Saturday, January 9, 2010

Testing for TLS1/SSLv3 Renegotiation Vulnerability

I noticed that eEye's Retina Network Scanner and Tenable's Nessus added the check for TLS1/SSLv3 Renegotiation Vulnerability in December. During my research, I came across the excellent whitepaper by Thierry Zoller from G-SEC titled "TLS/SSLv3 renegotiation vulnerability explained":

To help sysadmins who need to find out whether their own webservers are vulnerable, I'm going to demonstrate how to test for the vulnerability using the OpenSSL toolkit (http://www.openssl.org). I'm not going to discuss the details of the vulnerability, as those can be found in the Zoller whitepaper. If your target is Internet-accessible, Nasko provided a great online "TLS Renegotiation Test" at:

In a nutshell, we can test the issue by running the following command:
$ openssl s_client -connect targetserver:443
then adding:
GET / HTTP/1.0
R
<CRLF>

* Please note that <CRLF> means hitting the Enter/Return key.

If the target is vulnerable, the server will return a renegotiation message instead of an error. Once the renegotiation message has been received, sending another <CRLF> makes the server return the content of the page.

Since a picture paints a thousand words, the following two examples illustrate the SSL transactions of a non-vulnerable and a vulnerable server using OpenSSL.


OpenSSL transaction of a non-vulnerable server:
$ openssl s_client -connect good-server.org:443
CONNECTED(00000003)
depth=0 /OU=SAMPLE ONLY/O=<DELETED>
A 1024 Server Certificate/C=CA
verify error:num=20:unable to get local issuer certificate
verify return:1
<DELETED>
---
Certificate chain
 0 s:/OU=SAMPLE ONLY/O=<DELETED>
---
Server certificate
-----BEGIN CERTIFICATE-----
<DELETED>
-----END CERTIFICATE-----
subject=/OU=SAMPLE ONLY/O=<DELETED>
---
No client certificate CA names sent
---
SSL handshake has read 1421 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: D37DC0B86A49D57900149FF75419F31221E862FFB18A38CA9ABDE165D6DC3A32

    Session-ID-ctx:
    Master-Key: 801C70181E7597FB2355FC842D35ED741236E148E17002498C1CA85D287FF64B
5AB2FC0C9653977C7B6621DCF249C325
    Key-Arg   : None
    Start Time: 1263012957
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
GET / HTTP/1.0
R
<CRLF>
RENEGOTIATING
5648:error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record:s3_pkt.c:1210:

$

OpenSSL transaction of a vulnerable server:
$ openssl s_client -connect bad-server.org:443
CONNECTED(00000003)
depth=0 /CN=<DELETED>
verify error:num=20:unable to get local issuer certificate
<DELETED>
---
Certificate chain
 0 s:/CN=<DELETED>
---
Server certificate
-----BEGIN CERTIFICATE-----
<DELETED>
-----END CERTIFICATE-----
subject=/CN=<DELETED>
---
No client certificate CA names sent
---
SSL handshake has read 1620 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 100B637C67A441127FEE9836EDB8364D7F3D78280D1C991AF59AF7D6F09960A6

    Session-ID-ctx:
    Master-Key: 86E28EB111FDF81ED9970D05769582ED2AE217E1C992DDA3CB36DD2F5AA2570B
258F5C44C2CBAB95D3145C124AC3B7F7
    Key-Arg   : None
    Start Time: 1263013004
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
GET / HTTP/1.0
R
<CRLF>
RENEGOTIATING
depth=0 /CN=bad-server.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=bad-server.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 /CN=bad-server.org
verify error:num=21:unable to verify the first certificate
verify return:1
<CRLF>
HTTP/1.1 200 OK
Date: Sat, 09 Jan 2010 04:56:52 GMT
Server: Apache
Last-Modified: Mon, 13 Apr 2009 06:12:41 GMT
ETag: "758012-fe3-467699a12e840"
Accept-Ranges: bytes
Content-Length: 4067
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<HTML>

<HEAD>
<DELETED>

</HTML>
closed

$
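To check more than a handful of servers, the two outcomes shown above can be told apart mechanically. The script below is an added example, not part of the original post: the function names and the abridged sample transcripts are constructed for illustration, and the pauses in `probe_reneg` are an assumption about how `s_client` reads piped input.

```sh
#!/bin/sh
# Added example: classify an `openssl s_client` transcript of the "R" test.
# Helper names and the sample transcripts are constructed for illustration.

# Read a transcript on stdin; print refused, accepted or inconclusive.
classify_reneg() {
    awk '
        /^RENEGOTIATING/                          { seen = 1; next }
        seen && /:error:.*SSL routines/           { err = 1 }
        seen && /^HTTP\/1\.[01] [0-9][0-9][0-9]/  { http = 1 }
        END {
            if (!seen)     print "inconclusive"   # R was never processed
            else if (err)  print "refused"        # handshake aborted after R
            else if (http) print "accepted"       # renegotiated, then served the page
            else           print "inconclusive"   # neither error nor response seen
        }'
}

# Drive the test non-interactively against a server you administer.
# Assumption: the pauses let s_client read "R" at the start of its own
# input chunk, which is how it recognises the renegotiate command.
probe_reneg() {
    { printf 'GET / HTTP/1.0\n'; sleep 1
      printf 'R\n';              sleep 2
      printf '\n';               sleep 2
    } | openssl s_client -connect "$1" 2>&1 | classify_reneg
}

# Constructed samples, abridged from the two transcripts on this page.
sample_refused() { cat <<'EOF'
CONNECTED(00000003)
RENEGOTIATING
5648:error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record:s3_pkt.c:1210:
EOF
}
sample_accepted() { cat <<'EOF'
CONNECTED(00000003)
RENEGOTIATING
depth=0 /CN=bad-server.org
verify return:1
HTTP/1.1 200 OK
Connection: close
EOF
}

sample_refused  | classify_reneg   # refused
sample_accepted | classify_reneg   # accepted
```

Run `probe_reneg yourserver:443` for a live check; an `inconclusive` result means the transcript should be read by hand, as in the walkthrough above.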


For this vulnerability, there's no known generic fix yet. Let's hope something comes along soon.