[guardian-dev] Using tlspretense to test NetCipher's TLS verification

Lee Azzarello lee at rockingtiger.com
Fri May 31 22:35:15 EDT 2013


This is a cool project! What is it actually testing and why would this
affect different applications differently? Isn't openssl the only
library used for verifying TLS certificates in all our apps?

-lee

On Fri, May 31, 2013 at 4:05 PM, Abel Luck <abel at guardianproject.info> wrote:
> Hey folks,
>
> A few months ago Tom Ritter pointed me to tlspretense [1], a ruby app to
> test TLS verifiers in a blackbox manner.
>
> Think of it as unit tests for your TLS verification algorithm.
>
> --- How it works
>
> You install a trusted CA on the device, and then it generates a whole
> slew of good and bad certificates signed with the trusted CA.
>
> Then, you make sure the box running tlspretense can MITM all traffic to
> the device so these certs can be served up.
>
> --- Results
>
> I finally got around to setting tlspretense up and battering
> NetCipher/OnionKit on Android against it.
>
> We consistently fail 4 out of 25 tests. We've work to do!
>
> The results are available here https://gist.github.com/abeluck/5686495
>
> --- Reproducing
>
> The setup is as follows.
>
> tlspretense expects the traffic from the device on a particular network
> interface, so we will configure the server to run an ipsec VPN and MITM
> all traffic on the ppp0 iface.
>
> We then connect the Android device to the VPN (requires 4.0 or higher)
> so all traffic is tunneled to the man-in-the-middling VPN.
>
> Next, we configure tlspretense to generate our certs for the domain of
> our choice, and we install the CA cert on the Android phone.
>
> Finally, we start tlspretense and initiate the test from the device.
>
> --- Detailed instructions
>
> You will need:
>
> 1) One VM or VPS running Ubuntu >= 12.04 that is publicly accessible
>
> WARNING: Use a throwaway server for this. I recommend an EC2 instance
>
> 2) One device running Android >= 4.0
> 3) A terminal and some Linux foo
>
> Edit the variables in tlspretense-vpn.sh [2] and then run it on your
> server to set up the VPN server.
>
> Install tlspretense on the server with:
>         apt-get install ruby1.9.1 ruby1.9.1-dev build-essential vim
>         umask 0022 ; sudo gem install tlspretense
>
> Create a tlspretense project:
>         cd /root
>         tlspretense init testproj
>         cd testproj
>
> Configure the project by editing config.yml. Edit the following variables:
> hostname: duckduckgo.com
> packetthief's in_interface: ppp0
>
> Run tlspretense:
>         tlspretense run
>
> Build and install the netciphertest Android application in the OnionKit
> repo [3].
>
> NOTE: This application already includes the default tlspretense CA
> certificate, so you don't need to copy the CA cert.
>
> Connect your device to the L2TP/IPSEC PSK VPN using the settings you
> configured.
>
> Run the application (TLS Pretense Client) and click "Start Tests"
>
> See Attached Screenshots for visualization.
>
> ---- Future Work & Ideas
>
> Test Automation
>
> It would be great if we could run this locally on a VM in our build
> server and somehow tunnel an emulator to it to get these test results as
> part of our continuous integration system.
>
> Proxy Support
>
> It would be so much nicer if tlspretense could run as a proxy server
> (SOCKS?) instead of requiring a network interface to MITM.
>
> Root
>
> Making it not require root would be awesome.
>
> ~abel
>
>
> [1]: https://github.com/iSECPartners/tlspretense
> [2]: https://gist.github.com/abeluck/5687507
> [3]: https://github.com/abeluck/OnionKit
>
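The two config.yml edits from the "Reproducing" steps above (hostname and packetthief's in_interface), scripted so they can be applied and checked before `tlspretense run`. This is an added example, not code from either mail or from tlspretense itself; the key layout of the sample config.yml (a top-level `hostname:` and an indented `in_interface:` under `packetthief:`) is an assumption, so compare it with the file `tlspretense init` generates in your project.

```shell
#!/bin/sh
# Added example: apply the config.yml edits from the setup steps with sed
# and read them back. The sample config below is constructed for the demo.
set -eu

# Rewrite the hostname and packetthief in_interface values in a config.yml.
# Usage: configure_tlspretense <config.yml> <hostname> <interface>
configure_tlspretense() {
    cfg="$1"; host="$2"; iface="$3"
    # top-level hostname: the domain the generated test certs are issued for
    sed -i "s/^hostname:.*/hostname: ${host}/" "$cfg"
    # in_interface nested under packetthief; leading indentation is preserved
    sed -i "s/^\([[:space:]]*\)in_interface:.*/\1in_interface: ${iface}/" "$cfg"
}

# Print the value of a key (first match, any indentation) so edits can be checked.
config_value() {
    cfg="$1"; key="$2"
    sed -n "s/^[[:space:]]*${key}:[[:space:]]*//p" "$cfg" | head -n 1
}

# Constructed sample config.yml (assumed layout, not the real template).
make_sample_config() {
    cat > "$1" <<'EOF'
hostname: www.example.com
listener_port: 443
packetthief:
  implementation: netfilter
  in_interface: eth1
  protocol: tcp
  dest_port: 443
EOF
}

# Demo: ./script.sh demo  prints the patched config for the values in the mail.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    make_sample_config "$tmp"
    configure_tlspretense "$tmp" duckduckgo.com ppp0
    cat "$tmp"
    rm -f "$tmp"
fi
```

Run it from the testproj directory against the real config.yml once you have confirmed the key names match, then start `tlspretense run`.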
