Debugging TLS/SSL John Downey | @jtdowney @jtdowney 1

@jtdowney 2

@jtdowney 3

The views expressed in this presentation are my own, and not those of PayPal or any of its affiliates. @jtdowney 4

Terminology 4 SSL - Secure Sockets Layer 4 TLS - Transport Layer Security @jtdowney 5

TLS/SSL = HTTPS = ! @jtdowney 6

History and Background @jtdowney 7

History 4 1995 - Netscape releases SSL 2.0 4 1996 - Netscape releases SSL 3.0 4 1999 - IETF releases TLS 1.0 (RFC 2246) 4 2006 - IETF releases TLS 1.1 (RFC 4346) 4 2008 - IETF releases TLS 1.2 (RFC 5246) 4 TLS 1.3 in draft (github.com/tlswg/tls13-spec) @jtdowney 8

Problem 1. Confidentiality 2. Integrity 3. Identification @jtdowney 9

Broad types of cryptography 4 Symmetric cryptography - both sides share the same key 4 Asymmetric (public key) cryptography - each side has a different key @jtdowney 10

Public Key Cryptography 4 Solves the key distribution problem 4 Algorithms typically based on hard math problems 4 Fills two roles 4 Digital signatures 4 Key exchange @jtdowney 11

Digital Signatures 4 Allows a public verification key to be published 4 A signer keeps the private signing key 4 Messages from the signer can be verified 4 Also protects integrity @jtdowney 12

Key Exchange 4 Asymmetric crypto is far slower than symmetric cryptography 4 Uses asymmetric to setup a shared key, so both sides can switch to symmetric @jtdowney 13

Algorithms 4 Digital Signatures - RSA, DSA, ECDSA 4 Key Exchange - RSA, DH, ECDH @jtdowney 14

RSA Security 4 Company founded by Ron Rivest, Adi Shamir, Leonard Adleman 4 Built to develop crypto based products and standards 4 Held patent on RSA Algorithm until September 2000 @jtdowney 15

Public Key Cryptography Standards 4 Developed by RSA Security to standardize usage of RSA 4 Relied on ASN.1 as basic file format @jtdowney 16

ASN.1 4 Abstract syntax notation, one 4 Describes a tree structure 4 Typically use Distinguished Encoding Rules (DER) 4 Binary format 4 Canonical representation @jtdowney 17

PEM Files 4 Privacy Enhanced Mail (PEM) 4 Never really used 4 Base64 encoded DER data 4 Have headers that describe the contents 4 -----BEGIN CERTIFICATE----- 4 The "preferred" format for OpenSSL @jtdowney 18

File extensions 4 Never well established 4 The extension may describe the format but not the contents (.pem, .der) 4 Or it may describe the contents but not the format (.cer, .crt, .key) @jtdowney 19

OpenSSL 4 Fork of SSLeay 4 Created by Eric A. Young 4 Forked when he went to work for RSA Security 4 By far the most popular open source TLS/SSL library @jtdowney 20

Most common problems (as I see them) 4 Certificate/CSR/key/etc in wrong format 4 Server requires SNI and client doesn't support it 4 Intermediate certificate isn't being served 4 Default (and insecure) settings left enabled @jtdowney 21

Working with Key Files @jtdowney 22

Generate an RSA Key $ openssl genrsa -out demo.pem Generating RSA private key, 2048 bit long modulus ...............................+++ .....................+++ e is 65537 (0x10001) @jtdowney 23

PKCS #1 4 Original standard for RSA 4 Describes storage of RSA key in a file 4 Still preferred format by OpenSSL @jtdowney 24

View RSA PEM file (PKCS #1) $ head demo.pem -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAw2OAGP1sa0rm4BM9lmBdnB9hHhJz6LajSGB1eg6S+D0UXeop 1ITMdtFW0idd769Wl58R3uw5AvNsbClB2zOa9zjFK8c3szynI/nCYkzpMlp8OcKM lz05qRUDQZ2hYV+z0wAYIGrx61lrvui1H2nioiFNOaZ10lPRljmc9Wg/WvtyowMK YUp5ps1HbOYSnNajfi+UBl0YoT/q3nR410CQl76rxuljYODVf3g5tV6VVL9IxDtJ HJIJxeU+RiWZOudkzWVNDpJmfSnHfJ/vOOo/utzHwGdBfyptHQDecwyG3jRy4Ztp pXAbqVTZjlNaaalsYueBxWM9mbjtgy80DSg7twIDAQABAoIBAEhZ8/lM/nTMi6m1 9jxU+tTxGblVA+7MkrIeZeIIu4uIsp4EM/EqK7xj0E6JnVNADkSe9rMhrgrVsPRs YqKU/XFGaFzJrGqGry23Mq/L4x5uO0n4LK9kUJG34jjN8hBoq+IaStTWRTbtKeTL ryYuw2leA4axiTeVKisCsoh9TdiWVg7Svt31B9oEcYD26EgVV7rkJwmNNdBss5Ds @jtdowney 25

View RSA Key Details $ openssl rsa -text -in demo.pem | head writing RSA key Private-Key: (2048 bit) modulus: 00:c3:63:80:18:fd:6c:6b:4a:e6:e0:13:3d:96:60: 5d:9c:1f:61:1e:12:73:e8:b6:a3:48:60:75:7a:0e: 92:f8:3d:14:5d:ea:29:d4:84:cc:76:d1:56:d2:27: 5d:ef:af:56:97:9f:11:de:ec:39:02:f3:6c:6c:29: 41:db:33:9a:f7:38:c5:2b:c7:37:b3:3c:a7:23:f9: c2:62:4c:e9:32:5a:7c:39:c2:8c:97:3d:39:a9:15: 03:41:9d:a1:61:5f:b3:d3:00:18:20:6a:f1:eb:59: 6b:be:e8:b5:1f:69:e2:a2:21:4d:39:a6:75:d2:53: @jtdowney 26

View RSA parse details (PKCS #1) $ openssl asn1parse -in demo.pem 0:d=0 hl=4 l=1187 cons: SEQUENCE 4:d=1 hl=2 l= 1 prim: INTEGER :00 7:d=1 hl=4 l= 257 prim: INTEGER :C3638018FD6C6B4AE... 268:d=1 hl=2 l= 3 prim: INTEGER :010001 273:d=1 hl=4 l= 256 prim: INTEGER :4859F3F94CFE74CC8... 533:d=1 hl=3 l= 129 prim: INTEGER :EA7858DA0442FCACA... 665:d=1 hl=3 l= 129 prim: INTEGER :D55478D835A975238... 797:d=1 hl=3 l= 128 prim: INTEGER :3F9086CDFC0FC8FE6... 928:d=1 hl=3 l= 129 prim: INTEGER :B15D41FBC0E1DB1A6... 1060:d=1 hl=3 l= 128 prim: INTEGER :41DAB94D9A546263F... @jtdowney 27

PKCS #8 4 Expands key storage beyond RSA 4 DSA, ECDSA, etc @jtdowney 28

Convert PKCS #1 key to PKCS #8 $ openssl pkcs8 -topk8 -nocrypt -in demo.pem -out demo.pk8 @jtdowney 29

View RSA PEM file (PKCS #8) $ head demo.pk8 -----BEGIN PRIVATE KEY----- MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDDY4AY/WxrSubg Ez2WYF2cH2EeEnPotqNIYHV6DpL4PRRd6inUhMx20VbSJ13vr1aXnxHe7DkC82xs KUHbM5r3OMUrxzezPKcj+cJiTOkyWnw5woyXPTmpFQNBnaFhX7PTABggavHrWWu+ 6LUfaeKiIU05pnXSU9GWOZz1aD9a+3KjAwphSnmmzUds5hKc1qN+L5QGXRihP+re dHjXQJCXvqvG6WNg4NV/eDm1XpVUv0jEO0kckgnF5T5GJZk652TNZU0OkmZ9Kcd8 n+846j+63MfAZ0F/Km0dAN5zDIbeNHLhm2mlcBupVNmOU1ppqWxi54HFYz2ZuO2D LzQNKDu3AgMBAAECggEASFnz+Uz+dMyLqbX2PFT61PEZuVUD7sySsh5l4gi7i4iy ngQz8SorvGPQTomdU0AORJ72syGuCtWw9GxiopT9cUZoXMmsaoavLbcyr8vjHm47 Sfgsr2RQkbfiOM3yEGir4hpK1NZFNu0p5MuvJi7DaV4DhrGJN5UqKwKyiH1N2JZW @jtdowney 30

View RSA parse details (PKCS #8) openssl asn1parse -in demo.pk8 0:d=0 hl=4 l=1213 cons: SEQUENCE 4:d=1 hl=2 l= 1 prim: INTEGER :00 7:d=1 hl=2 l= 13 cons: SEQUENCE 9:d=2 hl=2 l= 9 prim: OBJECT :rsaEncryption 20:d=2 hl=2 l= 0 prim: NULL 22:d=1 hl=4 l=1191 prim: OCTET STRING [HEX DUMP]:308204A... @jtdowney 31

Convert PEM encoded key to DER encoded $ openssl rsa -inform PEM -outform DER -in demo.pem -out demo.der writing RSA key $ xxd demo.der | head 00000000: 3082 04a3 0201 0002 8201 0100 c363 8018 0............c.. 00000010: fd6c 6b4a e6e0 133d 9660 5d9c 1f61 1e12 .lkJ...=.`]..a.. 00000020: 73e8 b6a3 4860 757a 0e92 f83d 145d ea29 s...H`uz...=.].) 00000030: d484 cc76 d156 d227 5def af56 979f 11de ...v.V.']..V.... 00000040: ec39 02f3 6c6c 2941 db33 9af7 38c5 2bc7 .9..ll)A.3..8.+. 00000050: 37b3 3ca7 23f9 c262 4ce9 325a 7c39 c28c 7.<.#..bL.2Z|9.. 00000060: 973d 39a9 1503 419d a161 5fb3 d300 1820 .=9...A..a_.... 00000070: 6af1 eb59 6bbe e8b5 1f69 e2a2 214d 39a6 j..Yk....i..!M9. 00000080: 75d2 53d1 9639 9cf5 683f 5afb 72a3 030a u.S..9..h?Z.r... 00000090: 614a 79a6 cd47 6ce6 129c d6a3 7e2f 9406 aJy..Gl.....~/.. @jtdowney 32

Working with Certificates @jtdowney 33

$ head braintree.pem -----BEGIN CERTIFICATE----- MIIHFzCCBf+gAwIBAgIQdlPhj8bBtjhpkzOjtu2ZGzANBgkqhkiG9w0BAQsFADB3 MQswCQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAd BgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxKDAmBgNVBAMTH1N5bWFudGVj IENsYXNzIDMgRVYgU1NMIENBIC0gRzMwHhcNMTUwMzE3MDAwMDAwWhcNMTcwMzE2 MjM1OTU5WjCCAR0xEzARBgsrBgEEAYI3PAIBAxMCVVMxGTAXBgsrBgEEAYI3PAIB AgwIRGVsYXdhcmUxHTAbBgNVBA8TFFByaXZhdGUgT3JnYW5pemF0aW9uMRAwDgYD VQQFEwczMDE0MjY3MQswCQYDVQQGEwJVUzETMBEGA1UEEQwKOTUxMzEtMjAyMTET MBEGA1UECAwKQ2FsaWZvcm5pYTERMA8GA1UEBwwIU2FuIEpvc2UxFjAUBgNVBAkM DTIyMTEgTiAxc3QgU3QxFTATBgNVBAoMDFBheVBhbCwgSW5jLjEdMBsGA1UECwwU @jtdowney 34

X.509 Certificate 4 Format for digital certificates 4 Uses ASN.1 for the basic file format 4 Wraps public key 4 Specifies subject of certificate and issuer 4 Contents are digitally signed by issuer 4 Lists lifetime of validity @jtdowney 35

View certificate information $ openssl x509 -text -in braintree.pem | head -n 20 Certificate: Data: Version: 3 (0x2) Serial Number: 76:53:e1:8f:c6:c1:b6:38:69:93:33:a3:b6:ed:99:1b Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust N... Validity Not Before: Mar 17 00:00:00 2015 GMT Not After : Mar 16 23:59:59 2017 GMT Subject: jurisdictionC=US/jurisdictionST=Delaware/busines... Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:d4:8e:55:07:7c:a2:89:f5:4f:a0:d2:80:82:63: d6:09:a1:86:19:e3:68:52:f5:49:66:d9:d7:e9:61: 33:77:3c:04:8b:cc:43:99:b5:e3:b9:a1:23:40:a9: 26:32:8c:fe:60:31:eb:5d:da:2d:42:3e:4a:0b:a9: e7:d3:17:19:bf:8a:7b:3e:37:2a:f2:dd:3e:4c:62: @jtdowney 36

X.509 Extensions $ openssl x509 -text -in braintree.pem ... X509v3 extensions: X509v3 Subject Alternative Name: DNS:www.braintreepayments.com X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication ... @jtdowney 37

X.509 Certificate Request 4 Sent to certificate authority 4 Contains public key for certificate 4 Requestor signs contents @jtdowney 38

Generate a certificate request $ openssl req -new -key demo.pem -out demo.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:Illinois Locality Name (eg, city) []:Chicago Organization Name (eg, company) [Internet Widgits Pty Ltd]:PayPal Organizational Unit Name (eg, section) []:Braintree Common Name (e.g. server FQDN or YOUR name) []:demo.braintreepayments.com Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: @jtdowney 39

View certificate request $ openssl req -text -in demo.csr | head -n 20 Certificate Request: Data: Version: 0 (0x0) Subject: C=US, ST=Illinois, L=Chicago, O=PayPal, OU=Braintree, CN=demo.braintreepayments.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:c3:63:80:18:fd:6c:6b:4a:e6:e0:13:3d:96:60: 5d:9c:1f:61:1e:12:73:e8:b6:a3:48:60:75:7a:0e: 92:f8:3d:14:5d:ea:29:d4:84:cc:76:d1:56:d2:27: 5d:ef:af:56:97:9f:11:de:ec:39:02:f3:6c:6c:29: 41:db:33:9a:f7:38:c5:2b:c7:37:b3:3c:a7:23:f9: c2:62:4c:e9:32:5a:7c:39:c2:8c:97:3d:39:a9:15: 03:41:9d:a1:61:5f:b3:d3:00:18:20:6a:f1:eb:59: 6b:be:e8:b5:1f:69:e2:a2:21:4d:39:a6:75:d2:53: d1:96:39:9c:f5:68:3f:5a:fb:72:a3:03:0a:61:4a: 79:a6:cd:47:6c:e6:12:9c:d6:a3:7e:2f:94:06:5d: 18:a1:3f:ea:de:74:78:d7:40:90:97:be:ab:c6:e9: 63:60:e0:d5:7f:78:39:b5:5e:95:54:bf:48:c4:3b: @jtdowney 40

PKCS #12 4 Format for combing keys and certificates 4 Preferred format for Windows 4 Can optionally be encrypted with password 4 Extensions .p12 and .pfx @jtdowney 41

Java Keystore and Keytool 4 Similar to PKCS #12 files 4 Combine multiple types of items (keys, certs, etc) 4 Preferred format for Java ecosystem @jtdowney 42

Debugging Connections @jtdowney 43

curl $ curl -vI https://www.braintreepayments.com * Rebuilt URL to: https://www.braintreepayments.com/ * Trying 54.215.8.63... * Connected to www.braintreepayments.com (54.215.8.63) port 443 (#0) * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 * Server certificate: www.braintreepayments.com * Server certificate: Symantec Class 3 EV SSL CA - G3 * Server certificate: VeriSign Class 3 Public Primary Certification Authority - G5 > HEAD / HTTP/1.1 > Host: www.braintreepayments.com > User-Agent: curl/7.43.0 > Accept: */* @jtdowney 44

openssl s_client $ openssl s_client -connect www.braintreepayments.com:443 CONNECTED(00000003) depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary... verify return:1 depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network... verify return:1 depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Net... verify return:1 depth=0 jurisdictionC = US, jurisdictionST = Delaware, businessCa... OU = Braintree Production, CN = www.braintreepayments.com verify return:1 --- Certificate chain 0 s:/jurisdictionC=US/jurisdictionST=Delaware/businessCategory=P... intreepayments.com i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Sy... 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Sy... i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006... 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006... i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certificati... ... @jtdowney 45

openssl s_client $ openssl s_client -connect www.braintreepayments.com:443 ... SSL handshake has read 5063 bytes and written 444 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES128-GCM-SHA256 Session-ID: 387E121C8195A337BC24EDAB3962627E01E974841E039D4D3... Session-ID-ctx: Master-Key: B158E366C9D89BC74C7CD183CDF4AC0498899D9ED2D6A00CA... Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None ...snip... Start Time: 1446134858 Timeout : 300 (sec) Verify return code: 0 (ok) --- @jtdowney 46

OpenSSL 4 Does not ship with any root certificates 4 Operating systems and browsers do 4 On Linux these are generally gathered from the Mozilla list 4 On OS X 4 Contains special patches which cause it to fall back to the OS X root certificates 4 The version is super old @jtdowney 47

sslyze $ brew install sslyze $ sslyze --regular www.braintreepayments.com:443 ... SCAN RESULTS FOR WWW.BRAINTREEPAYMENTS.COM:443 - 54.215.8.63:443 ------------------------------------------------------------------- ...snip... * Certificate - Content: SHA1 Fingerprint: 8ab0dc85c10af4c0e396e7586c85a3b74a39aa91 Common Name: www.braintreepayments.com Issuer: Symantec Class 3 EV SSL CA - G3 Serial Number: 7653E18FC6C1B638699333A3B6ED991B Not Before: Mar 17 00:00:00 2015 GMT Not After: Mar 16 23:59:59 2017 GMT Signature Algorithm: sha256WithRSAEncryption Public Key Algorithm: rsaEncryption Key Size: 2048 bit Exponent: 65537 (0x10001) X509v3 Subject Alternative Name: {'DNS': ['www.braintreepayments.com']} ... @jtdowney 48

sslyze $ sslyze --regular www.braintreepayments.com:443 ... SCAN RESULTS FOR WWW.BRAINTREEPAYMENTS.COM:443 - 54.215.8.63:443 ------------------------------------------------------------------- ...snip... * Certificate - Trust: Hostname Validation: OK - Subject Alternative Name matches Google CA Store (09/2015): OK - Certificate is trusted Java 6 CA Store (Update 65): OK - Certificate is trusted Microsoft CA Store (09/2015): OK - Certificate is trusted Apple CA Store (OS X 10.10.5): OK - Certificate is trusted Mozilla NSS CA Store (09/2015): OK - Certificate is trusted Certificate Chain Received: ['www.braintreepayments.com', 'Symantec Cl... ... @jtdowney 49

@jtdowney 50

SSL Labs https://www.ssllabs.com @jtdowney 51

testssl.sh $ brew install testssl $ testssl.sh www.braintreepayments.cam ... --> Testing vulnerabilities Heartbleed (CVE-2014-0160) not vulnerable (OK) CCS (CVE-2014-0224) not vulnerable (OK) Secure Renegotiation (CVE-2009-3555) not vulnerable (OK) Secure Client-Initiated Renegotiation not vulnerable (OK) CRIME, TLS (CVE-2012-4929) not vulnerable (OK) BREACH (CVE-2013-3587) NOT ok: uses gzip HTTP compression (only "/" tested) POODLE, SSL (CVE-2014-3566) not vulnerable (OK) TLS_FALLBACK_SCSV (RFC 7507), experim. Downgrade attack prevention supported (OK) FREAK (CVE-2015-0204) Local problem: /usr/local/opt/openssl/bin/openssl doesn't have any EXPORT RSA ciphers configured LOGJAM (CVE-2015-4000), experimental Local problem: /usr/local/opt/openssl/bin/openssl doesn't have any DHE EXPORT ciphers configured BEAST (CVE-2011-3389) TLS1: DES-CBC3-SHA -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2 RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK) ... @jtdowney 52

How TLS Works @jtdowney 53

@jtdowney 54

Client Hello 4 Protocol the client wants (i.e. TLS 1.2) 4 Ciphers the client supports 4 Extensions (introduced after TLS 1.0 but in a compatible way) 4 Server Name Indication (SNI) @jtdowney 55

Server Name Indication 4 Allows a client to tell a server which vhost they want 4 Without it, every hostname needs its own IP 4 Can be expensive for hosting 4 Host information is sent after TLS handshake (HTTP Host Header) 4 SNI support is still not 100% @jtdowney 56

Server Hello 4 Server picks protocol and cipher suite 4 Provides some session re-negotiation values @jtdowney 57

Server Certificate 4 Server provides its certificate and any intermediate nessecary @jtdowney 58

@jtdowney 59

Client Certificate [optional] 4 Server asks for client to provide a certificate 4 Indicates what parameters would be allowed 4 Clients sends its own certificate and any intermediate @jtdowney 60

Change Cipher Spec 4 Indicates the end of the handshake 4 Following the Finished message, data will be encrypted @jtdowney 61

TLS Verification @jtdowney 62

@jtdowney 63

@jtdowney 64

Chain of Trust @jtdowney 65

@jtdowney 66

Hostname Verification @jtdowney 67

TLS Server Settings https://mozilla.github.io/server-side-tls/ssl-config-generator/ @jtdowney 68

@jtdowney Questions @jtdowney 69

References 4 https://datacenteroverlords.com/2011/09/25/ssl- who-do-you-trust/ @jtdowney 70

Bonus Round @jtdowney 71

Quick Survey of Known Problems @jtdowney 72

MAC then Encrypt 4 Attacks 4 BEAST 4 POODLE 4 Lucky13 4 Workaround is to use AEAD ciphersuites 4 GCM 4 Chacha20Poly1305 @jtdowney 73

Compression 4 CRIME (SSL compression) 4 BREACH (HTTP compression) @jtdowney 74

Long tail of support 4 Many servers still support SSLv3 4 Some servers support SSLv2 4 Attacks 4 DROWN: Breaking TLS using SSLv2 4 SWEET32: Breaking 3DES for long running connections @jtdowney 75