Score:3

Is there an open-source test tool that operates a TLS server/client with unexpected behaviors?


I'm working on an embedded system that uses the TLS v1.2 protocol for network security, and it acts as a client.

Now I want to test some TLS security functions that require connecting to a TLS server and seeing how the client reacts if the server performs unexpected behaviors that I can configure. Some of the behaviors are listed below:

  1. The server tries to send a Server Hello with cipher suites different from those the client side provided in the Client Hello message.
  2. The server tries to use a downgraded TLS version (v1.0, v1.1) which is not supported by the client.
  3. The server tries to send a corrupted certificate (flipped bytes, lost data, etc.) to the client.

Is there any Windows/Linux open-source software tool that can manipulate TLS message data for testing purposes like the above examples?

dave_thompson_085
#2 is normal negotiation -- if a server supports e.g. only 1.0 and client offers higher, it is standard for that server to respond 1.0 and let client decide whether to abort. And there are certainly open-source tools that (still) can be configured as 1.0-only or 1.1-only or 1.1-max. Cases that violate protocol are harder; the ['SMACK' (state-machine attack) researchers in 2015](https://mitls.org/pages/attacks/SMACK) used and released a 'mitls-flex' tool which is at least in the vicinity of what you want.
Score:0

A tool that might be useful is TLS-Attacker. It was introduced to test the security of TLS libraries. It does so by creating custom protocol flows that users can specify. The paper indicates that the tool has been successful at finding many issues (with assigned CVEs) in libraries. (Disclaimer: I haven't used it myself, so I cannot tell how suitable it is for your use case.)
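For the first two test cases in the question, a bench-side test server can be written directly against the TLS 1.2 record format. The sketch below is an added example, not code from either post nor from mitls-flex or TLS-Attacker; the function names, the `FALLBACKS` selection and port 4433 are assumptions, and it assumes the client's ClientHello arrives in a single record.

```python
import socket, struct

FALLBACKS = (0x002F, 0x0035, 0x009C, 0xC02F)   # registered suite IDs; this selection is arbitrary

def parse_client_hello(record: bytes):
    """Return (client_version, offered_suites); assumes the ClientHello fits in one record."""
    hello = record[9:9 + int.from_bytes(record[6:9], "big")]
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01 or len(hello) < 35:
        raise ValueError("not a complete ClientHello record")
    pos = 35 + hello[34]                        # skip version (2), random (32), session_id
    n = int.from_bytes(hello[pos:pos + 2], "big")
    raw = hello[pos + 2:pos + 2 + n]
    if n == 0 or n % 2 or len(raw) != n:
        raise ValueError("malformed cipher_suites")
    return int.from_bytes(hello[:2], "big"), [int.from_bytes(raw[i:i + 2], "big") for i in range(0, n, 2)]

def build_server_hello(version: int, suite: int) -> bytes:
    """Minimal ServerHello record: zero random, empty session_id, null compression."""
    hello = struct.pack("!H32sBHB", version, bytes(32), 0, suite, 0)
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, version, len(hs)) + hs

def misbehaving_reply(client_hello: bytes, force_version=None) -> bytes:
    """Case 1: select a suite the client never offered. Case 2: answer with force_version."""
    version, offered = parse_client_hello(client_hello)
    if force_version is not None:
        return build_server_hello(force_version, offered[0])
    return build_server_hello(version, next(s for s in FALLBACKS if s not in offered))

def classify(reply: bytes) -> str:
    if len(reply) >= 7 and reply[0] == 0x15:    # alert record: level, then description
        return f"alert level={reply[5]} description={reply[6]}"
    return "closed without alert" if not reply else "unexpected data from client"

def serve_once(port: int, force_version=None, timeout: float = 5.0) -> str:
    """Accept one client, send the bad ServerHello, and report how the client reacted."""
    with socket.create_server(("", port)) as srv:
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as rf:
            conn.settimeout(timeout)
            hdr = rf.read(5)
            conn.sendall(misbehaving_reply(hdr + rf.read(int.from_bytes(hdr[3:5], "big")), force_version))
            try:
                return classify(rf.read1(64))
            except (socket.timeout, ConnectionError) as exc:
                # A timeout means the client kept waiting, i.e. it accepted the ServerHello.
                return f"no alert: {type(exc).__name__}"

if __name__ == "__main__":
    print(serve_once(4433))                     # case 2: serve_once(4433, force_version=0x0301)
```

For case 2, RFC 5246 Appendix E.1 requires the client to send a `protocol_version` alert (description 70) and close; for case 1 the client is expected to abort, commonly with `illegal_parameter` (47).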
