qsslcaudit release v0.6.0

Submitted by pavel on Thu, 07/04/2019 - 14:46

This is a new release of our tool designed to assess TLS clients security (certificates validation, protocols and ciphers support): v0.6.0.

The single huge feature added: support of assessing DTLS clients.

DTLS is an implementation of TLS protocols for UDP protocol. There are two versions available at the time of writing: DTLSv1.0 and DTLSv1.2. DTLSv1.0 is based on TLSv1.1 (surprise!) and DTLSv1.2 on TLSv1.2. For now they are considered as safe from the security perspective. However, nothing stops clients to use weak ciphers and do not properly check server's certificates. qsscaudit is now capable of handling such cases.

Although the protocol was designed in 2012+ there is not much use of it. However, the existing solutions are quite sensitive: VPN clients, real time media client, etc.

This change implementation required quite a lot of refactoring. However, we hope that existing functionality was not affected. Any issues and feature requests are welcomed on Github's issue tracker.

qsslcaudit repository

Consider the following example.

Launching qsslcaudit listener:

$ qsslcaudit --dtls --selected-tests 3

Launching OpenSSL DTLS client:

$ echo "encrypted data" | openssl s_client -host 127.0.0.1 -port 8443 -dtls1

qsslcaudit results (test failure is expected as s_client trusts server):

$ qsslcaudit --dtls --selected-tests 3
preparing selected tests...

SSL library used: OpenSSL 1.0.2i  22 Sep 2016

running test #3: certificate trust test with self-signed certificate for www.example.com
listening on 127.0.0.1:8443
connection from: 127.0.0.1:52425
SSL connection established
received data: encrypted data

DTLS error detected:
        The DTLS connection has been shutdown(RemoteClosedConnectionError)
report:
test failed, client accepted fake certificate, data was intercepted
test finished

tests results summary table:
+----+------------------------------------+------------+-----------------------------+
| ## |             Test Name              |   Result   |           Comment           |
+----+------------------------------------+------------+-----------------------------+
|  3 | self-signed certificate for invali | FAILED !!! | mitm possible               |
|    | d domain trust                     |            |                             |
+----+------------------------------------+------------+-----------------------------+
most likely all connections were established by the same client, some collected details:
source host: 127.0.0.1
protocol: DTLSv1.0
accepted ciphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_DHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_DHE_RSA_WITH_AES_128_CBC_SHA:TLS_RSA_WITH_AES_256_CBC_SHA:TLS_RSA_WITH_AES_128_CBC_SHA:TLS_EMPTY_RENEGOTIATION_INFO_SCSV

qsslcaudit version: 0.6.0-snapshot

Contacts

+32 (0) 2 215 53 58

Gremwell BVBA
Sint-Katherinastraat 24
1742 Ternat
Belgium
VAT: BE 0821.897.133.