
SSL Debugging at Chicago Coder Conference 2016

John Downey

June 06, 2016
Transcript

  1. SSL Debugging
    or: Everything you wanted to know about TLS/SSL but were afraid to ask
    @jtdowney 1

  2. [image-only slide, no transcribed text]

  3. [image-only slide, no transcribed text]

  4. The views expressed in this
    presentation are my own,
    and not those of PayPal or
    any of its affiliates.

  5. Terminology
    - SSL - Secure Sockets Layer
    - TLS - Transport Layer Security

  6. History and Background

  7. History
    - 1995 - Netscape releases SSL 2.0
    - 1996 - Netscape releases SSL 3.0
    - 1999 - IETF releases TLS 1.0 (RFC 2246)
    - 2006 - IETF releases TLS 1.1 (RFC 4346)
    - 2008 - IETF releases TLS 1.2 (RFC 5246)
    - TLS 1.3 in draft (github.com/tlswg/tls13-spec)

  8. Problem
    1. Confidentiality
    2. Integrity
    3. Identification

  9. Broad types of cryptography
    - Symmetric cryptography - both sides share the same secret key
    - Asymmetric (public key) cryptography - each party has a key pair: a public key anyone may hold and a private key only that party holds

  10. Public Key Cryptography
    - Solves the key distribution problem
    - Algorithms typically based on hard math problems
    - Fills two roles
      - Digital signatures
      - Key exchange

  11. Digital Signatures
    - Allows a public verification key to be published
    - A signer keeps the private signing key
    - Messages from the signer can be verified by anyone holding the public key
    - Also protects integrity

  12. Key Exchange
    - Asymmetric crypto is far slower than symmetric cryptography
    - Uses asymmetric crypto to set up a shared key, so both sides can switch to symmetric crypto for the bulk data

  13. Algorithms
    - Digital Signatures - RSA, DSA, ECDSA
    - Key Exchange - RSA, DH, ECDH

  14. RSA Security
    - Company founded by Ron Rivest, Adi Shamir, Leonard Adleman
    - Built to develop crypto based products and standards
    - Held the patent on the RSA algorithm until September 2000

  15. Public Key Cryptography Standards
    - Developed by RSA Security to standardize usage of RSA
    - Relied on ASN.1 as the basic file format

  16. ASN.1
    - Abstract Syntax Notation One
    - Describes a tree structure
    - Typically encoded with the Distinguished Encoding Rules (DER)
      - Binary format
      - Canonical representation (one valid encoding per value)

  17. PEM Files
    - Privacy Enhanced Mail (PEM)
    - The original secure-email standard never caught on; only its container format survived
    - Base64 encoded DER data
    - Has header and footer lines that describe the contents
    - -----BEGIN CERTIFICATE-----
    - The "preferred" format for OpenSSL

  18. File extensions
    - Never well established
    - The extension may describe the format but not the contents (.pem, .der)
    - Or it may describe the contents but not the format (.cer, .crt, .key)

  19. OpenSSL
    - Fork of SSLeay
    - SSLeay was created by Eric A. Young (with Tim Hudson)
    - Forked in 1998 when they went to work for RSA Security
    - By far the most popular open source TLS/SSL library

  20. Working with Key Files

  21. Generate an RSA Key
    $ openssl genrsa -out demo.pem
    Generating RSA private key, 2048 bit long modulus
    ...............................+++
    .....................+++
    e is 65537 (0x10001)

  22. PKCS #1
    - Original standard for RSA
    - Describes storage of an RSA key in a file (-----BEGIN RSA PRIVATE KEY-----)
    - Still the preferred format for OpenSSL (but not Java); note that OpenSSL 3.0 and later write PKCS #8 by default and need -traditional to emit PKCS #1

  23. View RSA PEM file (PKCS #1)
    $ head demo.pem
    -----BEGIN RSA PRIVATE KEY-----
    MIIEowIBAAKCAQEAw2OAGP1sa0rm4BM9lmBdnB9hHhJz6LajSGB1eg6S+D0UXeop
    1ITMdtFW0idd769Wl58R3uw5AvNsbClB2zOa9zjFK8c3szynI/nCYkzpMlp8OcKM
    lz05qRUDQZ2hYV+z0wAYIGrx61lrvui1H2nioiFNOaZ10lPRljmc9Wg/WvtyowMK
    YUp5ps1HbOYSnNajfi+UBl0YoT/q3nR410CQl76rxuljYODVf3g5tV6VVL9IxDtJ
    HJIJxeU+RiWZOudkzWVNDpJmfSnHfJ/vOOo/utzHwGdBfyptHQDecwyG3jRy4Ztp
    pXAbqVTZjlNaaalsYueBxWM9mbjtgy80DSg7twIDAQABAoIBAEhZ8/lM/nTMi6m1
    9jxU+tTxGblVA+7MkrIeZeIIu4uIsp4EM/EqK7xj0E6JnVNADkSe9rMhrgrVsPRs
    YqKU/XFGaFzJrGqGry23Mq/L4x5uO0n4LK9kUJG34jjN8hBoq+IaStTWRTbtKeTL
    ryYuw2leA4axiTeVKisCsoh9TdiWVg7Svt31B9oEcYD26EgVV7rkJwmNNdBss5Ds

  24. View RSA Key Details
    $ openssl rsa -text -in demo.pem | head
    writing RSA key
    Private-Key: (2048 bit)
    modulus:
    00:c3:63:80:18:fd:6c:6b:4a:e6:e0:13:3d:96:60:
    5d:9c:1f:61:1e:12:73:e8:b6:a3:48:60:75:7a:0e:
    92:f8:3d:14:5d:ea:29:d4:84:cc:76:d1:56:d2:27:
    5d:ef:af:56:97:9f:11:de:ec:39:02:f3:6c:6c:29:
    41:db:33:9a:f7:38:c5:2b:c7:37:b3:3c:a7:23:f9:
    c2:62:4c:e9:32:5a:7c:39:c2:8c:97:3d:39:a9:15:
    03:41:9d:a1:61:5f:b3:d3:00:18:20:6a:f1:eb:59:
    6b:be:e8:b5:1f:69:e2:a2:21:4d:39:a6:75:d2:53:

  25. View RSA parse details (PKCS #1)
    $ openssl asn1parse -in demo.pem
    0:d=0 hl=4 l=1187 cons: SEQUENCE
    4:d=1 hl=2 l= 1 prim: INTEGER :00
    7:d=1 hl=4 l= 257 prim: INTEGER :C3638018FD6C6B4AE...
    268:d=1 hl=2 l= 3 prim: INTEGER :010001
    273:d=1 hl=4 l= 256 prim: INTEGER :4859F3F94CFE74CC8...
    533:d=1 hl=3 l= 129 prim: INTEGER :EA7858DA0442FCACA...
    665:d=1 hl=3 l= 129 prim: INTEGER :D55478D835A975238...
    797:d=1 hl=3 l= 128 prim: INTEGER :3F9086CDFC0FC8FE6...
    928:d=1 hl=3 l= 129 prim: INTEGER :B15D41FBC0E1DB1A6...
    1060:d=1 hl=3 l= 128 prim: INTEGER :41DAB94D9A546263F...

  26. PKCS #8
    - Generic private key container: an AlgorithmIdentifier plus the algorithm-specific key, so it expands key storage beyond RSA
    - Can optionally be encrypted (-----BEGIN ENCRYPTED PRIVATE KEY-----)
    - Preferred format for Java

  27. Convert PKCS #1 key to PKCS #8
    $ openssl pkcs8 -topk8 -nocrypt -in demo.pem -out demo.pk8

  28. View RSA PEM file (PKCS #8)
    $ head demo.pk8
    -----BEGIN PRIVATE KEY-----
    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDDY4AY/WxrSubg
    Ez2WYF2cH2EeEnPotqNIYHV6DpL4PRRd6inUhMx20VbSJ13vr1aXnxHe7DkC82xs
    KUHbM5r3OMUrxzezPKcj+cJiTOkyWnw5woyXPTmpFQNBnaFhX7PTABggavHrWWu+
    6LUfaeKiIU05pnXSU9GWOZz1aD9a+3KjAwphSnmmzUds5hKc1qN+L5QGXRihP+re
    dHjXQJCXvqvG6WNg4NV/eDm1XpVUv0jEO0kckgnF5T5GJZk652TNZU0OkmZ9Kcd8
    n+846j+63MfAZ0F/Km0dAN5zDIbeNHLhm2mlcBupVNmOU1ppqWxi54HFYz2ZuO2D
    LzQNKDu3AgMBAAECggEASFnz+Uz+dMyLqbX2PFT61PEZuVUD7sySsh5l4gi7i4iy
    ngQz8SorvGPQTomdU0AORJ72syGuCtWw9GxiopT9cUZoXMmsaoavLbcyr8vjHm47
    Sfgsr2RQkbfiOM3yEGir4hpK1NZFNu0p5MuvJi7DaV4DhrGJN5UqKwKyiH1N2JZW

  29. View RSA parse details (PKCS #8)
    $ openssl asn1parse -in demo.pk8
    0:d=0 hl=4 l=1213 cons: SEQUENCE
    4:d=1 hl=2 l= 1 prim: INTEGER :00
    7:d=1 hl=2 l= 13 cons: SEQUENCE
    9:d=2 hl=2 l= 9 prim: OBJECT :rsaEncryption
    20:d=2 hl=2 l= 0 prim: NULL
    22:d=1 hl=4 l=1191 prim: OCTET STRING [HEX DUMP]:308204A...

  30. Get public key from private key
    $ openssl rsa -pubout -in demo.pem -out demo_pub.pem
    $ cat demo_pub.pem
    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw2OAGP1sa0rm4BM9lmBd
    nB9hHhJz6LajSGB1eg6S+D0UXeop1ITMdtFW0idd769Wl58R3uw5AvNsbClB2zOa
    9zjFK8c3szynI/nCYkzpMlp8OcKMlz05qRUDQZ2hYV+z0wAYIGrx61lrvui1H2ni
    oiFNOaZ10lPRljmc9Wg/WvtyowMKYUp5ps1HbOYSnNajfi+UBl0YoT/q3nR410CQ
    l76rxuljYODVf3g5tV6VVL9IxDtJHJIJxeU+RiWZOudkzWVNDpJmfSnHfJ/vOOo/
    utzHwGdBfyptHQDecwyG3jRy4ZtppXAbqVTZjlNaaalsYueBxWM9mbjtgy80DSg7
    twIDAQAB
    -----END PUBLIC KEY-----

  31. Convert PEM encoded key to DER encoded
    $ openssl rsa -inform PEM -outform DER -in demo.pem -out demo.der
    writing RSA key
    $ xxd demo.der | head
    00000000: 3082 04a3 0201 0002 8201 0100 c363 8018 0............c..
    00000010: fd6c 6b4a e6e0 133d 9660 5d9c 1f61 1e12 .lkJ...=.`]..a..
    00000020: 73e8 b6a3 4860 757a 0e92 f83d 145d ea29 s...H`uz...=.].)
    00000030: d484 cc76 d156 d227 5def af56 979f 11de ...v.V.']..V....
    00000040: ec39 02f3 6c6c 2941 db33 9af7 38c5 2bc7 .9..ll)A.3..8.+.
    00000050: 37b3 3ca7 23f9 c262 4ce9 325a 7c39 c28c 7.<.#..bL.2Z|9..
    00000060: 973d 39a9 1503 419d a161 5fb3 d300 1820 .=9...A..a_....
    00000070: 6af1 eb59 6bbe e8b5 1f69 e2a2 214d 39a6 j..Yk....i..!M9.
    00000080: 75d2 53d1 9639 9cf5 683f 5afb 72a3 030a u.S..9..h?Z.r...
    00000090: 614a 79a6 cd47 6ce6 129c d6a3 7e2f 9406 aJy..Gl.....~/..
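Added example, not from the talk and not the author's code: a POSIX shell script that round-trips one RSA key through the formats shown on slides 21 to 31 (PKCS #1 PEM, PKCS #8 PEM, DER and the public key) and checks that every copy still holds the same key, which is the test to run whenever a converted key is suspected of being corrupt or of belonging to a different pair. It assumes an `openssl` binary (OpenSSL 1.1.x, 3.x or LibreSSL) on PATH and writes into a temporary directory; the `-strparse 22` offset is the position of the OCTET STRING that `asn1parse` reported above for a 2048-bit key.

```shell
#!/bin/sh
# Added example, not from the talk: round-trip an RSA key through PKCS#1 PEM,
# PKCS#8 PEM, DER and a public-key file, then show that every copy carries
# the same modulus.  Assumes `openssl` on PATH; files go to a temp dir.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# OpenSSL 3 writes PKCS#8 by default and needs -traditional for PKCS#1;
# OpenSSL 1.x and LibreSSL write PKCS#1 and do not know the flag.
pkcs1_flag() {
  case "$(openssl version)" in
    OpenSSL\ [3-9]*) echo "-traditional" ;;
    *) echo "" ;;
  esac
}

# PEM label of the first block in a file, e.g. "RSA PRIVATE KEY".
pem_label() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Hex modulus of an RSA private or public key; pass DER for a binary file.
modulus_of() { # modulus_of <file> [PEM|DER]
  case "$(pem_label "$1")" in
    "PUBLIC KEY") openssl rsa -noout -modulus -pubin -in "$1" ;;
    *) openssl rsa -noout -modulus -inform "${2:-PEM}" -in "$1" ;;
  esac 2>/dev/null | sed 's/^Modulus=//'
}

# Generate the key and every derived form.  Always pass the size explicitly
# rather than trusting the default of whichever openssl is installed.
make_key_forms() {
  flag=$(pkcs1_flag)
  openssl genrsa -out "$WORK/demo.pem" 2048 2>/dev/null
  # shellcheck disable=SC2086
  openssl rsa -in "$WORK/demo.pem" $flag -out "$WORK/demo_pkcs1.pem" 2>/dev/null
  openssl pkcs8 -topk8 -nocrypt -in "$WORK/demo.pem" -out "$WORK/demo.pk8"
  # shellcheck disable=SC2086
  openssl rsa -in "$WORK/demo.pem" $flag -outform DER -out "$WORK/demo.der" 2>/dev/null
  openssl rsa -in "$WORK/demo.pem" -pubout -out "$WORK/demo_pub.pem" 2>/dev/null
}

# "same" when the PKCS#8, DER and public-key files all carry the modulus of
# the PKCS#1 file, otherwise "differ".
all_same_key() {
  ref=$(modulus_of "$WORK/demo_pkcs1.pem")
  [ -n "$ref" ] || { echo differ; return 0; }
  for f in demo.pk8 demo_pub.pem; do
    [ "$(modulus_of "$WORK/$f")" = "$ref" ] || { echo differ; return 0; }
  done
  [ "$(modulus_of "$WORK/demo.der" DER)" = "$ref" ] && echo same || echo differ
}

# INTEGERs asn1parse shows in the PKCS#8 file.  At the top level there is only
# the version; the RSA key itself sits inside the OCTET STRING at offset 22.
# -strparse 22 decodes that string and shows the nine PKCS#1 INTEGERs again
# (version, n, e, d, p, q, dP, dQ, qInv).
pkcs8_integer_count() { # pkcs8_integer_count top|inner
  if [ "$1" = inner ]; then
    openssl asn1parse -in "$WORK/demo.pk8" -strparse 22
  else
    openssl asn1parse -in "$WORK/demo.pk8"
  fi | grep -c 'prim: INTEGER'
}

make_key_forms
for f in demo_pkcs1.pem demo.pk8 demo_pub.pem; do
  printf '%-14s %s\n' "$f" "$(pem_label "$WORK/$f")"
done
echo "all forms hold the same key: $(all_same_key)"
echo "PKCS#8 INTEGERs at top level: $(pkcs8_integer_count top), inside the OCTET STRING: $(pkcs8_integer_count inner)"
```

The modulus comparison is the same check used later to confirm that a certificate was issued for a given private key (`openssl x509 -noout -modulus` against `openssl rsa -noout -modulus`); comparing labels alone only tells you the container, not whether the key inside is the one you expect.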

  32. Working with Certificates

  33. $ head braintree.pem
    -----BEGIN CERTIFICATE-----
    MIIHFzCCBf+gAwIBAgIQdlPhj8bBtjhpkzOjtu2ZGzANBgkqhkiG9w0BAQsFADB3
    MQswCQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAd
    BgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxKDAmBgNVBAMTH1N5bWFudGVj
    IENsYXNzIDMgRVYgU1NMIENBIC0gRzMwHhcNMTUwMzE3MDAwMDAwWhcNMTcwMzE2
    MjM1OTU5WjCCAR0xEzARBgsrBgEEAYI3PAIBAxMCVVMxGTAXBgsrBgEEAYI3PAIB
    AgwIRGVsYXdhcmUxHTAbBgNVBA8TFFByaXZhdGUgT3JnYW5pemF0aW9uMRAwDgYD
    VQQFEwczMDE0MjY3MQswCQYDVQQGEwJVUzETMBEGA1UEEQwKOTUxMzEtMjAyMTET
    MBEGA1UECAwKQ2FsaWZvcm5pYTERMA8GA1UEBwwIU2FuIEpvc2UxFjAUBgNVBAkM
    DTIyMTEgTiAxc3QgU3QxFTATBgNVBAoMDFBheVBhbCwgSW5jLjEdMBsGA1UECwwU

  34. X.509 Certificate
    - Format for digital certificates
    - Uses ASN.1 for the basic file format
    - Wraps a public key
    - Specifies the subject of the certificate and the issuer
    - Contents are digitally signed by the issuer
    - Lists the validity period

  35. View certificate information
    $ openssl x509 -text -in braintree.pem | head -n 20
    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number:
    76:53:e1:8f:c6:c1:b6:38:69:93:33:a3:b6:ed:99:1b
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust N...
    Validity
    Not Before: Mar 17 00:00:00 2015 GMT
    Not After : Mar 16 23:59:59 2017 GMT
    Subject: jurisdictionC=US/jurisdictionST=Delaware/busines...
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    Public-Key: (2048 bit)
    Modulus:
    00:d4:8e:55:07:7c:a2:89:f5:4f:a0:d2:80:82:63:
    d6:09:a1:86:19:e3:68:52:f5:49:66:d9:d7:e9:61:
    33:77:3c:04:8b:cc:43:99:b5:e3:b9:a1:23:40:a9:
    26:32:8c:fe:60:31:eb:5d:da:2d:42:3e:4a:0b:a9:
    e7:d3:17:19:bf:8a:7b:3e:37:2a:f2:dd:3e:4c:62:

  36. X.509 Extensions
    $ openssl x509 -text -in braintree.pem
    ...
    X509v3 extensions:
    X509v3 Subject Alternative Name:
    DNS:www.braintreepayments.com
    X509v3 Basic Constraints:
    CA:FALSE
    X509v3 Key Usage: critical
    Digital Signature, Key Encipherment
    X509v3 Extended Key Usage:
    TLS Web Server Authentication, TLS Web Client Authentication
    ...

  37. Extract public key from certificate
    $ openssl x509 -pubkey -noout -in braintree.pem
    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1I5VB3yiifVPoNKAgmPW
    CaGGGeNoUvVJZtnX6WEzdzwEi8xDmbXjuaEjQKkmMoz+YDHrXdotQj5KC6nn0xcZ
    v4p7Pjcq8t0+TGKSp+dJr1Fk0Tx9i7Fk+Lq2yEfQYGymyuzmDk4pzwbMkzMjuqkw
    lWMxErPshjynBK5g4TEc8pTCYtX39mVMPhXdcj3V6auk3ubbgpbz5DCyh0JiwnNK
    84sA8ydCFs4csF9g3hJYws/J6KL9jxDfLkf5jWQLA6inxyX1zRKRwrlOyTCFIs6X
    KGBr5Cjei6NI/9NYCLClxcfKJ6qDpCOf6PZj3JTk9fzF3KMrPWoc7SRE1MwfYX63
    cwIDAQAB
    -----END PUBLIC KEY-----

  38. View certificate parse details
    $ openssl asn1parse -in braintree.pem | head -n 20
    0:d=0 hl=4 l=1815 cons: SEQUENCE
    4:d=1 hl=4 l=1535 cons: SEQUENCE
    8:d=2 hl=2 l= 3 cons: cont [ 0 ]
    10:d=3 hl=2 l= 1 prim: INTEGER :02
    13:d=2 hl=2 l= 16 prim: INTEGER :7653E18FC6C1B638699333A3B6ED991B
    31:d=2 hl=2 l= 13 cons: SEQUENCE
    33:d=3 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
    44:d=3 hl=2 l= 0 prim: NULL
    46:d=2 hl=2 l= 119 cons: SEQUENCE
    48:d=3 hl=2 l= 11 cons: SET
    50:d=4 hl=2 l= 9 cons: SEQUENCE
    52:d=5 hl=2 l= 3 prim: OBJECT :countryName
    57:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US
    61:d=3 hl=2 l= 29 cons: SET
    63:d=4 hl=2 l= 27 cons: SEQUENCE
    65:d=5 hl=2 l= 3 prim: OBJECT :organizationName
    70:d=5 hl=2 l= 20 prim: PRINTABLESTRING :Symantec Corporation
    92:d=3 hl=2 l= 31 cons: SET
    94:d=4 hl=2 l= 29 cons: SEQUENCE
    96:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName

  39. X.509 Certificate Request (PKCS #10 CSR)
    - Sent to a certificate authority
    - Contains the public key to be certified and the requested subject name
    - Signed by the requestor with the matching private key (proof of possession)

  40. Generate a certificate request
    $ openssl req -new -key demo.pem -out demo.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:Illinois
    Locality Name (eg, city) []:Chicago
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:PayPal
    Organizational Unit Name (eg, section) []:Braintree
    Common Name (e.g. server FQDN or YOUR name) []:demo.braintreepayments.com
    Email Address []:
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

  41. View certificate request
    $ openssl req -text -in demo.csr | head -n 20
    Certificate Request:
    Data:
    Version: 0 (0x0)
    Subject: C=US, ST=Illinois, L=Chicago, O=PayPal, OU=Braintree, CN=demo.braintreepayments.com
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    Public-Key: (2048 bit)
    Modulus:
    00:c3:63:80:18:fd:6c:6b:4a:e6:e0:13:3d:96:60:
    5d:9c:1f:61:1e:12:73:e8:b6:a3:48:60:75:7a:0e:
    92:f8:3d:14:5d:ea:29:d4:84:cc:76:d1:56:d2:27:
    5d:ef:af:56:97:9f:11:de:ec:39:02:f3:6c:6c:29:
    41:db:33:9a:f7:38:c5:2b:c7:37:b3:3c:a7:23:f9:
    c2:62:4c:e9:32:5a:7c:39:c2:8c:97:3d:39:a9:15:
    03:41:9d:a1:61:5f:b3:d3:00:18:20:6a:f1:eb:59:
    6b:be:e8:b5:1f:69:e2:a2:21:4d:39:a6:75:d2:53:
    d1:96:39:9c:f5:68:3f:5a:fb:72:a3:03:0a:61:4a:
    79:a6:cd:47:6c:e6:12:9c:d6:a3:7e:2f:94:06:5d:
    18:a1:3f:ea:de:74:78:d7:40:90:97:be:ab:c6:e9:
    63:60:e0:d5:7f:78:39:b5:5e:95:54:bf:48:c4:3b:

  42. Extract public key from certificate request
    $ openssl req -pubkey -in demo.csr -noout
    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw2OAGP1sa0rm4BM9lmBd
    nB9hHhJz6LajSGB1eg6S+D0UXeop1ITMdtFW0idd769Wl58R3uw5AvNsbClB2zOa
    9zjFK8c3szynI/nCYkzpMlp8OcKMlz05qRUDQZ2hYV+z0wAYIGrx61lrvui1H2ni
    oiFNOaZ10lPRljmc9Wg/WvtyowMKYUp5ps1HbOYSnNajfi+UBl0YoT/q3nR410CQ
    l76rxuljYODVf3g5tV6VVL9IxDtJHJIJxeU+RiWZOudkzWVNDpJmfSnHfJ/vOOo/
    utzHwGdBfyptHQDecwyG3jRy4ZtppXAbqVTZjlNaaalsYueBxWM9mbjtgy80DSg7
    twIDAQAB
    -----END PUBLIC KEY-----

  43. PKCS #12
    - Format for combining keys and certificates in one file
    - Preferred format for Windows
    - Usually encrypted with a password (an empty password is allowed)
    - Extensions .p12 and .pfx
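Added example, not from the talk and not the author's code: a POSIX shell script that takes the certificate workflow of slides 39 to 43 end to end, building a throwaway CA, issuing a leaf certificate from a CSR that carries a SAN, bundling key and chain as PKCS #12, and then running the two checks a client must perform on the result: chain verification against the CA and hostname verification against the SAN. It assumes an `openssl` binary (1.1.1 or later, for `-addext` and `-verify_hostname`) on PATH and a temporary directory; the CA name `Demo Root CA`, the hostname `demo.example.test` and the password `demo` are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the talk: build a throwaway CA, issue a leaf
# certificate from a CSR, bundle key and chain as PKCS#12, then run the two
# checks a client must perform: chain verification and hostname verification.
# Assumes `openssl` (1.1.1 or later) on PATH; CA name and hostname are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST=demo.example.test

make_demo_pki() {
  # 1. Root CA: key, CSR, then a self-signed cert.  Extensions come from
  #    -extfile only, so nothing depends on the system openssl.cnf.
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/ca.key" -subj "/CN=Demo Root CA" -out "$WORK/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl x509 -req -days 1 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null

  # 2. Leaf key and CSR.  The CSR is signed with the leaf key (proof of
  #    possession) and asks for a SAN, as a real request to a CA would.
  openssl genrsa -out "$WORK/leaf.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/leaf.key" \
    -subj "/C=US/ST=Illinois/L=Chicago/O=Demo/CN=$HOST" \
    -addext "subjectAltName=DNS:$HOST" -out "$WORK/leaf.csr" 2>/dev/null

  # 3. Issue.  `x509 -req` ignores the CSR's extensions, so the issuer
  #    restates the SAN and marks the cert as an end entity for server use.
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
    "$HOST"> "$WORK/leaf.ext"
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

  # 4. PKCS#12 bundle: key + leaf + issuing CA, under one password.
  openssl pkcs12 -export -passout pass:demo -inkey "$WORK/leaf.key" \
    -in "$WORK/leaf.pem" -certfile "$WORK/ca.pem" -out "$WORK/leaf.p12"
}

# SAN entries of the leaf as `x509 -text` prints them, e.g. "DNS:demo.example.test".
leaf_sans() {
  openssl x509 -noout -text -in "$WORK/leaf.pem" \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# "yes" when key and cert share a modulus; a mismatch is the usual cause of
# "key values mismatch" when a server refuses to start.
cert_matches_key() {
  c=$(openssl x509 -noout -modulus -in "$WORK/leaf.pem")
  k=$(openssl rsa -noout -modulus -in "$WORK/leaf.key" 2>/dev/null)
  [ "$c" = "$k" ] && echo yes || echo no
}

# Pitfall 1, chain verification: ok/fail.  Without the CA file the leaf is
# just an unknown issuer's signature and must be rejected.
verify_chain() { # verify_chain <cert.pem> [ca.pem]
  if [ $# -ge 2 ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify "$1" >/dev/null 2>&1 && echo ok || echo fail
  fi
}

# Pitfall 2, hostname verification: the name is matched against the SAN.
verify_host() { # verify_host <hostname>
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" "$WORK/leaf.pem" \
    >/dev/null 2>&1 && echo ok || echo fail
}

# CN of the certificate stored in the PKCS#12 bundle.
p12_leaf_cn() {
  openssl pkcs12 -in "$WORK/leaf.p12" -passin pass:demo -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject | sed 's/.*CN *= *//'
}

make_demo_pki
echo "leaf SAN:            $(leaf_sans)"
echo "key matches cert:    $(cert_matches_key)"
echo "chain with CA:       $(verify_chain "$WORK/leaf.pem" "$WORK/ca.pem")"
echo "chain without CA:    $(verify_chain "$WORK/leaf.pem")"
echo "hostname $HOST: $(verify_host "$HOST")"
echo "hostname www.example.test: $(verify_host www.example.test)"
echo "cert inside PKCS#12: $(p12_leaf_cn)"
```

Two details matter in practice. `openssl x509 -req` drops whatever extensions the CSR asked for, so a SAN that is only in the request never reaches the certificate unless the issuer restates it (or, on OpenSSL 3, passes `-copy_extensions copy`). And `-verify_hostname` matches the SAN, not the CN, which is also what modern browsers do.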

  44. Debugging Connections

  45. curl
    $ curl -vI https://www.braintreepayments.com
    * Rebuilt URL to: https://www.braintreepayments.com/
    * Trying 54.215.8.63...
    * Connected to www.braintreepayments.com (54.215.8.63) port 443 (#0)
    * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    * Server certificate: www.braintreepayments.com
    * Server certificate: Symantec Class 3 EV SSL CA - G3
    * Server certificate: VeriSign Class 3 Public Primary Certification Authority - G5
    > HEAD / HTTP/1.1
    > Host: www.braintreepayments.com
    > User-Agent: curl/7.43.0
    > Accept: */*

  46. openssl s_client
    $ openssl s_client -connect www.braintreepayments.com:443
    CONNECTED(00000003)
    depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary...
    verify return:1
    depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network...
    verify return:1
    depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Net...
    verify return:1
    depth=0 jurisdictionC = US, jurisdictionST = Delaware, businessCa...
    OU = Braintree Production, CN = www.braintreepayments.com
    verify return:1
    ---
    Certificate chain
    0 s:/jurisdictionC=US/jurisdictionST=Delaware/businessCategory=P...
    intreepayments.com
    i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Sy...
    1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Sy...
    i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006...
    2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006...
    i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certificati...
    ...

  47. openssl s_client
    $ openssl s_client -connect www.braintreepayments.com:443
    ...
    SSL handshake has read 5063 bytes and written 444 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 387E121C8195A337BC24EDAB3962627E01E974841E039D4D3...
    Session-ID-ctx:
    Master-Key: B158E366C9D89BC74C7CD183CDF4AC0498899D9ED2D6A00CA...
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    ...snip...
    Start Time: 1446134858
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
    ---

  48. OpenSSL
    - Does not ship with any root certificates
    - Operating systems and browsers do
    - On Linux these are generally gathered from the Mozilla list
    - On OS X
      - The bundled OpenSSL contains Apple-specific patches which cause it to fall back to the OS X root certificates
      - The bundled version is very old

  49. sslyze
    $ brew install sslyze
    $ sslyze --regular www.braintreepayments.com:443
    ...
    SCAN RESULTS FOR WWW.BRAINTREEPAYMENTS.COM:443 - 54.215.8.63:443
    -------------------------------------------------------------------
    ...snip...
    * Certificate - Content:
    SHA1 Fingerprint: 8ab0dc85c10af4c0e396e7586c85a3b74a39aa91
    Common Name: www.braintreepayments.com
    Issuer: Symantec Class 3 EV SSL CA - G3
    Serial Number: 7653E18FC6C1B638699333A3B6ED991B
    Not Before: Mar 17 00:00:00 2015 GMT
    Not After: Mar 16 23:59:59 2017 GMT
    Signature Algorithm: sha256WithRSAEncryption
    Public Key Algorithm: rsaEncryption
    Key Size: 2048 bit
    Exponent: 65537 (0x10001)
    X509v3 Subject Alternative Name: {'DNS': ['www.braintreepayments.com']}
    ...

  50. sslyze
    $ sslyze --regular www.braintreepayments.com:443
    ...
    SCAN RESULTS FOR WWW.BRAINTREEPAYMENTS.COM:443 - 54.215.8.63:443
    -------------------------------------------------------------------
    ...snip...
    * Certificate - Trust:
    Hostname Validation: OK - Subject Alternative Name matches
    Google CA Store (09/2015): OK - Certificate is trusted
    Java 6 CA Store (Update 65): OK - Certificate is trusted
    Microsoft CA Store (09/2015): OK - Certificate is trusted
    Apple CA Store (OS X 10.10.5): OK - Certificate is trusted
    Mozilla NSS CA Store (09/2015): OK - Certificate is trusted
    Certificate Chain Received: ['www.braintreepayments.com', 'Symantec Cl...
    ...

  51. [image-only slide, no transcribed text]

  52. SSL Labs
    https://www.ssllabs.com

  53. How TLS Works

  54. [image-only slide, no transcribed text]

  55. Client Hello
    - Highest protocol version the client supports (e.g. TLS 1.2)
    - Cipher suites the client supports, in order of preference
    - Extensions (introduced after TLS 1.0, but in a backward-compatible way)
      - Server Name Indication (SNI)

  56. Server Name Indication
    - Allows a client to tell the server which virtual host it wants, so the server can pick the matching certificate
    - Without it, every hostname needs its own IP address (or port)
    - Can be expensive for hosting
    - The HTTP Host header arrives only after the TLS handshake, too late to choose a certificate
    - SNI support is still not 100% (older clients omit it)
    - The name is sent in cleartext in the Client Hello, so it is visible to anyone on the path

  57. Server Hello
    - Server picks the protocol version and cipher suite from the client's list
    - Provides a session ID, used for session resumption

  58. Server Certificate
    - Server provides its certificate and any intermediate certificates necessary to build a chain to a root the client trusts

  59. [image-only slide, no transcribed text]

  60. Client Certificate [optional]
    - Server asks the client to provide a certificate (CertificateRequest)
    - Indicates which certificate types and issuing CAs would be acceptable
    - Client sends its own certificate and any intermediates, then proves possession of the private key with a CertificateVerify signature

  61. Change Cipher Spec
    - Signals that everything sent from here on uses the negotiated keys and cipher
    - The Finished message that follows is the first encrypted record; it carries a MAC over the whole handshake transcript and completes the handshake

  62. TLS Verification

  63. [image-only slide, no transcribed text]

  64. [image-only slide, no transcribed text]

  65. Pitfalls
    1. Not verifying the certificate chain
    2. Not verifying the hostname
    3. Using a broken library

  66. [image-only slide, no transcribed text]

  67. Disabling chain verification (pitfall 1 in practice)
    $ curl -k https://example.com
    or
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);

  68. Pitfalls
    1. Not verifying the certificate chain
    2. Not verifying the hostname
    3. Using a broken library

  69. Hostname verification
    - Hostname verification is protocol dependent: which name to check, and against which certificate field, is defined per application protocol (RFC 2818 and RFC 6125 for HTTPS)
    - OpenSSL had no built-in hostname check before 1.0.2 (X509_check_host, X509_VERIFY_PARAM_set1_host), and even then the application has to ask for it
    - Also, some people just turn it off:
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
    (2 is the correct value; 1 is rejected by current libcurl)
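Added example, not from the talk and not the author's code: a POSIX shell script that starts a local `openssl s_server` holding two certificates and uses `s_client` the way slides 46 and 47 do, so that the SNI mechanism of slide 56 and the two pitfalls above can be watched on the wire: the name in the Client Hello decides which certificate comes back, and the "Verify return code" line distinguishes a trusted chain from an untrusted one and from a name mismatch. It assumes an `openssl` binary (1.1.1 or later) on PATH and a free TCP port on 127.0.0.1; the hostnames `default.example.test` and `vhost.example.test` are made up, and the certificates are self-signed, so each is trusted by passing it as its own `-CAfile`.

```shell
#!/bin/sh
# Added example, not from the talk: run a local s_server with two identities
# and watch SNI select between them, then read s_client's verify result for a
# trusted, an untrusted and a mismatched name.  Assumes `openssl` (1.1.1+) on
# PATH and a free TCP port on 127.0.0.1; the hostnames are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PORT="${PORT:-$((20000 + $$ % 20000))}"
DEFAULT=default.example.test
VHOST=vhost.example.test

# Self-signed certificate with a SAN for one hostname (no CA involved).
selfsigned() { # selfsigned <hostname>
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$1" -out "$WORK/$1.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/$1.ext"
  openssl x509 -req -days 1 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# Start the server once.  -cert/-key is the default identity; -cert2/-key2 is
# served only when the Client Hello's SNI equals -servername.  -www makes the
# server answer HTTP instead of reading stdin, which suits a background job.
start_server() {
  if [ -n "${SERVER_PID:-}" ] && kill -0 "$SERVER_PID" 2>/dev/null; then return 0; fi
  selfsigned "$DEFAULT"
  selfsigned "$VHOST"
  openssl s_server -accept "$PORT" -www \
    -cert "$WORK/$DEFAULT.pem" -key "$WORK/$DEFAULT.key" \
    -servername "$VHOST" -cert2 "$WORK/$VHOST.pem" -key2 "$WORK/$VHOST.key" \
    </dev/null >/dev/null 2>&1 &
  SERVER_PID=$!
  i=0
  while [ "$i" -lt 10 ]; do   # wait until the port answers
    openssl s_client -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1 && return 0
    i=$((i + 1)); sleep 1
  done
  echo "server did not come up on port $PORT" >&2
  return 1
}
stop_server() { [ -z "${SERVER_PID:-}" ] || kill "$SERVER_PID" 2>/dev/null || true; }
trap stop_server EXIT

# s_client transcript for one SNI name, trusting one PEM file and checking
# that the served certificate covers that same name.
handshake() { # handshake <sni-name> <trusted.pem>
  openssl s_client -connect "127.0.0.1:$PORT" -servername "$1" \
    -CAfile "$2" -verify_hostname "$1" </dev/null 2>/dev/null
}

# CN of the certificate the server actually presented for this SNI name.
served_cn() { handshake "$1" "$2" | openssl x509 -noout -subject | sed 's/.*CN *= *//'; }

# s_client's "Verify return code" for the handshake, e.g. "0 (ok)".
verify_code() { handshake "$1" "$2" | sed -n 's/^ *Verify return code: //p' | head -n 1; }

start_server
echo "SNI $VHOST -> served $(served_cn "$VHOST" "$WORK/$VHOST.pem"), verify: $(verify_code "$VHOST" "$WORK/$VHOST.pem")"
echo "SNI other.example.test -> served $(served_cn other.example.test "$WORK/$DEFAULT.pem"), verify: $(verify_code other.example.test "$WORK/$DEFAULT.pem")"
echo "SNI $VHOST, trusting only the default cert -> verify: $(verify_code "$VHOST" "$WORK/$DEFAULT.pem")"
```

The three verify lines are the ones to look for when debugging a real endpoint: `0 (ok)` only appears when both the chain and the name check pass; an untrusted issuer and a name that the SAN does not cover each produce a non-zero code with an explanatory text. `s_client` keeps the connection open despite a failed check unless `-verify_return_error` is given, which is exactly the behaviour a client library must not copy.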

  70. Pitfalls
    1. Not verifying the certificate chain
    2. Not verifying the hostname
    3. Using a broken library

  71. [image-only slide, no transcribed text]

  72. [image-only slide, no transcribed text]

  73. Recommendations
    - Do ensure you're validating connections (chain and hostname)
    - Lean on a framework/library if possible
    - But check that it also does the right thing
    - Set up an automated test that validates this setting (connect to a host with an untrusted or mismatched certificate and assert that the connection fails)

  74. Quick Survey of Known Problems

  75. CBC mode with MAC-then-Encrypt
    - Attacks
      - BEAST (predictable CBC IVs in TLS 1.0)
      - POODLE (SSLv3 CBC padding oracle)
      - Lucky13 (timing side channel in CBC padding checks)
    - Workaround is to use AEAD cipher suites
      - GCM
      - ChaCha20-Poly1305

  76. Compression
    - CRIME (TLS-level compression)
    - BREACH (HTTP response compression)

  77. Long tail of support
    - Many servers still support SSLv3
    - Some servers support SSLv2
    - Attacks
      - DROWN: Breaking TLS using SSLv2

  78. TLS Server Settings
    https://mozilla.github.io/server-side-tls/ssl-config-generator/

  79. Questions