Does your TLS/SSL library check certificates properly? Broken certificate checks seems to be an overlooked issue. Handling certificates is surprisingly complex, and calls for extra attention.
TryTLS is a tool for the software and library developers, vulnerability researchers, and end-users, who want to use TLS safely.
We hope to help you to test certificate handling easily. We support systematic and readily planned tests and try make integrating your favorite language and library easy.
How Does It Work
- Backends (servers) provide TLS/SSL tests for stubs (clients).
- Stubs attempt to establish secure TLS/SSL connections to backends.
- Runners run the stubs against backends and provide the results of the tests.
pip install trytls
$ git clone https://github.com/ouspg/trytls.git $ trytls https python trytls/stubs/python-urllib2/run.py platform: OS X 10.11.5 runner: trytls 0.2.0 (CPython 2.7.10, OpenSSL 0.9.8zh) stub: python 'run.py' PASS support for TLS server name indication (SNI) [accept badssl.com:443] PASS expired certificate [reject expired.badssl.com:443] PASS wrong hostname in certificate [reject wrong.host.badssl.com:443] ...
Stubs and their documentation can be found from the stubs/ directory.
We are currently working to support the following backends:
- BadSSL - we have cherry picked the relevant tests
- Local backend in the test runner itself (aka
- SSLLabs - protection against certain attacks
- Trytls backend both as docker based "run-it-yourself" packaging and as a hosted service provided by us [WIP]
Test runners allow user to test against all or any of these backends.
What TryTLS Is Not
- We do not address possible client certificate check problems in server code
- We do not do or require a man-in-the-middle tools
- We do not support smart TVs, IoT toasters and other such devices that can't run any of the runners
We have tested some of our releases against popular software. Results and repro instructions of these tests are collected in the shootout documentation.
We have also collected links to other TryTLS inspired findings:
- Wreq connection to HTTPS site with invalid hostname · Issue #84 · bos/wreq
- http-client-tls vulnerable to Logjam? · Issue #215 · snoyberg/http-client
- RFC7465: Prohibiting RC4 Cipher Suites · Issue #153 · vincenthz/hs-tls
- Invoke-Webrequest accepts bad TLS certificates / crypto on MacOS · #1942 · PowerShell/PowerShell
- badtls.io certificates created with an old version of asn1crypto? · #1 · wbond/badtls.io
- crypto/x509: bad error message · #16834 · golang/go
- crypto/x509: Certs with odd RDN layouts not handled, cause confusing errors · #16836 · golang/go
- httpc:request("https://ssllabs:com:10444") not working correctly · #ERL-232 · Erlang/OTP 19
- Mauri Miettinen (@Mamietti)
- Aleksi Klasila (@aleksiklasila)
- Jani Kenttälä (@evilon)
- Ossi Herrala (@oherrala)
- Joachim Viide (@jviide)
- Marko Laakso (@ikisusi)
- Pekka Pietikäinen (@ppietikainen)
- Joonas Kuorilehto (@joneskoo)
- Kasper Kyllönen (@nkapu)
- Timo Mattila (@timattil)
- Low Kian Seong (@lowks)
- Mikko Yliniemi (@mikessu)
- Christian Wieser
- Jakub Wilk (@jwilk)
- Juho Myllylahti (@mutjake)
We invite people to contribute.
- Preferred: public tweet
- Use #trytls and point it to @oupsg
- Less public alternative: direct twitter-message to @ouspg