THE SORRY STATE OF SSL
Hynek Schlawack
@hynek https://hynek.me
https://github.com/hynek
Hello!
https://www.variomedia.de
ONLY LINK
ox.cx/t
WTF SSL & TLS
TIMELINE
1995: Secure Sockets Layer 2.0, Netscape
1996: SSL 3.0, still Netscape
1999: Transport Layer Security 1.0, IETF
2006: TLS 1.1
2008: TLS 1.2
2013
• newfound scrutiny
• browsers add TLS 1.2
• just using TLS not enough
TLS
• identity
• confidentiality
• integrity
TLS HYGIENE
SERVERS
BE UP-TO-DATE
• OpenSSL >= 1.0.1c
• Apache >= 2.4.0
• nginx >= 1.0.6 or 1.1.0
CERTIFICATES
• identity
• validity
• CA sig
EXTENDED VALIDATION CERTIFICATES
TRUST CHAIN
CERTIFICATES
• trust chain
• host name/service
• already/still valid?
DISABLE
• SSL 2.0
• SSL 3.0 (if you can)
• TLS compression
CIPHER SUITES
CIPHER
(diagram: Plaintext → Cipher → Ciphertext)
CIPHER: MODE
• CBC
• stream ciphers
• GCM
ENCRYPTION: PREFER THIS
AES128-GCM & ChaCha20
ENCRYPTION: FALL BACK TO
AES128-CBC
ENCRYPTION: IF LIFE IS CRUEL TO YOU
3DES-CBC
ENCRYPTION: EOL
ENCRYPTION: DANGEROUS
• EXP-*
• DES
• RC4
KEY EXCHANGE
        fast   PFS
RSA     ✔️     ❌
DHE     ❌     ✔️
ECDHE   ✔️     ✔️
INTEGRITY: MACS
• Message Authentication Code
• HMAC
• GCM
HAVE THE LAST WORD
YOU’RE DONE!
(but test your results!)
CERTIFICATE
PROTOCOLS
CIPHER SUITES
CLIENTS
YOU HAD ONE JOB!
VERIFY!
VERIFY THE CERTIFICATE!
• valid?
• trustworthy chain?
• correct hostname/service?
TRUST CHAIN
• VERIFY_PEER
• trust stores OS dependent
• SSL_CTX_set_default_verify_paths
SYSTEM CA
• FreeBSD: ca_root_nss
• Debian/Red Hat: ca-certificates
• OS X: TEA or homebrew
• Windows: wincertstore
• or: Mozilla/certifi
HOSTNAME VERIFICATION
OpenSSL to developers:
LOL
DON’T VERIFY TRUST CHAIN
I can pretend to be Google with any self-signed certificate.
DON’T VERIFY HOSTNAME
I can pretend to be Google with any valid certificate.
SET SOME OPTIONS
• acceptable ciphers
• disable SSL 2.0
THAT’S ALL!
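The client-side checklist above (acceptable ciphers, no SSL 2.0/3.0, no compression, VERIFY_PEER, OS trust store, hostname verification) as an added example using the Python 3 standard library; this is not code from the talk. It assumes Python 3.7+ (ssl.PROTOCOL_TLS_CLIENT and SSLContext.minimum_version) and goes beyond the 2014 advice by also refusing TLS 1.0 and 1.1, since the old OP_NO_SSLv2/OP_NO_SSLv3 bits are deprecated in favour of a version floor.

```python
import ssl

# Preference order follows the talk's ranking: ECDHE (fast and PFS) with
# AES-GCM or ChaCha20 first, DHE (PFS but slow) next, AES128-CBC as the
# fallback, and the dangerous families (export, DES, 3DES, RC4) excluded.
CIPHERS = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:"
    "ECDHE+AES128:DHE+AES128:"
    "!aNULL:!eNULL:!EXP:!DES:!3DES:!RC4:!MD5"
)


def make_client_context(cafile=None):
    """Client SSLContext with the talk's hygiene applied."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Version floor instead of OP_NO_SSLv2/OP_NO_SSLv3: SSL 2.0/3.0 and
    # (beyond the 2014 advice) TLS 1.0/1.1 are refused outright.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION   # TLS compression off
    ctx.set_ciphers(CIPHERS)
    ctx.verify_mode = ssl.CERT_REQUIRED    # OpenSSL's VERIFY_PEER
    ctx.check_hostname = True              # name must match the leaf cert
    if cafile:
        ctx.load_verify_locations(cafile)  # e.g. the certifi bundle
    else:
        # OS trust store, the equivalent of SSL_CTX_set_default_verify_paths
        ctx.load_default_certs()
    return ctx


def describe(ctx):
    """Plain-data summary of a context so its settings can be checked."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "no_compression": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "min_version": ctx.minimum_version.name,
        "ciphers": [c["name"] for c in ctx.get_ciphers()],
    }


if __name__ == "__main__":
    for key, value in describe(make_client_context()).items():
        print(key, value)
```

Pass the resulting context to `ssl.SSLSocket` or `urllib.request` instead of relying on library defaults; the `ciphers` entry of `describe()` shows exactly which suites the running OpenSSL will offer.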
USERS
FUNDAMENTAL MISCONCEPTIONS
• no end-to-end security
• metadata
VPN?
• sees all your traffic
• same for CDN
CERTIFICATE WARNINGS
ROOT CERTIFICATE POISONING
TRUST ISSUES
• hacked
• screw up
• court orders
• big corp
DON’T DO IT YOURSELF IF YOU CAN HELP IT.
Rule of Thumb
STANDARD LIBRARY VS.
PYOPENSSL
STANDARD LIBRARY
• terrible pre-3.3
• very incomplete in 2.7
• PFS impossible
• missing options
• bound to Python’s OpenSSL
HOSTNAME VERIFICATION
3.2– from ssl import match_hostname
2.4–2.7 pip install backports.ssl_match_hostname
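An added illustration (not the talk's code and not the stdlib's own implementation) of the RFC 6125-style check that ssl.match_hostname and service_identity perform on a getpeercert()-style dict: subjectAltName dNSName entries are consulted first, the subject commonName only when no dNSName exists, and only a whole leftmost label may be a wildcard, matching exactly one label. The certificate dict is constructed for the example.

```python
def _dnsname_match(pattern, hostname):
    """Match one dNSName pattern against a hostname (case-insensitive).

    Only the leftmost label may be a wildcard, and it must be the whole
    label ("*.example.com", never "f*.example.com"). A wildcard matches
    exactly one label, so "*.example.com" matches neither "example.com"
    nor "a.b.example.com", and "*.com" is rejected outright.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    labels = pattern.split(".")
    if labels[0] == "*":
        host_labels = hostname.split(".")
        if len(labels) < 3 or len(host_labels) != len(labels):
            return False
        return host_labels[1:] == labels[1:]
    if "*" in pattern:
        return False  # partial or non-leftmost wildcards are not honoured
    return pattern == hostname


def match_hostname(cert, hostname):
    """True if `cert` (a getpeercert()-style dict) is valid for `hostname`.

    dNSName entries in subjectAltName take precedence; commonName is only
    a fallback when the certificate carries no dNSName at all.
    """
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return any(_dnsname_match(p, hostname) for p in names)


# Constructed sample, shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE_CERT = {
    "subject": ((("commonName", "legacy.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.api.example.com")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "mail.example.com"),),)}
```

A client that skips this step accepts any valid certificate for any host, which is the "I can pretend to be Google with any valid certificate" case from the CLIENTS section.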
PYOPENSSL
• Python 2.6+, 3.2+, and PyPy
• more complete API coverage
• PyCA cryptography!
CRYPTOGRAPHY.IO
• Python crypto w/o footguns
• PyCA
• PyPy ♥ CFFI
• gives pyOpenSSL momentum
HOSTNAME VERIFICATION
service_identity
LIBRARIES & FRAMEWORKS
SERVERS
library        lib          PFS   good defaults   configurable
eventlet       hybrid       ❌    ❌              ❌
gevent         stdlib       ❌    ❌              ❌
gunicorn       depends      ❌    ❌              ❌
Tornado        stdlib       ❌    ❌              ❌
Twisted 14.0   pyOpenSSL    ✔️    ✔️              ✔️
uWSGI          own C code   ✔️    ❌              ✔️
CLIENTS
library            lib         verifies certificates   verifies hostnames   good defaults
eventlet           hybrid      ❌                      ❌                   ❌
gevent             stdlib      ❌                      ❌                   ❌
Tornado            stdlib      ✔️                      ✔️                   ❌
Twisted 14.0       pyOpenSSL   depends                 depends              ✔️
urllib2            stdlib      ❌                      ❌                   ❌
urllib3/requests   hybrid      ✔️                      ✔️                   ✔️
SUMMARY
• keep TLS out of Python if you can
• use pyOpenSSL-powered requests for HTTPS
• write servers in Twisted
• use pyOpenSSL
• use Python 2 stdlib only for clients
WHY SORRY?
IMPLEMENTATIONS
USERS
• run outdated software
• click certificate warnings away
• are at the mercy of 3rd parties
SERVERS
CLIENTS
PYTHON
Is at the forefront of terrible.
HOPE
• people care again
• stdlib
• PyCA
CALLS TO ACTION
ox.cx/t
@hynek
vrmd.de