Debugging TLS/SSL at DevOpsDays Boston

John Downey

August 26, 2016
Transcript

  1. Debugging TLS/SSL
    John Downey | @jtdowney
    @jtdowney 1


  2. Chicago


  5. The views expressed in this
    presentation are my own,
    and not those of PayPal or
    any of its affiliates.

  6. Terminology
    - SSL - Secure Sockets Layer
    - TLS - Transport Layer Security
    - TLS is the IETF successor to SSL; in practice the two names are used interchangeably

  7. TLS/SSL = HTTPS = !

  8. History and Background

  9. History
    - 1995 - Netscape releases SSL 2.0
    - 1996 - Netscape releases SSL 3.0
    - 1999 - IETF releases TLS 1.0 (RFC 2246)
    - 2006 - IETF releases TLS 1.1 (RFC 4346)
    - 2008 - IETF releases TLS 1.2 (RFC 5246)
    - TLS 1.3 still in draft at the time of this talk (github.com/tlswg/tls13-spec)

  10. Problem
    1. Confidentiality
    2. Integrity
    3. Identification (authenticating the peer you are talking to)

  11. Broad types of cryptography
    - Symmetric cryptography - both sides share the same key
    - Asymmetric (public key) cryptography - each side has a different key

  12. Public Key Cryptography
    - Solves the key distribution problem
    - Algorithms typically based on hard math problems
    - Fills two roles
      - Digital signatures
      - Key exchange

  13. Digital Signatures
    - Allows a public verification key to be published
    - A signer keeps the private signing key
    - Messages from the signer can be verified by anyone holding the public key
    - Also protects integrity

  14. Key Exchange
    - Asymmetric crypto is far slower than symmetric cryptography
    - Uses asymmetric crypto to set up a shared key, so both sides can switch to symmetric

  15. Algorithms
    - Digital Signatures - RSA, DSA, ECDSA
    - Key Exchange - RSA, DH, ECDH
    - Only the ephemeral variants (DHE, ECDHE) give forward secrecy; with RSA key exchange, a leaked server key decrypts every recorded session

  16. RSA Security
    - Company founded by Ron Rivest, Adi Shamir, Leonard Adleman
    - Built to develop crypto based products and standards
    - Held the patent on the RSA algorithm until September 2000

  17. Public Key Cryptography Standards
    - Developed by RSA Security to standardize usage of RSA
    - Relied on ASN.1 as the basic file format

  18. ASN.1
    - Abstract Syntax Notation One
    - Describes a tree structure
    - Typically uses Distinguished Encoding Rules (DER)
      - Binary format
      - Canonical representation (exactly one valid encoding for a given value)

  19. PEM Files
    - Privacy Enhanced Mail (PEM)
    - The mail standard itself was never really used; only its encoding survived
    - Base64 encoded DER data
    - Have headers that describe the contents
      - -----BEGIN CERTIFICATE-----
    - The "preferred" format for OpenSSL

  20. File extensions
    - Never well established
    - The extension may describe the format but not the contents (.pem, .der)
    - Or it may describe the contents but not the format (.cer, .crt, .key)
    - When in doubt look at the bytes: PEM starts with -----BEGIN, DER with 0x30 (a SEQUENCE tag)

  21. OpenSSL
    - Fork of SSLeay
    - SSLeay was created by Eric A. Young (with Tim Hudson)
    - Forked in 1998 when they went to work for RSA Security
    - By far the most popular open source TLS/SSL library

  22. Most common problems (as I see them)
    - Certificate/CSR/key/etc in wrong format
    - Server requires SNI and client doesn't support it
    - Intermediate certificate isn't being served
    - Default (and insecure) settings left enabled

  23. Working with Key Files

  24. Generate an RSA Key
    $ openssl genrsa -out demo.pem
    Generating RSA private key, 2048 bit long modulus
    ...............................+++
    .....................+++
    e is 65537 (0x10001)
    Pass the size explicitly (openssl genrsa -out demo.pem 2048): older OpenSSL releases default to 1024 bits or fewer.

  25. PKCS #1
    - Original standard for RSA
    - Describes storage of an RSA key in a file (the RSAPrivateKey structure; -----BEGIN RSA PRIVATE KEY----- in PEM)
    - Still the preferred format for OpenSSL

  26. View RSA PEM file (PKCS #1)
    $ head demo.pem
    -----BEGIN RSA PRIVATE KEY-----
    MIIEowIBAAKCAQEAw2OAGP1sa0rm4BM9lmBdnB9hHhJz6LajSGB1eg6S+D0UXeop
    1ITMdtFW0idd769Wl58R3uw5AvNsbClB2zOa9zjFK8c3szynI/nCYkzpMlp8OcKM
    lz05qRUDQZ2hYV+z0wAYIGrx61lrvui1H2nioiFNOaZ10lPRljmc9Wg/WvtyowMK
    YUp5ps1HbOYSnNajfi+UBl0YoT/q3nR410CQl76rxuljYODVf3g5tV6VVL9IxDtJ
    HJIJxeU+RiWZOudkzWVNDpJmfSnHfJ/vOOo/utzHwGdBfyptHQDecwyG3jRy4Ztp
    pXAbqVTZjlNaaalsYueBxWM9mbjtgy80DSg7twIDAQABAoIBAEhZ8/lM/nTMi6m1
    9jxU+tTxGblVA+7MkrIeZeIIu4uIsp4EM/EqK7xj0E6JnVNADkSe9rMhrgrVsPRs
    YqKU/XFGaFzJrGqGry23Mq/L4x5uO0n4LK9kUJG34jjN8hBoq+IaStTWRTbtKeTL
    ryYuw2leA4axiTeVKisCsoh9TdiWVg7Svt31B9oEcYD26EgVV7rkJwmNNdBss5Ds

  27. View RSA Key Details
    $ openssl rsa -text -in demo.pem | head
    writing RSA key
    Private-Key: (2048 bit)
    modulus:
    00:c3:63:80:18:fd:6c:6b:4a:e6:e0:13:3d:96:60:
    5d:9c:1f:61:1e:12:73:e8:b6:a3:48:60:75:7a:0e:
    92:f8:3d:14:5d:ea:29:d4:84:cc:76:d1:56:d2:27:
    5d:ef:af:56:97:9f:11:de:ec:39:02:f3:6c:6c:29:
    41:db:33:9a:f7:38:c5:2b:c7:37:b3:3c:a7:23:f9:
    c2:62:4c:e9:32:5a:7c:39:c2:8c:97:3d:39:a9:15:
    03:41:9d:a1:61:5f:b3:d3:00:18:20:6a:f1:eb:59:
    6b:be:e8:b5:1f:69:e2:a2:21:4d:39:a6:75:d2:53:

  28. View RSA parse details (PKCS #1)
    $ openssl asn1parse -in demo.pem
    0:d=0 hl=4 l=1187 cons: SEQUENCE
    4:d=1 hl=2 l= 1 prim: INTEGER :00
    7:d=1 hl=4 l= 257 prim: INTEGER :C3638018FD6C6B4AE...
    268:d=1 hl=2 l= 3 prim: INTEGER :010001
    273:d=1 hl=4 l= 256 prim: INTEGER :4859F3F94CFE74CC8...
    533:d=1 hl=3 l= 129 prim: INTEGER :EA7858DA0442FCACA...
    665:d=1 hl=3 l= 129 prim: INTEGER :D55478D835A975238...
    797:d=1 hl=3 l= 128 prim: INTEGER :3F9086CDFC0FC8FE6...
    928:d=1 hl=3 l= 129 prim: INTEGER :B15D41FBC0E1DB1A6...
    1060:d=1 hl=3 l= 128 prim: INTEGER :41DAB94D9A546263F...
    The nine INTEGERs are version, n, e, d, p, q, d mod (p-1), d mod (q-1) and q^-1 mod p. n is 257 bytes rather than 256 because DER prepends 0x00 when the top bit is set, so the value reads as positive.

  29. PKCS #8
    - Expands key storage beyond RSA
      - DSA, ECDSA, etc
    - Wraps the algorithm-specific key in an AlgorithmIdentifier (OID) plus an OCTET STRING
    - PEM header is -----BEGIN PRIVATE KEY-----, or -----BEGIN ENCRYPTED PRIVATE KEY----- when password protected

  30. Convert PKCS #1 key to PKCS #8
    $ openssl pkcs8 -topk8 -nocrypt -in demo.pem -out demo.pk8
    -nocrypt writes the key unencrypted; drop it to be prompted for a passphrase and get an ENCRYPTED PRIVATE KEY block instead.

  31. View RSA PEM file (PKCS #8)
    $ head demo.pk8
    -----BEGIN PRIVATE KEY-----
    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDDY4AY/WxrSubg
    Ez2WYF2cH2EeEnPotqNIYHV6DpL4PRRd6inUhMx20VbSJ13vr1aXnxHe7DkC82xs
    KUHbM5r3OMUrxzezPKcj+cJiTOkyWnw5woyXPTmpFQNBnaFhX7PTABggavHrWWu+
    6LUfaeKiIU05pnXSU9GWOZz1aD9a+3KjAwphSnmmzUds5hKc1qN+L5QGXRihP+re
    dHjXQJCXvqvG6WNg4NV/eDm1XpVUv0jEO0kckgnF5T5GJZk652TNZU0OkmZ9Kcd8
    n+846j+63MfAZ0F/Km0dAN5zDIbeNHLhm2mlcBupVNmOU1ppqWxi54HFYz2ZuO2D
    LzQNKDu3AgMBAAECggEASFnz+Uz+dMyLqbX2PFT61PEZuVUD7sySsh5l4gi7i4iy
    ngQz8SorvGPQTomdU0AORJ72syGuCtWw9GxiopT9cUZoXMmsaoavLbcyr8vjHm47
    Sfgsr2RQkbfiOM3yEGir4hpK1NZFNu0p5MuvJi7DaV4DhrGJN5UqKwKyiH1N2JZW

  32. View RSA parse details (PKCS #8)
    $ openssl asn1parse -in demo.pk8
    0:d=0 hl=4 l=1213 cons: SEQUENCE
    4:d=1 hl=2 l= 1 prim: INTEGER :00
    7:d=1 hl=2 l= 13 cons: SEQUENCE
    9:d=2 hl=2 l= 9 prim: OBJECT :rsaEncryption
    20:d=2 hl=2 l= 0 prim: NULL
    22:d=1 hl=4 l=1191 prim: OCTET STRING [HEX DUMP]:308204A...
    The OCTET STRING at offset 22 holds the complete PKCS #1 RSAPrivateKey unchanged; its hex dump starts with the same 30 82 04 a3 bytes as the demo.der dump on the next slide.

  33. Convert PEM encoded key to DER encoded
    $ openssl rsa -inform PEM -outform DER -in demo.pem -out demo.der
    writing RSA key
    $ xxd demo.der | head
    00000000: 3082 04a3 0201 0002 8201 0100 c363 8018 0............c..
    00000010: fd6c 6b4a e6e0 133d 9660 5d9c 1f61 1e12 .lkJ...=.`]..a..
    00000020: 73e8 b6a3 4860 757a 0e92 f83d 145d ea29 s...H`uz...=.].)
    00000030: d484 cc76 d156 d227 5def af56 979f 11de ...v.V.']..V....
    00000040: ec39 02f3 6c6c 2941 db33 9af7 38c5 2bc7 .9..ll)A.3..8.+.
    00000050: 37b3 3ca7 23f9 c262 4ce9 325a 7c39 c28c 7.<.#..bL.2Z|9..
    00000060: 973d 39a9 1503 419d a161 5fb3 d300 1820 .=9...A..a_....
    00000070: 6af1 eb59 6bbe e8b5 1f69 e2a2 214d 39a6 j..Yk....i..!M9.
    00000080: 75d2 53d1 9639 9cf5 683f 5afb 72a3 030a u.S..9..h?Z.r...
    00000090: 614a 79a6 cd47 6ce6 129c d6a3 7e2f 9406 aJy..Gl.....~/..
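The PKCS #1 and PKCS #8 layouts that asn1parse printed on the previous slides, as an added example that is not from this talk or from OpenSSL: a minimal DER encoder and parser in Python that builds an RSAPrivateKey, wraps it in a PKCS #8 PrivateKeyInfo, frames each in PEM, and loads either form back while checking the rsaEncryption OID and the key arithmetic. The key (p=61, q=53, e=17, d=2753) is a constructed textbook example, and the parser covers only the tags those slides show.

```python
"""Added example (not from the talk or OpenSSL): PKCS #1 / PKCS #8 / PEM round trip
with a minimal DER codec. The key (p=61, q=53, e=17, d=2753) is a constructed toy."""
import base64
import math
import textwrap

RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"   # what asn1parse prints as rsaEncryption

def _der_length(n):                  # short form below 128 bytes, long form above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_integer(value):
    # One spare bit keeps the sign bit clear: this is why a 2048-bit modulus is 257 bytes
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_length(len(body)) + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:             # base 128, high bit set on every byte but the last
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body += bytes(reversed(chunk))
    return b"\x06" + _der_length(len(body)) + body

def der_sequence(*items):
    body = b"".join(items)
    return b"\x30" + _der_length(len(body)) + body

def _read_tlv(data, pos):
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def der_parse(data):
    """SEQUENCE -> list, INTEGER -> int, OID -> dotted str, NULL -> None, OCTET STRING -> bytes."""
    tag, body, end = _read_tlv(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after DER element")
    if tag == 0x30:
        items, pos = [], 0
        while pos < len(body):
            nxt = _read_tlv(body, pos)[2]
            items.append(der_parse(body[pos:nxt]))
            pos = nxt
        return items
    if tag == 0x02:
        return int.from_bytes(body, "big", signed=True)
    if tag == 0x06:
        arcs, cur = [body[0] // 40, body[0] % 40], 0
        for b in body[1:]:
            cur = (cur << 7) | (b & 0x7F)
            if not b & 0x80:
                arcs.append(cur)
                cur = 0
        return ".".join(map(str, arcs))
    if tag in (0x04, 0x05):          # OCTET STRING keeps its bytes, NULL has none
        return body or None
    raise ValueError("unsupported tag 0x%02x" % tag)

def pkcs1_private_key_der(n, e, d, p, q):
    """RSAPrivateKey: version, n, e, d, p, q, d mod (p-1), d mod (q-1), q^-1 mod p."""
    q_inv = pow(q, p - 2, p)         # inverse modulo the prime p (Fermat)
    fields = (0, n, e, d, p, q, d % (p - 1), d % (q - 1), q_inv)
    return der_sequence(*(der_integer(v) for v in fields))

def pkcs8_wrap(pkcs1_der):
    """PrivateKeyInfo: version 0, AlgorithmIdentifier {rsaEncryption, NULL}, OCTET STRING of PKCS #1."""
    alg = der_sequence(der_oid(RSA_ENCRYPTION_OID), b"\x05\x00")
    return der_sequence(der_integer(0), alg, b"\x04" + _der_length(len(pkcs1_der)) + pkcs1_der)

def pem_encode(der, label):
    b64 = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b64, label)

def pem_decode(text):
    lines = text.strip().splitlines()
    return lines[0][len("-----BEGIN "):-len("-----")], base64.b64decode("".join(lines[1:-1]))

def load_rsa_private_key(pem_text):
    """Accept 'RSA PRIVATE KEY' (PKCS #1) or unencrypted 'PRIVATE KEY' (PKCS #8); return PKCS #1 fields."""
    label, der = pem_decode(pem_text)
    if label == "PRIVATE KEY":
        version, (oid, params), der = der_parse(der)
        if version != 0 or oid != RSA_ENCRYPTION_OID or params is not None:
            raise ValueError("not an unencrypted rsaEncryption PKCS #8 key")
    elif label != "RSA PRIVATE KEY":
        raise ValueError("unexpected PEM label %r" % label)
    fields = der_parse(der)
    _, n, e, d, p, q = fields[:6]
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    if p * q != n or (e * d) % lam != 1:   # catches a corrupt or mismatched key early
        raise ValueError("RSA key is internally inconsistent")
    return fields
```

Feeding `pem_encode(pkcs8_wrap(pkcs1_private_key_der(3233, 17, 2753, 61, 53)), "PRIVATE KEY")` through `load_rsa_private_key` returns the same nine fields as the PKCS #1 framing does, which is the property the `openssl pkcs8 -topk8` conversion on slide 30 relies on.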

  34. Working with Certificates

  35. $ head braintree.pem
    -----BEGIN CERTIFICATE-----
    MIIHFzCCBf+gAwIBAgIQdlPhj8bBtjhpkzOjtu2ZGzANBgkqhkiG9w0BAQsFADB3
    MQswCQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAd
    BgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxKDAmBgNVBAMTH1N5bWFudGVj
    IENsYXNzIDMgRVYgU1NMIENBIC0gRzMwHhcNMTUwMzE3MDAwMDAwWhcNMTcwMzE2
    MjM1OTU5WjCCAR0xEzARBgsrBgEEAYI3PAIBAxMCVVMxGTAXBgsrBgEEAYI3PAIB
    AgwIRGVsYXdhcmUxHTAbBgNVBA8TFFByaXZhdGUgT3JnYW5pemF0aW9uMRAwDgYD
    VQQFEwczMDE0MjY3MQswCQYDVQQGEwJVUzETMBEGA1UEEQwKOTUxMzEtMjAyMTET
    MBEGA1UECAwKQ2FsaWZvcm5pYTERMA8GA1UEBwwIU2FuIEpvc2UxFjAUBgNVBAkM
    DTIyMTEgTiAxc3QgU3QxFTATBgNVBAoMDFBheVBhbCwgSW5jLjEdMBsGA1UECwwU

  36. X.509 Certificate
    - Format for digital certificates
    - Uses ASN.1 for the basic file format
    - Wraps a public key
    - Specifies the subject of the certificate and the issuer
    - Contents are digitally signed by the issuer
    - Lists the lifetime of validity

  37. View certificate information
    $ openssl x509 -text -in braintree.pem | head -n 20
    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number:
    76:53:e1:8f:c6:c1:b6:38:69:93:33:a3:b6:ed:99:1b
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust N...
    Validity
    Not Before: Mar 17 00:00:00 2015 GMT
    Not After : Mar 16 23:59:59 2017 GMT
    Subject: jurisdictionC=US/jurisdictionST=Delaware/busines...
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    Public-Key: (2048 bit)
    Modulus:
    00:d4:8e:55:07:7c:a2:89:f5:4f:a0:d2:80:82:63:
    d6:09:a1:86:19:e3:68:52:f5:49:66:d9:d7:e9:61:
    33:77:3c:04:8b:cc:43:99:b5:e3:b9:a1:23:40:a9:
    26:32:8c:fe:60:31:eb:5d:da:2d:42:3e:4a:0b:a9:
    e7:d3:17:19:bf:8a:7b:3e:37:2a:f2:dd:3e:4c:62:

  38. X.509 Extensions
    $ openssl x509 -text -in braintree.pem
    ...
    X509v3 extensions:
    X509v3 Subject Alternative Name:
    DNS:www.braintreepayments.com
    X509v3 Basic Constraints:
    CA:FALSE
    X509v3 Key Usage: critical
    Digital Signature, Key Encipherment
    X509v3 Extended Key Usage:
    TLS Web Server Authentication, TLS Web Client Authentication
    ...

  39. X.509 Certificate Request
    - Sent to the certificate authority
    - Contains the public key for the certificate
    - Requester signs the contents with the matching private key, proving possession of it
    - Put the hostnames in a subjectAltName request extension (via -reqexts, or -addext on OpenSSL 1.1.1 and later): clients match against the SAN, and browsers ignore the Common Name

  40. Generate a certificate request
    $ openssl req -new -key demo.pem -out demo.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:Illinois
    Locality Name (eg, city) []:Chicago
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:PayPal
    Organizational Unit Name (eg, section) []:Braintree
    Common Name (e.g. server FQDN or YOUR name) []:demo.braintreepayments.com
    Email Address []:
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

  41. View certificate request
    $ openssl req -text -in demo.csr | head -n 20
    Certificate Request:
    Data:
    Version: 0 (0x0)
    Subject: C=US, ST=Illinois, L=Chicago, O=PayPal, OU=Braintree, CN=demo.braintreepayments.com
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    Public-Key: (2048 bit)
    Modulus:
    00:c3:63:80:18:fd:6c:6b:4a:e6:e0:13:3d:96:60:
    5d:9c:1f:61:1e:12:73:e8:b6:a3:48:60:75:7a:0e:
    92:f8:3d:14:5d:ea:29:d4:84:cc:76:d1:56:d2:27:
    5d:ef:af:56:97:9f:11:de:ec:39:02:f3:6c:6c:29:
    41:db:33:9a:f7:38:c5:2b:c7:37:b3:3c:a7:23:f9:
    c2:62:4c:e9:32:5a:7c:39:c2:8c:97:3d:39:a9:15:
    03:41:9d:a1:61:5f:b3:d3:00:18:20:6a:f1:eb:59:
    6b:be:e8:b5:1f:69:e2:a2:21:4d:39:a6:75:d2:53:
    d1:96:39:9c:f5:68:3f:5a:fb:72:a3:03:0a:61:4a:
    79:a6:cd:47:6c:e6:12:9c:d6:a3:7e:2f:94:06:5d:
    18:a1:3f:ea:de:74:78:d7:40:90:97:be:ab:c6:e9:
    63:60:e0:d5:7f:78:39:b5:5e:95:54:bf:48:c4:3b:

  42. PKCS #12
    - Format for combining keys and certificates
    - Preferred format for Windows
    - Can optionally be encrypted with a password
    - Extensions .p12 and .pfx

  43. Java Keystore and Keytool
    - Similar to PKCS #12 files
    - Combine multiple types of items (keys, certs, etc)
    - Preferred format for the Java ecosystem

  44. Debugging Connections

  45. curl
    $ curl -vI https://www.braintreepayments.com
    * Rebuilt URL to: https://www.braintreepayments.com/
    * Trying 54.215.8.63...
    * Connected to www.braintreepayments.com (54.215.8.63) port 443 (#0)
    * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    * Server certificate: www.braintreepayments.com
    * Server certificate: Symantec Class 3 EV SSL CA - G3
    * Server certificate: VeriSign Class 3 Public Primary Certification Authority - G5
    > HEAD / HTTP/1.1
    > Host: www.braintreepayments.com
    > User-Agent: curl/7.43.0
    > Accept: */*

  46. openssl s_client
    $ openssl s_client -connect www.braintreepayments.com:443
    CONNECTED(00000003)
    depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary...
    verify return:1
    depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network...
    verify return:1
    depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Net...
    verify return:1
    depth=0 jurisdictionC = US, jurisdictionST = Delaware, businessCa...
    OU = Braintree Production, CN = www.braintreepayments.com
    verify return:1
    ---
    Certificate chain
    0 s:/jurisdictionC=US/jurisdictionST=Delaware/businessCategory=P...
    intreepayments.com
    i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Sy...
    1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Sy...
    i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006...
    2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006...
    i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certificati...
    ...

  47. openssl s_client
    $ openssl s_client -connect www.braintreepayments.com:443
    ...
    SSL handshake has read 5063 bytes and written 444 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 387E121C8195A337BC24EDAB3962627E01E974841E039D4D3...
    Session-ID-ctx:
    Master-Key: B158E366C9D89BC74C7CD183CDF4AC0498899D9ED2D6A00CA...
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    ...snip...
    Start Time: 1446134858
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
    ---

  48. OpenSSL
    - Does not ship with any root certificates
    - Operating systems and browsers do
    - On Linux these are generally gathered from the Mozilla list
    - On OS X
      - Contains special patches which cause it to fall back to the OS X root certificates
      - The version is super old

  49. sslyze
    $ brew install sslyze
    $ sslyze --regular www.braintreepayments.com:443
    ...
    SCAN RESULTS FOR WWW.BRAINTREEPAYMENTS.COM:443 - 54.215.8.63:443
    -------------------------------------------------------------------
    ...snip...
    * Certificate - Content:
    SHA1 Fingerprint: 8ab0dc85c10af4c0e396e7586c85a3b74a39aa91
    Common Name: www.braintreepayments.com
    Issuer: Symantec Class 3 EV SSL CA - G3
    Serial Number: 7653E18FC6C1B638699333A3B6ED991B
    Not Before: Mar 17 00:00:00 2015 GMT
    Not After: Mar 16 23:59:59 2017 GMT
    Signature Algorithm: sha256WithRSAEncryption
    Public Key Algorithm: rsaEncryption
    Key Size: 2048 bit
    Exponent: 65537 (0x10001)
    X509v3 Subject Alternative Name: {'DNS': ['www.braintreepayments.com']}
    ...

  50. sslyze
    $ sslyze --regular www.braintreepayments.com:443
    ...
    SCAN RESULTS FOR WWW.BRAINTREEPAYMENTS.COM:443 - 54.215.8.63:443
    -------------------------------------------------------------------
    ...snip...
    * Certificate - Trust:
    Hostname Validation: OK - Subject Alternative Name matches
    Google CA Store (09/2015): OK - Certificate is trusted
    Java 6 CA Store (Update 65): OK - Certificate is trusted
    Microsoft CA Store (09/2015): OK - Certificate is trusted
    Apple CA Store (OS X 10.10.5): OK - Certificate is trusted
    Mozilla NSS CA Store (09/2015): OK - Certificate is trusted
    Certificate Chain Received: ['www.braintreepayments.com', 'Symantec Cl...
    ...


  52. SSL Labs
    https://www.ssllabs.com

  53. How TLS Works


  55. Client Hello
    - Highest protocol version the client supports (e.g. TLS 1.2)
    - Ciphers the client supports
    - Extensions (introduced after TLS 1.0 but in a compatible way)
      - Server Name Indication (SNI)

  56. Server Name Indication
    - Allows a client to tell a server which vhost they want
    - Without it, every hostname needs its own IP
      - Can be expensive for hosting
    - The HTTP Host header arrives only after the TLS handshake, so without SNI the server must pick a certificate before it knows the hostname
    - Sent in the clear in the ClientHello
    - SNI support is still not 100%
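The ClientHello fields listed on the last two slides, as an added example that is not from the talk: a Python builder for a minimal TLS 1.2 ClientHello record with or without the SNI extension, and a parser that pulls the version, cipher suites and server name back out. Run over a capture, the parser shows whether a failing client actually sends SNI, which is the check for the "server requires SNI" problem from slide 22. Offsets follow RFC 5246 and RFC 6066; the hostname and suite list are constructed sample values.

```python
"""Added example (not from the talk): build and parse a TLS 1.2 ClientHello with SNI.
Layout per RFC 5246 section 7.4.1.2 and RFC 6066 section 3; sample values are constructed."""
import os
import struct

HANDSHAKE = 0x16            # TLS record content type
CLIENT_HELLO = 0x01         # handshake message type
EXT_SERVER_NAME = 0x0000    # RFC 6066 server_name extension
TLS_1_2 = b"\x03\x03"
# Constructed sample: ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384,
# ECDHE-RSA-CHACHA20-POLY1305 (IANA code points)
SAMPLE_SUITES = (0xC02F, 0xC030, 0xCCA8)

def build_client_hello(server_name=None, cipher_suites=SAMPLE_SUITES):
    """Return one TLS record holding a ClientHello; SNI is included only if server_name is given."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        name_list = b"\x00" + struct.pack("!H", len(host)) + host   # one host_name entry
        sni = struct.pack("!H", len(name_list)) + name_list
        extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (TLS_1_2                                    # client_version
            + os.urandom(32)                           # random
            + b"\x00"                                  # empty session_id
            + struct.pack("!H", len(suites)) + suites  # cipher_suites
            + b"\x01\x00")                             # compression_methods: null only
    if extensions:                                     # the extensions block is optional
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return {'version', 'cipher_suites', 'server_name'} from a ClientHello record; server_name is None without SNI."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])
    pos = 2 + 32                          # skip client_version and random
    pos += 1 + body[pos]                  # session_id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    pos += 1 + body[pos]                  # compression_methods
    server_name = None
    if pos < len(body):                   # older clients stop here: no extensions, no SNI
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_size]
            pos += 4 + ext_size
            if ext_type == EXT_SERVER_NAME:
                server_name = _parse_sni(data)
    return {"version": version, "cipher_suites": suites, "server_name": server_name}

def _parse_sni(data):
    """Return the first host_name entry of a ServerNameList, or None."""
    list_len = struct.unpack("!H", data[:2])[0]
    pos = 2
    while pos + 3 <= 2 + list_len:
        name_type = data[pos]
        name_len = struct.unpack("!H", data[pos + 1:pos + 3])[0]
        name = data[pos + 3:pos + 3 + name_len]
        pos += 3 + name_len
        if name_type == 0:
            return name.decode("ascii")
    return None

if __name__ == "__main__":
    print(parse_client_hello(build_client_hello("www.braintreepayments.com")))
    print(parse_client_hello(build_client_hello(None)))   # server_name: None
```

The second call in the `__main__` block produces the ClientHello shape that an SNI-only server answers with a handshake failure or its default certificate: the message simply ends after the compression methods, so there is no extensions block for a server name to live in.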

  57. Server Hello
    - Server picks the protocol and cipher suite
    - Returns its own random value and a session ID used for session resumption, plus the extensions it accepted

  58. Server Certificate
    - Server provides its certificate and any intermediates necessary


  60. Client Certificate [optional]
    - Server asks the client to provide a certificate
    - Indicates what parameters would be allowed (certificate types, acceptable CA names)
    - Client sends its own certificate and any intermediates, then proves it holds the private key (CertificateVerify)

  61. Change Cipher Spec
    - Indicates the end of the handshake: everything after it is protected with the negotiated keys
    - The Finished message that follows is the first encrypted record and carries a hash over the whole handshake transcript, so tampering with earlier messages is detected

  62. TLS Verification


  65. Chain of Trust


  67. Hostname Verification
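What "Hostname Validation: OK - Subject Alternative Name matches" in the sslyze output on slide 50 actually checks, as an added example that is not from the talk or from any TLS library: the dNSName matching rules clients apply, namely case-insensitive label comparison, a wildcard only as the whole leftmost label that matches exactly one label, and the Common Name consulted only when the certificate carries no SAN list at all. The hostnames are constructed sample values, and the rule that a wildcard needs at least two labels after it is a conservative choice made here.

```python
"""Added example (not from the talk): hostname verification against X.509 SAN dNSName entries.
Rules follow RFC 6125 section 6.4.3 as commonly implemented; sample names are constructed."""

def _labels(name):
    return name.rstrip(".").lower().split(".")

def match_dns_name(pattern, hostname):
    """True if the SAN dNSName `pattern` covers `hostname`."""
    p, h = _labels(pattern), _labels(hostname)
    if not p or not h or len(p) != len(h):
        return False
    if "*" in pattern:
        # The wildcard must be the entire leftmost label (no "f*.example.com"), appear nowhere
        # else, and leave at least two labels after it so "*.com" never matches a bare domain.
        if p[0] != "*" or any("*" in lbl for lbl in p[1:]) or len(p) < 3:
            return False
        return p[1:] == h[1:]          # "*" matches exactly one label, never "a.b"
    return p == h

def verify_hostname(hostname, san_dns_names, common_name=None):
    """Return (ok, reason). The SAN list wins; the CN is a legacy fallback used only when no SAN exists."""
    if san_dns_names:
        for name in san_dns_names:
            if match_dns_name(name, hostname):
                return True, "Subject Alternative Name matches: %s" % name
        return False, "hostname not in Subject Alternative Name"
    if common_name is not None and match_dns_name(common_name, hostname):
        return True, "Common Name matches (legacy; no SAN present)"
    return False, "no Subject Alternative Name and Common Name does not match"

if __name__ == "__main__":
    print(verify_hostname("www.braintreepayments.com", ["www.braintreepayments.com"]))
    print(verify_hostname("demo.braintreepayments.com", ["www.braintreepayments.com"]))
```

The second call mirrors the CSR on slide 40: a certificate issued for www.braintreepayments.com does not cover demo.braintreepayments.com, and a matching Common Name would not rescue it once a SAN list is present.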

  68. TLS Server Settings
    https://mozilla.github.io/server-side-tls/ssl-config-generator/

  69. Questions

  70. References
    - https://datacenteroverlords.com/2011/09/25/ssl-who-do-you-trust/

  71. Bonus Round

  72. Quick Survey of Known Problems

  73. MAC then Encrypt
    - Attacks against CBC-mode cipher suites
      - BEAST (predictable CBC IVs in TLS 1.0)
      - POODLE (SSLv3 padding not covered by the MAC)
      - Lucky13 (timing leak in the padding check)
    - Workaround is to use AEAD ciphersuites
      - GCM
      - Chacha20Poly1305

  74. Compression
    - CRIME (TLS-level compression; disable it in the TLS stack)
    - BREACH (HTTP compression; no TLS setting fixes this, it has to be handled at the application layer)

  75. Long tail of support
    - Many servers still support SSLv3
    - Some servers support SSLv2
    - Attacks
      - DROWN: Breaking TLS using SSLv2 (any host that shares its key with an SSLv2-enabled endpoint is exposed)
      - SWEET32: birthday attack on 64-bit block ciphers such as 3DES over long-running connections
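The server-side settings the Mozilla generator on slide 68 produces, applied with Python's standard library ssl module as an added example that is not from the talk and not the generator's own output: TLS 1.2 as the floor to rule out SSLv2/SSLv3 and the older CBC-era protocols, compression off against CRIME, and an ephemeral-only, AEAD-only cipher string so none of the CBC or 3DES suites from the last three slides can be negotiated. The cipher string is an assumption modelled on the generator's intermediate profile, and audit_context is a helper written here to show what a context would still allow.

```python
"""Added example (not from the talk): a hardened server SSLContext plus an audit helper.
Standard library only (Python 3.7+); the cipher string is an assumption modelled on the
Mozilla intermediate profile, not copied from the generator."""
import ssl

# Ephemeral key exchange only (forward secrecy) and AEAD only: no CBC MAC-then-encrypt
# suites (BEAST/POODLE/Lucky13), no 3DES (SWEET32), no RC4, no export or anonymous suites.
AEAD_ONLY = ("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20"
             ":!aNULL:!eNULL:!MD5:!3DES:!RC4:!EXPORT")

def is_aead(suite_name):
    """True for AES-GCM, AES-CCM and ChaCha20-Poly1305 suites, in TLS 1.2 or TLS 1.3 naming."""
    return any(tag in suite_name for tag in ("GCM", "CCM", "CHACHA20"))

def hardened_server_context():
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # no SSLv2/SSLv3 (DROWN, POODLE), no TLS 1.0/1.1 (BEAST)
    ctx.options |= ssl.OP_NO_COMPRESSION            # CRIME; BREACH must be handled at the HTTP layer
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # the server's suite order wins, not the client's
    ctx.set_ciphers(AEAD_ONLY)
    return ctx

def audit_context(ctx):
    """Summarise what a context could negotiate; weak_suites should be empty on a hardened server."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "minimum_version": ctx.minimum_version.name,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "weak_suites": [n for n in names if not is_aead(n)],
        "suite_count": len(names),
    }

if __name__ == "__main__":
    # The interpreter's own defaults may still list CBC suites; the hardened context lists none
    print(audit_context(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)))
    print(audit_context(hardened_server_context()))
```

Running the audit against a default `SSLContext` first is the quick way to see what "default settings left enabled" from slide 22 means on a given OpenSSL build; the hardened context is what to hand to `wrap_socket` or an HTTP server.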