
x509test

If you have any questions, suggestions, comments, concerns, or interesting stories, please email [email protected].

Description:

x509test is a piece of software written in Python 3 that tests the X.509 certificate verification process of a target SSL/TLS client. The inspiration for it comes from multiple reports of SSL/TLS clients being insecure because they verify the X.509 certificate chain incorrectly. This has many causes; one of them is the lack of negative feedback when a client over-accepts invalid certificates. This software is an attempt to improve the security of client-side SSL/TLS software by providing that negative feedback to developers.

Test Procedure:

  1. The software takes a user-supplied fqdn, which is the destination of the client connection.

  2. The software reads the certificate and key of the root CA. If no root CA is specified, the software generates a self-signed certificate that acts as the root CA. (NOTE: the root certificate must be trusted by the client software, either by adding it to the OS's trust store or by manually configuring the client software to trust it.)

  3. The software generates a set of test certificates. Some are signed directly by the root CA, while others are chained through intermediate CAs. The majority of the test certificates contain flaws.

  4. The software starts an SSL/TLS server and waits for a client to connect. Each session corresponds to a single test certificate chain. If the client completes the handshake with an invalid certificate chain, or terminates the handshake with a valid certificate chain, the software records that behavior as a potential violation. Regardless of the outcome, the software always terminates the connection once a result is obtained and starts a new session with a different test certificate chain. (NOTE: some ports require root privilege, so it is recommended to run this software as root.)

  5. Results are printed to the terminal, or to a file if specified, as the test progresses. There are only three possible results for a given test: pass means no non-compliant behavior was observed; fail means non-compliant behavior was encountered; unsupported means the underlying system on which x509test is running does not support the particular test.
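The client behaviour step 4 is looking for (completing a handshake over an invalid chain) almost always comes down to verification being switched off in the client. As an added example, not part of x509test, the Python snippet below builds the weak and the hardened client configuration side by side using the standard ssl module and audits a context for the settings x509test's negative tests exercise. The finding codes and function names are this example's own; the optional cafile argument is where the root CA from step 2 would be loaded.

```python
"""Added example (not x509test code): a weak vs. a hardened TLS client context,
plus an audit that reports which verification switches are off.

A client that completes the handshake with an invalid chain has usually
disabled chain validation or the hostname check; Python's ssl module exposes
both as explicit attributes, so they can be inspected directly.
"""
from __future__ import annotations

import ssl


def weak_client_context() -> ssl.SSLContext:
    """A client that would 'pass' every handshake x509test offers it: no chain
    validation and no hostname check. This is the failure mode the tool
    exists to detect."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # accept any chain, valid or not
    return ctx


def hardened_client_context(cafile: str | None = None) -> ssl.SSLContext:
    """A client that rejects invalid chains, wrong hostnames and legacy protocols.

    cafile: optional PEM file holding the root CA x509test was started with
    (step 2 of the test procedure); without it the OS trust store is used.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> set[str]:
    """Return the set of weaknesses present in a client context
    (finding codes are invented for this example)."""
    findings = set()
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.add("no-cert-verification")
    if not ctx.check_hostname:
        findings.add("no-hostname-check")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.add("legacy-protocol-allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(f"{name}: {sorted(audit_context(ctx)) or 'no findings'}")
```

Pointing the hardened context at x509test (wrap_socket with server_hostname set to the fqdn given on the command line) is what makes the tool's pass/fail verdicts meaningful; the weak context will complete every handshake and report fail on every flawed chain.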

Dependencies:

Python 3.2
pyOpenSSL 0.14
pyasn1 0.1.7
pyasn1_modules 0.0.5
OpenSSL 1.0.1

Installation:

Currently, no installation procedure is needed. After all dependencies are installed, simply go to the X509Test folder and run x509test.py with the Python interpreter to start the program.

Example Run:

All of the following examples use www.tls.test as the fqdn, which means the server pretends to be the (fake) site www.tls.test.

All of the following examples assume a Linux-based OS. Windows users should run the command prompt as administrator (the equivalent of sudo) and specify the path to their python3.exe executable (in place of python3).

All of the following examples assume the current working directory is X509Test (the downloaded folder that contains x509test.py and the other items).

Please make sure that no other service is using the port you are about to use.

  1. A server listens on port 443 with an IPv4 address of 10.1.2.3:
    sudo python3 x509test.py www.tls.test -a 10.1.2.3 -p 443

  2. A server listens on port 8080 with a loopback address, and all test cases are rebuilt:
    sudo python3 x509test.py www.tls.test -r -p 8080

  3. List all available test cases (fqdn can be any string):
    python3 x509test.py fqdn -l

  4. Run functionality test only:
    sudo python3 x509test.py www.tls.test -c func

  5. Run both functionality and certificate tests with SSL3:
    sudo python3 x509test.py www.tls.test -c full --ssl SSLv3

  6. The root CA key is encrypted with the password 'secret':
    sudo python3 x509test.py www.tls.test --ca-password secret

  7. Print the current version and license of the software (fqdn can be any string):
    python3 x509test.py fqdn --version

More options can be found by using --help:
python3 x509test.py fqdn --help

Why use x509test:

  1. Security is hard
  2. x509test is easy to use
  3. x509test is open-source
  4. x509test is free

Thank you for using x509test.

Contributors:

yymax, coruus, dweinstein


Issues:

OpenSSL.crypto.Error: []

Hello!
I'm on Ubuntu. I wanted to install x509test with Python 3.5. I installed pyOpenSSL 0.14, pyasn1 0.1.7, pyasn1_modules 0.0.5 and OpenSSL 1.0.2. But it doesn't work. I really need help! Please! Thanks!

$sudo python3 x509test.py www.tls.test -c full --ssl SSLv3
Starting SSL/TLS X509 Certificate Test
Checking Root CA...
Checking Test Directory...
Building Functionality Test Cases...
Traceback (most recent call last):
File "x509test.py", line 12, in
Terminal().runTest()
File "/usr/bin/x509test/src/Terminal.py", line 246, in runTest
cases = cases.build()
File "/usr/bin/x509test/src/TestSet.py", line 61, in build
self.addTestCase(test, self.opt.replace)
File "/usr/bin/x509test/src/TestSet.py", line 310, in addTestCase
testCase.testBuild(replace)
File "/usr/bin/x509test/src/Test.py", line 239, in testBuild
self.procedure()
File "/usr/bin/x509test/src/Test.py", line 252, in procedure
cert.signer.build()
File "/usr/bin/x509test/src/Certificate.py", line 217, in build
self.keyPassword)
File "/usr/local/lib/python3.5/dist-packages/OpenSSL/crypto.py", line 2010, in load_privatekey
_raise_current_error()
File "/usr/local/lib/python3.5/dist-packages/OpenSSL/_util.py", line 22, in exception_from_error_queue
raise exceptionType(errors)
OpenSSL.crypto.Error: []

PyAsn1Error Empty substrate

Hi there,

I'm on OS X, installed dependencies via pip (via MacPorts), Python 3.3. For some reason the ASN.1 parser seems to throw an Empty substrate error. Let me know if you need more debug info.

$ sudo python3.3 x509test.py www.tls.test -c full --ssl SSLv3
Starting SSL/TLS X509 Certificate Test
Checking Root CA...
Checking Test Directory...
Building Functionality Test Cases...
Building X509 Test Cases...
Traceback (most recent call last):
File "x509test.py", line 12, in
Terminal().runTest()
File "/opt/x509test/src/Terminal.py", line 246, in runTest
cases = cases.build()
File "/opt/x509test/src/TestSet.py", line 67, in build
self.addTestCase(test, self.opt.replace)
File "/opt/x509test/src/TestSet.py", line 310, in addTestCase
testCase.testBuild(replace)
File "/opt/x509test/src/Test.py", line 239, in testBuild
self.procedure()
File "/opt/x509test/src/Test.py", line 254, in procedure
cert.build()
File "/opt/x509test/src/Certificate.py", line 622, in build
cert = self.asnModify(cert, self.modifier.preSign)
File "/opt/x509test/src/Certificate.py", line 755, in asnModify
cert = decoder.decode(substrate, asn1Spec=rfc2459.Certificate())[0]
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.3/lib/python3.3/site-packages/pyasn1/codec/ber/decoder.py", line 792, in call
stGetValueDecoder, self, substrateFun
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.3/lib/python3.3/site-packages/pyasn1/codec/ber/decoder.py", line 321, in valueDecoder
component, head = decodeFun(head, asn1Spec)
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.3/lib/python3.3/site-packages/pyasn1/codec/ber/decoder.py", line 792, in call
stGetValueDecoder, self, substrateFun
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.3/lib/python3.3/site-packages/pyasn1/codec/ber/decoder.py", line 321, in valueDecoder
component, head = decodeFun(head, asn1Spec)
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.3/lib/python3.3/site-packages/pyasn1/codec/ber/decoder.py", line 792, in call
stGetValueDecoder, self, substrateFun
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.3/lib/python3.3/site-packages/pyasn1/codec/ber/decoder.py", line 321, in valueDecoder
component, head = decodeFun(head, asn1Spec)
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.3/lib/python3.3/site-packages/pyasn1/codec/ber/decoder.py", line 792, in call
stGetValueDecoder, self, substrateFun
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.3/lib/python3.3/site-packages/pyasn1/codec/ber/decoder.py", line 217, in valueDecoder
raise error.PyAsn1Error('Empty substrate')
pyasn1.error.PyAsn1Error: Empty substrate

cheers,
floyd
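The "Empty substrate" in the traceback above is pyasn1 reporting that it ran out of bytes several levels down in the Certificate structure while a length field still promised more. As an added example, not part of x509test or pyasn1, the snippet below does a structural pre-check of PEM or DER input: it walks the TLV (tag, length, value) layout and reports exactly which element overruns its container, which is more useful to a developer than a nested decoder traceback. The DER blobs are constructed for this example; no real certificate is involved, and the function names are this example's own.

```python
"""Added example (not x509test or pyasn1 code): a structural DER length check
that turns "ran out of bytes" into a precise message before a real ASN.1
decoder is invoked."""
from __future__ import annotations

import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


class DerError(ValueError):
    """Raised for input that cannot be a complete DER element."""


def to_der(data: bytes) -> bytes:
    """Accept PEM or DER bytes and return DER; empty input fails early."""
    if not data.strip():
        raise DerError("empty input: nothing to decode")
    match = PEM_RE.search(data)
    if match is None:
        return data                       # assume raw DER
    body = b"".join(match.group(1).split())
    if not body:
        raise DerError("PEM block has an empty body")
    return base64.b64decode(body, validate=True)


def read_header(buf: bytes, pos: int, limit: int) -> tuple[bool, int, int]:
    """Parse one DER header at pos; return (constructed, value_start, value_end).

    limit is the end of the enclosing container, so an element that reaches
    past its parent is caught even when the whole buffer is long enough.
    """
    if pos + 2 > limit:
        raise DerError(f"need tag and length at offset {pos}, container ends at {limit}")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise DerError(f"high-tag-number form at offset {pos} is not handled here")
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first                    # short form
    else:
        n = first & 0x7F                  # long form: n length bytes follow
        if n == 0 or n > 4 or pos + n > limit:
            raise DerError(f"bad or truncated length field at offset {pos - 1}")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > limit:
        raise DerError(f"value at offset {pos} claims {length} bytes "
                       f"but only {limit - pos} remain in its container")
    return bool(tag & 0x20), pos, end


def count_elements(buf: bytes, start: int = 0, limit: int | None = None) -> int:
    """Walk every element (recursing into constructed ones); return the count."""
    limit = len(buf) if limit is None else limit
    count, pos = 0, start
    while pos < limit:
        constructed, vstart, vend = read_header(buf, pos, limit)
        count += 1
        if constructed:
            count += count_elements(buf, vstart, vend)
        pos = vend
    return count


def validate(data: bytes) -> tuple[bool, object]:
    """Return (True, element count) or (False, reason) for PEM/DER input."""
    try:
        return True, count_elements(to_der(data))
    except ValueError as exc:             # DerError and base64's binascii.Error
        return False, str(exc)


# Constructed samples: SEQUENCE { INTEGER 5, OCTET STRING "abc" } ...
GOOD = b"\x30\x08\x02\x01\x05\x04\x03abc"
# ... and a variant whose outer length is consistent but whose inner OCTET
# STRING is cut short: the outer element looks fine, the inner one runs out
# of bytes, which is the shape of the error in the report above.
INNER_TRUNCATED = b"\x30\x06\x02\x01\x05\x04\x03a"
PEM_GOOD = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(GOOD)
            + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for label, blob in (("good", GOOD), ("pem", PEM_GOOD),
                        ("truncated", INNER_TRUNCATED), ("empty", b"")):
        print(label, validate(blob))
```

Running validate over the certificate and key files a test run loads (before pyasn1 sees them) narrows a report like this one to "file is empty", "PEM body missing" or "element at offset N overruns its container", each of which points at a specific file rather than at the decoder.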
