smutt / danish-rust Goto Github PK

View Code? Open in Web Editor NEW

4.0 1.0 0.0 335 KB

A generalized reimplentation of Danish in rust

License: BSD 3-Clause "New" or "Revised" License

Rust 81.72% Python 15.63% Roff 2.65%

dane tls tlsa pcap rust

danish-rust's Introduction

Overview

Danish is an experiment in middle-box DANE (RFC 6698) for HTTPS.

Danish is a daemon that listens for HTTPS TLS handshake traffic and captures the TLS/SNI and certificates. It then performs DNS lookups for DNS TLSA records to determine if the responding server is sending the correct X.509 certificate in its TLS ServerHello message.

If the certificates and DNS TLSA records do NOT match, iptables/ip6tables ACLs are installed to block user traffic to the offending website. ACLs are installed to both blackhole the immediate TCP traffic and prevent any further attempts at users connecting to the offending website. Users are then prevented from connecting to the offending website for the TTL of the relevant DNS TLSA RR.

This is a full rewrite of Python Danish in Rust. For the Python version of Danish go to Python Danish

Supported Protocols and Versions

Danish currently supports TLS 1.0 - 1.2, IPv4/IPv6.

Installation

Once compiled Danish is just an executable. Put the executable and the danish man page somewhere on your system and you're good to go.

Requirements

Linux
iptables
ip6tables for IPv6 support
kernel module kmod-ipt-filter
iptables module iptables-mod-filter

Building Danish

Install the rust compiler
Fork this repository
Compile Danish cargo build

Danish requires the following development libraries for compilation.

lib-pcap
lib-pthread

Options

-c, --chain iptables/ip6tables top level chain. Only chains allowed are OUTPUT and FORWARD. Use OUTPUT to run danish in host mode and FORWARD to run danish in middlebox mode. Default value is OUTPUT.

-i, --interface pcap interface to listen on, typically the network interface with the default route. Default value is eth0.

-h, --help display help and exit

-r, --rpz Enable Response Policy Zones(RPZ) operation. If enabled danish will block any SNI that fails resolution for A and AAAA. Default value is disabled.

-s, --sub-chain iptables/ip6tables sub-chain for installing ACLs. Special chain used only for danish ACLs. Default value is danish.

-v,--version display version information and then exit

danish-rust's People

Contributors

Stargazers

Watchers

danish-rust's Issues

TLS Session Resumption

It may be worth it in the future to explicitly ignore TLS session resumption ClientHellos. Now we don't, and I need to investigate how best to handle this.

Rule for TLS 1.2 is:
if tls.ClientHello.SessionIdLength == 0:
not session_resumption
else:
session_resumption

Middlebox vs Host -> FORWARD vs OUTPUT

Add support to toggle between iptables/ip6tables OUTPUT and FORWARD tables. We currently have OUTPUT hardcoded for end hosts. But for middleboxes we need to install ACLs in the FORWARD table.

Sometimes fail when DELAY==0 in load-test.py

When we set DELAY in load-test.py to 0 we sometimes fail to insert ACLs when validation fails. It looks like pcap is not giving us the packets. Need to investigate.

valid-test.py usage 2 broken

0 is ANY, 2 is [-1]

for tlsa in tlsa_rrs:
if tlsa['usage'] == 0 or tlsa['usage'] == 2: # Trust Anchor <-- This line is wrong

Need to break out 0 and 2

Error parsing SPKI from freebsd.org

Need to get smarter about installing ACLs for string match

Need to get smarter about installing ACLs for string match. If we block foo.org we also block asdfoo.org. Need to either use perfect offsets of specify adjacent characters.

Support TLS 1.3

Write some load tests

Write some load tests in python

Add TLS 1.2 checking

Ignore TLS versions other than 1.2. Right now I think we just assume 1.2 and that's not good.

Add RPZ support as configurable directive

Install egress ACL if DNS lookup for A/AAAA RR for SNI == NXDOMAIN

Better modularize code

ServerHello begun but no client_cache entry

Why is this happening?

[DEBUG danish_rust] ServerHello begun but no client_cache entry for "192.168.1.153_95.179.156.120_59688"
[DEBUG danish_rust] Investigating server_cache_v4 staleness 1
[DEBUG danish_rust] ServerHello begun but no client_cache entry for "192.168.1.153_95.179.156.120_59688"
[DEBUG danish_rust] Investigating server_cache_v4 staleness 1
[DEBUG danish_rust] ServerHello begun but no client_cache entry for "192.168.1.153_95.179.156.120_59688"
[DEBUG danish_rust] Investigating server_cache_v4 staleness 1
[DEBUG danish_rust] ServerHello begun but no client_cache entry for "192.168.1.153_95.179.156.120_59688"
[DEBUG danish_rust] Investigating server_cache_v4 staleness 1
[DEBUG danish_rust] ServerHello begun but no client_cache entry for "192.168.1.153_95.179.156.120_59688"
[DEBUG danish_rust] Investigating server_cache_v4 staleness 1
[DEBUG danish_rust] ServerHello begun but no client_cache entry for "192.168.1.153_95.179.156.120_59688"
[DEBUG danish_rust] Investigating server_cache_v4 staleness 1
[DEBUG danish_rust] ServerHello begun but no client_cache entry for "192.168.1.153_95.179.156.120_59688"
[DEBUG danish_rust] Investigating server_cache_v4 staleness 1
[DEBUG danish_rust] ServerHello begun but no client_cache entry for "192.168.1.153_95.179.156.120_59688"
[DEBUG danish_rust] Investigating server_cache_v4 staleness 1
[DEBUG danish_rust] ServerHello begun but no client_cache entry for "192.168.1.153_95.179.156.120_59688"
[DEBUG danish_rust] Investigating server_cache_v4 staleness 1
[DEBUG danish_rust] ServerHello begun but no client_cache entry for "192.168.1.153_95.179.156.120_59688"
[DEBUG danish_rust] Investigating server_cache_v4 staleness 1