サーバーのSSL/TSLテストをやってみる
サーバーのSSL/TLSテストについて
CMAN
CMAN SSLチェック【証明書・プロトコル・暗号スイート確認】
日本語で使えるので、いろいろ使いやすいが、TLS1.3に対応していない。
SSL Server Test
サーバーのSSLテストでよく使われるらしい。
ただし、有料プランでなければ標準ポート(443)以外のチェックが行えないため、標準ポート以外でチェックしたい場合はできない。
testssl.sh
WebサーバーのSSL/TLSの対応状況とか、使用可能な証明書アルゴリズムとか脆弱性の対応状況を一括で確認できるbashスクリプト。
拡張子が「sh」となっているが、中身を見てみるとどうやら「bash」っぽい。
bashが使用できるシステムであればたぶん汎用的に使用できる。
ポートについても443以外のカスタムポートをチェックすることも可能。
testssl.shでやってみる
wgetでもgitでもいいので、とりあえずダウンロードして動かしてみるといろいろわかる。
usageはこんな感じ。
もちろん、オプションなしでtestssl.shを実行すれば同じものが見ることができる。
$ ./testssl.sh "testssl.sh [options] <URI>" or "testssl.sh <options>" "testssl.sh <option>", where <option> is mostly standalone and one of: --help what youre looking at -b, --banner displays banner + version of testssl.sh -v, --version same as previous -V, --local [pattern] pretty print all local ciphers (of openssl only). If search pattern supplied: it is an an ignore case word pattern of cipher hexcode or any other string in its name, kx or bits "testssl.sh [options] <URI>", where <URI> is: <URI> host|host:port|URL|URL:port port 443 is default, URL can only contain HTTPS as a protocol and [options] is/are: -t, --starttls <protocol> Does a run against a STARTTLS enabled service which is one of ftp, smtp, lmtp, pop3, imap, xmpp, xmpp-server, telnet, ldap, nntp, postgres, mysql --xmpphost <to_domain> For STARTTLS xmpp or xmpp-server checks it supplies the domainname (like SNI) --mx <domain/host> Tests MX records from high to low priority (STARTTLS, port 25) --file/-iL <fname> Mass testing option: Reads one testssl.sh command line per line from <fname>. Can be combined with --serial or --parallel. Implicitly turns on "--warnings batch". Text format 1: Comments via # allowed, EOF signals end of <fname> Text format 2: nmap output in greppable format (-oG), 1 port per line allowed --mode <serial|parallel> Mass testing to be done serial (default) or parallel (--parallel is shortcut for the latter) --warnings <batch|off> "batch" doesnt continue when a testing error is encountered, off continues and skips warnings --connect-timeout <seconds> useful to avoid hangers. Max <seconds> to wait for the TCP socket connect to return --openssl-timeout <seconds> useful to avoid hangers. Max <seconds> to wait before openssl connect will be terminated single check as <options> ("testssl.sh URI" does everything except -E and -g): -e, --each-cipher checks each local cipher remotely -E, --cipher-per-proto checks those per protocol -s, --std, --standard tests certain lists of cipher suites by strength -f, --fs, --nsa checks forward secrecy settings -p, --protocols checks TLS/SSL protocols (including SPDY/HTTP2) -g, --grease tests several server implementation bugs like GREASE and size limitations -S, --server-defaults displays the servers default picks and certificate info -P, --server-preference displays the servers picks: protocol+cipher -x, --single-cipher <pattern> tests matched <pattern> of ciphers (if <pattern> not a number: word match) -c, --client-simulation test client simulations, see which client negotiates with cipher and protocol -h, --header, --headers tests HSTS, HPKP, server/app banner, security headers, cookie, reverse proxy, IPv4 address -U, --vulnerable tests all (of the following) vulnerabilities (if applicable) -H, --heartbleed tests for Heartbleed vulnerability -I, --ccs, --ccs-injection tests for CCS injection vulnerability -T, --ticketbleed tests for Ticketbleed vulnerability in BigIP loadbalancers --BB, --robot tests for Return of Bleichenbachers Oracle Threat (ROBOT) vulnerability --SI, --starttls-injection tests for STARTTLS injection issues -R, --renegotiation tests for renegotiation vulnerabilities -C, --compression, --crime tests for CRIME vulnerability (TLS compression issue) -B, --breach tests for BREACH vulnerability (HTTP compression issue) -O, --poodle tests for POODLE (SSL) vulnerability -Z, --tls-fallback checks TLS_FALLBACK_SCSV mitigation -W, --sweet32 tests 64 bit block ciphers (3DES, RC2 and IDEA): SWEET32 vulnerability -A, --beast tests for BEAST vulnerability -L, --lucky13 tests for LUCKY13 -WS, --winshock tests for winshock vulnerability -F, --freak tests for FREAK vulnerability -J, --logjam tests for LOGJAM vulnerability -D, --drown tests for DROWN vulnerability -4, --rc4, --appelbaum which RC4 ciphers are being offered? tuning / connect options (most also can be preset via environment variables): --fast omits some checks: using openssl for all ciphers (-e), show only first preferred cipher. -9, --full includes tests for implementation bugs and cipher per protocol (could disappear) --bugs enables the "-bugs" option of s_client, needed e.g. for some buggy F5s --assume-http if protocol check fails it assumes HTTP protocol and enforces HTTP checks --ssl-native fallback to checks with OpenSSL where sockets are normally used --openssl <PATH> use this openssl binary (default: look in $PATH, $RUN_DIR of testssl.sh) --proxy <host:port|auto> (experimental) proxy connects via <host:port>, auto: values from $env ($http(s)_proxy) -6 also use IPv6. Works only with supporting OpenSSL version and IPv6 connectivity --ip <ip> a) tests the supplied <ip> v4 or v6 address instead of resolving host(s) in URI b) arg "one" means: just test the first DNS returns (useful for multiple IPs) -n, --nodns <min|none> if "none": do not try any DNS lookups, "min" queries A, AAAA and MX records --sneaky leave less traces in target logs: user agent, referer --user-agent <user agent> set a custom user agent instead of the standard user agent --ids-friendly skips a few vulnerability checks which may cause IDSs to block the scanning IP --phone-out allow to contact external servers for CRL download and querying OCSP responder --add-ca <CA files|CA dir> path to <CAdir> with *.pem or a comma separated list of CA files to include in trust check --basicauth <user:pass> provide HTTP basic auth information. --reqheader <header> add custom http request headers output options (can also be preset via environment variables): --quiet dont output the banner. By doing this you acknowledge usage terms normally appearing in the banner --wide wide output for tests like RC4, BEAST. FS also with hexcode, kx, strength, RFC name --show-each for wide outputs: display all ciphers tested -- not only succeeded ones --mapping <openssl| openssl: use the OpenSSL cipher suite name as the primary name cipher suite name form (default) iana|rfc -> use the IANA/(RFC) cipher suite name as the primary name cipher suite name form no-openssl| -> dont display the OpenSSL cipher suite name, display IANA/(RFC) names only no-iana|no-rfc> -> dont display the IANA/(RFC) cipher suite name, display OpenSSL names only --color <0|1|2|3> 0: no escape or other codes, 1: b/w escape codes, 2: color (default), 3: extra color (color all ciphers) --colorblind swap green and blue in the output --debug <0-6> 1: screen output normal but keeps debug output in /tmp/. 2-6: see "grep -A 5 ^DEBUG= testssl.sh" --disable-rating Explicitly disables the rating output file output options (can also be preset via environment variables) --log, --logging logs stdout to ${NODE}-p${port}${YYYYMMDD-HHMM}.log in current working directory (cwd) --logfile|-oL <logfile> logs stdout to dir/${NODE}-p${port}${YYYYMMDD-HHMM}.log. If logfile is a dir or to a specified logfile --json additional output of findings to flat JSON file ${NODE}-p${port}${YYYYMMDD-HHMM}.json in cwd --jsonfile|-oj <jsonfile> additional output to the specified flat JSON file or directory, similar to --logfile --json-pretty additional JSON structured output of findings to a file ${NODE}-p${port}${YYYYMMDD-HHMM}.json in cwd --jsonfile-pretty|-oJ <jsonfile> additional JSON structured output to the specified file or directory, similar to --logfile --csv additional output of findings to CSV file ${NODE}-p${port}${YYYYMMDD-HHMM}.csv in cwd or directory --csvfile|-oC <csvfile> additional output as CSV to the specified file or directory, similar to --logfile --html additional output as HTML to file ${NODE}-p${port}${YYYYMMDD-HHMM}.html --htmlfile|-oH <htmlfile> additional output as HTML to the specified file or directory, similar to --logfile --out(f,F)ile|-oa/-oA <fname> log to a LOG,JSON,CSV,HTML file (see nmap). -oA/-oa: pretty/flat JSON. "auto" uses ${NODE}-p${port}${YYYYMMDD-HHMM}. If fname if a dir uses dir/${NODE}-p${port}${YYYYMMDD-HHMM} --hints additional hints to findings --severity <severity> severities with lower level will be filtered for CSV+JSON, possible values <LOW|MEDIUM|HIGH|CRITICAL> --append if (non-empty) <logfile>, <csvfile>, <jsonfile> or <htmlfile> exists, append to file. Omits any header --overwrite if <logfile>, <csvfile>, <jsonfile> or <htmlfile> exists it overwrites it without any warning --outprefix <fname_prefix> before ${NODE}. above prepend <fname_prefix> Options requiring a value can also be called with = e.g. testssl.sh -t=smtp --wide --openssl=/usr/bin/openssl <URI>. <URI> always needs to be the last parameter.
パラメータのURIについては、「example.com:8080」みたいにすればポート指定が可能。
この辺りを使用して、こんな感じで実行してみる。
./testssl.sh --html example.com:8080 ./testssl.sh --log example.com:8080
htmlオプションは結果をHTMLで記録してくれるので、Linuxで実行した結果をWindowsで見たいといった場合に使いやすい。
logオプションは結果をbashの装飾機能を使って色付けしてくれるので、bashコンソール上で再確認するといった場合は使いやすい。
ただし、Windowsでログファイルを見る場合は、タグに制御コードを使用しているため、見辛くくなってしまう。
なお、htmlオプションやlogオプションの有無に関わらず実行結果はコンソールに標準出力される。
実行結果
やってみた結果はこんな感じ(一部抜粋)
########################################################### testssl.sh 3.1dev from [https://testssl.sh/dev/](https://testssl.sh/dev/) (895a6b9 2021-03-11 10:42:52 -- ) This program is free software. Distribution and modification under GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! Please file bugs @ [https://testssl.sh/bugs/](https://testssl.sh/bugs/) ########################################################### Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" \[~183 ciphers\] on ik1-419-41682:./bin/openssl.Linux.x86\_64 (built: "Jan 18 17:12:17 2019", platform: "linux-x86\_64") Start 2021-03-20 22:07:04 -->> 100.100.100.100:8080 (example.com) <<-- rDNS (100.100.100.100): example.com. Service detected: HTTP Testing protocols via sockets except NPN+ALPN SSLv2 not offered (OK) SSLv3 not offered (OK) TLS 1 not offered TLS 1.1 not offered TLS 1.2 offered (OK) TLS 1.3 not offered and downgraded to a weaker protocol NPN/SPDY not offered ALPN/HTTP2 not offered Testing cipher categories NULL ciphers (no encryption) not offered (OK) Anonymous NULL Ciphers (no authentication) not offered (OK) Export ciphers (w/o ADH+NULL) not offered (OK) LOW: 64 Bit + DES, RC\[2,4\], MD5 (w/o export) not offered (OK) Triple DES Ciphers / IDEA not offered Obsoleted CBC ciphers (AES, ARIA etc.) offered Strong encryption (AEAD ciphers) with no FS offered (OK) Forward Secrecy strong encryption (AEAD ciphers) offered (OK) Testing server's cipher preferences Has server cipher order? no (NOT ok) Negotiated protocol TLSv1.2 Negotiated cipher AES128-GCM-SHA256 -- inconclusive test, matching cipher in list missing, better see below Cipher per protocol Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC) ----------------------------------------------------------------------------------------------------------------------------- SSLv2 - SSLv3 - TLSv1 - TLSv1.1 - TLSv1.2 (no server order, thus listed by strength) xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 521 AESGCM 256 TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384 xc028 ECDHE-RSA-AES256-SHA384 ECDH 521 AES 256 TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA384 xc014 ECDHE-RSA-AES256-SHA ECDH 521 AES 256 TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 521 ChaCha20 256 TLS\_ECDHE\_RSA\_WITH\_CHACHA20\_POLY1305\_SHA256 xc077 ECDHE-RSA-CAMELLIA256-SHA384 ECDH 521 Camellia 256 TLS\_ECDHE\_RSA\_WITH\_CAMELLIA\_256\_CBC\_SHA384 x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS\_RSA\_WITH\_AES\_256\_GCM\_SHA384 Testing vulnerabilities Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension CCS (CVE-2014-0224) not vulnerable (OK) Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK) ROBOT not vulnerable (OK) Secure Renegotiation (RFC 5746) supported (OK) Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat (6 attempts) CRIME, TLS (CVE-2012-4929) not vulnerable (OK) BREACH (CVE-2013-3587) no gzip/deflate/compress/br HTTP compression (OK) - only supplied "/" tested POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support TLS\_FALLBACK\_SCSV (RFC 7507) No fallback possible (OK), no protocol below TLS 1.2 offered SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK) FREAK (CVE-2015-0204) not vulnerable (OK) DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK) make sure you don't use this certificate elsewhere with SSLv2 enabled services https://censys.io/ipv4?q=2DA7122DD4B5E469076E1331612447F67B73AA399AA7388775C717ED5BD07725 could help you to find out LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2 BEAST (CVE-2011-3389) not vulnerable (OK), no SSL3 or TLS1 LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches Winshock (CVE-2014-6321), experimental not vulnerable (OK) - ARIA, CHACHA or CCM ciphers found RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK) Running client simulations (HTTP) via sockets Rating specs (not complete) SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30) Specification documentation [https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide](https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide) Protocol Support (weighted) 100 (30) Key Exchange (weighted) 90 (27) Cipher Strength (weighted) 90 (36) Final Score 93 Overall Grade A Grade cap reasons Grade capped to A. HSTS is not offered Done 2021-03-20 22:09:14 \[ 132s\] -->> 100.100.100.100:8080 (example.com) <<--
testssl結果
Overall GradeはAだったので、概ねは問題ないのだが、以下の点が気になった。
Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat (6 attempts)
Qiita # testssl.sh の Secure Client-Initiated Renegotiation チェック
ここを見てみると、CVE-2011-1473の対応が出来ていないということらしい。
stone修正
脆弱性に対応するには、自分のサーバ構成上どうしてもstoneを修正する必要がある。
現在の設定オプションを見てみると、SSLフラグに関する設定は後付けできないので、ソースを修正することにする。
stoneでCTXオプションを設定している箇所があるので、そこに1行追加する。
SSL_CTX_set_options(ss->ctx, opts->off); ↓ SSL_CTX_set_options(ss->ctx, opts->off); SSL_CTX_set_options(ss->ctx, SSL_OP_NO_RENEGOTIATION);
SSL_CTX_set_optionsではビットマスクを使用してオプションを追加して、複数セットしたとしてもクリアされない。
ということで、修正したソースを使用してmakeしたものに入れ替えて改めてtestssl.shを実行すると、Secure Client-Initiated Renegotiationの部分が「not vulnerable (OK)」となったので、対応は完了。