My TLS was broken

My TLS was broken

Ee5407f7a79eb620c4fd54c136847b33?s=128

Piyush Verma

January 19, 2019
Tweet

Transcript

  1. My TLS is broken and probably yours too.

  2. My TLS was broken My TLS is broken My TLS

    was broken My TLS is broken My TLS was broken My TLS will be broken
  3. Part 1: The GreenLock

  4. HTTPS func main() { http.ListenAndServeTLS(":443", "server.crt", "server.key", nil) }

  5. Picture or it didn’t happen

  6. HTTPS Server

  7. Part 2: TCP TLS

  8. TCP TLS Server func main() { cer, err := tls.LoadX509KeyPair("server.crt",

    "server.key") config := &tls.Config{Certificates: []tls.Certificate{cer}} ln , err := tls.Listen("tcp", ":443", config) conn, err := ln.Accept() go handleConnection(conn) }
  9. TLS Client func main() { conf := &tls.Config{//InsecureSkipVerify: true} conn,

    err := tls.Dial("tcp", "ldap.ha.tsengine.io:847", conf) n, err := conn.Write([]byte("hello\n")) buf := make([]byte, 100) n, err = conn.Read(buf) log.Println(n, err) }
  10. Server Client TCP

  11. Part 3: Opportunistic TLS

  12. func main() { listener, _ := net.Listen("tcp", "127.0.0.1:8000") conn, err

    := listener.Accept() bytesRead, err := conn.Read(...) if string(buffer[0:bytesRead]) == STARTTLS { conn := tls.Server(unenc_conn, &config) var buffer = make([]byte, 1024) conn.Handshake() ... } } TLS Client
  13. Part 4

  14. TLS Client Auth Handshake

  15. TLS Exchange

  16. Certificates

  17. meson10@DESKTOP-S7PEUGG:~$ openssl x509 -in <(openssl s_client -connect wikipedia.com:443 2>&1 <

    /dev/null | sed -n '/-----BEGIN/,/-----END/p') -text Certificate: Data: Version: 3 (0x2) Serial Number: 08:30:94:62:d1:fe:a6:0a:e0:ba:bf:f5:ef:8b:c5:45 Validity Not Before: Dec 21 00:00:00 2017 GMT Not After : Jan 24 12:00:00 2019 GMT X509v3 CRL Distribution Points: Full Name: URI:http://crl3.digicert.com/sha2-ha-server-g6.crl Full Name: URI:http://crl4.digicert.com/sha2-ha-server-g6.crl Authority Information Access: OCSP - URI:http://ocsp.digicert.com
  18. Sharing is not Caring, Your parents have been lying.

  19. Part 5: Client Authentication

  20. Client Authentication

  21. Why is Client Auth needed?

  22. But we use API Keys

  23. Client Certificate Certificate: Issuer: C = IN, ST = MH,

    L = Pune, OU = TS Sre Certificate Authority, CN = TS Sre CA Validity Not Before: Jan 18 06:53:00 2019 GMT Not After : Jan 17 06:53:00 2024 GMT Subject: C = IN, ST = MH, L = Pune, OU = TrustingSocial, CN = tls_demo_client Authority Information Access: OCSP - URI:http://ca.ha.tsengine.io:7889 CA Issuers - URI:http://ca.ha.tsengine.io:1500/intermediate/intermediate.crt X509v3 CRL Distribution Points: Full Name: URI:http://ca.ha.tsengine.io:6688/api/v1/cfssl/crl
  24. certificate, err := tls.LoadX509KeyPair(cert, key) tlsConfig := &tls.Config{ ServerName: "my-server",

    ClientAuth: tls.RequireAndVerifyClientCert, Certificates: []tls.Certificate{certificate}, } ln, err := tls.Listen("tcp", ":443", config) conn, err := ln.Accept() go handleConnection(conn) Accepting Client Certs
  25. Deprecation of Internal & Reserved IP Addresses Circa 2012

  26. Part 6: PKI

  27. PKI Infrastructure

  28. certPool := x509.NewCertPool() b, err := ioutil.ReadFile(rootPath) certPool.AppendCertsFromPEM(bs) tlsConfig :=

    &tls.Config{ ServerName: "my-server", ClientAuth: tls.RequireAndVerifyClientCert, Certificates: []tls.Certificate{certificate}, ClientCAs: certPool, } Accepting Client Certs
  29. certificate, err := tls.LoadX509KeyPair(cert, key) certPool := x509.NewCertPool() b, err

    := ioutil.ReadFile(rootPath) certPool.AppendCertsFromPEM(bs) tlsConfig := &tls.Config{ Certificates: []tls.Certificate{certificate}, RootCAs: certPool, } Accepting Server Certs
  30. Part 7: Take it Back

  31. How do you take-back a Cert?

  32. CRL

  33. meson10@DESKTOP-S7PEUGG:~$ openssl x509 -in <(openssl s_client -connect wikipedia.com:443 2>&1 <

    /dev/null | sed -n '/-----BEGIN/,/-----END/p') -text Certificate: Data: Version: 3 (0x2) Serial Number: 08:30:94:62:d1:fe:a6:0a:e0:ba:bf:f5:ef:8b:c5:45 Validity Not Before: Dec 21 00:00:00 2017 GMT Not After : Jan 24 12:00:00 2019 GMT X509v3 CRL Distribution Points: Full Name: URI:http://crl3.digicert.com/sha2-ha-server-g6.crl Authority Information Access: OCSP - URI:http://ocsp.digicert.com
  34. CRL

  35. CRL

  36. Problems with CRL

  37. OCSP

  38. meson10@DESKTOP-S7PEUGG:~$ openssl x509 -in <(openssl s_client -connect wikipedia.com:443 2>&1 <

    /dev/null | sed -n '/-----BEGIN/,/-----END/p') -text Certificate: Data: Version: 3 (0x2) Serial Number: 08:30:94:62:d1:fe:a6:0a:e0:ba:bf:f5:ef:8b:c5:45 Validity Not Before: Dec 21 00:00:00 2017 GMT Not After : Jan 24 12:00:00 2019 GMT X509v3 CRL Distribution Points: Full Name: URI:http://crl3.digicert.com/sha2-ha-server-g6.crl Authority Information Access: OCSP - URI:http://ocsp.digicert.com
  39. OCSP Flow

  40. - Server Down? - DDOS CA - Privacy Compromise OCSP

    Challenges
  41. Soft Fail

  42. Soft Fail: Firefox

  43. Soft Fail: Chrome

  44. Hard Fail?

  45. What’s the most fragile thing in the Universe? a) Silence

    b) Taylor Swift’s heart. c) Neymar’s Shin d) Internet Security
  46. Part 7

  47. Why do you revoke keys?

  48. https://github.com/indutny/heartbleed

  49. cert, err := x509.ParseCertificate(cert) // ok := callOCSPServer(cert) if !ok

    { // Certificate is revoked } tlsConfig := &tls.Config{ ServerName: "my-server", ClientAuth: tls.RequireAndVerifyClientCert, Certificates: []tls.Certificate{certificate}, ClientCAs: certPool, VerifyPeerCertificate: certValidator, } Accepting Client Certs
  50. Part 8

  51. CAtoolkit http:/ /github.com/tsocial/ca toolkit

  52. Maybe, Security is just a feeling?

  53. xps:~$ whoami Piyush Verma Site Reliability Engineering Trusting Social Twitter:

    meson10