Chapter 2. Testing TLS with OpenSSL - Feisty Duck


2. Testing TLS with OpenSSL

Due to the large number of protocol features and implementation quirks, it's sometimes difficult to determine the exact configuration and features of secure servers. Although many tools exist for this purpose, it's often difficult to know exactly how they work, and that sometimes makes it difficult to fully trust their results. Even though I spent years testing secure servers and have access to good tools, when I really want to understand what is going on, I resort to using OpenSSL and Wireshark. I am not saying that you should use OpenSSL for everyday testing; on the contrary, you should find an automated tool that you trust. For online testing, I recommend Hardenize;[22] for offline work, consider testssl.sh.[23] But when you really need to be certain of something, the only way is to get your hands dirty with OpenSSL.

Custom-Compile OpenSSL for Testing

Using OpenSSL for testing purposes has become more difficult recently because, paradoxically, OpenSSL itself got better. In the aftermath of Heartbleed, the OpenSSL developers undertook a great overhaul, one aspect of which was removal of obsolete cryptography. That is great news for everyone, of course, but does make our lives more difficult. To test for a wide variety of conditions, we may need to use two versions: one recent and one old. The recent one is useful to test modern features (e.g., TLS 1.3), but the old one is what you need to test obsolete functionality. At the time of writing, the new version will most definitely be from the 1.1.1 branch.
As for the old, after some research, I settled on OpenSSL 1.0.2g, configured so that the removal of some obsolete features is reverted:

    $ ./config \
        --prefix=/opt/openssl-1.0.2g \
        --openssldir=/opt/openssl-1.0.2g \
        no-shared \
        enable-ssl2 \
        enable-ssl3 \
        enable-weak-ssl-ciphers

Throughout this chapter, I will refer to these two versions of OpenSSL as new and old. That's how you'll know which version to use for the testing. Refer to the previous chapter for more information on how to configure and install OpenSSL.

Connecting to TLS Services

OpenSSL comes with a client tool that you can use to connect to a secure server. The tool is similar to telnet or nc in the sense that it handles the encryption aspect but allows you to fully control the layer that comes next. To connect to a server, you need to supply a hostname and a port. For example:

    $ openssl s_client -crlf \
        -connect www.feistyduck.com:443 \
        -servername www.feistyduck.com

Notice that you had to supply the hostname twice. The -connect switch is used to establish the TCP connection, but -servername is used to specify the hostname sent at the TLS level. Starting with OpenSSL 1.1.1, the s_client tool automatically configures the latter. You'll still need to use the -servername switch if (1) you're using an earlier version of OpenSSL, (2) you're connecting to an IP address, or (3) the TLS host needs to be different. Use the -noservername switch to avoid sending hostname information in the TLS handshake.

Once you type the command, you're going to see a lot of diagnostic output (more about that in a moment) followed by an opportunity to type whatever you want. Because we're talking to an HTTP server, the most sensible thing to do is to submit an HTTP request.
In the following example, I use a HEAD request because it instructs the server not to send the response body:

    HEAD / HTTP/1.0
    Host: www.feistyduck.com

    HTTP/1.1 200 OK
    Date: Mon, 24 Aug 2020 16:38:02 GMT
    Server: Apache
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Cache-control: no-cache, must-revalidate
    Content-Type: text/html;charset=UTF-8
    Transfer-Encoding: chunked
    Set-Cookie: JSESSIONID=882D48C8842EA82E3F3AFACC4425A695; Path=/; Secure; HttpOnly
    Connection: close
    read:errno=0

Note: If, when connecting to a remote server in this way, the TLS handshake completes but you're getting disconnected after the first HTTP request line, check that you've specified the -crlf switch on the command line. This switch ensures that the newlines you type are translated to a carriage return plus line feed combo to ensure strict HTTP compliance.

Now we know that the TLS communication layer is working: we got through to the HTTP server, submitted a request, and received a response back. Let's go back to the diagnostic output. The first couple of lines will show the information about the server certificate:

    CONNECTED(00000003)
    depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
    verify return:1
    depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
    verify return:1
    depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.feistyduck.com
    verify return:1

The next section in the output lists all the certificates presented by the server in the order in which they were delivered:

    Certificate chain
     0 s:OU = Domain Control Validated, OU = PositiveSSL, CN = www.feistyduck.com
       i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
     1 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
       i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority

For each certificate, the first line shows the subject and the second line shows the issuer information. This part is very useful when you need to see exactly what certificates are sent; browser certificate viewers typically display reconstructed certificate chains that can be almost completely different from the presented ones. To determine if the chain is nominally correct, you might wish to verify that the subjects and issuers match. You start with the leaf (web server) certificate at the top, and then you go down the list, matching the issuer of the current certificate to the subject of the next. The last issuer you see can point to some root certificate that is not in the chain, or—if the self-signed root is included—it can point to itself.

The next item in the output is the server certificate; it's a lot of text, but I'm going to remove most of it for brevity:

    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIFUzCCBDugAwIBAgIRAPR/CbWZEksfCIRqxNcesPIwDQYJKoZIhvcNAQELBQAw
    gZAxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
    BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTYwNAYD
    [...]
    L1MPjFiB5pyvf9jDBxv8TmG4Q6TnDDhw2t2Qil6lhsPAMZ9odP22W3uaLE1y7aB6
    zbQXjVsc3E1THfFZWRzDPsU4fN/1iGlbrcAWa2sFfhJXrCDfAowFJ8A1n9jMiNEG
    WfQfGgA2ar2xUtsqA7Re6XlXOlwBPuQ=
    -----END CERTIFICATE-----
    subject=OU = Domain Control Validated, OU = PositiveSSL, CN = www.feistyduck.com
    issuer=C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA

Note: By default, the s_client tool shows just the leaf certificate.
If you wish to obtain the entire chain, use the -showcerts switch.

If you want to have a better look at the certificate, you'll first need to copy it from the output and store it in a separate file. I'll discuss how to do that in the next section.

The following is a lot of information about the TLS connection, most of which is self-explanatory:

    ---
    No client certificate CA names sent
    Peer signing digest: SHA512
    Peer signature type: RSA
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 3624 bytes and written 446 bytes
    Verification: OK
    ---
    New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256
        Session-ID: 73FC4831AF053C46291C2D8CC90BF7F1D5B12178E488FBB4DC49A302B870E8DE
        Session-ID-ctx:
        Master-Key: E60DA9C6669C2C7DFFD8A3AD2CD17405CC0B9B69C4184469D779A9BA19A6FD4B3D602A023BD8B23F8D9A9FF2CBB5DDF7
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 300 (seconds)
        TLS session ticket:
        0000 - 31 95 ff d0 4c 42 dd d0-24 64 03 5c fc 55 1d 17   1...LB..$d.\.U..
        0010 - 05 c4 61 1f b8 ba fd fe-f7 6c 6c e9 ae a2 49 3f   ..a......ll...I?
        0020 - c5 19 d4 e9 69 a5 79 d5-af 13 26 c8 2c e7 f0 01   ....i.y...&.,...
        0030 - 3b 42 d8 c0 29 4c fa 7e-88 aa 8d c8 0b 30 96 ce   ;B..)L.~.....0..
        0040 - 43 40 2c 09 0b aa 2e d5-61 e3 34 7a a3 78 2f 93   C@,.....a.4z.x/.
        0050 - 67 5a b9 96 78 f5 e7 69-b7 b6 2d 8c 00 8f 04 ab   gZ..x..i..-.....
        0060 - 42 1d 26 db 92 ec 2d 2f-ba 1c c6 61 87 64 0e d5   B.&...-/...a.d..
        0070 - f2 ce 20 d0 07 a5 e2 6d-c6 45 50 c2 45 14 a8 ee   .. ....m.EP.E...
        0080 - 59 7c 63 e1 d7 d8 b0 b6-76 21 d2 13 97 eb bd 97   Y|c.....v!......
        0090 - a1 d3 e8 5c 61 da da 2d-85 80 db ae de 56 97 e1   ...\a..-.....V..
        00a0 - e8 7a 25 f9 bf cf b6 18-48 5b b0 03 a5 e6 ec 0a   .z%.....H[......
        00b0 - bf 2f 0d 1a 6b ae 79 10-80 9c cf 4d 66 8f 90 43   ./..k.y....Mf..C
        00c0 - 69 54 32 be 0c 89 57 e8-6d 81 b5 3e 5b cb 5e 8e   iT2...W.m..>[.^.
        Start Time: 1598288068
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no

The most important information here is the protocol version (TLS 1.2) and cipher suite used (ECDHE-RSA-AES128-GCM-SHA256). Do note that protocol information appears in two locations, which is potentially confusing when different versions are shown. The first location describes the minimum protocol requirement with the negotiated cipher suite, while the second location points to the actual protocol version currently being negotiated. You will see a difference in protocol versions with some older cipher suites—for example:

    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA

The selected suite could be used with SSL 3.0, but it's used with TLS 1.2 on this connection:

    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES128-SHA

You can also determine that the server has issued to you a session ID and a TLS session ticket (a way of resuming sessions without having the server maintain state) and that secure renegotiation is supported.

Note: If you're connecting to a TLS 1.3 server, the output may be different. Sometimes you will observe less information initially, with additional information arriving later in bursts. This behavior depends on the implementation and reflects the changes in TLS 1.3, which transmits session tickets as separate protocol messages that are sent only after the handshake is complete. Additionally, multiple session tickets are usually sent on the same connection.

Certificate Verification

Just because you are able to connect to a TLS server, that doesn't mean that the service is configured correctly, even if the server supports all the right protocols and cipher suites. It is equally important that the configured certificate matches the correct DNS names. By default, the s_client tool reports but otherwise ignores certificate issues. Further, before you begin to trust its judgment you need to be confident that it can recognize a valid certificate when it sees one. This is especially true when you're using a custom-compiled binary.

In the example from the previous section, the verification status code (shown on the penultimate line) was 0, which means that the verification has been successful. If you're connecting to a server that has a valid public certificate but you see status 20 instead, that probably means that trusted roots haven't been correctly configured:

    Verify return code: 20 (unable to get local issuer certificate)

At this point, if you don't wish to fix your OpenSSL installation, you can instead use the -CApath switch to point to the location where the roots are kept. For example:

    $ openssl s_client -connect www.feistyduck.com:443 -CApath /etc/ssl/certs/

If you instead have a single file with the roots in it, use the -CAfile switch:

    $ openssl s_client -connect www.feistyduck.com:443 \
        -CAfile /etc/ssl/certs/ca-certificates.crt

Even if you get a successful status code at this point, that doesn't mean that the certificate is correctly configured. That's because the s_client tool doesn't check that the certificate is correct for the given hostname; you have to tell it to do that manually and tell it which hostname to use:

    $ openssl s_client -connect www.feistyduck.com:443 -verify_hostname www.feistyduck.com

If there is a mismatch, you might see status code 62:

    Verify return code: 62 (Hostname mismatch)

Otherwise, you'll see the familiar status code 0. In the rare instance that you need to verify a certificate that has been issued for an IP address instead of a hostname, you'll need to use the -verify_ip switch for the verification.

Testing Protocols that Upgrade to TLS

When used with HTTP, TLS wraps the entire plain-text communication channel to form HTTPS. Some other protocols start off as plain text, but then they upgrade to encryption.
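Before moving on to protocols that upgrade to TLS, here is an added example (not code from the OpenSSL Cookbook) that packages the connection and verification checks of the previous two sections into shell functions: one connects with SNI and hostname verification, one reduces the diagnostic output to the three values that matter (the negotiated protocol, the cipher suite and the verify return code), and one turns those into a verdict that maps codes 20 and 62 to the causes described above. The function names are hypothetical, and the sample outputs embedded in the block are constructed from the fields s_client prints, trimmed to the lines the parser looks at.

```shell
#!/bin/sh
# Added example, not code from the OpenSSL Cookbook. Hypothetical helper names:
# tls_connect, tls_summary, tls_verdict. Only tls_connect needs the openssl
# binary and a network; the other two functions are pure text processing.

# Connect once with SNI and hostname verification; `echo |` closes stdin so
# s_client returns instead of waiting for keyboard input.
tls_connect() {
    host=$1; port=${2:-443}
    echo | openssl s_client -connect "$host:$port" -servername "$host" \
        -verify_hostname "$host" 2>/dev/null
}

# Reduce s_client output (stdin) to one line: "<protocol> <cipher> <verify code>".
# The "Protocol :" line under SSL-Session is the version actually negotiated; the
# "New, ..." line only states the minimum version the negotiated suite needs.
tls_summary() {
    awk '
        /^New, /              { sub(/.*Cipher is /, ""); cipher = $0 }
        /^ *Protocol *:/      { proto = $NF }
        /Verify return code:/ { code = $4 }
        END { printf "%s %s %s\n", proto, cipher, code }
    '
}

# Turn a summary line into a verdict; exit status 0 only for a verified connection.
tls_verdict() {
    set -- $1
    proto=$1; cipher=$2; code=$3
    if [ -z "$cipher" ] || [ "$cipher" = "(NONE)" ]; then
        echo "FAIL: no cipher suite negotiated (handshake did not complete)"; return 1
    fi
    case "$code" in
        0)  echo "OK: $proto $cipher, certificate verified" ;;
        20) echo "FAIL: code 20, trusted roots not configured (try -CApath or -CAfile)"; return 1 ;;
        62) echo "FAIL: code 62, certificate does not match the hostname"; return 1 ;;
        *)  echo "FAIL: verify return code $code"; return 1 ;;
    esac
}

# Constructed samples in the shape of the real output, trimmed to the relevant lines.
SAMPLE_OK='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)'

SAMPLE_MISMATCH='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Verify return code: 62 (Hostname mismatch)'

# Live use: ./tlscheck.sh --live www.example.com   (hypothetical file name)
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    tls_verdict "$(tls_connect "$2" | tls_summary)"
else
    tls_verdict "$(printf '%s\n' "$SAMPLE_OK" | tls_summary)"
    tls_verdict "$(printf '%s\n' "$SAMPLE_MISMATCH" | tls_summary)" || true
fi
```

The parser deliberately reads the `Protocol :` line rather than the `New,` line for the version, for the reason given above: with older suites the `New,` line reports the suite's minimum protocol (for example `TLSv1/SSLv3`), not the version that was negotiated.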
If you want to test such a protocol, you'll have to tell OpenSSL which protocol it is so that it can upgrade on your behalf. Provide the protocol information using the -starttls switch. For example:

    $ openssl s_client -connect gmail-smtp-in.l.google.com:25 -starttls smtp

At the time of writing, the supported protocols in recent OpenSSL releases are smtp, pop3, imap, ftp, xmpp, xmpp-server, irc, postgres, mysql, lmtp, nntp, sieve, and ldap. There is less choice with OpenSSL 1.0.2g: smtp, pop3, imap, ftp, and xmpp.

Some protocols require the client to provide their names. For example, for SMTP, OpenSSL will use mail.example.com by default, but you can specify the correct value with the -name switch. If you're testing XMPP, you may need to specify the correct server name; you can do this with the -xmpphost switch.

Extracting Remote Certificates

When you connect to a remote secure server using s_client, it will dump the server's PEM-encoded certificate to standard output. If you need the certificate for any reason, you can copy it from the scroll-back buffer. If you know in advance you only want to retrieve the certificate, you can use this command line as a shortcut:

    $ echo | openssl s_client -connect www.feistyduck.com:443 2>&1 | sed --quiet '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > feistyduck.crt

The purpose of the echo command at the beginning is to separate your shell from s_client. If you don't do that, s_client will wait for your input until the server times out (which may potentially take a very long time).

By default, s_client will print only the leaf certificate; if you want to print the entire chain, give it the -showcerts switch. With that switch enabled, the previous command line will place all the certificates in the same file.

    $ echo | openssl s_client -showcerts -connect www.feistyduck.com:443 2>&1 | sed --quiet '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > feistyduck.chain

Another useful trick is to pipe the output of s_client directly to the x509 tool. The following command shows detailed server information, along with its SHA256 fingerprint:

    $ echo | openssl s_client -connect www.feistyduck.com:443 2>&1 | openssl x509 -noout -text -fingerprint -sha256

Sometimes you will need to take the certificate fingerprint and use it with other tools. Unfortunately, OpenSSL outputs certificates in a format that shows individual bytes and separates them using colons. This handy command line normalizes certificate fingerprints by removing the colons and converting the hexadecimal characters to lowercase:

    $ echo | openssl s_client -connect www.feistyduck.com:443 2>&1 | openssl x509 -noout -fingerprint -sha256 | sed 's/://g' | tr '[:upper:]' '[:lower:]' | sed 's/sha256 fingerprint=//g'

Note: Connecting to remote TLS servers and reviewing their certificates is a pretty common operation, but you shouldn't spend your time remembering and typing these long commands. Instead, invest into writing a couple of shell functions that will package this functionality into easy-to-use commands.

Testing Protocol Support

By default, s_client will try to use the best protocol to talk to the remote server and report the negotiated version in output. As mentioned earlier, you will find the protocol version in the output twice, and you want the line that explicitly talks about the protocol:[24]

    Protocol  : TLSv1.2

If you need to test support for specific protocol versions, you have two options. You can explicitly choose one protocol to test by supplying one of the -ssl2, -ssl3, -tls1, -tls1_1, -tls1_2, or -tls1_3 switches. Naturally, each switch requires support for a specific protocol version in the testing tool. If you want to exclude a particular protocol from the testing, there is a family of switches that disable protocols (e.g., -no_tls1_2 for TLS 1.2). Sometimes that may be the better approach. Starting with OpenSSL 1.1.0, there are two new options, -min_protocol and -max_protocol, which control the minimum and maximum protocol version, respectively.

For example, here's the output you might get when testing a server that doesn't support a certain protocol version:

    $ openssl s_client -connect www.example.com:443 -tls1_2
    CONNECTED(00000003)
    140455015261856:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 5 bytes and written 7 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1339231204
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
    ---

Understanding if a server supports SSL 2.0 may sometimes require more work, due to the fact that this old and very insecure version of the SSL protocol uses a different handshake from that used from SSL 3.0 onwards. Although servers that support only SSL 2.0 should now be very rare, to check this eventuality, you'll need to submit a separate check using the -ssl2 switch.

Another protocol difference is that SSL 2.0 servers are sometimes seen without any configured cipher suites. In that case, although SSL 2.0 is supported, technically speaking, any handshake attempts will still fail. You should treat this situation as misconfiguration.

Testing Cipher Suite Configuration

It's not very likely that you will be spending a lot of time testing cipher suite configuration using OpenSSL on the command line. This is because you can effectively test for only one suite at a time; testing for more than 300 cipher suites that are supported by TLS 1.2 and earlier protocol revisions would take a considerable amount of time. This is a perfect opportunity to use those handy tools that automate the process. Still, there will be times when you will need to probe servers to determine if they support a particular suite or a cryptographic primitive, or if the preference is correctly configured.

The introduction of TLS 1.3 made testing in this area slightly more complicated, but it's still manageable. Because of the differences between this protocol version and all other revisions, it's usually best to split your tests into two groups. When testing TLS 1.3, always use the -ciphersuites switch in combination with -tls1_3. The usual approach is to specify only one suite to determine if it's supported:

    $ echo | openssl s_client -connect www.hardenize.com:443 -tls1_3 -ciphersuites TLS_AES_128_GCM_SHA256 2>/dev/null | grep New
    New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256

The output will naturally be different if you pick a suite that is not supported:

    $ echo | openssl s_client -connect www.hardenize.com:443 -tls1_3 -ciphersuites TLS_AES_128_CCM_SHA256 2>/dev/null | grep New
    New, (NONE), Cipher is (NONE)

When you're testing the configuration of TLS 1.2 and earlier protocol versions, use the -cipher switch in combination with -no_tls1_3 (assuming you're using a version of OpenSSL that supports TLS 1.3):

    $ echo | openssl s_client -connect www.hardenize.com:443 -no_tls1_3 -cipher AESGCM 2>/dev/null | grep New
    New, TLSv1.2, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256

As you can see in the previous example, when testing TLS 1.2 and earlier you don't have to specify only one cipher suite, but in that case you will need to observe what has been negotiated. If you want to probe further, you can always tweak the command line to remove the previously negotiated suite:

    $ echo | openssl s_client -connect www.hardenize.com:443 -no_tls1_3 -cipher 'AESGCM:!ECDHE-ECDSA-AES128-GCM-SHA256' 2>/dev/null | grep New
    New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384

Even though you won't be testing for a great many suites manually, there is a quick way to determine if a particular server supports any of the many bad cryptographic primitives. To do this, use your old OpenSSL version and list all the bad cipher suite keywords, like this:

    $ echo | openssl s_client -connect example.com:443 -cipher '3DES DES RC2 RC4 IDEA SEED CAMELLIA MD5 aNULL eNULL EXPORT LOW' 2>/dev/null | grep New
    New, TLSv1/SSLv3, Cipher is DHE-RSA-CAMELLIA256-SHA

Another good test is to see if a server supports the RSA key exchange that doesn't support forward secrecy:

    $ echo | /opt/openssl-1.0.2g/bin/openssl s_client -connect example.com:443 -cipher kRSA 2>/dev/null | grep New
    New, TLSv1/SSLv3, Cipher is AES128-GCM-SHA256

Ideally, you'd get a handshake failure here, but it's not terrible if you don't, provided the server uses the RSA key exchange only as a matter of last resort. You can check this by offering suites with forward secrecy as your least preferred option:

    $ echo | /opt/openssl-1.0.2g/bin/openssl s_client -connect example.com:443 -cipher 'DHE ECDHE kRSA +kECDHE +kDHE' 2>/dev/null | grep New
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256

Testing Cipher Suite Preference

As a general rule, TLS servers should always be configured to enforce their cipher suite preferences, ensuring that they negotiate their preferred cipher suite with every client. This feature is essential with TLS 1.2 and earlier protocol revisions, which support many cipher suites, most of them undesirable. It's a different story with TLS 1.3: it only has a handful of suites available at this time and all of them are secure, so enforcing server preference doesn't matter that much.[25]

Note: Because cipher suite preference doesn't matter much with TLS 1.3, some stacks don't even support it with this protocol, even if they do with earlier protocol versions. Thus, for the best results, you will want to test separately for TLS 1.3 and everything else—or separately for every supported protocol. This is another case in which automation is the better choice.

To test for server suite preference, you first need to have some idea of what suites are supported. For example, you could have the complete list of supported suites. Alternatively, you can probe the server with different suite types—for example, those that use ECDHE versus DHE or RSA key exchange. With two suites in hand, you need to initiate two connections, first offering one of the suites as your first choice, then the other:

    $ echo | openssl s_client -connect www.hardenize.com:443 -tls1_3 -ciphersuites 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384' 2>/dev/null | grep New
    New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
    $ echo | openssl s_client -connect www.hardenize.com:443 -tls1_3 -ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256' 2>/dev/null | grep New
    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384

If you see the same suite negotiated on both connections, that means that the server is configured to actively select negotiated suites. Otherwise, it isn't. The server in the previous example is one of those TLS 1.3 servers that doesn't enforce preference.
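The two-connection test just described is mechanical enough to script. The following is an added example, not code from the OpenSSL Cookbook: one function runs a single connection with the right switch for the protocol family (-ciphersuites with -tls1_3, or -cipher with -no_tls1_3) and extracts the negotiated suite from the "New," line; a second, network-free function applies the rule from the text to the two results, so the decision logic can be checked on the outcomes shown above. Function names are hypothetical; the suite lists must be colon-separated.

```shell
#!/bin/sh
# Added example, not code from the OpenSSL Cookbook. Hypothetical helper names:
# suite_for_offer, pref_decide, pref_test. Only suite_for_offer needs openssl and
# a network; pref_decide is pure logic so the rule can be exercised offline.

# Negotiated suite when LIST is offered; "tls13" selects -tls1_3/-ciphersuites,
# anything else selects -no_tls1_3/-cipher. Empty output means the handshake failed.
suite_for_offer() {
    host=$1; proto=$2; list=$3
    if [ "$proto" = tls13 ]; then vflag=-tls1_3; lflag=-ciphersuites
    else vflag=-no_tls1_3; lflag=-cipher; fi
    echo | openssl s_client -connect "$host:443" $vflag $lflag "$list" 2>/dev/null \
        | sed -n 's/^New, .*Cipher is //p'
}

# The rule from the text: the same suite on both connections means the server
# enforces its own order; each connection getting the client's first choice means
# the client's order wins. Exit status: 0 enforced, 1 client-preferred, 2 inconclusive.
pref_decide() {
    a=$1; b=$2; got_ab=$3; got_ba=$4
    for got in "$got_ab" "$got_ba"; do
        if [ -z "$got" ] || [ "$got" = "(NONE)" ]; then
            echo "inconclusive: a handshake failed, choose two suites the server supports"
            return 2
        fi
    done
    if [ "$got_ab" = "$got_ba" ]; then
        echo "server enforces preference: $got_ab"; return 0
    elif [ "$got_ab" = "$a" ] && [ "$got_ba" = "$b" ]; then
        echo "server follows client preference"; return 1
    fi
    echo "unexpected result: $got_ab then $got_ba for $a/$b"; return 2
}

# Two connections, the same pair of suites offered in both orders.
pref_test() {
    host=$1; proto=$2; a=$3; b=$4
    pref_decide "$a" "$b" \
        "$(suite_for_offer "$host" "$proto" "$a:$b")" \
        "$(suite_for_offer "$host" "$proto" "$b:$a")"
}

# Usage (live):
#   pref_test www.example.com tls13 TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384
#   pref_test www.example.com tls12 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384
```

Keep the two suites on the same footing (both AES-GCM, for instance) when using this for TLS 1.2 servers; the section on ChaCha20 below explains why a mixed pair can produce a result that looks like client preference but is really the server's equal-preference handling of AES-GCM and ChaCha20.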
That very same server does have a preference with TLS 1.2; we can see that it always selects a better suite, even when we push it to the end of our list:

    $ echo | openssl s_client -connect www.hardenize.com:443 -no_tls1_3 -cipher 'ECDHE+AESGCM RSA' 2>/dev/null | grep New
    New, TLSv1.2, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
    $ echo | openssl s_client -connect www.hardenize.com:443 -no_tls1_3 -cipher 'ECDHE+AESGCM RSA +ECDHE' 2>/dev/null | grep New
    New, TLSv1.2, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256

When it comes to server suite preference testing, the ChaCha20 suites are best avoided. This is because some servers support another type of preference, where they treat AES-GCM and ChaCha20 suites as equal in terms of security and respect client preference as a special case. The idea is that the client will prefer the faster cipher suite, which is typically ChaCha20 for mobile devices and AES-GCM for desktops.

That said, with servers that support this type of preference, you may want to test if it's working correctly. To do that, you'll need to use three supported cipher suites and three tests. The purpose of the first two tests is to establish that the server selects its favorite suite when ChaCha20 is not involved:

    $ echo | openssl s_client -connect www.hardenize.com:443 -no_tls1_3 -cipher 'ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-CHACHA20-POLY1305' 2>/dev/null | grep New
    New, TLSv1.2, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
    $ echo | openssl s_client -connect www.hardenize.com:443 -no_tls1_3 -cipher 'ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-CHACHA20-POLY1305' 2>/dev/null | grep New
    New, TLSv1.2, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256

If you see that the server responds with the same suite in both cases, you can submit another test with a supported ChaCha20 suite first. If you see the server selecting it, you know it's configured to support the client-preferred suite:

    $ echo | openssl s_client -connect www.hardenize.com:443 -no_tls1_3 -cipher 'ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256' 2>/dev/null | grep New
    New, TLSv1.2, Cipher is ECDHE-ECDSA-CHACHA20-POLY1305

Testing Named Groups

Named groups are predefined cryptographic parameters that are used for key exchange. In TLS 1.3, named groups include both elliptic curve (EC) and finite field (DH) parameters. TLS 1.2 and earlier generally use only predefined elliptic curves; the server provides DH parameters on every connection.[26] In a handshake, the client and server have to agree on a common named group over which the key exchange will take place, and it's important that the selected group satisfies desired security requirements.

In practice, there is seldom a need to test servers for named groups. Although there's a fair number of named groups in various RFCs, OpenSSL is probably the only major client to have extensive support. Historically, you could only use NIST's P-256 and P-384 EC groups because these were the only widely supported curves. Relatively recently, X25519 and X448 groups were added as an alternative. Because all these curves are strong, there is little need to spend time thinking about them.

You may find yourself testing named group configuration usually to understand what your web server is doing. For example, you may care about X25519 and want to ensure it's available and preferred. To test for this, use the s_client tool and the -curves switch. For example, here's how to determine if a single named group is supported:

    $ echo | openssl s_client -connect hardenize.com:443 -curves X25519 2>/dev/null | grep "Server Temp Key"
    Server Temp Key: X25519, 253 bits

On success, you will see the named group in the output, because that's the group that was selected for the handshake. On failure, you may see no output, which means that the handshake failed. Alternatively, the server, unable to negotiate an ECDHE suite, may fall back to a DHE suite, indicated by the following output:

    Server Temp Key: DH, 2048 bits

If you need to test for named group preference, you need to offer two or more named groups, with your preferred one last. If you see it negotiated, that will mean that the server actively chooses the group it considers most appropriate. Use colons to separate the groups and be aware that the names are case-sensitive.

    $ echo | openssl s_client -connect hardenize.com:443 -curves prime256v1:X25519 2>/dev/null | grep "Server Temp Key"
    Server Temp Key: X25519, 253 bits

Note: You can get the complete list of elliptic curves supported by OpenSSL using the ecparam tool and the -list_curves switch. To that list, add X25519 and X448. Support for finite field groups is currently not available but should arrive with OpenSSL 3.0.

Testing DANE

DNS-based Authentication of Named Entities (DANE) is a set of standards that enables you to endorse the TLS certificates you use via DNS configuration. For this to work, DANE requires DNS itself to be secure, which means that DNSSEC is necessary. Therefore, DANE is essentially a mechanism for pinning; only the certificates you approve will be accepted as valid by DANE-enabled clients. DANE itself is not controversial, but DNSSEC, on which it relies, is a very divisive topic, with the world split between those who love it and those who hate it. As a result, DANE is currently not universally supported. It's more commonly used to secure SMTP servers; there is no support at the browser level.

Supporting DANE adds some complexity to your TLS deployments because of the way DNS configuration is propagated and cached. Before you use a new certificate you need to ensure that your new DNS configuration (endorsing that certificate) is fully propagated.
Thus, you would typically first publish your DNS changes, wait for a period of time sufficient for the caches to clear, and only then deploy the certificates.[27]

The testing itself is straightforward; you use the s_client tool while feeding it DANE data. This is handy because it enables you to test a connection even before making DNS changes. First, let's see what DANE configuration looks like. DANE stores configuration in TLSA resource records, using two prefix labels to indicate the protocol and port:

    $ host -t TLSA _25._tcp.mail.protonmail.ch
    _25._tcp.mail.protonmail.ch has TLSA record 3 1 1 76BB66711DA416433CA890A5B2E5A0533C6006478F7D10A4469A947ACC8399E1
    _25._tcp.mail.protonmail.ch has TLSA record 3 1 1 6111A5698D23C89E09C36FF833C1487EDC1B0C841F87C49DAE8F7A09E11E979E

This output contains two endorsements, one per certificate. Having two endorsements is not unusual. For example, perhaps you might have a service that uses two certificates (e.g., one with an RSA key and another with an ECDSA key), or you have a backup certificate, or you're simply in a transitional period when you're switching certificates. The three numbers at the beginning indicate that the endorsement targets the certificate directly (3) via its public key (1) and a SHA256 hash (1). The rest of the data is the hash itself.

To test, you connect to the SMTP service while providing the DANE data using the -dane_tlsa_domain and -dane_tlsa_rrdata switches:

    $ openssl s_client -starttls smtp \
        -connect mail.protonmail.ch:25 \
        -dane_tlsa_domain mail.protonmail.ch \
        -dane_tlsa_rrdata "3 1 1 76BB66711DA416433CA890A5B2E5A0533C6006478F7D10A4469A947ACC8399E1"

If the verification is successful, you will see something like this in the output:

    ---
    SSL handshake has read 5209 bytes and written 433 bytes
    Verification: OK
    Verified peername: *.protonmail.ch
    DANE TLSA 3 1 1 ...8f7d10a4469a947acc8399e1 matched EE certificate at depth 0
    ---

If you'd like to test for validation failure, just break the supplied hash. The result will be similar to the following output:

    ---
    SSL handshake has read 5209 bytes and written 433 bytes
    Verification error: No matching DANE TLSA records
    ---

For the best results, when testing DANE in this way, always provide all known TLSA records (one per -dane_tlsa_rrdata switch). If you do, services that use multiple certificates simultaneously will check out no matter what certificate is negotiated. For TLS 1.2 and earlier, it's possible to force a particular certificate via a choice of client-supported cipher suites (the -cipher switch). TLS 1.3 suites are different, and for this protocol version you would need to use the -sigalgs switch with a value such as ecdsa_secp256r1_sha256 or rsa_pss_rsae_sha256.

Testing Session Resumption

When coupled with the -reconnect switch, the s_client command can be used to test session reuse. In this mode, s_client will connect to the target server six times. It will create a new session on the first connection, then try to reuse the same session in the subsequent five connections:

    $ echo | openssl s_client -connect www.feistyduck.com:443 -reconnect

Note: Due to a bug in OpenSSL, at the time of writing session resumption testing doesn't work in combination with TLS 1.3. Until the bug is resolved,[28] the best you can do is test the earlier protocol versions. Use the -no_tls1_3 switch.

The previous command will produce a sea of output, most of which you won't care about.
The key parts are the information about new and reused sessions. There should be only one new session at the beginning, indicated by the following line:

    New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256

This is followed by five session reuses, indicated by lines like this:

    Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256

Most of the time, you don't want to look at all that output and want an answer quickly. You can get it using the following command line:

    $ echo | openssl s_client -connect www.feistyduck.com:443 -reconnect 2>/dev/null | grep 'New\|Reuse'
    New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256

Here's what the command does: the -reconnect switch activates the session reuse mode; the 2>/dev/null part hides stderr output, which you don't care about; finally, the piped grep command filters out the rest of the fluff and lets through only the lines that you care about.

Note: If you don't want to include session tickets in the test—for example, because not all clients support this feature yet—you can disable this method of resumption using the -no_ticket switch. This option doesn't apply to TLS 1.3.

Keeping Session State across Connections

If you need better control over resumption, the s_client tool provides options to persist the connection state to a file. On your first connection, use the -sess_out switch to record the state:

    $ openssl s_client -connect www.feistyduck.com:443 -sess_out sess.pem

To view the recorded state, use the sess_id tool:

    $ openssl sess_id -in sess.pem -noout -text
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
        Session-ID: F7384C2C4BE621F66045ECE12A89821FEE789C2E75B78C90C428BE37E0FE4599
        Session-ID-ctx:
        Master-Key: 9D39C582D9AA1618B2F16C7911C4BFFB61D6D1FD578A93B1145FD2B4DBFDE76EB2279BA50AEFFCD95320BEEBC9489FAF
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 64800 (seconds)
        TLS session ticket:
0000-a2d3e3040321856d-1a4f9c82fc4e15e0.....!.m.O...N.. 0010-9bb8b1240d95a30a-b824d4f5d2beb856...$.....$.....V 0020-b2f0e9c5e55331b5-247496bae4563268.....S1.$t...V2h 0030-febb7a7f28d7c419-6ac5ca223aa72d45..z.(...j..":.-E 0040-529174f7a8fa7540-02b9849c840da806R.t...u@........ 0050-c7a165af8b541974-52e8c4f4471c3ff0..e..T.tR...G.?. 0060-46351a3ca9a57330-33b720bddc8ab8f9F5.<..s03...... starttime:1602414785 timeout:300 verifyreturncode:20 extendedmastersecret:nofinally youtocompletelychangeconnectionparametersfromoneconnectiontoanother.for example yoursecond.thismaybeofusewhenyouneedtotestifsessionresumptioniscorrectly implementedonawebservercluster.manualcontrolofyourconnectionsallowsyouto spreadthemovertime rotation.checkingocsprevocationifanocspresponderismalfunctioning why.checkingcertificaterevocationstatusfromthecommandlineispossible notquitestraightforward.youneedtoperformthefollowingsteps:obtainthecertificatethatyouwishtocheckforr evocation.obtaintheissuingcertificate.determinetheurloftheocspresponder.submitanocsprequestandobserv etheresponse.forthefirsttwosteps switchspecified: certificatechainisproperlyconfigured issuer.toconfirm ofthesecond:certificatechain i:c="GB,ST=GreaterManchester,L=Salford,O=COMODOCALimited,CN=COMODO↩" rsadomainvalidationsecureserverca miifuzccbdugawibagirapr zbqxjvsc3e1thffzwrzdpsu4fn wfqfgga2ar2xutsqa7re6xlxolwbpuq="-----ENDCERTIFICATE-----" rsacertificationauthority miigcdcca htelmakga1uebhmcr0ixgzazbgnvbagtekdyzwf0zxigtwfuy2hlc3rlcjeqma4g serversdon certificateinthechain tolookfortheauthorityinformationaccessextensionintheleaf certificate: authorityinformationaccess: caissuers-uri:http: .crt ocsp-uri:http: urloftheissuercertificate.iftheissuercertificateinformationisn youcantrytoopenthesiteinabrowser theissuingcertificatefromitscertificateviewer.ifallthatfails thecertificateinyourtruststoreorvisittheca responder commandasashortcut: http: issuer.crt warning:nononceinresponse responseverifyok fd.crt:good thisupdate:aug3022:35:122020gmt 
    Next Update: Sep  6 22:35:12 2020 GMT

You want to look for two things in the response. First, is valid check what the response said. When you see good as the status, means that the certificate hasn't revoked for revoked certificates.

Note
The warning message about the missing nonce is telling you that OpenSSL wanted to use a nonce as a protection against replay attacks not reply with one. This generally happens because CAs want to improve the performance of their OCSP responders. When they disable the nonce protection, standard allows it reused for a period of time.

You may encounter OCSP responders that do not respond successfully to the previous command line. The following suggestions may help in such situations.

Do not request a nonce
Some servers cannot handle nonce requests and respond with errors. OpenSSL will request a nonce by default. To disable nonces,

correct hostname in the Host header
encounter an error message that includes an HTTP error code adding the hostname to your OCSP request. You can do this with the help of the -header switch.

With the previous two points in mind, following:

issuer.crt -no_nonce -header Host ocsp.comodoca.com

Testing OCSP Stapling

OCSP stapling is an optional feature that allows a server certificate to be accompanied by an OCSP response that proves its validity. Because the OCSP response is delivered over an already existing connection separately. OCSP stapling is used only if requested by a client status_request extension in the handshake request. A server that supports OCSP stapling will respond by including an OCSP response as part of the handshake.

When using the s_client tool output. For example, near the top of the output:

CONNECTED
OCSP response: no response sent

With a server that does support stapling output:

OCSP Response Data:
    OCSP Response Status: successful
    Response Type: Basic OCSP Response
    Version: 1
    Responder Id: 90af6a3a945a0bd890ea125673df43b43a28dae7
    Produced At: Aug 30 22:35:12 2020 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7ae13ee8a0c42a2cb428cbe7a605461940e2a1e9
      Issuer Key Hash: 90af6a3a945a0bd890ea125673df43b43a28dae7
      Serial Number: f47f09b599124b1f08846ac4d71eb0f2
    Cert Status: good
    Next Update: Sep  6 22:35:12 2020 GMT

    Signature Algorithm: sha256WithRSAEncryption
revoked.

Checking CRL Revocation

Checking certificate verification with a certificate revocation list process is as follows:

1. Obtain the certificate you wish to check for revocation.
2. Obtain the issuing certificate.
3. Download and verify the CRL.
4. Look for the certificate serial number in the CRL.

The first steps overlap with OCSP checking in the section called

Distribution Points:
    URI:http: l

Then fetch the CRL from the CA:

verify OK

Now

serial=F47F09B599124B1F08846AC4D71EB0F2

At this point, you can convert the CRL into a human-readable format and inspect it manually:

Certificate Revocation List
        Version 2
        Issuer: C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN
        Last Update: Aug 31 07:52:03 2020 GMT
        Next Update: Sep  7 07:52:03 2020 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:90:af:6a:3a:94:5a:0b:d8:90:ea:12:56:73:df:43:b4:3a:28:da:e7
            X509v3 CRL Number:
Revoked Certificates:
    Serial Number: 70dab4b3229280f04364bc58db2ab922
        Revocation Date: May 29 12:18:27 2017 GMT
    Serial Number: 51894d40389cdab84a7a6f3374e1d893
        Revocation Date: May 30 23:20:55 2017 GMT

certificates the serial number of the server certificate is on the list revoked. If you don't long crl tool. For example:

eb0f2

Testing Renegotiation in TLS

weaknesses renegotiation protocol revisions. The s_client tool has a couple of features that can assist you with manual testing of renegotiation. First of all, the remote server supports secure renegotiation. This is because a server that supports secure renegotiation indicates its support for it via a special TLS extension that is exchanged during the handshake phase. When support is available, like this:

New
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:

different:

Secure Renegotiation IS NOT supported

Note
Because TLS 1.3 doesn't tool will always give a negative answer if this protocol version is negotiated. To ensure reliable results, negotiation of an earlier protocol version.

Even if the server indicates support for secure renegotiation, whether it also allows clients to initiate renegotiation. Client-initiated renegotiation is a protocol feature that doesn't practice
makes the server more susceptible to denial of service attacks.

To initiate renegotiation, R character on a line by itself. For example, talking to an HTTP server a web server that supports client-initiated renegotiation:

GET
R
RENEGOTIATING
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
Validation Server CA
California
Mozilla Foundation
Host: addons.mozilla.org

HTTP
Content-Type: text
Date: Mon
Location:
Strict-Transport-Security: max-age=31536000
Content-Length: 49
Connection: close

Moved Permanently. Redirecting to

client again. You can see the verification of the certificate chain in the output. The next line after that continues with the Host request header. Seeing the web server

various ways the renegotiation issue was addressed in various versions of SSL libraries keep it open but refuse to continue to talk over it timeout on the connection:

HEAD
_pkt.c:592:

At the time of writing, don't successful with a server that doesn't the server supports insecure client-initiated renegotiation.

Note
The most reliable way to test for insecure renegotiation is to use the method described in this section the discovery of insecure renegotiation is a small number of servers that support both secure and insecure renegotiation. This vulnerability is difficult to detect with modern versions of OpenSSL always prefer the secure option.

Testing for Heartbleed

You can test for Heartbleed manually with OpenSSL or by using one of the tools designed for this purpose. There are now many utilities available very easy to exploit. But accuracy. There is evidence that some tools fail to detect vulnerable servers.29 Given the seriousness of Heartbleed, using a tool that gives you full visibility of the process. I am going to describe an approach you can use with only a modified version of OpenSSL. Some parts of the test don't version that supports the heartbeat protocol for example connecting:

CONNECTED
TLS server extension
TLS server extension "EC point formats" (id=11), len=4
0000 - 03 00 01 02                                       ....
TLS server extension "session ticket" (id=35), len=0
TLS server extension "heartbeat" (id=15), len=1
0000 - 01
[...]

A server that does not return the heartbeat extension is not vulnerable to Heartbleed.
To test if a server responds to heartbeat requests, use the -msg switch to request that protocol messages are shown, connect to the server, wait until the handshake completes, then type B and press return:

$ openssl s_client -connect www.feistyduck.com:443 -tlsextdebug -msg
[...]
---
B
HEARTBEATING
>>> TLS 1.2 [length 0025], HeartbeatRequest
    01 00 12 00 00 3c 83 1a 9f 1a 5c 84 aa 86 9e 20
    c7 a2 ac d7 6f f0 c9 63 9b d5 85 bf 9a 47 61 27
    d5 22 4c 70 75
<<
tlsext_hb_seq)
+        if ((payload == (18 + PAYLOAD_EXTRA)) && seq == s->tlsext_hb_seq)
             {
             s->tlsext_hb_seq++;
             s->tlsext_hb_pending = 0;
@@ -2705,7 +2706,7 @@
         /* Message Type */
         *p++ = TLS1_HB_REQUEST;
         /* Payload length (18 bytes here) */
-        s2n(payload, p);
+        s2n(payload + PAYLOAD_EXTRA, p);
         /* Sequence number */
         s2n(s->tlsext_hb_seq, p);
         /* 16 random bytes */

To build a noninvasive test, increase payload length by up to 16 bytes, or the length of the padding. When a vulnerable server responds to such a request, it will return the padding but nothing else. To build an invasive test, increase the payload length by, say, 32 bytes. A vulnerable server will respond with a payload of 50 bytes (18 bytes sent by OpenSSL by default, plus your 32 bytes) and send 16 bytes of padding. By increasing the declared length of the payload in this way, a vulnerable server will return up to 64 KB of data. A server not vulnerable to Heartbleed will not respond.

To produce your own Heartbleed testing tool, unpack a fresh copy of OpenSSL source code, edit ssl/t1_lib.c to make the change as in the patch, compile as usual, but don't install. The resulting openssl binary will be placed in the apps/ subdirectory. Because it is statically compiled, you can rename it to something like openssl-heartbleed and move it to its permanent location.

Here's an example of the output you'd get with a vulnerable server that returns 16 bytes of server data (in bold):

B
HEARTBEATING
>>> TLS 1.2 [length 0025], HeartbeatRequest
    01 00 32 00 00 7c e8 f5 62 35 03 bb 00 34 19 4d
    57 7e f1 e5 90 6e 71 a9 26 85 96 1c c4 2b eb d5
    93 e2 d7 bb 5f
<<
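Review bot: PAYLOAD_EXTRA is referenced in both hunks of the ssl/t1_lib.c patch but is never defined in the shown change, so the file will not compile as posted; add the #define for it to ssl/t1_lib.c as part of the same patch and state its intended value in the accompanying text, which currently describes 16 and 32 as example increments without tying them to the macro.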


