Simulate a TLS client and scan a TLS server
Project description
tlsmate
Overview
This project provides a python framework for simulating TLS endpoints. It provides a comfortable way of creating arbitrary TLS handshake scenarios and executes the scenarios against TLS servers or clients (well, at the current state of the project only client simulations are supported).
A plugin is provided which scans a TLS server for its configurations (i.e., support of TLS protocol versions, cipher suites, and much more) as well as for some commonly known TLS vulnerabilities.
A word of warning
This package is intended for test purposes only. Never ever use it to transmit sensitive data! Here are some reasons:
secret keying material isn’t appropriately protected, e.g., it is not deleted when not used anymore. Such sensitive data are even logged for debugging purpose.
quite a lot of checks are missing which are essential for productive use cases.
random values are not always random
Side channels? Definitely. Constant time implementation? No.
Extensive tests and proven in practice? No!
etc.
Features
tlsmate comes with its own TLS protocol stack implementation. For a list of supported TLS protocol elements refer to TLS features .
The following basic features are supported:
TLS versions: SSLv2 (rudimentary only), SSLv3, TLS1.0, TLS1.1, TLS1.2, TLS1.3
arbitrary L4-ports are supported
customized trust store for root certificates
client authentication
certificate revocation check by CRL and via OCSP
scan result is provided as JSON/Yaml format to simplify tool-based post-processing
plugin concept for either proprietary test cases or for extending the scanner plugin
writing keying material to a key logging file to allow wireshark to decode encrypted packets
configuration of tlsmate through an ini-file or through environment variables
slowing down a scan to circumvent rate limitings
several logging levels
For creating customized handshake scenarios the following features are provided:
TLS messages can be sent/received in any arbitrary order
all TLS message parameters can be set to any arbitrary value
sending and receiving application data
predefined client profiles (legacy, interoperability, modern, TLS1.3-only)
basic settings (version, ciphersuites, etc.) can be taken from the server profile to minimize interoperability issues with the server
different levels for defining a handshake: from a one liner for the complete handshake to defining the deepest bit in a message
various conditions when waiting for a message (timeout, optional message)
background handling of some messages (e.g., NewSessionTicket)
simple python API to use tlsmate from other python applications
The following features are currently not yet supported but will likely be added in the future:
proxy support
simulating a TLS server (thus allowing to test TLS clients)
Installation
This package requires Python3.6 or higher. The recommended way installing tlsmate is using pip:
$ pip install tlsmate
Basic usage
For a full documentation of the tlsmate command refer to the documentation here. There you will find a detailed description how to use the package directly from other python applications.
In the following only some basic examples for using the CLI are given. Use the tlsmate --help command to get all supported subcommands.
$ tlsmate scan --progress mytlsmatedomain.net
This command will perform a TLS scan against the domain mytlsmatedomain.net, and the result will be displayed as colored console output. For an example refer to the output of the scan command.
Using the tlsmate library from other python applications is described in the Python API documentation.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file tlsmate-1.1.0.tar.gz
.
File metadata
- Download URL: tlsmate-1.1.0.tar.gz
- Upload date:
- Size: 4.9 MB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.6.0 importlib_metadata/4.8.2 pkginfo/1.8.1 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.3 CPython/3.7.12
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 4a55292c28887d8d3fc64a10933fbe70f25fbc579cf23ad4830fa215f64d39c6 |
|
MD5 | a7f4bfeefff1a57d475c6b14678193d3 |
|
BLAKE2b-256 | 9c55bc1dc6a619ac462e0b6d0f9f4f3202fee2a472d0f93df27ce235dd52335f |
File details
Details for the file tlsmate-1.1.0-py3-none-any.whl
.
File metadata
- Download URL: tlsmate-1.1.0-py3-none-any.whl
- Upload date:
- Size: 174.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.6.0 importlib_metadata/4.8.2 pkginfo/1.8.1 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.3 CPython/3.7.12
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 30a40aea0e36c4eb660150e19c4e9bc07b5e537eb055240b253f9569af58e2cd |
|
MD5 | 7220ffa8e902baca4480fd666df06b9b |
|
BLAKE2b-256 | 51796a69fae24065332696da599818645e301248cf421e0a6ccb25cad273129d |