PCI DIY - Checking for Weak SSL Encryption with OpenSSL
April 3rd, 2007 Posted in PCI DIY, PCI DSS
This is the first of what will — hopefully — be many posts that will deal with the technical aspects of PCI compliance. The intention is to provide substantive information for validating commonly encountered vulnerabilities — which is also useful for comparing ASVs — with a quick-start guide style of presentation. In keeping with the spirit of my previous post, we’ll take a look at checking for weak SSL encryption using OpenSSL.
The OpenSSL command-line tool has many useful features. It comes installed by default in most Linux distributions, though it can be had on Windows as well. Rather than installing OpenSSL on an existing system, an easy alternative would be to boot up any of the popular LiveCD Linux distributions. Now, on to the fun!
PCI DSS requirement 4.1 states “Use strong cryptography and security protocols such as secure sockets layer (SSL) / transport layer security (TLS) and Internet protocol security (IPSEC) to safeguard sensitive cardholder data during transmission over open, public networks”. One common issue that merchants face in this regard is that SSLv2, which is universally considered to be insecure, comes enabled by default in most web servers.
The first check is to see if SSLv2 is enabled:
openssl s_client -connect IPADDR:PORT -ssl2
A server that doesn’t support SSLv2 will come back with a write-error, whereas one that does support SSLv2 will come back with something like the following:
[chris@toxic ~]$ openssl s_client -connect google.com:443 -ssl2
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
---
No client certificate CA names sent
---
Ciphers common between both SSL endpoints:
RC4-MD5 EXP-RC4-MD5 RC2-CBC-MD5
EXP-RC2-CBC-MD5 DES-CBC-MD5 DES-CBC3-MD5
---
SSL handshake has read 1004 bytes and written 239 bytes
---
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 1024 bit
SSL-Session:
Protocol : SSLv2
Cipher : DES-CBC3-MD5
Session-ID: DBDEE2C376B3558FCFBD80F6B5C03973
Session-ID-ctx:
Master-Key: 4C049A470A30277D7B3A00E662CC2F5034A16FCAB3BD6A63
Key-Arg : E20F5A1477892F50
Krb5 Principal: None
Start Time: 1175614353
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
SSL protected mail-servers may be checked in the same manner, though one must add the starttls switch:
openssl s_client -connect IPADDR:25 -ssl2 -starttls smtp
openssl s_client -connect IPADDR:110 -ssl2 -starttls pop3
Ciphers of less than 128 bits should also be disabled. Luckily, OpenSSL has a built-in switch that makes testing easy:
openssl s_client -connect IPADDR:PORT -cipher LOW:EXP
Similarly, null ciphers (i.e. plaintext), which are relatively common, should be disabled:
openssl s_client -connect IPADDR:PORT -cipher NULL
As well as ciphers that provide no authentication:
openssl s_client -connect IPADDR:PORT -cipher aNULL
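All of the checks above depend on reading the s_client output correctly: CONNECTED only means the TCP connection opened, so the verdict has to come from the "New, ..., Cipher is ..." summary line. The shell functions below are an added example, not part of the original post; the function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: judge `openssl s_client` output by the negotiated cipher.

# handshake_verdict LABEL: read s_client output on stdin and print one of
#   FAIL LABEL <cipher>   the server completed a handshake (weak option accepted)
#   PASS LABEL            TCP connected but no cipher was negotiated
#   INCONCLUSIVE LABEL    no CONNECTED line (port closed, or the local openssl
#                         rejected the option), so nothing was tested
handshake_verdict() {
    label=$1
    out=$(cat)
    if ! printf '%s\n' "$out" | grep -q '^CONNECTED('; then
        printf 'INCONCLUSIVE %s\n' "$label"
        return 2
    fi
    # Summary line looks like: New, SSLv2, Cipher is DES-CBC3-MD5
    cipher=$(printf '%s\n' "$out" |
        sed -n 's/^New, .*, Cipher is \(.*\)$/\1/p' | head -n 1)
    case $cipher in
        ''|'(NONE)') printf 'PASS %s\n' "$label" ;;
        *) printf 'FAIL %s %s\n' "$label" "$cipher"; return 1 ;;
    esac
}

# run_checks HOST PORT: the four checks from the post, judged on their output.
run_checks() {
    for opt in '-ssl2' '-cipher LOW:EXP' '-cipher NULL' '-cipher aNULL'; do
        # $opt is left unquoted so "-cipher X" splits into two arguments;
        # </dev/null makes s_client exit after the handshake.
        openssl s_client -connect "$1:$2" $opt </dev/null 2>&1 |
            handshake_verdict "$opt" || true
    done
}

# Constructed sample outputs (trimmed to the lines the parser reads).
sample_accepted() {
    printf '%s\n' 'CONNECTED(00000003)' 'New, SSLv2, Cipher is DES-CBC3-MD5'
}
sample_rejected() {
    printf '%s\n' 'CONNECTED(00000003)' 'New, (NONE), Cipher is (NONE)'
}
sample_no_connect() {
    printf '%s\n' 'connect: Connection refused' 'connect:errno=111'
}
```

On OpenSSL 1.1.1 and later, -cipher does not restrict TLS 1.3 suites, so add -no_tls1_3 to the cipher checks or a FAIL line may show a strong TLS 1.3 cipher. Builds without SSLv2 support reject -ssl2 outright and are reported as INCONCLUSIVE.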
Another issue that I see periodically is when the server certificate is valid, but another cert in the certificate chain is expired. To locate the offender, we must first pull down all certs in the chain:
openssl s_client -connect IPADDR:PORT -showcerts
Next, copy each certificate, paste it into a text file, and save it. It is important to get the whole cert:
-----BEGIN CERTIFICATE-----
(base64-encoded certificate body)
-----END CERTIFICATE-----
Finally, check each cert:
openssl x509 -noout -in cert.txt -enddate
If you want to check other details of the cert (e.g. issuer, subject, etc.):
openssl x509 -text -noout -in cert.txt
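The copy-and-paste steps above can be scripted. The following is an added example, not part of the original post: it splits the -showcerts output into one file per certificate and runs the expiry check on each. The function names, the cert-N.pem file naming and the sample input (placeholder bodies, not decodable certificates) are assumptions made for illustration.

```shell
# Added example: split `s_client -showcerts` output and check each expiry.
# split_chain DIR: read the output on stdin, write DIR/cert-N.pem (0 = server
# cert) and print the count. Stops at "Server certificate", a repeat of cert 0.
split_chain() {
    awk -v dir="$1" '
        /^Server certificate/ { exit }
        /^-----BEGIN CERTIFICATE-----$/ { file = sprintf("%s/cert-%d.pem", dir, n); inside = 1 }
        inside { print > file }
        /^-----END CERTIFICATE-----$/ { if (inside) { close(file); n++ }; inside = 0 }
        END { print n + 0 }
    '
}

# check_chain DIR [SECONDS]: print subject and notAfter of every cert-N.pem;
# return 1 if any is expired or expires within SECONDS (default 0).
check_chain() {
    bad=0
    for f in "$1"/cert-*.pem; do
        [ -f "$f" ] || continue
        openssl x509 -noout -subject -enddate -in "$f"
        if ! openssl x509 -noout -checkend "${2:-0}" -in "$f" >/dev/null; then
            echo "EXPIRED OR EXPIRING: $f"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample of the -showcerts layout, with placeholder bodies.
sample_showcerts() {
    cat <<'EOF'
Certificate chain
 0 s:/CN=www.example.test
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-BODY
-----END CERTIFICATE-----
 1 s:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE-BODY
-----END CERTIFICATE-----
---
Server certificate
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-BODY
-----END CERTIFICATE-----
EOF
}
```

Against a live server, create the directory first and then run: openssl s_client -connect IPADDR:PORT -showcerts </dev/null 2>/dev/null | split_chain ./chain, followed by check_chain ./chain.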
So there you have it. Please note that this is protocol-level testing and that mitigation could exist elsewhere in the connection establishment process.
If you’d like to see specific topics covered along these lines, please feel free to e-mail us.
2 Responses to “PCI DIY - Checking for Weak SSL Encryption with OpenSSL”
By lyalc on Apr 3, 2007
Actually, you’d be surprised at the number of sites that still have export encryption enabled (40, 56 bit etc), even if SSL2 is disabled.
Foundstone’s SSLDigger is a neat tool in Windows, or use OpenSSL and manually specify cipher options with the -cipher parameter, using the title of ciphers named by the strings from “openssl -ciphers”.
Cheers
Lyal
By Andy on Apr 4, 2007
I’ve traditionally used Foundstone’s SSLDigger for this, but it’s a Windows-only tool.
Went searching and found a post:
http://seclists.org/pen-test/2006/Apr/0016.html
and shows several other options including a nice openssl gnutls testing tool for internet accessible hosts and their SSL capabilities…
http://www.serversniff.net/content.php?do=ssl
Just tested it out and it appears to work well.