SSL/TLS - Typical problems and how to debug them

- Error messages are missing, are not very specific or even hide the real problem. - There are lots of broken configurations and SSL stacks in the wild. And while browsers try to work around it as much as possible the stacks in applications or scripts are mostly not that tolerant. - There are lots of bad tips out there which often only work around the underlying problem by seriously degrading the security of the protocol. - Deeper knowledge of the protocol and standards is necessary to understand and fix most problems instead of applying some insecure workaround found somewhere on the internet. … - TLS extensions like Server Name Indication (SNI) can only be done with TLS1.x. - SSL 3.0 is considered broken (POODLE) and should no longer be used. - Cipher suites decide about methods for authentication, encryption ... - Cipher suites are mostly independend of the protocol version. The version only specifies when this cipher was introduced: … - Use of insecure protocols or features: - SSL2.0, SSL3.0 are broken and should not be used. - Other attacks are possible by using insecure renegotiation, compression ... . For details see Wikipedia - Use of insecure implementations: - In 2014 all major TLS stacks where affected by serious implementation problems: OpenSSL Heartbleed, Apple Secure Transport goto fail, Microsoft SChannel Winshock, and certificate verification problems with GnuTLS - Insecure certificate checks: - Due to insecure defaults in lots of programming languages (Python, Ruby, PHP, Perl...) or libraries, certificates are either not verfified at all or only the trust chain is verified but not the hostname against the certificate. This gets only slowly fixed because the developers fear to break existing code. - Because proper certificate checking is often in the way of testing, lots of iOS- and Android developers explicitly disable these checks and fail to enable checks in production version. - Lots of applications don't have proper hostname checks, i.e. accept wildcards anywhere or multiple wildcards or even check the subject against a regex. Sometimes these checks are too broad, but in some cases they are too narrow (missing check of subject alterative names) so users disable checks completely. - Use of insecure ciphers - Some application just accept 'ALL', which includes very weak cphers (EXPORT, LOW) and also anonymous cipher suites (with no authentication) which make MITM easy. - Others allow or even require broken ciphers like DES-CBC-SHA or RC4-SHA. … - No SNI support for SSL 3.0, Android (depending on application), MSIE on XP, Java 6 and various other programming languages. This will cause problems , when the server has multiple certificates on the same IP address (like Cloudflare Free SSL). It will usually result in certification errors because the wrong certificate is … ## Common problems caused by misconfiguration - Server allows only allow bad ciphers, like RC4-SHA. Some clients like curl 7.35.0 have disabled these ciphers by default (see workaround) and there are recommendations for others like Microsoft Windows. - Administrators tried to make systems safe against POODLE by disabling all SSL 3.0 ciphers instead of the protocol version. Because these ciphers are needed for TLS1.0 and TLS1.1 clients, at most TLS1.2 clients could connect. … - Self-signed certificates. In this case the trust can not be checked against a local trust anchor and thus the certificate can not be trusted. Browsers allow the user to explicitly trust the certificate. - Certificate contents does not match hostname. There are clear rules how the checks should be done, but some applications are less strict and others implement the checks wrong: … Less common errors are: - Certificate expired or not yet valid. - Insecure certificates with a too small RSA key length or MD5 signatures. Most software does not accept these certificates anymore. - Some (or all?) browser require the extKeyUsage of serverAuth inside the certificate, while most script languages ignore any usage restrictions. … - Python 3 might send a zero-length server name extension (SNI), causing tlsv1 alert decode error. - Cross-Signing of CA certificates can result in multiple possible trust chains, depending on which chain certificates the server is sending. Different SSL stacks behave differently when verifying these chains, which can result in verification errors on Windows or with OpenSSL. … - The needed Root-CA might be known on the system, but maybe not in the trust store used by the specific application. - no shared ciphers - Check support ciphers by client and server. Typical problems are - Misconfiguration because all SSL 3.0 ciphers got removed. - Server uses old ciphers which are no longer supported by client, or the other way.