Does ​your​ library check TLS certificates properly?
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
backends
cases
doc
others/ST
runners
shootout
stubs
.gitignore
CONTRIBUTING.md
LICENSE
README.md
appveyor.yml
circle.yml
setup.py
tox.ini

README.md

TryTLS CircleCI Build status

Does your TLS/SSL library check certificates properly? Broken certificate checks seems to be an overlooked issue. Handling certificates is surprisingly complex, and calls for extra attention.

TryTLS is a tool for the software and library developers, vulnerability researchers, and end-users, who want to use TLS safely.

We hope to help you to test certificate handling easily. We support systematic and readily planned tests and try make integrating your favorite language and library easy.

How Does It Work

Architecture

  • Backends (servers) provide TLS/SSL tests for stubs (clients).
  • Stubs attempt to establish secure TLS/SSL connections to backends.
  • Runners run the stubs against backends and provide the results of the tests.

I you prefer watching over reading, take a look at TryTLS training under 4 minutes! and What exactly does TryTLS test? on YouTube.

Runners

Installation

pip install trytls

In case you don't have pip installed, please refer to these instructions.

Usage

$ git clone https://github.com/ouspg/trytls.git
$ trytls https python trytls/stubs/python-urllib2/run.py
platform: OS X 10.11.5
runner: trytls 0.2.0 (CPython 2.7.10, OpenSSL 0.9.8zh)
stub: python 'run.py'
 PASS support for TLS server name indication (SNI) [accept badssl.com:443]
 PASS expired certificate [reject expired.badssl.com:443]
 PASS wrong hostname in certificate [reject wrong.host.badssl.com:443]
  ...

Stubs

Stubs and their documentation can be found from the stubs/ directory.

Backends

We are currently working to support the following backends:

Test runners allow user to test against all or any of these backends.

What TryTLS Is Not

  • We do not address possible client certificate check problems in server code
  • We do not do or require a man-in-the-middle tools
  • We do not support smart TVs, IoT toasters and other such devices that can't run any of the runners

Found issues

We have tested some of our releases against popular software. Results and repro instructions of these tests are collected in the shootout documentation.

We have also collected links to other TryTLS inspired findings:

Contributors

We invite people to contribute.

Contact us

  • Preferred: public tweet
    • Use #trytls and point it to @oupsg
  • Less public alternative: direct twitter-message to @ouspg