THE

SPRAWL


researchopenssl

Client

Verify Server Certificate

OpenSSL's s_client can be used to verify server's certificate. In order to do that, you must specify either a complete path or a directory where CA trusted certificates are stored:

openssl s_client -connect google.com:443 -CApath /etc/ssl/certs/

NOTE: The client will warn you, but still connect to the server even if certificate verification fails.

Check Cipher Support

In order to verify SSL server's support of a specific cipher, you can define a custom cipher suite when using OpenSSL's client. Below is a sample command:

openssl s_client -connect google.com:443 -cipher RC4-MD5

Once openssl s_client establishes a secure session, you may issue all commands supported by the underlying application protocol:

GET / HTTP/1.1

HTTP/1.1 302 Found
Cache-Control: private
Location: http://www.google.com
Content-Type: text/html; charset=UTF-8
Content-Length: 218
Date: Thu, 09 Apr 2009 03:54:24 GMT
Server: GFE/2.0

For a complete list cipher suites and their abreviations, see ciphers man page. You can also display supported ciphers from the command line:

$ openssl ciphers
DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC2-CBC-MD5:RC4-SHA:RC4-MD5:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC4-MD5

Proxy connections

It is possible to use OpenSSL's client capabilities to create an SSL proxy for other applications.

Pipes

The simplest example is piping input from other applications into openssl to obtain output:

echo -e "GET / HTTP/1.0\n\n" | openssl s_client -connect google.com:443 -quiet

NetCat

We can use netcat as a listening service on arbitrary port to redirect output to the ssl client:

nc -l -p 8080 -c "/usr/bin/openssl s_client -connect www.wellsfargo.com:443 -quiet"

Now you can browse to port 8080 with any browser and get proxied to SSL version of the site.

In order to constantly restart the service, we can put the above command string in a loop:

while true; do nc -l -p 8080 -c "/usr/bin/openssl s_client -connect www.wellsfargo.com:443 -quiet"; done

inetd/xinetd

You can set up a more long term SSL proxy by means of existing superservers like inetd or xinetd.

In case of inetd you will first need to edit /etc/inetd.conf to add a listening port and associated listening server script

8080 stream tcp nowait root /root/ssl_proxy.sh ssl_proxy.sh

Next, we need to create ssl_proxy.sh server that would utilise OpenSSL to make requests and return responses to the client appplication:

#!/bin/sh
openssl s_client -connect www.wellsfargo.com:443 -quiet 2> /dev/null

Once you restart inetd service, you will be able to point your browser to localhost:8080 and view unencrypted version of www.wellsfargo.com.

Similar to inetd, you can create SSL proxy service on port 8080 with xinetd. Create ssl_proxy configuration file in /etc/xinetd.d/ directory with the following content:

#default: off
#description: OpenSSL proxy
service http-alt
{
   socket_type = stream
   wait = no
   protocol = tcp
   user = root
   server = /root/ssl_proxy.sh
   disable = no
}

Server

Start a Web Server

OpenSSL's s_server package can act as a limited web server.

First we need to generate a certificate. While it is possible to start an SSL server with no certificate, most browsers will not support it by default. The following command will generate a private key privkey.pem.

openssl req -new -x509 -out server.pem -nodes -keyout privkey.pem -subj /CN=localhost

Now we can start the openssl server and connect to it with a browser:

openssl s_server -accept 4443 -WWW -key privkey.pem

NOTE: The initial request to the root directory will return an error message, but you can still retrieve file in the current directory by specifying them in the URL.

If you want to skip the step where you need to generate a certificate, then you will need to use the -nocert flag and specify one of the supported Diffie-Helman Anonymous cipher suites:

openssl s_server -accept 4443 -WWW -nocert -cipher EXP-ADH-RC4-MD5

And here is the client portion:

$ openssl s_client -connect localhost:4443 -cipher EXP-ADH-RC4-MD5
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
[REMOVED]
GET / HTTP/1.0
HTTP/1.0 200 ok
Content-type: text/plain

Error accessing ''
read:errno=0

NOTE: There are checks in place for directory traversal, so if you want to access arbitrary files on a host, be sure to change working directory to root (/) before starting the openssl server.

Published on April 13th, 2009 by iphelix

sprawlsimilar

tls/ssl protocol

tls, ssl

Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are two closely related protocols designed to protect confidentiality and integrity of data in transit between two hosts. Read more.

tls and ssl cipher suites

TLS/SSL protocols support a large number of cipher suites. A cipher suite is a collection of symmetric and asymmetric encryption algorithms used by hosts to establish a secure communication. Supported cipher suites can be classified based on encryption algorithm strength, key length, key exchange and authentication mechanisms. Some cipher suites offer better level of security than others (e.g. Several weak cipher suites were developed for export to comply with US export law). There are more than 200 known cipher suites. Read more.

sslmap

Download sslmap-0.2.0.py
Size 58.8 KB
DateJanuary 27th, 2010
Version0.2

SSLMap is a lightweight TLS/SSL cipher suite scanner.

  • Uses custom TLS/SSL query engine for increased reliability/speed (No need for third-party libraries such as OpenSSL)
  • Tests for 200+ known cipher suites.
  • Capable of discovering undocumented cipher suites.
  • Advises on cipher suite security based on Protocol, Key Exchange, Authentication, Encryption algorithm, and other parameters.
  • Configurable handshake versions (e.g. TLSv1.1, SSLv2.0) Read more.

stunnel

tls, ssl

Stunnel allows a user to tunnel any TCP based application protocol through a connection secured by TLS/SSL. Read more.


sprawlcomments

π
///\oo/\\\