
rfc5077's Introduction

Various tools for testing RFC 5077

RFC 5077 is a session resumption mechanism for TLS that requires no server-side state: the session is carried in a ticket held by the client. You'll find here various tools for testing the availability of RFC 5077.

This mechanism is a TLS extension, so a client or server that does not support TLS cannot support RFC 5077.

Clients

The following clients are implemented:

  • openssl-client
  • gnutls-client
  • nss-client

They all take a host and a port as arguments. Use the -r flag to actually test reconnection. You can also add -T to disable ticket support (RFC 5077) and -S to disable session ID support. Disabling session IDs may be difficult, however, so -S may not have the expected effect.

Only the OpenSSL client is complete enough. GnuTLS does not make it easy to display session contents, and NSS offers no way to check whether a session was resumed.

Additionally, rfc5077-client offers more advanced tests against a server or a pool of servers. It tries to reuse sessions with and without tickets and queries each IP of the pool several times. Use it to check whether a server or a pool of servers supports SSL session resumption.

These clients may fail if you don't have working IPv6 connectivity. Get IPv6 connectivity. ;-)

Servers

rfc5077-server lets you test RFC 5077 support in the client of your choice. It returns an HTML page containing some JavaScript code to test browsers. You need to specify 4 ports, which respectively behave as follows:

  1. No session cache, no ticket support
  2. Session cache, no ticket support
  3. Session cache, ticket support
  4. No session cache, ticket support

While this server has some shortcomings, it should be relatively performant and you can try to benchmark it. It should also be secure enough to be exposed on the Internet.

Misc

rfc5077-pcap analyzes SSL handshakes contained in PCAP files. It tries to detect "Client Hello" messages and extracts IP addresses, protocol version, session ID, cipher suites and compression methods, and detects the use of the SNI and ticket extensions. Use it to determine how many clients support a given cipher suite or how many clients support the ticket extension.
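As an added example (not code from the rfc5077 repository), here is a minimal Python parser for the fields rfc5077-pcap pulls out of a Client Hello: protocol version, session ID, cipher suites, compression methods, and whether the SNI and SessionTicket extensions are present. The ClientHello bytes are constructed for this example; a pcap reader would hand it the first TLS record of each TCP stream.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

EXT_SERVER_NAME = 0      # RFC 6066 server_name (SNI)
EXT_SESSION_TICKET = 35  # RFC 5077 SessionTicket TLS

@dataclass
class ClientHello:
    version: tuple                  # (major, minor): (3, 3) is TLS 1.2
    session_id: bytes               # empty when the client offers no session ID to resume
    cipher_suites: List[int]
    compression_methods: List[int]
    sni: Optional[str] = None       # None when the server_name extension is absent
    ticket: Optional[bytes] = None  # None: no ticket extension; b"": supports tickets, holds none

def parse_client_hello(record: bytes) -> ClientHello:
    """Parse one TLS record carrying a ClientHello (first record of a TCP stream)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 34                                    # client_version (2) + random (32)
    sid_len = body[pos]; pos += 1
    session_id = body[pos:pos + sid_len]; pos += sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    cm_len = body[pos]; pos += 1
    methods = list(body[pos:pos + cm_len]); pos += cm_len
    hello = ClientHello((body[0], body[1]), session_id, suites, methods)
    if pos + 2 <= len(body):                    # the extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        while pos + 4 <= end:
            ext_type, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + elen]; pos += elen
            if ext_type == EXT_SESSION_TICKET:
                hello.ticket = data
            elif ext_type == EXT_SERVER_NAME and len(data) >= 5 and data[2] == 0:  # host_name
                name_len = struct.unpack("!H", data[3:5])[0]
                hello.sni = data[5:5 + name_len].decode("ascii", "replace")
    return hello

# Constructed sample: TLS 1.2 ClientHello, no session ID, SNI example.com, empty SessionTicket ext.
SAMPLE_HELLO = bytes.fromhex(
    "1603010049" "01000045" "0303" + "00" * 32 + "00" "0004c02f009c" "0100" "0018"
    "00000010" "000e00000b" "6578616d706c652e636f6d" "00230000"
)
```

An empty ticket extension is what a client sends when it supports RFC 5077 but holds no ticket yet; its presence, not its length, is what counts for the "how many clients support tickets" statistic.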

The CSV file generated by this program can then be fed to rfc5077-stats.py, which produces some graphs (and also builds a SQLite database you can query).

Getting Started

If you've just cloned this from git, run the following to ensure that the submodules http-parser and httpagentparser are installed:

  • git submodule init
  • git submodule update

Then run make to build the executables. This currently needs OpenSSL 1.1. If you have an older version, go back to the openssl-1.0 branch:

  • git checkout openssl-1.0

Dependencies

To compile these you will need the nss, openssl, gnutls, libpcap, libev and nspr headers and libraries.

On Fedora the dependencies are:

  • openssl-devel
  • gnutls-devel
  • nss-devel
  • libpcap-devel
  • libev-devel
  • nspr-devel
  • pkgconfig

On Debian, the dependencies can be installed with the following command:

apt-get install libssl-dev gnutls-dev libnss3-dev libpcap-dev libev-dev libnspr4-dev pkg-config

On OS X the dependencies can be installed via Homebrew:

# install dependencies
brew install openssl@1.1 gnutls nss libpcap libev pkg-config

# openssl@1.1, nss and libpcap are keg-only, so export some environment variables before running make
export PATH=$(brew --prefix)/opt/nss/bin:$PATH
export PATH=$(brew --prefix)/opt/libpcap/bin:$PATH
export PKG_CONFIG_PATH=$(brew --prefix)/opt/openssl@1.1/lib/pkgconfig:$PKG_CONFIG_PATH
export PKG_CONFIG_PATH=$(brew --prefix)/opt/nss/lib/pkgconfig:$PKG_CONFIG_PATH
export PKG_CONFIG_PATH=$(brew --prefix)/opt/libpcap/lib/pkgconfig:$PKG_CONFIG_PATH

# compile
make

rfc5077's Issues

compiling issues at 3c37c33b46e0

rfc5077 git:(3c37c33) make
+omz_termsupport_preexec:1> emulate -L zsh
+omz_termsupport_preexec:2> setopt extended_glob
+omz_termsupport_preexec:4> [[ '' == true ]]
+omz_termsupport_preexec:9> local CMD=make
+omz_termsupport_preexec:10> local LINE=make
+omz_termsupport_preexec:12> title '$CMD' '%100>...>$LINE%<<'
+title:1> emulate -L zsh
+title:2> setopt prompt_subst
+title:4> [[ '' == term ]]
+title:8> : '%100>...>$LINE%<<'
+title:10> case xterm-256color (cygwin | xterm*)
+title:12> print -Pn '\e]2;%100>...>$LINE%<<\a'
+title:13> print -Pn '\e]1;$CMD\a'
+-zsh:116> make
cc -g -Werror -Wall -ansi -std=c99 -D_POSIX_SOURCE -D_BSD_SOURCE -D_GNU_SOURCE -I/usr/local/opt/openssl/include/ -I/usr/local/include -I/usr/local/opt/expat/include -c -o rfc5077-client.o rfc5077-client.c
rfc5077-client.c:79:32: error: the value of the size argument in 'strncat' is too large, might lead to a buffer overflow [-Werror,-Wstrncat-size]
strncat(name, "\n[...]", sizeof(name));
^~~~~~~~~~~~
rfc5077-client.c:79:32: note: change the argument to be the free space in the destination buffer minus the terminating null byte
strncat(name, "\n[...]", sizeof(name));
^~~~~~~~~~~~
sizeof(name) - strlen(name) - 1
rfc5077-client.c:80:7: warning: array index 184 is past the end of the array (which contains 184 elements) [-Warray-bounds]
name[sizeof(name)] = '\0';
^ ~~~~~~~~~~~~
rfc5077-client.c:50:3: note: array 'name' declared here
char name[INET6_ADDRSTRLEN*4];
^
rfc5077-client.c:287:17: error: implicit declaration of function 'strdup' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
r->host = strdup(name);
^
rfc5077-client.c:287:15: error: incompatible integer to pointer conversion assigning to 'char *' from 'int' [-Werror,-Wint-conversion]
r->host = strdup(name);
^ ~~~~~~~~~~~~
rfc5077-client.c:297:11: error: implicitly declaring library function 'snprintf' with type 'int (char *, unsigned long, const char *, ...)' [-Werror,-Wimplicit-function-declaration]
n = snprintf(buffer, sizeof(buffer),
^
rfc5077-client.c:297:11: note: include the header <stdio.h> or explicitly provide a declaration for 'snprintf'
rfc5077-client.c:315:17: error: incompatible integer to pointer conversion assigning to 'char *' from 'int' [-Werror,-Wint-conversion]
r->answer = strdup(buffer);
^ ~~~~~~~~~~~~~~
rfc5077-client.c:247:5: warning: array index 46 is past the end of the array (which contains 46 elements) [-Warray-bounds]
name[sizeof(name)] = '\0';
^ ~~~~~~~~~~~~
rfc5077-client.c:226:3: note: array 'name' declared here
char name[INET6_ADDRSTRLEN];
^
rfc5077-client.c:335:17: error: implicit declaration of function 'getopt' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
while ((opt = getopt(argc, argv, "s:p:4")) != -1) {
^
rfc5077-client.c:338:18: error: use of undeclared identifier 'optarg'
sni_name = optarg;
^
rfc5077-client.c:341:14: error: use of undeclared identifier 'optarg'
port = optarg;
^
rfc5077-client.c:351:15: error: use of undeclared identifier 'optind'
if (argc <= optind) usage(argv[0]);
^
rfc5077-client.c:357:12: error: use of undeclared identifier 'optind'
for (i = optind; i < argc; i++) {
^
2 warnings and 10 errors generated.
make: *** [rfc5077-client.o] Error 1

missing http-parser/http_parser.h

Hey,

Thanks for the great bit of code and blog article. I've learned a lot, and I thought I almost had a good grasp on session tickets and I hadn't even looked at session identifiers yet.

I'm in the middle of writing a proper implementation of rfc5077 tickets for nginx and was looking at your code base for testing.

Noticed that http-parser/http_parser.h is missing from the repository. Do you have it around?

I'll probably add a bit of build documentation here once I'm done.

Thanks again. Good to see the weeks of standards development translate into implementations.

testing virtual hosts

Is it possible to test, i.e. run the client against virtual hosts that do not have a cert for ''?

[✘] Run tests without use of tickets:
│ Unable to start TLS renegotiation with ‘myip’:
│ error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

make problems

When I tried to install this software, a problem occurred....

cc -o rfc5077-client rfc5077-client.o common.o -lssl -lcrypto
rfc5077-client.o: In function `resultinfo_display':
/usr/local/src/rfc5077/rfc5077-client.c:131: undefined reference to `SSL_SESSION_get0_cipher'
/usr/local/src/rfc5077/rfc5077-client.c:153: undefined reference to `SSL_SESSION_get_master_key'
/usr/local/src/rfc5077/rfc5077-client.c:160: undefined reference to `SSL_SESSION_get_master_key'
/usr/local/src/rfc5077/rfc5077-client.c:169: undefined reference to `SSL_SESSION_has_ticket'
rfc5077-client.o: In function `resultinfo_write':
/usr/local/src/rfc5077/rfc5077-client.c:204: undefined reference to `SSL_SESSION_get0_cipher'
/usr/local/src/rfc5077/rfc5077-client.c:216: undefined reference to `SSL_SESSION_get_master_key'
/usr/local/src/rfc5077/rfc5077-client.c:219: undefined reference to `SSL_SESSION_get_master_key'
/usr/local/src/rfc5077/rfc5077-client.c:223: undefined reference to `SSL_SESSION_has_ticket'
rfc5077-client.o: In function `tests':
/usr/local/src/rfc5077/rfc5077-client.c:278: undefined reference to `SSL_set_options'
/usr/local/src/rfc5077/rfc5077-client.c:297: undefined reference to `SSL_session_reused'
rfc5077-client.o: In function `main':
/usr/local/src/rfc5077/rfc5077-client.c:378: undefined reference to `OPENSSL_init_ssl'
/usr/local/src/rfc5077/rfc5077-client.c:379: undefined reference to `OPENSSL_init_ssl'
/usr/local/src/rfc5077/rfc5077-client.c:380: undefined reference to `TLS_client_method'
collect2: ld returned 1 exit status
make: *** [rfc5077-client] Error 1

Problems when I try to compile

When I tried to compile this software, a problem occurred. Can anyone help?

Here are the problem details:

cc -g -Werror -Wall -ansi -std=c99 -D_DEFAULT_SOURCE -D_GNU_SOURCE -c -o rfc5077-client.o rfc5077-client.c
cc -g -Werror -Wall -ansi -std=c99 -D_DEFAULT_SOURCE -D_GNU_SOURCE -c -o common.o common.c
cc -o rfc5077-client rfc5077-client.o common.o -lssl -lcrypto
rfc5077-client.o: In function `resultinfo_display':
/usr/local/src/rfc5077/rfc5077-client.c:131: undefined reference to `SSL_SESSION_get0_cipher'
/usr/local/src/rfc5077/rfc5077-client.c:153: undefined reference to `SSL_SESSION_get_master_key'
/usr/local/src/rfc5077/rfc5077-client.c:160: undefined reference to `SSL_SESSION_get_master_key'
/usr/local/src/rfc5077/rfc5077-client.c:169: undefined reference to `SSL_SESSION_has_ticket'
rfc5077-client.o: In function `resultinfo_write':
/usr/local/src/rfc5077/rfc5077-client.c:204: undefined reference to `SSL_SESSION_get0_cipher'
/usr/local/src/rfc5077/rfc5077-client.c:216: undefined reference to `SSL_SESSION_get_master_key'
/usr/local/src/rfc5077/rfc5077-client.c:219: undefined reference to `SSL_SESSION_get_master_key'
/usr/local/src/rfc5077/rfc5077-client.c:223: undefined reference to `SSL_SESSION_has_ticket'
rfc5077-client.o: In function `tests':
/usr/local/src/rfc5077/rfc5077-client.c:278: undefined reference to `SSL_set_options'
/usr/local/src/rfc5077/rfc5077-client.c:297: undefined reference to `SSL_session_reused'
rfc5077-client.o: In function `main':
/usr/local/src/rfc5077/rfc5077-client.c:378: undefined reference to `OPENSSL_init_ssl'
/usr/local/src/rfc5077/rfc5077-client.c:379: undefined reference to `OPENSSL_init_ssl'
/usr/local/src/rfc5077/rfc5077-client.c:380: undefined reference to `TLS_client_method'
collect2: ld returned 1 exit status
make: *** [rfc5077-client] Error 1
