SSL/TLS as used today has more and more problems, and it is difficult to understand what the root causes of these problems are and how to detect and finally avoid or fix them.
This training will give a brief introduction to SSL: how it works in general, what problems are known regarding the protocol and the PKI used, and the known vulnerabilities including potential attacks, and it will provide tools to check for these issues. The main focus will be on SSL as used in HTTPS; other uses, e.g. SSL for SMTP, are a small subset. As a round-up there will be recommendations on how to configure SSL securely.
Topics
The course will be a hands-on training showing by example how to check the established SSL connection (including ciphers) to a web server and how to analyse the provided certificate. A large number of tools will be explained, and it will be demonstrated how these tools can be used to detect weaknesses in the SSL connection and the like.
The tools explained include, for example: openssl, sslaudit, sslscan, ssltest.pl, o-saft and some more, as well as some online checking tools like ssllabs.com. We show what these tools are useful for, what they can do and what they cannot.
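As an added example (not part of the course material), a small POSIX shell checker for the session summary that openssl s_client prints at the end of a connection; the sample session is constructed, and which protocols, ciphers and key sizes count as weak is this example's own assumption:

```shell
#!/bin/sh
# Added example (not course material): rate the summary that
# `openssl s_client -connect host:443 </dev/null` prints after the handshake.
# Weak-protocol, weak-cipher and key-size thresholds are assumptions; adjust to policy.
# Constructed sample of an s_client session tail (not from a real server).
SAMPLE_SESSION='New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: zlib compression
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Verify return code: 21 (unable to verify the first certificate)
---'
# check_session TEXT: print one finding per line; return 0 if nothing
# was flagged, 1 otherwise.
check_session() {
  text=$1
  rc=0
  proto=$(printf '%s\n' "$text" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
  cipher=$(printf '%s\n' "$text" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
  bits=$(printf '%s\n' "$text" | sed -n 's/^Server public key is \([0-9]*\) bit.*/\1/p')
  verify=$(printf '%s\n' "$text" | sed -n 's/^ *Verify return code: *\([0-9]*\).*/\1/p')
  case $proto in
    SSLv2|SSLv3) echo "WEAK protocol $proto"; rc=1 ;;
  esac
  # RC4, (3)DES, export, anonymous DH, NULL and MD5 suites are flagged
  case $cipher in
    *RC4*|*DES*|*EXP*|*ADH*|*AECDH*|*NULL*|*MD5*) echo "WEAK cipher $cipher"; rc=1 ;;
  esac
  if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
    echo "WEAK key size $bits bit"; rc=1
  fi
  if [ "${verify:-missing}" != "0" ]; then
    echo "CERT verify return code ${verify:-missing}"; rc=1
  fi
  if printf '%s\n' "$text" | grep -q '^Secure Renegotiation IS NOT'; then
    echo "WEAK secure renegotiation not supported"; rc=1
  fi
  if printf '%s\n' "$text" | grep -q '^Compression: [^N]'; then
    echo "WEAK TLS compression enabled"; rc=1
  fi
  return $rc
}
# Live use (needs network): check_session "$(openssl s_client -connect host:443 </dev/null 2>/dev/null)"
check_session "$SAMPLE_SESSION" || echo "weak settings found"
```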
Finally we show how the OWASP tool o-saft can be used to cover most of the previously shown techniques and how to use its advanced features like:
- checking for special SSL settings
- checking multiple servers at a time
- customizing the results
- using private SSL libraries
- customizing o-saft itself
- or simple debugging of various SSL connection problems.
The purpose of this course is to provide the participants with a tool set for checking SSL and to teach them how and when to use which tool.
The course is intended to teach builders and defenders how to analyse SSL from a client-side view, in particular what an auditor or penetration tester does. It will not go into the details of fuzzing or even breaking SSL with tools such as sslsniff, ssltrap and the like, or of exploiting vulnerabilities. Instead it should give developers an idea of how to use SSL securely and give system architects, administrators and operations people hints on how to set up and configure SSL in a properly secure way.
Technical Requirements
The participants should bring their own laptop with any operating system (Linux is recommended) and at least the following tools installed:
openssl (1.0.1e or newer)
perl (5.8 or newer); on Windows systems Strawberry Perl is recommended
Net::SSLeay (1.53 or newer), IO::Socket::SSL (1.37 or newer)
python (2.7), optional
Optionally, for smooth testing, a local SSL-enabled web server should be running on the laptop.
Others
All other tools used are open source and available during the course. The participants are responsible on their own for accepting and following the license rules of each tool.