
Simulate a TLS client and scan a TLS server

Project description


tlsmate

Overview

This project provides a Python framework for simulating TLS endpoints. It offers a convenient way to create arbitrary TLS handshake scenarios and execute them against TLS servers or clients (well, at the current state of the project only client simulations are supported).

A plugin is provided which scans a TLS server for its configurations (i.e., support of TLS protocol versions, cipher suites, and much more) as well as for some commonly known TLS vulnerabilities.

A word of warning

This package is intended for test purposes only. Never ever use it to transmit sensitive data! Here are some reasons:

  • secret keying material isn’t appropriately protected, e.g., it is not deleted when it is no longer used. Such sensitive data are even logged for debugging purposes.

  • quite a lot of checks that are essential for production use cases are missing.

  • random values are not always random

  • Side channels? Definitely. Constant time implementation? No.

  • Extensive tests and proven in practice? No!

  • etc.

Features

tlsmate comes with its own TLS protocol stack implementation. For a list of supported TLS protocol elements refer to TLS features.

The following basic features are supported:

  • TLS versions: SSLv2 (rudimentary only), SSLv3, TLS1.0, TLS1.1, TLS1.2, TLS1.3

  • arbitrary L4-ports are supported

  • customized trust store for root certificates

  • client authentication

  • certificate revocation check by CRL and via OCSP

  • scan result is provided in JSON/YAML format to simplify tool-based post-processing

  • plugin concept for either proprietary test cases or for extending the scanner plugin

  • writing keying material to a key log file to allow Wireshark to decrypt captured packets

  • configuration of tlsmate through an ini-file or through environment variables

  • slowing down a scan to circumvent rate limiting

  • several logging levels

  • HTTP-proxy support

  • Docker image provided

For creating customized handshake scenarios the following features are provided:

  • TLS messages can be sent/received in any arbitrary order

  • all TLS message parameters can be set to any arbitrary value

  • sending and receiving application data

  • predefined client profiles (legacy, interoperability, modern, TLS1.3-only)

  • basic settings (version, ciphersuites, etc.) can be taken from the server profile to minimize interoperability issues with the server

  • different levels for defining a handshake: from a one-liner for the complete handshake to defining the deepest bit in a message

  • various conditions when waiting for a message (timeout, optional message)

  • background handling of some messages (e.g., NewSessionTicket)

  • simple python API to use tlsmate from other python applications

The following features are currently not yet supported but will likely be added in the future:

  • simulating a TLS server (thus allowing to test TLS clients)

Installation

This package requires Python 3.6 or higher. The recommended way to install tlsmate is via pip:

$ pip install tlsmate

In case this does not work, check if the problem is caused by the cryptographic library cryptography, and refer to Installation of cryptography.

Minimal configuration

By default tlsmate comes with an empty trust store, and thus all certificate chain validations will fail.

There are two different ways recommended to configure the trust store.

Using the system’s set of root certificates

In case the root CA certificates are installed on the system, their location depends on the OS. If openssl is installed on the system, use the following command:

$ openssl version -d

This will print the openssl directory, e.g. /usr/lib/ssl. The certificates are located in the subdirectory certs, and typically a file is provided there which contains all certificates concatenated. On Ubuntu, this file is named ca-certificates.crt, on CentOS the name is ca-bundle.crt.

This file needs to be configured in the tlsmate-ini file, see below.

Download the Mozilla root CA certificates

As an alternative the root CA certificates used by Mozilla can be used. Download the file and calculate its SHA256 checksum:

$ curl -s -o cacert.pem https://curl.se/ca/cacert.pem && sha256sum cacert.pem

Compare the SHA256 hash value with the value provided at https://curl.se/ca/cacert.pem.sha256.

If the value matches, configure the downloaded file in the tlsmate-ini file, see below.

Configuring the trust store in the .tlsmate.ini file

Let’s assume the name of the trust store file is /usr/lib/ssl/certs/ca-certificates.crt. Now create a new ini file in your home directory:

$ echo -e "[tlsmate]\nca_certs = /usr/lib/ssl/certs/ca-certificates.crt" > ~/.tlsmate.ini
$ cat ~/.tlsmate.ini
[tlsmate]
ca_certs = /usr/lib/ssl/certs/ca-certificates.crt

More information on the use of ini-files is provided here.
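The two trust-store steps above (verify the downloaded bundle against its published SHA-256, then point the [tlsmate] section at it) as an added Python example; this is not tlsmate's own code. It assumes the .sha256 file uses the sha256sum layout `<digest>  cacert.pem`, and the bundle, checksum file and tampered copy it works on are constructed in a temporary directory.

```python
"""Verify a CA bundle against its .sha256 file and write the tlsmate ini entry.
Added example, not part of tlsmate. Sample files below are constructed."""
import configparser
import hashlib
import pathlib
import tempfile


def verify_bundle(pem_path: pathlib.Path, sha256_path: pathlib.Path) -> bool:
    """Compare the bundle's SHA-256 with the first token of the .sha256 file
    (assumed sha256sum layout: '<hex digest>  cacert.pem')."""
    expected = sha256_path.read_text().split()[0].lower()
    actual = hashlib.sha256(pem_path.read_bytes()).hexdigest()
    return actual == expected


def count_certificates(pem_path: pathlib.Path) -> int:
    """Number of PEM certificate blocks; zero means tlsmate would still have
    an empty trust store and every chain validation would fail."""
    return pem_path.read_text().count("-----BEGIN CERTIFICATE-----")


def write_tlsmate_ini(ini_path: pathlib.Path, ca_certs: pathlib.Path) -> str:
    """Set ca_certs in the [tlsmate] section (same layout as the echo command
    above), keeping any other settings already in the file."""
    cfg = configparser.ConfigParser()
    cfg.read(ini_path)
    if not cfg.has_section("tlsmate"):
        cfg.add_section("tlsmate")
    cfg["tlsmate"]["ca_certs"] = str(ca_certs)
    with ini_path.open("w") as fh:
        cfg.write(fh)
    return ini_path.read_text()


def demo() -> dict:
    """Constructed sample: a two-block 'bundle' (placeholder blocks, not real
    certificates), its matching checksum file, and a tampered copy with an
    extra block appended that must be rejected."""
    tmp = pathlib.Path(tempfile.mkdtemp())
    block = "-----BEGIN CERTIFICATE-----\n{}\n-----END CERTIFICATE-----\n"
    pem = tmp / "cacert.pem"
    pem.write_text(block.format("AAAA") + block.format("BBBB"))
    sha_file = tmp / "cacert.pem.sha256"
    sha_file.write_text(hashlib.sha256(pem.read_bytes()).hexdigest() + "  cacert.pem\n")
    tampered = tmp / "tampered.pem"
    tampered.write_text(pem.read_text() + block.format("CCCC"))
    ok = verify_bundle(pem, sha_file)
    return {"genuine_ok": ok, "tampered_ok": verify_bundle(tampered, sha_file),
            "certs": count_certificates(pem),
            "ini": write_tlsmate_ini(tmp / ".tlsmate.ini", pem) if ok else ""}
```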

Basic usage

For the full documentation of the tlsmate command refer to the documentation here. There you will also find a detailed description of how to use the package directly from other Python applications.

In the following only some basic examples for using the CLI are given. Use the tlsmate --help command to get all supported subcommands.

$ tlsmate scan --progress mytlsmatedomain.net

This command will perform a TLS scan against the domain mytlsmatedomain.net, and the result will be displayed as colored console output. For an example refer to the output of the scan command.

If you want to use the provided Docker container instead, use the following command:

$ docker run -it guballa/tlsmate tlsmate scan --progress mytlsmatedomain.net

Using the tlsmate library from other python applications is described in the Python API documentation.

Download files

Source Distribution: tlsmate-1.2.2.tar.gz (5.0 MB)

Built Distribution: tlsmate-1.2.2-py3-none-any.whl (183.9 kB)
