketest.yml 
@@ -15,10 +15,63 @@
 - ["/usr/bin/dig", "@{{ ip6_vip_dns2 }}", "-tTXT", "txt.dns-probe.znerol.ch", "+retry=0", "+short", "+identify", "+tls"]
 delegate_to: 127.0.0.1
 when: ip4 == ip4_dns1
+ changed_when: false
 retries: 7
 delay: 7
 register: smoketest_dig
 until: smoketest_dig.rc == 0 and smoketest_dig['stdout'].startswith('"hello world" from server')
+ command:
+ argv: "{{ item }}"
+
+ - name: "Smoketest | testssl | async"
+ loop:
+ - ["/usr/bin/podman", "run", "--rm", "--userns=keep-id", "--volume=./../.github/workflow-fixtures/testssl-results:/testssl-results", "docker.io/drwetter/testssl.sh", "--categories", "--forward-secrecy", "--protocols", "--server-preference", "--client-simulation", "--grease", "--vulnerabilities", "--overwrite", "--csvfile", "/testssl-results/{{ ip4_vip_dns1 }}_p443.csv", "--ip", "{{ ip4_vip_dns1 }}", "dns.digitale-gesellschaft.ch:443" ]
+ - ["/usr/bin/podman", "run", "--rm", "--userns=keep-id", "--volume=./../.github/workflow-fixtures/testssl-results:/testssl-results", "docker.io/drwetter/testssl.sh", "--categories", "--forward-secrecy", "--protocols", "--server-preference", "--client-simulation", "--grease", "--vulnerabilities", "--overwrite", "--csvfile", "/testssl-results/{{ ip4_vip_dns1 }}_p853.csv", "--ip", "{{ ip4_vip_dns1 }}", "dns.digitale-gesellschaft.ch:853" ]
+ - ["/usr/bin/podman", "run", "--rm", "--userns=keep-id", "--volume=./../.github/workflow-fixtures/testssl-results:/testssl-results", "docker.io/drwetter/testssl.sh", "--categories", "--forward-secrecy", "--protocols", "--server-preference", "--client-simulation", "--grease", "--vulnerabilities", "--overwrite", "--csvfile", "/testssl-results/{{ ip4_vip_dns2 }}_p443.csv", "--ip", "{{ ip4_vip_dns2 }}", "dns.digitale-gesellschaft.ch:443" ]
+ - ["/usr/bin/podman", "run", "--rm", "--userns=keep-id", "--volume=./../.github/workflow-fixtures/testssl-results:/testssl-results", "docker.io/drwetter/testssl.sh", "--categories", "--forward-secrecy", "--protocols", "--server-preference", "--client-simulation", "--grease", "--vulnerabilities", "--overwrite", "--csvfile", "/testssl-results/{{ ip4_vip_dns2 }}_p853.csv", "--ip", "{{ ip4_vip_dns2 }}", "dns.digitale-gesellschaft.ch:853" ]
+ delegate_to: 127.0.0.1
+ when: ip4 == ip4_dns1
+ changed_when: false
+ async: 300
+ poll: 0
+ register: smoketest_testssl
+ command:
+ argv: "{{ item }}"
+
+ - name: "Smoketest | testssl | poll"
+ loop: "{{ smoketest_testssl.results }}"
+ loop_control:
+ loop_var: "async_result_item"
+ delegate_to: 127.0.0.1
+ when: ip4 == ip4_dns1
+ changed_when: false
+ register: async_poll_results
+ until: async_poll_results is finished
+ failed_when: "async_poll_results.rc > 200"
+ retries: 300
+ async_status:
+ jid: "{{ async_result_item.ansible_job_id }}"
+
+ - name: "Smoketest | testssl | cleanup"
+ loop:
+ - ["/usr/bin/sed", "-i", "/DROWN_hint/d", "./../.github/workflow-fixtures/testssl-results/{{ ip4_vip_dns1 }}_p443.csv" ]
+ - ["/usr/bin/sed", "-i", "/DROWN_hint/d", "./../.github/workflow-fixtures/testssl-results/{{ ip4_vip_dns1 }}_p853.csv" ]
+ - ["/usr/bin/sed", "-i", "/DROWN_hint/d", "./../.github/workflow-fixtures/testssl-results/{{ ip4_vip_dns2 }}_p443.csv" ]
+ - ["/usr/bin/sed", "-i", "/DROWN_hint/d", "./../.github/workflow-fixtures/testssl-results/{{ ip4_vip_dns2 }}_p853.csv" ]
+ delegate_to: 127.0.0.1
+ when: ip4 == ip4_dns1
+ changed_when: false
+ command:
+ argv: "{{ item }}"
+
+ - name: "Smoketest | testssl | results up-to-date"
+ loop:
+ - ["/usr/bin/git", "diff", "--quiet", "./../.github/workflow-fixtures/testssl-results/{{ ip4_vip_dns1 }}_p443.csv" ]
+ - ["/usr/bin/git", "diff", "--quiet", "./../.github/workflow-fixtures/testssl-results/{{ ip4_vip_dns1 }}_p853.csv" ]
+ - ["/usr/bin/git", "diff", "--quiet", "./../.github/workflow-fixtures/testssl-results/{{ ip4_vip_dns2 }}_p443.csv" ]
+ - ["/usr/bin/git", "diff", "--quiet", "./../.github/workflow-fixtures/testssl-results/{{ ip4_vip_dns2 }}_p853.csv" ]
+ delegate_to: 127.0.0.1
+ when: ip4 == ip4_dns1
 changed_when: false
 command:
 argv: "{{ item }}"
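Review bot: The testssl check can pass without any scan having run, because the poll task fails only on `async_poll_results.rc > 200` while podman's own failure codes (125–127, returned when the container cannot be started) sit below that threshold. In that case the committed CSVs are left untouched and the final `git diff --quiet` step succeeds. Deleting the four result files before the async task would turn a skipped scan into a visible diff, since `--overwrite` alone does not prove a file was rewritten. The threshold also deserves a why-comment above `failed_when`, for example `# presumably: testssl.sh uses high exit codes for tool errors, lower ones for findings — confirm`. Separately, `docker.io/drwetter/testssl.sh` is pulled without a tag or digest, so an upstream image update can change the fixture output and runs unreviewed code with write access to the mounted results directory; pinning it as `docker.io/drwetter/testssl.sh@sha256:<digest>` keeps the comparison reproducible.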