HVLearn is an open-source framework for analyzing hostname verification in SSL/TLS implementations using automata learning. It is useful for finding bugs, vulnerabilities, and RFC discrepancies in those implementations. The core of the project is written in Java and built mainly on the LearnLib library. Some parts, particularly the code that generates certificate templates, are written in C.
Given a specific certificate identifier pattern (e.g., in the common name or subject alternative name fields), HVLearn uses automata learning algorithms to infer a Deterministic Finite Automaton (DFA) that describes the set of all hostnames matching that identifier. The inferred DFA can be compared with DFAs inferred from other implementations to find discrepancies, or tested for equivalence against a DFA derived from a regular expression that encodes the expected rule.
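To illustrate how two inferred DFAs can be compared, here is a minimal sketch that walks the product of two automata breadth-first and returns a shortest string on which they disagree. It is not HVLearn's code and does not use LearnLib. The `DfaDiff` class, the `Dfa` table representation, and both example automata are hypothetical, hand-written for illustration. The toy "strict" automaton accepts only `a.a`, while the toy "lenient" one also accepts a trailing dot.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashSet;
import java.util.Set;

public class DfaDiff {
    /** Complete DFA: state 0 is initial; next[s][i] is the successor of s on alphabet[i]. */
    public static final class Dfa {
        final int[][] next;
        final boolean[] accepting;

        Dfa(int[][] next, boolean[] accepting) {
            this.next = next;
            this.accepting = accepting;
        }
    }

    /** Returns a shortest string on which a and b disagree, or null if they are equivalent. */
    public static String findDifference(Dfa a, Dfa b, char[] alphabet) {
        Deque<int[]> pairs = new ArrayDeque<>();   // product states still to visit
        Deque<String> words = new ArrayDeque<>();  // input that reaches each queued pair
        Set<Long> seen = new HashSet<>();
        pairs.add(new int[] {0, 0});
        words.add("");
        seen.add(0L);
        while (!pairs.isEmpty()) {
            int[] pair = pairs.poll();
            String word = words.poll();
            if (a.accepting[pair[0]] != b.accepting[pair[1]]) {
                return word; // one automaton accepts this string, the other rejects it
            }
            for (int i = 0; i < alphabet.length; i++) {
                int sa = a.next[pair[0]][i];
                int sb = b.next[pair[1]][i];
                long key = ((long) sa << 32) | sb;
                if (seen.add(key)) {
                    pairs.add(new int[] {sa, sb});
                    words.add(word + alphabet[i]);
                }
            }
        }
        return null;
    }

    /** Toy DFA over {'a', '.'} accepting exactly "a.a" (state 4 is the reject sink). */
    public static Dfa strictExample() {
        int[][] next = {{1, 4}, {4, 2}, {3, 4}, {4, 4}, {4, 4}};
        return new Dfa(next, new boolean[] {false, false, false, true, false});
    }

    /** Toy DFA accepting "a.a" and "a.a." (state 5 is the reject sink). */
    public static Dfa lenientExample() {
        int[][] next = {{1, 5}, {5, 2}, {3, 5}, {5, 4}, {5, 5}, {5, 5}};
        return new Dfa(next, new boolean[] {false, false, false, true, true, false});
    }

    public static void main(String[] args) {
        char[] alphabet = {'a', '.'};
        // Prints "a.a." because only the lenient automaton accepts the trailing dot.
        System.out.println(findDifference(strictExample(), lenientExample(), alphabet));
    }
}
```

Because the search is breadth-first, the returned string is a shortest witness of the discrepancy. The same routine can serve as an equivalence check against a reference DFA, since a `null` result means no distinguishing string exists.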
For more details about the algorithm and evaluation, see our paper:
HVLearn: Automated Black-box Analysis of Hostname Verification in SSL/TLS Implementations [PDF]
Suphannee Sivakorn, George Argyros, Kexin Pei, Angelos D. Keromytis and Suman Jana
HVLearn was developed at Columbia University, New York, NY, USA, in 2016-2017.
HVLearn is developed and maintained by (alphabetically): Developers/Maintainers
Found a bug? Please open a new issue!