Improvements on client simulations #1
Conversation
parse_client_ciphers now gets the results from the SSL labs API Wrote a parse to conver wireshark SSL Handshake ciphers lists to openssl cipher lists
|
Hi @seccubus, Thanks for this PR. I've been testing out your version of testssl.sh with client-simulation-data.sh and for the most part am getting the same results with either OpenSSL or sockets (except in the expected cases in which the OpenSSL version is connecting using an ephemeral ECDH key with a curve not supported by the client). However, the results differ in a few cases. One example is www.openssl.org. I believe the problem is with the following line: For www.openssl.org and Android 5.0.0 this results in: The problem is the protocol information: According OpenSSL describes these options as follows: I looked at the OpenSSL source code, and while I couldn't figure out what it does in response to the "no_*" options, I could see that if the command line has something like Similarly, in the |
|
Hi @seccubus, Would it be possible for parse_client_ciphers.pl to also extract minDhBits, maxDhBits, minRsaBits, and maxRsaBits from https://api.dev.ssllabs.com/api/v3/getClients. I don't think the information would affect the results very much, but I noticed that for Java 6u45 maxDhBits is 1024. So, in my tests I got some incorrect results. For example, connecting to en.wikipedia.org the client simulation indicates that Java 6u45 would connect with "TLSv1.0 DHE-RSA-AES128-SHA" with a 2048-bit ephemeral DH key, but that is contrary to the maxDhBits value in https://api.dev.ssllabs.com/api/v3/getClients. At the moment, however, I don't know what to do with the data. In the case of ECDHE cipher suites it is easy - the client indicates which curves it supports and the server limits itself to those curves. In the case of DHE cipher suites, the client can't say what DH key sizes it will accept. So, if a real Java 6u45 client tried to connect to en.wikipedia.org and the server responded with "TLSv1.0 DHE-RSA-AES128-SHA" with a 2048-bit ephemeral DH key would the connection just fail or would the client try a different ClientHello? I don't know, so I don't know how to accurately simulate the client in this case. Thanks, Dave |
|
Dave, If we got sockets working with startssl (wich it should if I'm not mistaken), I think we can abandon using openssl altogether. It would be relatively easy for me to extract more info from the SSLlabs API. I'm looking into maintaining a separate set of clients independantly from SSLlabs (mainly mail related). Do you know if there is a way to extract the inProto and maxProto from the handshake? I want to test certain clients if certain services have been detected. |
|
Dave, The information you requested is now in the configuration file. |
|
BTW, is it possible from the handshake to see what TLS/SSL protocol is min/maxProto? I want to use this for the clients we maintain ourselves. |
|
Thanks for adding the extra information. I realized that I can check whether DH bits is between minDhBits and maxDhBits in the current version, but I was able to add that check to https://github.com/dcooper16/testssl.sh/tree/extended_tls_sockets, where parse_tls_serverhello() has been extended to extract information about ephemeral keys. I won't be able to do any more work on this until later next week, at the earliest. I would think that maxProto would be the value of the client_version field from the ClientHello (but not the version field from the record layer). Unfortunately, though, the client only sends the maximum version that it supports, so there is nothing in the handshake to indicate minProto. I think the client just indicates the highest version it supports in its ClientHello, the server specifies the highest version it supports (that is no higher than the one specified in the ClientHello) in the server_version field of the ServerHello, and the client simply reject the connection if server_hello is less than minProto. |
…tssl.sh into client_sim_sockets
…nts added. In this commit clients are also tested when non-HTTP protocols are used. Each client now has a line that indicates what services the client can handle. Clients that match the current SERVICE tested or have service ANY (OpenSSL/Java) will be simulated, others will be ignored. I have removed the STARTTLS restriction from using sockets because sockets seem to handle starttls just fine. Update client SIM data has been updated to add two client we maintain ourselves: * Mail on iOS * Mail on OSX * Thunderbird on OSX
MrSeccubus
changed the title
|
Apparently we need the -ssl2 -ssl3 together with the -no_tls1 switches: This is also incorrectly printed when using sockets. OpenSSL handles its options in a funning way. And it is not even consistently wrong... I now resorted to trying each protocol individually from high to low and stop as soon as one works. |
New approach: try every protocol individually from high to low and stop as soon as one works
…iving me issues it's too late now to do something about it
…client_sim_sockets
…nto client_sim_sockets
The server default run had several JSON objects which weren't, looking at just
the ID, either clear or contained a redundant explanation in "finding". Purely
certificate related JSON objects are now having the id "cert_<object>" like
cert_CN or cert_SAN.
This commit changes all this, also it avoids another colon in finding (see testssl#830).
Also the implicit strategy "output for the screen s followed by only one output with
fileout" has been relaxed -- which results on more, better parsable JSON objects.
Some example of the changes:
Old:
----
{
"id" : "Server Certificate #1 fingerprint",
"severity" : "INFO",
"finding" : "Fingerprints / Serial: SHA1 2940BC13ECF7DAF30B9084CC734C3B971D73B3BB / 01BFD1DC15006E0ABBA7C670FF5E1101, SHA256 30BA61012FFE7CEAAF9A148A0CB0C5C852A9C04F4B1C27DB6
EFA9919C7F49CCF"
}
[..]
{
"id" : "Server Certificate #2 ocsp_stapling",
"severity" : "OK",
"finding" : "OCSP stapling : offered"
}
New:
----
{
"id" : "cert_key_size <cert#1>",
"severity" : "INFO",
"finding" : "Server keys 2048 bits"
},{
"id" : "cert_fingerprint_SHA1 <cert#1>",
"severity" : "INFO",
"finding" : "2940BC13ECF7DAF30B9084CC734C3B971D73B3BB"
},{
"id" : "cert_fingerprint_SHA256 <cert#1>",
"severity" : "INFO",
"finding" : "30BA61012FFE7CEAAF9A148A0CB0C5C852A9C04F4B1C27DB6EFA9919C7F49CCF"
},{
"id" : "cert_serial <cert#1>",
"severity" : "INFO",
"finding" : "01BFD1DC15006E0ABBA7C670FF5E1101"
}
[..]
{
"id" : "OCSP_stapling <cert#2>",
"severity" : "OK",
"finding" : "offered"
}
This PR also fixes the JSON output where for "OCSP must staple" the id was just
'id" : "OCSP must staple: ocsp_must_staple",' for multiple server
certificates without the certificate number.
As far as the code is concerned: $json_prefix should be a variable which is
used for the id object. If there was more then one certificates for a single
host detected, $json_postfix carries the certificate number.
Unit tests need to be fixed -- if possible.
@dcooper16 this is my attempt to make stuff a little bit more maintainable
The client signatures are now in a separate file that can be updated from the data at SSL labs by running a single program.
I send this pull request to you because I based my work on you branch that hasn't been merged yet.
parse_client_ciphers now gets the results from the SSL labs API
Wrote a parse to conver wireshark SSL Handshake ciphers lists to openssl cipher lists