Nytro Posted October 6, 2014

[h=1]x509test[/h]

If you have any questions, suggestions, comments, concerns, or interesting stories, please email x509test@gmail.com.

Description:

x509test is software written in Python 3 that tests the x509 certificate verification process of the target SSL/TLS client. The inspiration for this software comes from multiple reports on the insecurity of SSL/TLS clients due to incorrect verification of the x509 certificate chain. This phenomenon is caused by many factors, one of which is the lack of negative feedback from over-acceptance of invalid certificates. This software is an attempt to increase the security of client-side SSL/TLS software by providing negative feedback to the developers.

Test Procedure:

1. The software takes in a user-supplied fqdn, where the fqdn is the destination of the client connection.
2. The software reads the certificate and key of the root CA. If no root CA is specified, the software generates a self-signed certificate that acts as the root CA. (NOTE: the root certificate must be trusted by the client software, either by including it in the OS's trust store or by manually configuring the client software to trust the certificate.)
3. The software generates a set of test certificates. Some are signed directly by the root CA while others are chained with other intermediate CAs. The majority of the test certificates contain flaws.
4. The software starts an SSL/TLS server and waits for a client to connect. Each session corresponds to a single test certificate chain. If the client completes the handshake procedure with an invalid certificate chain, or terminates the handshake procedure with a valid certificate chain, the software denotes such behavior as a potential violation. Regardless of the outcome, the software always terminates the connection once the result is obtained and starts a new session with a different test certificate chain. (NOTE: some ports require root privilege, so it is recommended to run this software as root.)

Results will be printed to the terminal, or to a file if specified, as the test progresses. There are only three possible results from a given test: pass means no non-compliant behavior was observed; fail means non-compliant behavior was encountered; unsupported means the underlying system on which x509test is running does not support the particular test.

Source: https://github.com/yymax/x509test
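The test loop described above, as an added example that is not x509test's own code: a self-signed root is generated, a handful of leaf certificates are derived from it (one valid, the rest with deliberate flaws: wrong hostname, expired, signed by an untrusted CA), each one is served over a short-lived TLS session on loopback, and the client's accept/reject decision is compared with the chain's real validity to produce x509test's pass/fail verdict. It assumes the third-party `cryptography` package is installed; Python's own `ssl.create_default_context()` stands in for the client under test, and `target.example`, the case names and the CA names are constructed for the example.

```python
import datetime
import socket
import ssl
import tempfile
import threading

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

TARGET_FQDN = "target.example"  # constructed: the fqdn the client believes it is talking to
NOW = datetime.datetime.now(datetime.timezone.utc)
DAY = datetime.timedelta(days=1)
PEM = serialization.Encoding.PEM

def make_cert(cn, san, issuer, issuer_key, key, is_ca=False, not_before=None, not_after=None):
    """Certificate for `key` signed by `issuer_key`; self-signed when `issuer` is None.
    SKI, AKI and keyUsage are set so the chains also satisfy OpenSSL's strict checks."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = (x509.CertificateBuilder()
         .subject_name(subject)
         .issuer_name(subject if issuer is None else issuer.subject)
         .public_key(key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(not_before or NOW - DAY)
         .not_valid_after(not_after or NOW + 30 * DAY)
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
         .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
         .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(issuer_key.public_key()),
                        critical=False))
    if is_ca:
        b = b.add_extension(x509.KeyUsage(
            digital_signature=False, content_commitment=False, key_encipherment=False,
            data_encipherment=False, key_agreement=False, key_cert_sign=True, crl_sign=True,
            encipher_only=False, decipher_only=False), critical=True)
    if san:
        b = b.add_extension(x509.SubjectAlternativeName([x509.DNSName(san)]), critical=False)
    return b.sign(issuer_key, hashes.SHA256())

def build_test_cases():
    """Trusted root plus leaf certificates: {case name: (should the client accept it?, leaf)}."""
    root_key, rogue_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("x509test root", None, None, root_key, root_key, is_ca=True)
    rogue = make_cert("untrusted root", None, None, rogue_key, rogue_key, is_ca=True)
    good = dict(issuer=root, issuer_key=root_key, key=leaf_key)
    cases = {
        "valid leaf": (True, make_cert(TARGET_FQDN, TARGET_FQDN, **good)),
        "hostname mismatch": (False, make_cert("other.example", "other.example", **good)),
        "expired": (False, make_cert(TARGET_FQDN, TARGET_FQDN, **good,
                                     not_before=NOW - 60 * DAY, not_after=NOW - 30 * DAY)),
        # signed by a CA the client has not been told to trust
        "untrusted issuer": (False, make_cert(TARGET_FQDN, TARGET_FQDN, rogue, rogue_key, leaf_key)),
    }
    return root, leaf_key, cases

def client_accepts(root, cert, key):
    """Serve one chain on loopback and report whether the client completes the handshake."""
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name, data in (("ca", root.public_bytes(PEM)), ("cert", cert.public_bytes(PEM)),
                           ("key", key.private_bytes(PEM, serialization.PrivateFormat.PKCS8,
                                                     serialization.NoEncryption()))):
            with open(paths.setdefault(name, f"{d}/{name}.pem"), "wb") as f:
                f.write(data)
        srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        srv_ctx.load_cert_chain(paths["cert"], paths["key"])
        listener = socket.create_server(("127.0.0.1", 0))
        listener.settimeout(5)

        def serve():  # one session per test chain, torn down as soon as the client has decided
            try:
                conn, _ = listener.accept()
                with srv_ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.recv(1)
            except OSError:  # ssl.SSLError is an OSError: the client refused the chain
                pass

        t = threading.Thread(target=serve)
        t.start()
        cli_ctx = ssl.create_default_context(cafile=paths["ca"])  # trusts only the test root
        try:
            with socket.create_connection(listener.getsockname(), timeout=5) as raw, \
                    cli_ctx.wrap_socket(raw, server_hostname=TARGET_FQDN):
                accepted = True
        except ssl.SSLError:
            accepted = False
        t.join(5)
        listener.close()
        return accepted

def run_suite():
    """x509test-style verdicts: 'pass' when the client's decision matches the chain's real
    validity, 'fail' when it accepts a flawed chain or rejects the valid one."""
    root, leaf_key, cases = build_test_cases()
    return {name: "pass" if client_accepts(root, cert, leaf_key) == expected else "fail"
            for name, (expected, cert) in cases.items()}

if __name__ == "__main__":
    print(run_suite())
```

Each session is served once and then closed, exactly as the procedure above describes, so a client that silently accepts the hostname mismatch or the expired leaf shows up as a `fail` for that case rather than being lost in a long-lived connection. Swapping the `ssl` client for the real client under test only requires pointing it at the listener's port with the test root in its trust store.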