testssl.sh short explanation in german · 2018-11-18 · | 2018 | © dirk wetter, see 1st slide...
Page 1
testssl.sh
Dirk Wetter
Licence: http://creativecommons.org/licenses/by-nc-sa/4.0/
Page 2
What can it do?
(Active) testing of server-side encryption
● Plain TLS/SSL-encrypted TCP ports
  ● HTTPS
  ● SMTP/587, RDP/3389, IMAPS/993, POP3S/995, …
  ● (agnostic with respect to the underlying protocols)
  ● Tunnelling through a proxy (CONNECT)
● Various STARTTLS protocols → plaintext handshake before encryption
  ● FTP, IMAP, POP, SMTP, LMTP, XMPP,
  ● PostgreSQL, MySQL, LDAP.
Page 3
What can it do?
Active testing of server-side encryption
● IPv4, IPv6 (switch -6 required)
● Protocols: SSLv2 to TLS 1.3 (drafts from 18 up to final)
● Ciphers: 370
  ● (entered as hex codes in an external file)
● Curves (DH, ECDHE, x448, x25519)
● Vulnerabilities
  ● Via sockets: Heartbleed, Ticketbleed, ROBOT, CCS, …
  ● Via ciphers, among others: POODLE (SSL), Renegotiation, BEAST, BREACH, LOGJAM, DROWN, …
● TLS extensions
Page 4
Protocols
HTTP2
Page 5
Protocols, the bad ones, plus vulnerabilities (STARTTLS SMTP)
Page 6
Key exchange (elliptic curves and Diffie-Hellman)
Page 7
What can it do?
Active testing of server-side encryption
● Server or client cipher order?
● Determining the server's cipher order
Page 8
Server order, good:
Page 9
Server order, good (different approach):
Page 10
Server order, not. so. good.
Page 11
What can it do?
Active testing of server-side encryption
● Client simulation: which client negotiates which cipher and which curve?
  ● Clients: many browsers, OpenSSL, Java
  ● Mail clients, for example, are missing
  ● Data (with permission) from the SSL Labs API
  ● Unfortunately without Android >7, iOS >10, Edge >15
Page 12
Client simulation (by default only the latest versions)
Page 13
What can it do?
Server certificate
● Trust
● Expiration
● Match: SAN (CN), wildcards too
● Stores:
  ● Apple, Linux, Windows, Mozilla
  ● Own root CAs
  ● To do: Symantec removal
● Revocation checks: OCSP, CRL (extra flag: --phone-out)
● DNS: CAA
● CT
Page 14
Everything about the server certificate (and TLS extensions)
Page 15
Everything about the server certificate (and TLS extensions)
testssl.sh -q --server-defaults --phone-out web.de
Page 16
Everything about the server certificate (and TLS extensions)
Page 17
What can it do?
Bonus
● HTTP headers
  ● Server banner (application, proxy)
  ● CSP, HPKP, HSTS
  ● Further security headers
  ● Cookies
● Goodie: F5 cookie decoder, except for AES ;-)
Page 18
HTTP headers
Page 19
HTTP headers (F5 BIG-IP)
Page 20
What can it do?
Output
● Human: colour
  ● ANSI: colour-based rating
  ● Also usable by the colour-blind
  ● HTML
● Machine
  ● CSV
  ● JSON (flat, non-flat)
  ● Output restricted to the highest "severities"
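The slide lists flat JSON as a machine-readable output and filtering by severity. As an added example (not part of the slides and not the tool's own code), the Python below parses a constructed sample of the flat JSON format, validates it, and keeps only findings at or above a chosen severity; the severity ordering and the sample values are assumptions made for this example.

```python
import json

# Severity labels as they appear in testssl.sh findings, ranked from least to
# most severe. Placing DEBUG/INFO/OK/WARN below the rating levels is this
# example's assumption, not taken from the tool's documentation.
SEVERITY_RANK = {
    "DEBUG": 0, "INFO": 1, "OK": 2, "WARN": 3,
    "LOW": 4, "MEDIUM": 5, "HIGH": 6, "CRITICAL": 7,
}

# Constructed sample of the flat JSON format: one list of finding objects.
# Host, address and findings are illustrative, not a real scan.
SAMPLE_FLAT_JSON = """[
 {"id": "service", "ip": "host.invalid/203.0.113.10", "port": "443",
  "severity": "INFO", "finding": "HTTP"},
 {"id": "SSLv3", "ip": "host.invalid/203.0.113.10", "port": "443",
  "severity": "HIGH", "finding": "offered (NOT ok)"},
 {"id": "TLS1_2", "ip": "host.invalid/203.0.113.10", "port": "443",
  "severity": "OK", "finding": "offered"},
 {"id": "cipher_order", "ip": "host.invalid/203.0.113.10", "port": "443",
  "severity": "MEDIUM", "finding": "NOT a cipher order configured"},
 {"id": "heartbleed", "ip": "host.invalid/203.0.113.10", "port": "443",
  "severity": "OK", "finding": "not vulnerable, no heartbeat extension"},
 {"id": "cert_expirationStatus", "ip": "host.invalid/203.0.113.10",
  "port": "443", "severity": "CRITICAL", "finding": "expired"}
]"""


def parse_flat(text):
    """Parse flat testssl.sh JSON; reject input that is not a list of findings."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("flat testssl.sh JSON must be a list of findings")
    for finding in data:
        missing = {"id", "severity", "finding"} - set(finding)
        if missing:
            raise ValueError("finding lacks keys: %s" % sorted(missing))
    return data


def at_least(findings, min_severity):
    """Keep findings whose severity is min_severity or worse (unknown labels drop)."""
    threshold = SEVERITY_RANK[min_severity]
    return [f for f in findings if SEVERITY_RANK.get(f["severity"], -1) >= threshold]


def worst_severity(findings):
    """Return the most severe label present, useful as a one-word scan verdict."""
    return max(findings, key=lambda f: SEVERITY_RANK.get(f["severity"], -1))["severity"]
```

Pointing parse_flat at a real --jsonfile output and calling at_least(findings, "HIGH") gives the same view as asking the tool for only the highest severities, but after the fact and across many result files.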
Page 21
What can it do?
More
● File as input
  ● Commands and comments allowed
  ● Parser for nmap output
● Mass testing
  ● Serial
  ● Parallel (with screen output)
Page 22
What can it do?
Getting started
● testssl.sh (with or without --help)
● testssl.sh <host> or <host:port>
  performs a default run, without logging, screen output only
Page 23
What do I need?
● Requirements
  ● /bin/bash
  ● Base tools from Linux (GNU) or BSD
  ● OpenSSL only as a helper
  ● Server tests: sockets
  → runs without further installation
● Natively on Linux, BSDs, Mac OS X
● WSL, Cygwin, MSYS2 (slower)
● docker pull drwetter/testssl.sh
Page 24
Who?
Dirk Wetter: initiator, maintainer, contributor
David Cooper (NIST): extended the socket code, parallel mass testing, ROBOT, ..
Others: JSON, CSV, client handshakes, unit tests, ..