ねじまきまきまき -Random Note-

Miscellaneous notes so I don't forget what I did

Trying out server SSL/TLS testing

About server SSL/TLS testing

CMAN

CMAN SSL Check [certificate / protocol / cipher suite verification]

It is available in Japanese, so it is easy to use in many ways, but it does not support TLS 1.3.

SSL Server Test

Qualys SSL Server Test

Apparently the most commonly used service for server SSL testing.

However, unless you are on a paid plan it can only check the standard port (443), so it is no use if you want to check a non-standard port.

testssl.sh

testssl.sh (git)

A bash script that checks a web server's SSL/TLS support, the usable certificate algorithms, and its exposure to known vulnerabilities all in one run.

The file extension is "sh", but looking at the contents it is clearly bash.

It should work on pretty much any system where bash is available.

As for ports, it can also check custom ports other than 443.

Trying it with testssl.sh

Download it with wget or git, whichever you prefer, and just running it tells you a lot.

The usage looks like this.

Of course, running testssl.sh with no options shows the same thing.

$ ./testssl.sh

     "testssl.sh [options] <URI>"    or    "testssl.sh <options>"

"testssl.sh <option>", where <option> is mostly standalone and one of:

     --help                        what youre looking at
     -b, --banner                  displays banner + version of testssl.sh
     -v, --version                 same as previous
     -V, --local [pattern]         pretty print all local ciphers (of openssl only). If search pattern supplied: it is an
                                   an ignore case word pattern of cipher hexcode or any other string in its name, kx or bits

"testssl.sh [options] <URI>", where <URI> is:

     <URI>                         host|host:port|URL|URL:port   port 443 is default, URL can only contain HTTPS as a protocol

  and [options] is/are:

     -t, --starttls <protocol>     Does a run against a STARTTLS enabled service which is one of ftp, smtp, lmtp, pop3, imap,
                                   xmpp, xmpp-server, telnet, ldap, nntp, postgres, mysql
     --xmpphost <to_domain>        For STARTTLS xmpp or xmpp-server checks it supplies the domainname (like SNI)
     --mx <domain/host>            Tests MX records from high to low priority (STARTTLS, port 25)
     --file/-iL <fname>            Mass testing option: Reads one testssl.sh command line per line from <fname>.
                                   Can be combined with --serial or --parallel. Implicitly turns on "--warnings batch".
                                   Text format 1: Comments via # allowed, EOF signals end of <fname>
                                   Text format 2: nmap output in greppable format (-oG), 1 port per line allowed
     --mode <serial|parallel>      Mass testing to be done serial (default) or parallel (--parallel is shortcut for the latter)
     --warnings <batch|off>        "batch" doesnt continue when a testing error is encountered, off continues and skips warnings
     --connect-timeout <seconds>   useful to avoid hangers. Max <seconds> to wait for the TCP socket connect to return
     --openssl-timeout <seconds>   useful to avoid hangers. Max <seconds> to wait before openssl connect will be terminated

single check as <options>  ("testssl.sh URI" does everything except -E and -g):
     -e, --each-cipher             checks each local cipher remotely
     -E, --cipher-per-proto        checks those per protocol
     -s, --std, --standard         tests certain lists of cipher suites by strength
     -f, --fs, --nsa               checks forward secrecy settings
     -p, --protocols               checks TLS/SSL protocols (including SPDY/HTTP2)
     -g, --grease                  tests several server implementation bugs like GREASE and size limitations
     -S, --server-defaults         displays the servers default picks and certificate info
     -P, --server-preference       displays the servers picks: protocol+cipher
     -x, --single-cipher <pattern> tests matched <pattern> of ciphers
                                   (if <pattern> not a number: word match)
     -c, --client-simulation       test client simulations, see which client negotiates with cipher and protocol
     -h, --header, --headers       tests HSTS, HPKP, server/app banner, security headers, cookie, reverse proxy, IPv4 address

     -U, --vulnerable              tests all (of the following) vulnerabilities (if applicable)
     -H, --heartbleed              tests for Heartbleed vulnerability
     -I, --ccs, --ccs-injection    tests for CCS injection vulnerability
     -T, --ticketbleed             tests for Ticketbleed vulnerability in BigIP loadbalancers
     --BB, --robot                 tests for Return of Bleichenbachers Oracle Threat (ROBOT) vulnerability
     --SI, --starttls-injection    tests for STARTTLS injection issues
     -R, --renegotiation           tests for renegotiation vulnerabilities
     -C, --compression, --crime    tests for CRIME vulnerability (TLS compression issue)
     -B, --breach                  tests for BREACH vulnerability (HTTP compression issue)
     -O, --poodle                  tests for POODLE (SSL) vulnerability
     -Z, --tls-fallback            checks TLS_FALLBACK_SCSV mitigation
     -W, --sweet32                 tests 64 bit block ciphers (3DES, RC2 and IDEA): SWEET32 vulnerability
     -A, --beast                   tests for BEAST vulnerability
     -L, --lucky13                 tests for LUCKY13
     -WS, --winshock               tests for winshock vulnerability
     -F, --freak                   tests for FREAK vulnerability
     -J, --logjam                  tests for LOGJAM vulnerability
     -D, --drown                   tests for DROWN vulnerability
     -4, --rc4, --appelbaum        which RC4 ciphers are being offered?

tuning / connect options (most also can be preset via environment variables):
     --fast                        omits some checks: using openssl for all ciphers (-e), show only first preferred cipher.
     -9, --full                    includes tests for implementation bugs and cipher per protocol (could disappear)
     --bugs                        enables the "-bugs" option of s_client, needed e.g. for some buggy F5s
     --assume-http                 if protocol check fails it assumes HTTP protocol and enforces HTTP checks
     --ssl-native                  fallback to checks with OpenSSL where sockets are normally used
     --openssl <PATH>              use this openssl binary (default: look in $PATH, $RUN_DIR of testssl.sh)
     --proxy <host:port|auto>      (experimental) proxy connects via <host:port>, auto: values from $env ($http(s)_proxy)
     -6                            also use IPv6. Works only with supporting OpenSSL version and IPv6 connectivity
     --ip <ip>                     a) tests the supplied <ip> v4 or v6 address instead of resolving host(s) in URI
                                   b) arg "one" means: just test the first DNS returns (useful for multiple IPs)
     -n, --nodns <min|none>        if "none": do not try any DNS lookups, "min" queries A, AAAA and MX records
     --sneaky                      leave less traces in target logs: user agent, referer
     --user-agent <user agent>     set a custom user agent instead of the standard user agent
     --ids-friendly                skips a few vulnerability checks which may cause IDSs to block the scanning IP
     --phone-out                   allow to contact external servers for CRL download and querying OCSP responder
     --add-ca <CA files|CA dir>    path to <CAdir> with *.pem or a comma separated list of CA files to include in trust check
     --basicauth <user:pass>       provide HTTP basic auth information.
     --reqheader <header>          add custom http request headers

output options (can also be preset via environment variables):
     --quiet                       dont output the banner. By doing this you acknowledge usage terms normally appearing in the banner
     --wide                        wide output for tests like RC4, BEAST. FS also with hexcode, kx, strength, RFC name
     --show-each                   for wide outputs: display all ciphers tested -- not only succeeded ones
     --mapping <openssl|           openssl: use the OpenSSL cipher suite name as the primary name cipher suite name form (default)
                iana|rfc             -> use the IANA/(RFC) cipher suite name as the primary name cipher suite name form
                no-openssl|          -> dont display the OpenSSL cipher suite name, display IANA/(RFC) names only
                no-iana|no-rfc>      -> dont display the IANA/(RFC) cipher suite name, display OpenSSL names only
     --color <0|1|2|3>             0: no escape or other codes,  1: b/w escape codes,  2: color (default), 3: extra color (color all ciphers)
     --colorblind                  swap green and blue in the output
     --debug <0-6>                 1: screen output normal but keeps debug output in /tmp/.  2-6: see "grep -A 5 ^DEBUG= testssl.sh"
     --disable-rating              Explicitly disables the rating output

file output options (can also be preset via environment variables)
     --log, --logging              logs stdout to ${NODE}-p${port}${YYYYMMDD-HHMM}.log in current working directory (cwd)
     --logfile|-oL <logfile>       logs stdout to dir/${NODE}-p${port}${YYYYMMDD-HHMM}.log. If logfile is a dir or to a specified logfile
     --json                        additional output of findings to flat JSON file ${NODE}-p${port}${YYYYMMDD-HHMM}.json in cwd
     --jsonfile|-oj <jsonfile>     additional output to the specified flat JSON file or directory, similar to --logfile
     --json-pretty                 additional JSON structured output of findings to a file ${NODE}-p${port}${YYYYMMDD-HHMM}.json in cwd
     --jsonfile-pretty|-oJ <jsonfile>  additional JSON structured output to the specified file or directory, similar to --logfile
     --csv                         additional output of findings to CSV file ${NODE}-p${port}${YYYYMMDD-HHMM}.csv in cwd or directory
     --csvfile|-oC <csvfile>       additional output as CSV to the specified file or directory, similar to --logfile
     --html                        additional output as HTML to file ${NODE}-p${port}${YYYYMMDD-HHMM}.html
     --htmlfile|-oH <htmlfile>     additional output as HTML to the specified file or directory, similar to --logfile
     --out(f,F)ile|-oa/-oA <fname> log to a LOG,JSON,CSV,HTML file (see nmap). -oA/-oa: pretty/flat JSON.
                                   "auto" uses ${NODE}-p${port}${YYYYMMDD-HHMM}. If fname if a dir uses dir/${NODE}-p${port}${YYYYMMDD-HHMM}
     --hints                       additional hints to findings
     --severity <severity>         severities with lower level will be filtered for CSV+JSON, possible values <LOW|MEDIUM|HIGH|CRITICAL>
     --append                      if (non-empty) <logfile>, <csvfile>, <jsonfile> or <htmlfile> exists, append to file. Omits any header
     --overwrite                   if <logfile>, <csvfile>, <jsonfile> or <htmlfile> exists it overwrites it without any warning
     --outprefix <fname_prefix>    before  ${NODE}. above prepend <fname_prefix>


Options requiring a value can also be called with = e.g. testssl.sh -t=smtp --wide --openssl=/usr/bin/openssl <URI>.
<URI> always needs to be the last parameter.

For the URI parameter, you can specify a port by writing something like "example.com:8080".

Using these options, I ran it like this.

./testssl.sh --html example.com:8080
./testssl.sh --log example.com:8080

The html option records the result as HTML, which is handy when you run the scan on Linux but want to view the result on Windows.

The log option records the result with the coloring produced by bash's escape-sequence decorations, which is handy when you want to re-check it on a bash console.

However, if you open the log file on Windows it is hard to read, because the decorations are control codes.

Note that with or without the html or log options, the result is always printed to standard output on the console.

Results

The result looked like this (excerpt).

###########################################################
    testssl.sh       3.1dev from https://testssl.sh/dev/
 (895a6b9 2021-03-11 10:42:52 -- )
 This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/
 ###########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers]
 on ik1-419-41682:./bin/openssl.Linux.x86_64
 (built: "Jan 18 17:12:17 2019", platform: "linux-x86_64")

 Start 2021-03-20 22:07:04        -->> 100.100.100.100:8080 (example.com) <<--

 rDNS (100.100.100.100):  example.com.
 Service detected:       HTTP

 Testing protocols via sockets except NPN+ALPN 

 SSLv2 not offered (OK)
 SSLv3 not offered (OK)
 TLS 1 not offered
 TLS 1.1 not offered
 TLS 1.2 offered (OK)
 TLS 1.3 not offered and downgraded to a weaker protocol
 NPN/SPDY not offered
 ALPN/HTTP2 not offered

 Testing cipher categories 

 NULL ciphers (no encryption) not offered (OK)
 Anonymous NULL Ciphers (no authentication) not offered (OK)
 Export ciphers (w/o ADH+NULL) not offered (OK)
 LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) not offered (OK)
 Triple DES Ciphers / IDEA not offered
 Obsoleted CBC ciphers (AES, ARIA etc.) offered
 Strong encryption (AEAD ciphers) with no FS offered (OK)
 Forward Secrecy strong encryption (AEAD ciphers) offered (OK)

 Testing server's cipher preferences 

 Has server cipher order? no (NOT ok)
 Negotiated protocol TLSv1.2
 Negotiated cipher AES128-GCM-SHA256 -- inconclusive test, matching cipher in list missing, better see below
 Cipher per protocol

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2
 - 
SSLv3
 - 
TLSv1
 - 
TLSv1.1
 - 
TLSv1.2 (no server order, thus listed by strength)
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 521   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 xc028   ECDHE-RSA-AES256-SHA384           ECDH 521   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 xc014   ECDHE-RSA-AES256-SHA              ECDH 521   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 521   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 xc077   ECDHE-RSA-CAMELLIA256-SHA384      ECDH 521   Camellia    256      TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
 x9d     AES256-GCM-SHA384                 RSA        AESGCM      256      TLS_RSA_WITH_AES_256_GCM_SHA384

 Testing vulnerabilities 

 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Ticketbleed (CVE-2016-9244), experiment.  not vulnerable (OK)
 ROBOT not vulnerable (OK)
 Secure Renegotiation (RFC 5746) supported (OK)
 Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat (6 attempts)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    no gzip/deflate/compress/br HTTP compression (OK)  - only supplied "/" tested
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK), no SSLv3 support
 TLS_FALLBACK_SCSV (RFC 7507)              No fallback possible (OK), no protocol below TLS 1.2 offered
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                           https://censys.io/ipv4?q=2DA7122DD4B5E469076E1331612447F67B73AA399AA7388775C717ED5BD07725 could help you to find out
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
 BEAST (CVE-2011-3389)                     not vulnerable (OK), no SSL3 or TLS1
 LUCKY13 (CVE-2013-0169), experimental     potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
 Winshock (CVE-2014-6321), experimental    not vulnerable (OK) - ARIA, CHACHA or CCM ciphers found
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)

 Running client simulations (HTTP) via sockets 

 Rating specs (not complete)  SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)
 Specification documentation https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
 Protocol Support (weighted)  100 (30)
 Key Exchange    (weighted)  90 (27)
 Cipher Strength (weighted)  90 (36)
 Final Score 93
 Overall Grade A
 Grade cap reasons Grade capped to A. HSTS is not offered

 Done 2021-03-20 22:09:14 [ 132s] -->> 100.100.100.100:8080 (example.com) <<--

testssl results

The Overall Grade was A, so it is mostly fine, but the following line bothered me.

Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat (6 attempts)

Qiita: The Secure Client-Initiated Renegotiation check in testssl.sh

According to that page, this means CVE-2011-1473 has not been mitigated.
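Reading a scan by eye works for one host, but the usage above also offers --json / --jsonfile, and that output is what you want when a scan should fail a build or a nightly check automatically. The following is an added example, not part of the original post or of testssl.sh itself: it parses a constructed sample in the shape of testssl.sh's flat JSON (a list of findings with id, ip, port, severity, finding and, where applicable, cve), ranks the severities testssl.sh uses, and gates on a threshold so that a HIGH finding like the client-initiated renegotiation one above is caught. The sample entries and their wording are made up for this example.

```python
import json

# Constructed sample in the shape of testssl.sh's flat JSON output (--json / --jsonfile):
# one object per finding with id, ip, port, severity and finding (plus cve where the
# check maps to one). The entries below are made up for this example and mirror the
# scan excerpt in the post; they are not real scan output.
SAMPLE_JSON = """
[
  {"id": "TLS1_2", "ip": "example.com/100.100.100.100", "port": "8080",
   "severity": "OK", "finding": "offered"},
  {"id": "TLS1_3", "ip": "example.com/100.100.100.100", "port": "8080",
   "severity": "LOW", "finding": "not offered and downgraded to a weaker protocol"},
  {"id": "cipher_order", "ip": "example.com/100.100.100.100", "port": "8080",
   "severity": "LOW", "finding": "server does not have a cipher order"},
  {"id": "secure_client_renego", "ip": "example.com/100.100.100.100", "port": "8080",
   "severity": "HIGH", "finding": "VULNERABLE, DoS threat", "cve": "CVE-2011-1473"},
  {"id": "LUCKY13", "ip": "example.com/100.100.100.100", "port": "8080",
   "severity": "LOW", "finding": "potentially vulnerable, uses TLS CBC ciphers",
   "cve": "CVE-2013-0169"},
  {"id": "HSTS", "ip": "example.com/100.100.100.100", "port": "8080",
   "severity": "LOW", "finding": "not offered"}
]
"""

# testssl.sh severity levels, ordered from least to most serious.
SEVERITY_RANK = {"DEBUG": 0, "INFO": 1, "OK": 1, "WARN": 2,
                 "LOW": 3, "MEDIUM": 4, "HIGH": 5, "CRITICAL": 6}


def load_findings(text):
    """Parse flat testssl.sh JSON; reject anything that isn't a list of findings."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of findings")
    return data


def findings_at_or_above(findings, threshold):
    """Return findings whose severity is at least `threshold`, keeping scan order."""
    floor = SEVERITY_RANK[threshold]
    return [f for f in findings
            if SEVERITY_RANK.get(f.get("severity", "INFO"), 0) >= floor]


def worst_severity(findings):
    """Name of the highest severity present, or 'INFO' for an empty list."""
    return max((f.get("severity", "INFO") for f in findings),
               key=lambda s: SEVERITY_RANK.get(s, 0), default="INFO")


def gate(text, threshold="HIGH"):
    """Decide whether a scan passes: (ok, ids of findings at or above threshold)."""
    bad = findings_at_or_above(load_findings(text), threshold)
    return (len(bad) == 0, [f["id"] for f in bad])


def format_report(findings, threshold="LOW"):
    """Human-readable lines for findings at or above threshold, with CVE when present."""
    lines = []
    for f in findings_at_or_above(findings, threshold):
        cve = f" [{f['cve']}]" if f.get("cve") else ""
        lines.append(f"{f['severity']:<8} {f['id']:<22} {f['finding']}{cve}")
    return lines


if __name__ == "__main__":
    findings = load_findings(SAMPLE_JSON)
    print("\n".join(format_report(findings)))
    print("worst:", worst_severity(findings), "gate(HIGH):", gate(SAMPLE_JSON))
```

In practice you would run something like `./testssl.sh --jsonfile result.json example.com:8080` and feed the contents of result.json to `gate()`; a threshold of HIGH stops the pipeline on findings like the renegotiation one while still letting you print the LOW ones (missing HSTS, no cipher order) as a to-do list.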

Fixing stone

To address the vulnerability, the way my server is set up leaves no choice but to modify stone.

Looking at its current configuration options, there is no way to set SSL flags after the fact, so I decided to modify the source.

There is a place in stone where the CTX options are set, so I added one line there.

    SSL_CTX_set_options(ss->ctx, opts->off);
    ↓
    SSL_CTX_set_options(ss->ctx, opts->off);
    SSL_CTX_set_options(ss->ctx, SSL_OP_NO_RENEGOTIATION);  /* added: refuse client-initiated renegotiation */

SSL_CTX_set_options adds options by OR-ing them into a bitmask, so calling it several times does not clear the options set earlier.
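The same bitmask behaviour can be seen from Python, whose ssl.SSLContext.options is the very mask that SSL_CTX_set_options operates on. The following is an added example, not stone's code and not from the original post: it builds a server context the way the stone patch above does, OR-ing ssl.OP_NO_RENEGOTIATION (the Python name for SSL_OP_NO_RENEGOTIATION, available on Python 3.7+ built against OpenSSL 1.1.0h or later) into the existing options, and then checks that the new bit is set and that the previously set bits survived. The helper names are my own.

```python
import ssl

# ssl.OP_NO_RENEGOTIATION is missing on older Python/OpenSSL builds; fall back to 0
# so the code still runs there and renegotiation_disabled() reports False honestly.
OP_NO_RENEGOTIATION = getattr(ssl, "OP_NO_RENEGOTIATION", 0)


def harden_server_context(ctx=None):
    """Return a server-side SSLContext with client-initiated renegotiation disabled.

    Each option is added with |=, which keeps the bits already present, the same
    way SSL_CTX_set_options ORs new flags into the context instead of replacing it.
    """
    if ctx is None:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # nothing below TLS 1.2, as in the scan
    ctx.options |= ssl.OP_NO_COMPRESSION          # no TLS compression (CRIME)
    ctx.options |= OP_NO_RENEGOTIATION            # CVE-2011-1473: refuse client renegotiation
    return ctx


def renegotiation_disabled(ctx):
    """True only if the flag exists on this build and is set on the context."""
    return OP_NO_RENEGOTIATION != 0 and bool(ctx.options & OP_NO_RENEGOTIATION)


def options_preserved(ctx):
    """Adding the renegotiation flag must not have cleared OP_NO_COMPRESSION."""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


def minimum_tls_version_name(ctx):
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    c = harden_server_context()
    print("min version:", minimum_tls_version_name(c))
    print("renegotiation disabled:", renegotiation_disabled(c))
    print("earlier options kept:", options_preserved(c))
```

If renegotiation_disabled() prints False the build simply lacks the flag, which is the same situation as building stone against an OpenSSL older than 1.1.0h: the line compiles to nothing useful and testssl.sh will keep reporting the finding, so check the library version before trusting the fix.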

So I rebuilt stone with make from the modified source, swapped in the new binary, and ran testssl.sh again: the Secure Client-Initiated Renegotiation line now reads "not vulnerable (OK)", so the fix is done.