My TLS was broken

My TLS was broken

Ee5407f7a79eb620c4fd54c136847b33?s=128

Piyush Verma

January 19, 2019
Tweet

Transcript

  1. 2.

    My TLS was broken My TLS is broken My TLS

    was broken My TLS is broken My TLS was broken My TLS will be broken
  2. 8.

    TCP TLS Server func main() { cer, err := tls.LoadX509KeyPair("server.crt",

    "server.key") config := &tls.Config{Certificates: []tls.Certificate{cer}} ln , err := tls.Listen("tcp", ":443", config) conn, err := ln.Accept() go handleConnection(conn) }
  3. 9.

    TLS Client func main() { conf := &tls.Config{//InsecureSkipVerify: true} conn,

    err := tls.Dial("tcp", "ldap.ha.tsengine.io:847", conf) n, err := conn.Write([]byte("hello\n")) buf := make([]byte, 100) n, err = conn.Read(buf) log.Println(n, err) }
  4. 12.

    func main() { listener, _ := net.Listen("tcp", "127.0.0.1:8000") conn, err

    := listener.Accept() bytesRead, err := conn.Read(...) if string(buffer[0:bytesRead]) == STARTTLS { conn := tls.Server(unenc_conn, &config) var buffer = make([]byte, 1024) conn.Handshake() ... } } TLS Client
  5. 13.
  6. 17.

    meson10@DESKTOP-S7PEUGG:~$ openssl x509 -in <(openssl s_client -connect wikipedia.com:443 2>&1 <

    /dev/null | sed -n '/-----BEGIN/,/-----END/p') -text Certificate: Data: Version: 3 (0x2) Serial Number: 08:30:94:62:d1:fe:a6:0a:e0:ba:bf:f5:ef:8b:c5:45 Validity Not Before: Dec 21 00:00:00 2017 GMT Not After : Jan 24 12:00:00 2019 GMT X509v3 CRL Distribution Points: Full Name: URI:http://crl3.digicert.com/sha2-ha-server-g6.crl Full Name: URI:http://crl4.digicert.com/sha2-ha-server-g6.crl Authority Information Access: OCSP - URI:http://ocsp.digicert.com
  7. 23.

    Client Certificate Certificate: Issuer: C = IN, ST = MH,

    L = Pune, OU = TS Sre Certificate Authority, CN = TS Sre CA Validity Not Before: Jan 18 06:53:00 2019 GMT Not After : Jan 17 06:53:00 2024 GMT Subject: C = IN, ST = MH, L = Pune, OU = TrustingSocial, CN = tls_demo_client Authority Information Access: OCSP - URI:http://ca.ha.tsengine.io:7889 CA Issuers - URI:http://ca.ha.tsengine.io:1500/intermediate/intermediate.crt X509v3 CRL Distribution Points: Full Name: URI:http://ca.ha.tsengine.io:6688/api/v1/cfssl/crl
  8. 24.

    certificate, err := tls.LoadX509KeyPair(cert, key) tlsConfig := &tls.Config{ ServerName: "my-server",

    ClientAuth: tls.RequireAndVerifyClientCert, Certificates: []tls.Certificate{certificate}, } ln, err := tls.Listen("tcp", ":443", config) conn, err := ln.Accept() go handleConnection(conn) Accepting Client Certs
  9. 28.

    certPool := x509.NewCertPool() b, err := ioutil.ReadFile(rootPath) certPool.AppendCertsFromPEM(bs) tlsConfig :=

    &tls.Config{ ServerName: "my-server", ClientAuth: tls.RequireAndVerifyClientCert, Certificates: []tls.Certificate{certificate}, ClientCAs: certPool, } Accepting Client Certs
  10. 29.

    certificate, err := tls.LoadX509KeyPair(cert, key) certPool := x509.NewCertPool() b, err

    := ioutil.ReadFile(rootPath) certPool.AppendCertsFromPEM(bs) tlsConfig := &tls.Config{ Certificates: []tls.Certificate{certificate}, RootCAs: certPool, } Accepting Server Certs
  11. 32.

    CRL

  12. 33.

    meson10@DESKTOP-S7PEUGG:~$ openssl x509 -in <(openssl s_client -connect wikipedia.com:443 2>&1 <

    /dev/null | sed -n '/-----BEGIN/,/-----END/p') -text Certificate: Data: Version: 3 (0x2) Serial Number: 08:30:94:62:d1:fe:a6:0a:e0:ba:bf:f5:ef:8b:c5:45 Validity Not Before: Dec 21 00:00:00 2017 GMT Not After : Jan 24 12:00:00 2019 GMT X509v3 CRL Distribution Points: Full Name: URI:http://crl3.digicert.com/sha2-ha-server-g6.crl Authority Information Access: OCSP - URI:http://ocsp.digicert.com
  13. 34.

    CRL

  14. 35.

    CRL

  15. 37.
  16. 38.

    meson10@DESKTOP-S7PEUGG:~$ openssl x509 -in <(openssl s_client -connect wikipedia.com:443 2>&1 <

    /dev/null | sed -n '/-----BEGIN/,/-----END/p') -text Certificate: Data: Version: 3 (0x2) Serial Number: 08:30:94:62:d1:fe:a6:0a:e0:ba:bf:f5:ef:8b:c5:45 Validity Not Before: Dec 21 00:00:00 2017 GMT Not After : Jan 24 12:00:00 2019 GMT X509v3 CRL Distribution Points: Full Name: URI:http://crl3.digicert.com/sha2-ha-server-g6.crl Authority Information Access: OCSP - URI:http://ocsp.digicert.com
  17. 39.
  18. 41.
  19. 45.

    What’s the most fragile thing in the Universe? a) Silence

    b) Taylor Swift’s heart. c) Neymar’s Shin d) Internet Security
  20. 46.
  21. 49.

    cert, err := x509.ParseCertificate(cert) // ok := callOCSPServer(cert) if !ok

    { // Certificate is revoked } tlsConfig := &tls.Config{ ServerName: "my-server", ClientAuth: tls.RequireAndVerifyClientCert, Certificates: []tls.Certificate{certificate}, ClientCAs: certPool, VerifyPeerCertificate: certValidator, } Accepting Client Certs
  22. 50.