Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for eTLS detection #353

Open
weddige opened this issue Nov 23, 2018 · 10 comments
Open

Add support for eTLS detection #353

weddige opened this issue Nov 23, 2018 · 10 comments

Comments

@weddige
Copy link

weddige commented Nov 23, 2018

ETSI recently published the TLS 1.3 flavour eTLS: https://www.etsi.org/deliver/etsi_ts/103500_103599/10352303/01.01.01_60/ts_10352303v010101p.pdf

As eTLS compromises the DH key exchange it would be nice, if sslyze could report if a server supports eTLS.

There are two ways to detect eTLS with pros and cons:

Server certificate
eTLS requres the server to include an otherName in the certificate. This is described in section 4.3.3 of ETSI TS 103 523-3.

DH public key
Annex A of ETSI TS 103 523-3 describes a variant of eTLS that omits the information in the server certificate. This can be detected, if the public DH key does not change for two distinct connections.

The first solution is easier and provides more information, the second solution is more robust. Ideal would be to implement both.

@nabla-c0d3 nabla-c0d3 changed the title eTLS detection Add support for eTLS detection Nov 27, 2018
@nabla-c0d3
Copy link
Owner

Thanks for the heads up. It seems unlikely to me that this standard will ever get any traction (I can’t imagine any of the major browsers implementing eTLS as they’re 100% against traffic interception) but I will leave this open just in case.

@weddige
Copy link
Author

weddige commented Nov 27, 2018

eTLS does not need to be implemented in the browser. From the point of view of the browser eTLS is 100% compatible to TLS 1.3.

But I agree with you to the extent that I don't expect it to be widespread in the near future either. However, it would be nice not to overlook the fact that a server supports eTLS.

@divad
Copy link

divad commented Apr 5, 2019

eTLS is not a 'flavour' of TLS at all, and is snake oil: https://www.eff.org/deeplinks/2019/02/ets-isnt-tls-and-you-shouldnt-use-it

@weddige
Copy link
Author

weddige commented Apr 11, 2019

and is snake oil

eTLS (or ETS by now) is not snake oil, but pure poison. That's why I want to recognize it in the scan.

@BerndPfe
Copy link

BerndPfe commented Oct 6, 2019

The only way to actually detect is the way and how it uses the key exchange. To determine "crippled" kex use, it might be necessary to look at recurring patterns for the EC. While standard TLS 1.3 uses random - and there are really many - initial parameters of a curve (mostly x25519) the eTLS should be "easy-to-recognize" by its recurring certain "selections". (this is the approach to just try some of then known params and to easily find out -> eTLS inspection appliances can decode the handshake and then find out about the key and cipher which is being used for the connection). To mark a server as "eTLS-crippled" finally it is first necessary to perform some statistics of its behaviours. It can NOT be found out by just looking into one connection as such.

@BerndPfe
Copy link

BerndPfe commented Oct 6, 2019

Another approach might be to observe a server "avoiding" to use/offer really strongest-possible curves. Or not even offering x25519 along with TLS 1.3. This would look already like a suspicious configuration to me insofar.

@weddige
Copy link
Author

weddige commented Dec 18, 2019

The only way to actually detect is the way and how it uses the key exchange.

A detection via behaviour would be of course ideal. However, eTLS is (in its standard implementation, see annex a) indicated in the certificate. This is something that should be also checked and is easy to implement to start with.

Another approach might be to observe a server "avoiding" to use/offer really strongest-possible curves. Or not even offering x25519 along with TLS 1.3. This would look already like a suspicious configuration to me insofar.

This would look suspicious (and maybe noteworthy), but is not connected to eTLS.

@nabla-c0d3
Copy link
Owner

Are there any servers reachable from the Internet that run eTLS? I could not find one. Otherwise, is there an easy way to run an eTLS server locally?

@weddige
Copy link
Author

weddige commented May 18, 2020

Unfortunately (or fortunately) I do not know of any. I would also rather expect it in an intranet and therefore not accessible from the internet. But so far I haven't encountered any implementation.

I would suggest to start with the otherName specified in the technical specification. The following code is only intended as an example, but you are welcome to use it:

import cryptography.x509
from cryptography.hazmat.backends import default_backend
import cryptography_vectors


with cryptography_vectors.open_vector_file('x509/custom/san_other_name.pem', 'rb') as f:
    cert = cryptography.x509.load_pem_x509_certificate(f.read(), default_backend())


ets_visibility_information_oid = cryptography.x509.ObjectIdentifier("0.4.0.3523.3.1")


def search_ets_visibility_information(cert):
    """Test a certificate for the CVE-2019-9191 vulnerability."""
    try:
        subject_alt_name = cert.extensions.get_extension_for_oid(
            cryptography.x509.oid.ExtensionOID.SUBJECT_ALTERNATIVE_NAME
        ).value
    except cryptography.x509.ExtensionNotFound:
        return
    for other_name in subject_alt_name.get_values_for_type(cryptography.x509.OtherName):
        if other_name.type_id == ets_visibility_information_oid:
            return other_name


search_ets_visibility_information(cert)

If this is an approach you agree with, I could also write a plugin based on it.

@hb9cwp
Copy link

hb9cwp commented Nov 7, 2020

Are there any servers reachable from the Internet that run eTLS? I could not find one. Otherwise, is there an easy way to run an eTLS server locally?

ETSI Tech Committee CYBER publishes kind of "reference implementations" for demo purposes with patched versions of OpenSSL and Apache that provide the toxic extensions for the Transport Layer Middlebox Security Protocol (TLMSP), as required by Extra Terrible Security (ETS, formerly eTLS) which does not provide per-session Forward Secrecy:

see repo "TS 103 523 MSP"
https://forge.etsi.org/rep/cyber/103523_MSP
for example in the subtrees "ETS" and "TLMSP":

MSP-httpd demonstrator
https://forge.etsi.org/rep/cyber/103523_MSP/tlmsp/CYBER.MSP-httpd
This repository contains a HTTP server demonstrator for the mcTLS protocol.
The demonstrator is implemented extending the Apache HTTP server.

TLMSP Apache Httpd
https://forge.etsi.org/rep/cyber/103523_MSP/tlmsp/tlmsp-apache-httpd
Apache HTTPD modified to support TLMSP (ETSI TS 103 523-2)

OpenSSL modified to support TLMSP (ETSI TS 103 523-2)
https://forge.etsi.org/rep/cyber/103523_MSP/tlmsp/tlmsp-openssl
https://forge.etsi.org/rep/cyber/103523_MSP/tlmsp/MSP-OpenSSL/wikis/home

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

5 participants