Upgrade to Pro — share decks privately, control downloads, hide ads and more …

My TLS was broken

My TLS was broken

Piyush Verma

January 19, 2019
Tweet

More Decks by Piyush Verma

Other Decks in Technology

Transcript

  1. My TLS was broken My TLS is broken My TLS

    was broken My TLS is broken My TLS was broken My TLS will be broken
  2. TCP TLS Server func main() { cer, err := tls.LoadX509KeyPair("server.crt",

    "server.key") config := &tls.Config{Certificates: []tls.Certificate{cer}} ln , err := tls.Listen("tcp", ":443", config) conn, err := ln.Accept() go handleConnection(conn) }
  3. TLS Client func main() { conf := &tls.Config{//InsecureSkipVerify: true} conn,

    err := tls.Dial("tcp", "ldap.ha.tsengine.io:847", conf) n, err := conn.Write([]byte("hello\n")) buf := make([]byte, 100) n, err = conn.Read(buf) log.Println(n, err) }
  4. func main() { listener, _ := net.Listen("tcp", "127.0.0.1:8000") conn, err

    := listener.Accept() bytesRead, err := conn.Read(...) if string(buffer[0:bytesRead]) == STARTTLS { conn := tls.Server(unenc_conn, &config) var buffer = make([]byte, 1024) conn.Handshake() ... } } TLS Client
  5. meson10@DESKTOP-S7PEUGG:~$ openssl x509 -in <(openssl s_client -connect wikipedia.com:443 2>&1 <

    /dev/null | sed -n '/-----BEGIN/,/-----END/p') -text Certificate: Data: Version: 3 (0x2) Serial Number: 08:30:94:62:d1:fe:a6:0a:e0:ba:bf:f5:ef:8b:c5:45 Validity Not Before: Dec 21 00:00:00 2017 GMT Not After : Jan 24 12:00:00 2019 GMT X509v3 CRL Distribution Points: Full Name: URI:http://crl3.digicert.com/sha2-ha-server-g6.crl Full Name: URI:http://crl4.digicert.com/sha2-ha-server-g6.crl Authority Information Access: OCSP - URI:http://ocsp.digicert.com
  6. Client Certificate Certificate: Issuer: C = IN, ST = MH,

    L = Pune, OU = TS Sre Certificate Authority, CN = TS Sre CA Validity Not Before: Jan 18 06:53:00 2019 GMT Not After : Jan 17 06:53:00 2024 GMT Subject: C = IN, ST = MH, L = Pune, OU = TrustingSocial, CN = tls_demo_client Authority Information Access: OCSP - URI:http://ca.ha.tsengine.io:7889 CA Issuers - URI:http://ca.ha.tsengine.io:1500/intermediate/intermediate.crt X509v3 CRL Distribution Points: Full Name: URI:http://ca.ha.tsengine.io:6688/api/v1/cfssl/crl
  7. certificate, err := tls.LoadX509KeyPair(cert, key) tlsConfig := &tls.Config{ ServerName: "my-server",

    ClientAuth: tls.RequireAndVerifyClientCert, Certificates: []tls.Certificate{certificate}, } ln, err := tls.Listen("tcp", ":443", config) conn, err := ln.Accept() go handleConnection(conn) Accepting Client Certs
  8. certPool := x509.NewCertPool() b, err := ioutil.ReadFile(rootPath) certPool.AppendCertsFromPEM(bs) tlsConfig :=

    &tls.Config{ ServerName: "my-server", ClientAuth: tls.RequireAndVerifyClientCert, Certificates: []tls.Certificate{certificate}, ClientCAs: certPool, } Accepting Client Certs
  9. certificate, err := tls.LoadX509KeyPair(cert, key) certPool := x509.NewCertPool() b, err

    := ioutil.ReadFile(rootPath) certPool.AppendCertsFromPEM(bs) tlsConfig := &tls.Config{ Certificates: []tls.Certificate{certificate}, RootCAs: certPool, } Accepting Server Certs
  10. CRL

  11. meson10@DESKTOP-S7PEUGG:~$ openssl x509 -in <(openssl s_client -connect wikipedia.com:443 2>&1 <

    /dev/null | sed -n '/-----BEGIN/,/-----END/p') -text Certificate: Data: Version: 3 (0x2) Serial Number: 08:30:94:62:d1:fe:a6:0a:e0:ba:bf:f5:ef:8b:c5:45 Validity Not Before: Dec 21 00:00:00 2017 GMT Not After : Jan 24 12:00:00 2019 GMT X509v3 CRL Distribution Points: Full Name: URI:http://crl3.digicert.com/sha2-ha-server-g6.crl Authority Information Access: OCSP - URI:http://ocsp.digicert.com
  12. CRL

  13. CRL

  14. meson10@DESKTOP-S7PEUGG:~$ openssl x509 -in <(openssl s_client -connect wikipedia.com:443 2>&1 <

    /dev/null | sed -n '/-----BEGIN/,/-----END/p') -text Certificate: Data: Version: 3 (0x2) Serial Number: 08:30:94:62:d1:fe:a6:0a:e0:ba:bf:f5:ef:8b:c5:45 Validity Not Before: Dec 21 00:00:00 2017 GMT Not After : Jan 24 12:00:00 2019 GMT X509v3 CRL Distribution Points: Full Name: URI:http://crl3.digicert.com/sha2-ha-server-g6.crl Authority Information Access: OCSP - URI:http://ocsp.digicert.com
  15. What’s the most fragile thing in the Universe? a) Silence

    b) Taylor Swift’s heart. c) Neymar’s Shin d) Internet Security
  16. cert, err := x509.ParseCertificate(cert) // ok := callOCSPServer(cert) if !ok

    { // Certificate is revoked } tlsConfig := &tls.Config{ ServerName: "my-server", ClientAuth: tls.RequireAndVerifyClientCert, Certificates: []tls.Certificate{certificate}, ClientCAs: certPool, VerifyPeerCertificate: certValidator, } Accepting Client Certs