Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Debugging TLS/SSL at DevOpsDays Boston

Debugging TLS/SSL at DevOpsDays Boston

John Downey

August 26, 2016
Tweet

More Decks by John Downey

Other Decks in Programming

Transcript

  1. The views expressed in this presentation are my own, and

    not those of PayPal or any of its affiliates. @jtdowney 5
  2. Terminology 4 SSL - Secure Sockets Layer 4 TLS -

    Transport Layer Security @jtdowney 6
  3. History 4 1995 - Netscape releases SSL 2.0 4 1996

    - Netscape releases SSL 3.0 4 1999 - IETF releases TLS 1.0 (RFC 2246) 4 2006 - IETF releases TLS 1.1 (RFC 4346) 4 2008 - IETF releases TLS 1.2 (RFC 5246) 4 TLS 1.3 in draft (github.com/tlswg/tls13-spec) @jtdowney 9
  4. Broad types of cryptography 4 Symmetric cryptography - both sides

    share the same key 4 Asymmetric (public key) cryptography - each side has a different key @jtdowney 11
  5. Public Key Cryptography 4 Solves the key distribution problem 4

    Algorithms typically based on hard math problems 4 Fills two roles 4 Digital signatures 4 Key exchange @jtdowney 12
  6. Digital Signatures 4 Allows a public verification key to be

    published 4 A signer keeps the private signing key 4 Messages from the signer can be verified 4 Also protects integrity @jtdowney 13
  7. Key Exchange 4 Asymmetric crypto is far slower than symmetric

    cryptography 4 Uses asymmetric to setup a shared key, so both sides can switch to symmetric @jtdowney 14
  8. Algorithms 4 Digital Signatures - RSA, DSA, ECDSA 4 Key

    Exchange - RSA, DH, ECDH @jtdowney 15
  9. RSA Security 4 Company founded by Ron Rivest, Adi Shamir,

    Leonard Adleman 4 Built to develop crypto based products and standards 4 Held patent on RSA Algorithm until September 2000 @jtdowney 16
  10. Public Key Cryptography Standards 4 Developed by RSA Security to

    standardize usage of RSA 4 Relied on ASN.1 as basic file format @jtdowney 17
  11. ASN.1 4 Abstract syntax notation, one 4 Describes a tree

    structure 4 Typically use Distinguished Encoding Rules (DER) 4 Binary format 4 Canonical representation @jtdowney 18
  12. PEM Files 4 Privacy Enhanced Mail (PEM) 4 Never really

    used 4 Base64 encoded DER data 4 Have headers that describe the contents 4 -----BEGIN CERTIFICATE----- 4 The "preferred" format for OpenSSL @jtdowney 19
  13. File extensions 4 Never well established 4 The extension may

    describe the format but not the contents (.pem, .der) 4 Or it may describe the contents but not the format (.cer, .crt, .key) @jtdowney 20
  14. OpenSSL 4 Fork of SSLeay 4 Created by Eric A.

    Young 4 Forked when he went to work for RSA Security 4 By far the most popular open source TLS/SSL library @jtdowney 21
  15. Most common problems (as I see them) 4 Certificate/CSR/key/etc in

    wrong format 4 Server requires SNI and client doesn't support it 4 Intermediate certificate isn't being served 4 Default (and insecure) settings left enabled @jtdowney 22
  16. Generate an RSA Key $ openssl genrsa -out demo.pem Generating

    RSA private key, 2048 bit long modulus ...............................+++ .....................+++ e is 65537 (0x10001) @jtdowney 24
  17. PKCS #1 4 Original standard for RSA 4 Describes storage

    of RSA key in a file 4 Still preferred format by OpenSSL @jtdowney 25
  18. View RSA PEM file (PKCS #1) $ head demo.pem -----BEGIN

    RSA PRIVATE KEY----- MIIEowIBAAKCAQEAw2OAGP1sa0rm4BM9lmBdnB9hHhJz6LajSGB1eg6S+D0UXeop 1ITMdtFW0idd769Wl58R3uw5AvNsbClB2zOa9zjFK8c3szynI/nCYkzpMlp8OcKM lz05qRUDQZ2hYV+z0wAYIGrx61lrvui1H2nioiFNOaZ10lPRljmc9Wg/WvtyowMK YUp5ps1HbOYSnNajfi+UBl0YoT/q3nR410CQl76rxuljYODVf3g5tV6VVL9IxDtJ HJIJxeU+RiWZOudkzWVNDpJmfSnHfJ/vOOo/utzHwGdBfyptHQDecwyG3jRy4Ztp pXAbqVTZjlNaaalsYueBxWM9mbjtgy80DSg7twIDAQABAoIBAEhZ8/lM/nTMi6m1 9jxU+tTxGblVA+7MkrIeZeIIu4uIsp4EM/EqK7xj0E6JnVNADkSe9rMhrgrVsPRs YqKU/XFGaFzJrGqGry23Mq/L4x5uO0n4LK9kUJG34jjN8hBoq+IaStTWRTbtKeTL ryYuw2leA4axiTeVKisCsoh9TdiWVg7Svt31B9oEcYD26EgVV7rkJwmNNdBss5Ds @jtdowney 26
  19. View RSA Key Details $ openssl rsa -text -in demo.pem

    | head writing RSA key Private-Key: (2048 bit) modulus: 00:c3:63:80:18:fd:6c:6b:4a:e6:e0:13:3d:96:60: 5d:9c:1f:61:1e:12:73:e8:b6:a3:48:60:75:7a:0e: 92:f8:3d:14:5d:ea:29:d4:84:cc:76:d1:56:d2:27: 5d:ef:af:56:97:9f:11:de:ec:39:02:f3:6c:6c:29: 41:db:33:9a:f7:38:c5:2b:c7:37:b3:3c:a7:23:f9: c2:62:4c:e9:32:5a:7c:39:c2:8c:97:3d:39:a9:15: 03:41:9d:a1:61:5f:b3:d3:00:18:20:6a:f1:eb:59: 6b:be:e8:b5:1f:69:e2:a2:21:4d:39:a6:75:d2:53: @jtdowney 27
  20. View RSA parse details (PKCS #1) $ openssl asn1parse -in

    demo.pem 0:d=0 hl=4 l=1187 cons: SEQUENCE 4:d=1 hl=2 l= 1 prim: INTEGER :00 7:d=1 hl=4 l= 257 prim: INTEGER :C3638018FD6C6B4AE... 268:d=1 hl=2 l= 3 prim: INTEGER :010001 273:d=1 hl=4 l= 256 prim: INTEGER :4859F3F94CFE74CC8... 533:d=1 hl=3 l= 129 prim: INTEGER :EA7858DA0442FCACA... 665:d=1 hl=3 l= 129 prim: INTEGER :D55478D835A975238... 797:d=1 hl=3 l= 128 prim: INTEGER :3F9086CDFC0FC8FE6... 928:d=1 hl=3 l= 129 prim: INTEGER :B15D41FBC0E1DB1A6... 1060:d=1 hl=3 l= 128 prim: INTEGER :41DAB94D9A546263F... @jtdowney 28
  21. Convert PKCS #1 key to PKCS #8 $ openssl pkcs8

    -topk8 -nocrypt -in demo.pem -out demo.pk8 @jtdowney 30
  22. View RSA PEM file (PKCS #8) $ head demo.pk8 -----BEGIN

    PRIVATE KEY----- MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDDY4AY/WxrSubg Ez2WYF2cH2EeEnPotqNIYHV6DpL4PRRd6inUhMx20VbSJ13vr1aXnxHe7DkC82xs KUHbM5r3OMUrxzezPKcj+cJiTOkyWnw5woyXPTmpFQNBnaFhX7PTABggavHrWWu+ 6LUfaeKiIU05pnXSU9GWOZz1aD9a+3KjAwphSnmmzUds5hKc1qN+L5QGXRihP+re dHjXQJCXvqvG6WNg4NV/eDm1XpVUv0jEO0kckgnF5T5GJZk652TNZU0OkmZ9Kcd8 n+846j+63MfAZ0F/Km0dAN5zDIbeNHLhm2mlcBupVNmOU1ppqWxi54HFYz2ZuO2D LzQNKDu3AgMBAAECggEASFnz+Uz+dMyLqbX2PFT61PEZuVUD7sySsh5l4gi7i4iy ngQz8SorvGPQTomdU0AORJ72syGuCtWw9GxiopT9cUZoXMmsaoavLbcyr8vjHm47 Sfgsr2RQkbfiOM3yEGir4hpK1NZFNu0p5MuvJi7DaV4DhrGJN5UqKwKyiH1N2JZW @jtdowney 31
  23. View RSA parse details (PKCS #8) openssl asn1parse -in demo.pk8

    0:d=0 hl=4 l=1213 cons: SEQUENCE 4:d=1 hl=2 l= 1 prim: INTEGER :00 7:d=1 hl=2 l= 13 cons: SEQUENCE 9:d=2 hl=2 l= 9 prim: OBJECT :rsaEncryption 20:d=2 hl=2 l= 0 prim: NULL 22:d=1 hl=4 l=1191 prim: OCTET STRING [HEX DUMP]:308204A... @jtdowney 32
  24. Convert PEM encoded key to DER encoded $ openssl rsa

    -inform PEM -outform DER -in demo.pem -out demo.der writing RSA key $ xxd demo.der | head 00000000: 3082 04a3 0201 0002 8201 0100 c363 8018 0............c.. 00000010: fd6c 6b4a e6e0 133d 9660 5d9c 1f61 1e12 .lkJ...=.`]..a.. 00000020: 73e8 b6a3 4860 757a 0e92 f83d 145d ea29 s...H`uz...=.].) 00000030: d484 cc76 d156 d227 5def af56 979f 11de ...v.V.']..V.... 00000040: ec39 02f3 6c6c 2941 db33 9af7 38c5 2bc7 .9..ll)A.3..8.+. 00000050: 37b3 3ca7 23f9 c262 4ce9 325a 7c39 c28c 7.<.#..bL.2Z|9.. 00000060: 973d 39a9 1503 419d a161 5fb3 d300 1820 .=9...A..a_.... 00000070: 6af1 eb59 6bbe e8b5 1f69 e2a2 214d 39a6 j..Yk....i..!M9. 00000080: 75d2 53d1 9639 9cf5 683f 5afb 72a3 030a u.S..9..h?Z.r... 00000090: 614a 79a6 cd47 6ce6 129c d6a3 7e2f 9406 aJy..Gl.....~/.. @jtdowney 33
  25. $ head braintree.pem -----BEGIN CERTIFICATE----- MIIHFzCCBf+gAwIBAgIQdlPhj8bBtjhpkzOjtu2ZGzANBgkqhkiG9w0BAQsFADB3 MQswCQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAd BgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxKDAmBgNVBAMTH1N5bWFudGVj IENsYXNzIDMgRVYgU1NMIENBIC0gRzMwHhcNMTUwMzE3MDAwMDAwWhcNMTcwMzE2 MjM1OTU5WjCCAR0xEzARBgsrBgEEAYI3PAIBAxMCVVMxGTAXBgsrBgEEAYI3PAIB

    AgwIRGVsYXdhcmUxHTAbBgNVBA8TFFByaXZhdGUgT3JnYW5pemF0aW9uMRAwDgYD VQQFEwczMDE0MjY3MQswCQYDVQQGEwJVUzETMBEGA1UEEQwKOTUxMzEtMjAyMTET MBEGA1UECAwKQ2FsaWZvcm5pYTERMA8GA1UEBwwIU2FuIEpvc2UxFjAUBgNVBAkM DTIyMTEgTiAxc3QgU3QxFTATBgNVBAoMDFBheVBhbCwgSW5jLjEdMBsGA1UECwwU @jtdowney 35
  26. X.509 Certificate 4 Format for digital certificates 4 Uses ASN.1

    for the basic file format 4 Wraps public key 4 Specifies subject of certificate and issuer 4 Contents are digitally signed by issuer 4 Lists lifetime of validity @jtdowney 36
  27. View certificate information $ openssl x509 -text -in braintree.pem |

    head -n 20 Certificate: Data: Version: 3 (0x2) Serial Number: 76:53:e1:8f:c6:c1:b6:38:69:93:33:a3:b6:ed:99:1b Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust N... Validity Not Before: Mar 17 00:00:00 2015 GMT Not After : Mar 16 23:59:59 2017 GMT Subject: jurisdictionC=US/jurisdictionST=Delaware/busines... Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:d4:8e:55:07:7c:a2:89:f5:4f:a0:d2:80:82:63: d6:09:a1:86:19:e3:68:52:f5:49:66:d9:d7:e9:61: 33:77:3c:04:8b:cc:43:99:b5:e3:b9:a1:23:40:a9: 26:32:8c:fe:60:31:eb:5d:da:2d:42:3e:4a:0b:a9: e7:d3:17:19:bf:8a:7b:3e:37:2a:f2:dd:3e:4c:62: @jtdowney 37
  28. X.509 Extensions $ openssl x509 -text -in braintree.pem ... X509v3

    extensions: X509v3 Subject Alternative Name: DNS:www.braintreepayments.com X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication ... @jtdowney 38
  29. X.509 Certificate Request 4 Sent to certificate authority 4 Contains

    public key for certificate 4 Requestor signs contents @jtdowney 39
  30. Generate a certificate request $ openssl req -new -key demo.pem

    -out demo.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:Illinois Locality Name (eg, city) []:Chicago Organization Name (eg, company) [Internet Widgits Pty Ltd]:PayPal Organizational Unit Name (eg, section) []:Braintree Common Name (e.g. server FQDN or YOUR name) []:demo.braintreepayments.com Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: @jtdowney 40
  31. View certificate request $ openssl req -text -in demo.csr |

    head -n 20 Certificate Request: Data: Version: 0 (0x0) Subject: C=US, ST=Illinois, L=Chicago, O=PayPal, OU=Braintree, CN=demo.braintreepayments.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:c3:63:80:18:fd:6c:6b:4a:e6:e0:13:3d:96:60: 5d:9c:1f:61:1e:12:73:e8:b6:a3:48:60:75:7a:0e: 92:f8:3d:14:5d:ea:29:d4:84:cc:76:d1:56:d2:27: 5d:ef:af:56:97:9f:11:de:ec:39:02:f3:6c:6c:29: 41:db:33:9a:f7:38:c5:2b:c7:37:b3:3c:a7:23:f9: c2:62:4c:e9:32:5a:7c:39:c2:8c:97:3d:39:a9:15: 03:41:9d:a1:61:5f:b3:d3:00:18:20:6a:f1:eb:59: 6b:be:e8:b5:1f:69:e2:a2:21:4d:39:a6:75:d2:53: d1:96:39:9c:f5:68:3f:5a:fb:72:a3:03:0a:61:4a: 79:a6:cd:47:6c:e6:12:9c:d6:a3:7e:2f:94:06:5d: 18:a1:3f:ea:de:74:78:d7:40:90:97:be:ab:c6:e9: 63:60:e0:d5:7f:78:39:b5:5e:95:54:bf:48:c4:3b: @jtdowney 41
  32. PKCS #12 4 Format for combing keys and certificates 4

    Preferred format for Windows 4 Can optionally be encrypted with password 4 Extensions .p12 and .pfx @jtdowney 42
  33. Java Keystore and Keytool 4 Similar to PKCS #12 files

    4 Combine multiple types of items (keys, certs, etc) 4 Preferred format for Java ecosystem @jtdowney 43
  34. curl $ curl -vI https://www.braintreepayments.com * Rebuilt URL to: https://www.braintreepayments.com/

    * Trying 54.215.8.63... * Connected to www.braintreepayments.com (54.215.8.63) port 443 (#0) * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 * Server certificate: www.braintreepayments.com * Server certificate: Symantec Class 3 EV SSL CA - G3 * Server certificate: VeriSign Class 3 Public Primary Certification Authority - G5 > HEAD / HTTP/1.1 > Host: www.braintreepayments.com > User-Agent: curl/7.43.0 > Accept: */* @jtdowney 45
  35. openssl s_client $ openssl s_client -connect www.braintreepayments.com:443 CONNECTED(00000003) depth=3 C

    = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary... verify return:1 depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network... verify return:1 depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Net... verify return:1 depth=0 jurisdictionC = US, jurisdictionST = Delaware, businessCa... OU = Braintree Production, CN = www.braintreepayments.com verify return:1 --- Certificate chain 0 s:/jurisdictionC=US/jurisdictionST=Delaware/businessCategory=P... intreepayments.com i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Sy... 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Sy... i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006... 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006... i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certificati... ... @jtdowney 46
  36. openssl s_client $ openssl s_client -connect www.braintreepayments.com:443 ... SSL handshake

    has read 5063 bytes and written 444 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES128-GCM-SHA256 Session-ID: 387E121C8195A337BC24EDAB3962627E01E974841E039D4D3... Session-ID-ctx: Master-Key: B158E366C9D89BC74C7CD183CDF4AC0498899D9ED2D6A00CA... Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None ...snip... Start Time: 1446134858 Timeout : 300 (sec) Verify return code: 0 (ok) --- @jtdowney 47
  37. OpenSSL 4 Does not ship with any root certificates 4

    Operating systems and browsers do 4 On Linux these are generally gathered from the Mozilla list 4 On OS X 4 Contains special patches which cause it to fall back to the OS X root certificates 4 The version is super old @jtdowney 48
  38. sslyze $ brew install sslyze $ sslyze --regular www.braintreepayments.com:443 ...

    SCAN RESULTS FOR WWW.BRAINTREEPAYMENTS.COM:443 - 54.215.8.63:443 ------------------------------------------------------------------- ...snip... * Certificate - Content: SHA1 Fingerprint: 8ab0dc85c10af4c0e396e7586c85a3b74a39aa91 Common Name: www.braintreepayments.com Issuer: Symantec Class 3 EV SSL CA - G3 Serial Number: 7653E18FC6C1B638699333A3B6ED991B Not Before: Mar 17 00:00:00 2015 GMT Not After: Mar 16 23:59:59 2017 GMT Signature Algorithm: sha256WithRSAEncryption Public Key Algorithm: rsaEncryption Key Size: 2048 bit Exponent: 65537 (0x10001) X509v3 Subject Alternative Name: {'DNS': ['www.braintreepayments.com']} ... @jtdowney 49
  39. sslyze $ sslyze --regular www.braintreepayments.com:443 ... SCAN RESULTS FOR WWW.BRAINTREEPAYMENTS.COM:443

    - 54.215.8.63:443 ------------------------------------------------------------------- ...snip... * Certificate - Trust: Hostname Validation: OK - Subject Alternative Name matches Google CA Store (09/2015): OK - Certificate is trusted Java 6 CA Store (Update 65): OK - Certificate is trusted Microsoft CA Store (09/2015): OK - Certificate is trusted Apple CA Store (OS X 10.10.5): OK - Certificate is trusted Mozilla NSS CA Store (09/2015): OK - Certificate is trusted Certificate Chain Received: ['www.braintreepayments.com', 'Symantec Cl... ... @jtdowney 50
  40. Client Hello 4 Protocol the client wants (i.e. TLS 1.2)

    4 Ciphers the client supports 4 Extensions (introduced after TLS 1.0 but in a compatible way) 4 Server Name Indication (SNI) @jtdowney 55
  41. Server Name Indication 4 Allows a client to tell a

    server which vhost they want 4 Without it, every hostname needs its own IP 4 Can be expensive for hosting 4 Host information is sent after TLS handshake (HTTP Host Header) 4 SNI support is still not 100% @jtdowney 56
  42. Server Hello 4 Server picks protocol and cipher suite 4

    Provides some session re-negotiation values @jtdowney 57
  43. Client Certificate [optional] 4 Server asks for client to provide

    a certificate 4 Indicates what parameters would be allowed 4 Clients sends its own certificate and any intermediate @jtdowney 60
  44. Change Cipher Spec 4 Indicates the end of the handshake

    4 Following the Finished message, data will be encrypted @jtdowney 61
  45. MAC then Encrypt 4 Attacks 4 BEAST 4 POODLE 4

    Lucky13 4 Workaround is to use AEAD ciphersuites 4 GCM 4 Chacha20Poly1305 @jtdowney 73
  46. Long tail of support 4 Many servers still support SSLv3

    4 Some servers support SSLv2 4 Attacks 4 DROWN: Breaking TLS using SSLv2 4 SWEET32: Breaking 3DES for long running connections @jtdowney 75