Fingerprint enhancements and new fingerprints #35

Merged: 28 commits merged on Nov 8, 2016

tomato42
Collaborator

@tomato42 tomato42 commented Aug 31, 2016

  • make servers that support ALPN not crash tls_prober (update to pytls version that supports ALPN alerts)
  • make writing fingerprints to files deterministic, ease future fingerprint updates by sorting probe results by name
  • sort all existing results in fingerprint files by name (will make reading diffs for fingerprints much easier)
  • suggestion on how to set up GnuTLS, NSS and OpenSSL for testing (so that most settings are enabled to provide the most unique fingerprint possible)
  • add fingerprint for new botan (fixes Fingerprints for botan missing #28)
  • add fingerprints for a few recent versions of NSS (fixes Fingerprints for NSS missing #27)
  • update a few OpenSSL fingerprints, add new ones (should fix Mis-fingerprinting with certain OpenSSL configurations #10)
  • add fingerprints from RHEL 4, RHEL 5 and RHEL 6's versions of GnuTLS, NSS and OpenSSL
  • add fingerprints for IIS, RDP and LDAP running on Windows 2008R2 SP1 and 2012R2 in default configuration (together with the above should fix Servers that only support DH/ECDH #14)

@tomato42 tomato42 changed the title Fingerprint enhancements and new fingerprints WIP - Fingerprint enhancements and new fingerprints Sep 1, 2016
@tomato42 tomato42 changed the title WIP - Fingerprint enhancements and new fingerprints Fingerprint enhancements and new fingerprints Sep 1, 2016
@tomato42 tomato42 mentioned this pull request Sep 2, 2016
s/UnexpectedMesage/UnexpectedMessage/

to make diff-ing fingerprints in future easy, it's good to keep the
order of probe results deterministic, so sort them alphabetically by
name

to make creating easily diffable extensions of existing fingerprints
sort the results of particular probes in existing fingerprints

command used to modify files:
for file in *; do
 tmp="$(mktemp)"
 (head -n 2 "$file" && tail -n +3 "$file" | LANG=C sort -d ) > "$tmp"
 mv "$tmp" "$file"
done
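
The ordering produced by the `LANG=C sort -d` loop above can also be verified without rewriting any files, for instance as a pre-merge check. The following Python is an added example, not part of this pull request or of tls_prober; it assumes the layout the loop implies (two header lines, then one probe result per line), and the function names and sample data are constructed for illustration.

```python
"""Added example: reproduce the `LANG=C sort -d` ordering for fingerprint files."""
import string

# Assumption taken from `head -n 2` / `tail -n +3` in the commit message:
# two header lines, then one probe result per line.
HEADER_LINES = 2
# In the C locale, `sort -d` compares only ASCII letters, digits and blanks.
DICT_CHARS = frozenset((string.ascii_letters + string.digits + " \t").encode())


def sort_key(line: bytes):
    # Dictionary-order key first; GNU sort breaks ties on the raw line bytes.
    return bytes(b for b in line if b in DICT_CHARS), line


def normalise(data: bytes) -> bytes:
    """Return the file content with every line after the header sorted."""
    lines = data.splitlines()
    header, body = lines[:HEADER_LINES], lines[HEADER_LINES:]
    out = header + sorted(body, key=sort_key)
    return b"\n".join(out) + b"\n" if out else b""


def unsorted_files(files: dict) -> list:
    """Names of files whose content would change if normalised."""
    return sorted(name for name, data in files.items() if normalise(data) != data)


# Constructed sample input, not real tls_prober fingerprints.
SAMPLE = {
    "sorted.fp": b"Header 1\nHeader 2\nProbeA: x\nProbeA12: y\nProbeB: z\n",
    "unsorted.fp": b"Header 1\nHeader 2\nProbeB: z\nProbeA12: y\nProbeA: x\n",
}

if __name__ == "__main__":
    for name in unsorted_files(SAMPLE):
        print("not in deterministic order:", name)
```

Because `-d` ignores the colon, `ProbeA: x` sorts before `ProbeA12: y`, which a plain byte-wise `sorted()` would reverse; a check that uses a different comparison than the one that wrote the files would flag every file.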

make all the fingerprints have a format of
<name of the library><space><version of the library>

Change in SNIWrongName result is caused by server having a SNI
host configured

Note that the server was running without SRP as SRP limits the
server to TLSv1.0 (see next commit)

there seems to be a serious bug in OpenSSL in this version
causing it to disable TLSv1.1 and TLSv1.2 support if SRP is enabled

since this causes creation of completely different probe results,
create a separate fingerprint

I don't know where the differences in Heartbeat and Heartbleed come from

SNIWrongName is different because SNI was configured on the server

note that SRP was disabled as it causes TLS1.1 and TLS1.2 to not work

1.0.2 seems to have a bug that disables TLSv1.1 and TLSv1.2 when
SRP is enabled, creating completely different fingerprints for many
probes

@tomato42
Collaborator Author

@richmoore I will be adding more fingerprints later, but you can merge this branch at any time.
There are a few bug fixes and enhancements that would definitely be useful to others, like fd55222, f810b95, 0ee153b, 6755e5c, d6561e8 and 53607d1

default configuration, TLSv1.2 only configuration and TLS1.0-TLS1.2
configuration
@richmoore richmoore merged commit d56de68 into WestpointLtd:master Nov 8, 2016
@tomato42
Collaborator Author

tomato42 commented Nov 9, 2016

Thank you!

@tomato42 tomato42 deleted the fingerprints branch November 9, 2016 11:39