
x509test

If you have any questions, suggestions, comments, concerns, or interesting stories, please email [email protected].

Description:

x509test is a program written in Python 3 that tests the x509 certificate verification process of a target SSL/TLS client. The inspiration for this software comes from multiple reports of SSL/TLS clients made insecure by incorrect verification of the x509 certificate chain. This phenomenon has many causes; one of them is the lack of negative feedback: a client that over-accepts invalid certificates still appears to work. This software is an attempt to increase the security of client-side SSL/TLS software by providing that negative feedback to developers.

Test Procedure:

  1. The software takes in a user-supplied fqdn, which is the destination hostname of the client connection.

  2. The software reads the certificate and key of the root CA. If no root CA is specified, the software generates a self-signed certificate that acts as the root CA. (NOTE: the root certificate must be trusted by the client software, either by adding it to the OS's trust store or by manually configuring the client software to trust the certificate.)

  3. The software generates a set of test certificates. Some are signed directly by the root CA, while others are chained through intermediate CAs. The majority of the test certificates contain flaws.

  4. The software starts an SSL/TLS server and waits for a client to connect. Each session corresponds to a single test certificate chain. If the client completes the handshake with an invalid certificate chain, or aborts the handshake with a valid certificate chain, the software records that behavior as a potential violation. Regardless of the outcome, the software always terminates the connection once the result is obtained and starts a new session with a different test certificate chain. (NOTE: some ports require root privilege, so it is recommended to run this software as root.)

  5. Results are printed to the terminal, or to a file if specified, as the test progresses. A given test has only three possible results: pass means no non-compliant behavior was observed; fail means non-compliant behavior was encountered; unsupported means the system on which x509test is running does not support the particular test.
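The procedure above, as an added example in Python 3 that is not x509test's own code: it stands in for steps 2 to 5, with an in-memory TLS handshake in place of the listening server. The client under test is Python's standard-library `ssl` module; the root CA name, the test-case names and the `other.test` hostname are constructed for the example, and the third-party `cryptography` package is assumed to be installed for certificate issuance (x509test itself builds on pyOpenSSL, per the dependency list below).

```python
"""Miniature x509test-style harness (added example, not x509test's own code): issue a root
CA plus one valid and two flawed server certificates, run an in-memory TLS handshake against
a stdlib ssl client that trusts only that root, and grade the client. Needs `cryptography`."""
import datetime
import ssl
import tempfile

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

FQDN = "www.tls.test"  # the fqdn the client believes it is connecting to
UTC = datetime.timezone.utc
DAY = datetime.timedelta(days=1)
KU_BITS = ("digital_signature", "content_commitment", "key_encipherment", "data_encipherment",
           "key_agreement", "key_cert_sign", "crl_sign", "encipher_only", "decipher_only")


def key_usage(**on):
    """KeyUsage extension with every bit cleared except the named ones."""
    return x509.KeyUsage(**{b: on.get(b, False) for b in KU_BITS})


def make_root():
    """Self-signed root CA (step 2); the CA name is constructed for this example."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "x509test demo root")])
    now = datetime.datetime.now(UTC)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - DAY).not_valid_after(now + 30 * DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(key_usage(key_cert_sign=True, crl_sign=True), critical=True)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_leaf(root_key, root_cert, san, not_before, not_after):
    """Server certificate signed by the root (step 3); flaws are injected via the arguments."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, san)]))
            .issuer_name(root_cert.subject).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(san)]), critical=False)
            .add_extension(key_usage(digital_signature=True), critical=True)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
            .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(root_key.public_key()),
                           critical=False)
            .sign(root_key, hashes.SHA256()))
    return key, cert


def pem(obj):
    if isinstance(obj, x509.Certificate):
        return obj.public_bytes(serialization.Encoding.PEM)
    return obj.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                             serialization.NoEncryption())


def _step(side):
    """Advance one side of the handshake; True once that side has finished."""
    try:
        side.do_handshake()
        return True
    except ssl.SSLWantReadError:
        return False  # needs more bytes from the peer first


def client_accepts(root_cert, leaf_key, leaf_cert):
    """Step 4 without sockets: True if the client completes the handshake, False if it aborts."""
    with tempfile.NamedTemporaryFile(suffix=".pem") as f:  # load_cert_chain wants a file
        f.write(pem(leaf_key) + pem(leaf_cert))
        f.flush()
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(f.name)
    client_ctx = ssl.create_default_context(cadata=pem(root_cert).decode())  # trusts only our root
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname=FQDN)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    client_done = server_done = False
    for _ in range(10):  # shuttle TLS records between the two sides
        try:
            client_done = client_done or _step(client)
        except ssl.SSLError:  # chain rejected: the client sent an alert and gave up
            return False
        if c_out.pending:
            s_in.write(c_out.read())
        server_done = server_done or _step(server)
        if s_out.pending:
            c_in.write(s_out.read())
        if client_done and server_done:
            return True
    raise RuntimeError("handshake did not finish")


def run_suite():
    """Step 5: grade each case as x509test reports it ('pass'/'fail'); case names are constructed."""
    root_key, root_cert = make_root()
    now = datetime.datetime.now(UTC)
    cases = {  # name -> (leaf, whether a compliant client should accept it)
        "valid_chain": (make_leaf(root_key, root_cert, FQDN, now - DAY, now + DAY), True),
        "name_mismatch": (make_leaf(root_key, root_cert, "other.test", now - DAY, now + DAY), False),
        "expired": (make_leaf(root_key, root_cert, FQDN, now - 3 * DAY, now - DAY), False),
    }
    results = {}
    for name, ((leaf_key, leaf_cert), should_accept) in cases.items():
        accepted = client_accepts(root_cert, leaf_key, leaf_cert)
        results[name] = "pass" if accepted == should_accept else "fail"
    return results
```

A compliant client yields pass for every case; a client that skipped the hostname or validity-period check would show fail on the flawed cases, which is the negative feedback the tool is meant to provide. The MemoryBIO loop replaces the listening socket, so this variant needs neither a free port nor root privilege; x509test itself uses a real server so that any client, not just a Python one, can be pointed at it.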

Dependencies:

Python 3.2
pyOpenSSL 0.14
pyasn1 0.1.7
pyasn1_modules 0.0.5
OpenSSL 1.0.1

Installation:

Currently, no installation procedure is needed. After all dependencies are installed, simply go to the X509Test folder and run x509test.py with the Python 3 interpreter to start the program.

Example Run:

All of the following examples use www.tls.test as the fqdn, which means the software pretends to be the server of the (fake) site www.tls.test.

All of the following examples assume a Linux-based OS. Windows users should run the command prompt as administrator (the equivalent of sudo) and specify the path to their python3.exe executable (the equivalent of python3).

All of the following examples assume the current working directory is X509Test (the downloaded folder that contains x509test.py and other items).

Please make sure that no other service is using the same port that you are about to use.

  1. A server listens on port 443 with an IPv4 address of 10.1.2.3:
    sudo python3 x509test.py www.tls.test -a 10.1.2.3 -p 443

  2. A server listens on port 8080 on the loopback address, and rebuilds all test cases:
    sudo python3 x509test.py www.tls.test -r -p 8080

  3. List all available test cases (fqdn can be any string):
    python3 x509test.py fqdn -l

  4. Run the functionality test only:
    sudo python3 x509test.py www.tls.test -c func

  5. Run both the functionality and certificate tests with SSLv3:
    sudo python3 x509test.py www.tls.test -c full --ssl SSLv3

  6. The root certificate is encrypted with the password 'secret':
    sudo python3 x509test.py www.tls.test --ca-password secret

  7. Print the current version and license of the software (fqdn can be any string):
    python3 x509test.py fqdn --version

More options can be found by using --help:
python3 x509test.py fqdn --help

Why use x509test:

  1. Security is hard
  2. x509test is easy to use
  3. x509test is open-source
  4. x509test is free

Thank you for using x509test.
