Test SSL/TLS clients for resistance against MITM attacks

sslcaudit – automates the testing process of SSL/TLS clients for resistance against MITM attacks. It is useful for testing thick clients, mobile applications, appliances, pretty much anything communicating over SSL/TLS over TCP.

A correctly implemented SSL/TLS client exhibits the following testable behavior:
1> Rejects self-signed certificates, certificates not signed by a trusted CA.
2> Validates basic constraints of intermediate CAs.
3> Only accepts server certificate with CN matching the intended destination.
4> Does not accept expired certificates.
5> Does not accept revoked certificates.
6> Do not be fooled by NUL-character in CN.

Testable behavior related to SSL/TLS protocol support:
1> Do not support SSLv2.
2> Do not support SSL and TLS 1.0.
3> Do not support weak key exchange protocols, low key lengths, low ciphers strengths.

How to use it

Test if client trusts an arbitrary selfsigned certificate:
> Open two terminals
> In one of them run

sslcaudit

> In the other run

openssl s_client -connect localhost:8443

> In the first terminal you wiil see the results of the test.

Test if client trusts an arbitrary selfsigned certificate:
> Open two terminals
> In one of them run

sslcaudit

> In the other run

socat - OPENSSL:localhost:8443

> In the first terminal you wiil see the results of the test.

Point sslcaudit towards a real server and let it mimic server’s certificate:
> Open two terminals
> In one of them run

sslcaudit --server server.ip.address:443

> In the other run

while true ; do socat - OPENSSL:localhost:8443; sleep .5; done

> In the first terminal you wiil see the results of the test.

For more info and examples, please read sslcaudit user guide:
sslcaudit user guide (PDF)

%d bloggers like this: