Blogging Techstacks

Here's a basic OpenSSL version number matrix, which I compiled because I couldn't find it on the 'net earlier. It's displayed here as a simple perl hash and goes back to the May 1999 release of version 0.9.3. Versions prior to 0.9.3 utilized a different versioning scheme. It includes the openssl version number in hex from the crypto/opensslv.h header file and its corresponding version string plus the release date.

#OPENSSL VERSION NUMBER MATRIX

# Format of this hash is:
# version number in hex => Version Number - Release Date
%openssl_versions = (
    '0x00903100' => 'OpenSSL 0.9.3  - May 24 1999',
    '0x00903101' => 'OpenSSL 0.9.3a - May 29 1999', 
    '0x00904100' => 'OpenSSL 0.9.4  - Aug  9 1999',
    '0x00905100' => 'OpenSSL 0.9.5  - Feb 29 2000',
    '0x0090581f' => 'OpenSSL 0.9.5a - Apr  3 2000',
    '0x0090600f' => 'OpenSSL 0.9.6  - Sep 24 2000',
    '0x0090601f' => 'OpenSSL 0.9.6a - Apr  5 2001',
    '0x0090602f' => 'OpenSSL 0.9.6b - Jul  9 2001',
    '0x0090603f' => 'OpenSSL 0.9.6c - Dec 21 2001',
    '0x0090604f' => 'OpenSSL 0.9.6d - May 10 2002',
    '0x0090605f' => 'OpenSSL 0.9.6e - Jul 30 2002',
    '0x0090606f' => 'OpenSSL 0.9.6f - Aug  8 2002',
    '0x0090607f' => 'OpenSSL 0.9.6g - Aug  9 2002',
    '0x0090608f' => 'OpenSSL 0.9.6h - Dec  8 2002',
    '0x0090700f' => 'OpenSSL 0.9.7  - Dec 31 2002',
    '0x0090609f' => 'OpenSSL 0.9.6i - Feb 19 2003',
    '0x0090701f' => 'OpenSSL 0.9.7a - Feb 19 2003',
    '0x0090702f' => 'OpenSSL 0.9.7b - Apr 10 2003',
    '0x009060af' => 'OpenSSL 0.9.6j - Apr 10 2003',
    '0x0090703f' => 'OpenSSL 0.9.7c - Sep 30 2003',
    '0x009060bf' => 'OpenSSL 0.9.6k - Sep 30 2003',
    '0x009060cf' => 'OpenSSL 0.9.6l - Nov  4 2003',
    '0x009060df' => 'OpenSSL 0.9.6m - Mar 17 2004',
    '0x0090704f' => 'OpenSSL 0.9.7d - Mar 17 2004',
    '0x0090705F' => 'OpenSSL 0.9.7e - Oct 25 2004',
    '0x0090706F' => 'OpenSSL 0.9.7f - Mar 22 2005',
    '0x0090707f' => 'OpenSSL 0.9.7g - Apr 11 2005',
    '0x0090800f' => 'OpenSSL 0.9.8  - Jul  5 2005',
    '0x0090708f' => 'OpenSSL 0.9.7h - Oct 11 2005',
    '0x0090801f' => 'OpenSSL 0.9.8a - Oct 11 2005',
    '0x0090709f' => 'OpenSSL 0.9.7i - Oct 15 2005',
    '0x009070af' => 'OpenSSL 0.9.7j - May  4 2006',
    '0x0090802f' => 'OpenSSL 0.9.8b - May  4 2006',
    '0x009070bf' => 'OpenSSL 0.9.7k - Sep  5 2006',
    '0x0090803f' => 'OpenSSL 0.9.8c - Sep  5 2006',
    '0x009070cf' => 'OpenSSL 0.9.7l - Sep 28 2006',
    '0x0090804f' => 'OpenSSL 0.9.8d - Sep 28 2006',
    '0x009070df' => 'OpenSSL 0.9.7m - Feb 23 2007',
    '0x0090805f' => 'OpenSSL 0.9.8e - Feb 23 2007',
    '0x00908070' => 'OpenSSL 0.9.8f - Oct 11 2007',
    '0x0090807f' => 'OpenSSL 0.9.8g - Oct 19 2007',
    '0x0090808f' => 'OpenSSL 0.9.8h - May 28 2008',
    '0x0090809f' => 'OpenSSL 0.9.8i - Sep 15 2008',
    '0x009080af' => 'OpenSSL 0.9.8j - Jan  7 2009',
    '0x009080bf' => 'OpenSSL 0.9.8k - Mar 25 2009',
    '0x10000001' => 'OpenSSL 1.0.0-beta1 - Apr 1 2009',
    '0x10000002' => 'OpenSSL 1.0.0-beta2 - Apr 21 2009',
    '0x10000003' => 'OpenSSL 1.0.0-beta3 - Jul 15 2009',
    '0x009080cf' => 'OpenSSL 0.9.8l - Nov  5 2009',
    '0x10000004' => 'OpenSSL 1.0.0-beta4 - Nov 10 2009',
    '0x10000005' => 'OpenSSL 1.0.0-beta5 - Jan 20 2010',
    '0x009080d1' => 'OpenSSL 0.9.8m-beta1 - Jan 20 2010',
    '0x009080df' => 'OpenSSL 0.9.8m - Feb 25 2010',
    '0x009080ef' => 'OpenSSL 0.9.8n - Mar 24 2010',
    '0x1000000f' => 'OpenSSL 1.0.0  - Mar 29 2010',
    '0x009080ff' => 'OpenSSL 0.9.8o - Jun  1 2010',
    '0x1000001f' => 'OpenSSL 1.0.0a - Jun  1 2010',
    '0x0090810f' => 'OpenSSL 0.9.8p - Nov 16 2010',
    '0x1000002f' => 'OpenSSL 1.0.0b - Nov 16 2010',
    '0x0090811f' => 'OpenSSL 0.9.8q - Dec  2 2010',
    '0x1000003f' => 'OpenSSL 1.0.0c - Dec  2 2010',
    '0x0090812f' => 'OpenSSL 0.9.8r - Feb  8 2011',
    '0x1000004f' => 'OpenSSL 1.0.0d - Feb  8 2011',
    '0x1000005f' => 'OpenSSL 1.0.0e - Sep  6 2011',
    '0x10001001' => 'OpenSSL 1.0.1-beta1 - Jan  3 2012',
    '0x1000006f' => 'OpenSSL 1.0.0f - Jan  4 2012',
    '0x0090813f' => 'OpenSSL 0.9.8s - Jan  4 2012',
    '0x0090814f' => 'OpenSSL 0.9.8t - Jan 18 2012',
    '0x1000007f' => 'OpenSSL 1.0.0g - Jan 18 2012',
    '0x10001002' => 'OpenSSL 1.0.1-beta2 - Jan 19 2012',
    '0x10001003' => 'OpenSSL 1.0.1-beta3 - Feb 24 2012',
    '0x1000008f' => 'OpenSSL 1.0.0h - Mar 12 2012',
    '0x0090815f' => 'OpenSSL 0.9.8u - Mar 12 2012',
    '0x1000100f' => 'OpenSSL 1.0.1  - Mar 14 2012',
    '0x1000009f' => 'OpenSSL 1.0.0i - Apr 19 2012',
    '0x0090816f' => 'OpenSSL 0.9.8v - Apr 19 2012',
    '0x1000101f' => 'OpenSSL 1.0.1a - Apr 19 2012',
    '0x0090817f' => 'OpenSSL 0.9.8w - Apr 23 2012',
    '0x1000102f' => 'OpenSSL 1.0.1b - Apr 26 2012',
    '0x0090818f' => 'OpenSSL 0.9.8x - May 10 2012',
    '0x100000af' => 'OpenSSL 1.0.0j - May 10 2012',
    '0x1000103f' => 'OpenSSL 1.0.1c - May 10 2012',
    '0x0090819f' => 'OpenSSL 0.9.8y - Feb  5 2013',
    '0x100000bf' => 'OpenSSL 1.0.0k - Feb  5 2013',
    '0x1000104f' => 'OpenSSL 1.0.1d - Feb  5 2013',
    '0x1000105f' => 'OpenSSL 1.0.1e - Feb 11 2013'
);

This is the first new release in about 8 months and this version adds one new feature and one bug fix; both involving certificate and host name validation.

Previous versions of CryptoNark, when run with the --insecure switch, would exit if the host name scanned did not match the common name or subject alternative name bound to the certificate. This made it hard to do things like scan an IP address or scan a single host in a farm of servers to see what ciphers were enabled (or if cipher remediation steps were successful). Now, when the --insecure argument is given, cryptonark will not perform any host name or certificate validation at all, (but it will still perform a cipher scan).

New in this version is a cosmetic change. Previous versions of cryptonark would perform certificate and host name validation but would only output the common name of the certificate. This version now outputs the common name and any subject alternative names that are bound to the certificate.

The main cryptonark page has been updated to reflect this change history and you can download a copy from the Techstacks Downloads page. Thanks again for everyone who has given this tool a try! Please let me know of any issues by sending me a mail at techstacks [at] gmail [dot] com or via twitter @techstacks.

Recently, @johngoggan notified me via tweet that (I am paraphrasing here) the insecure argument in cryptonark is still too secure in that cryptonark will still exit if the common name on the certificate does not match the host name that cryptonark is scanning. Although embarrassed that I missed this, I was also quite happy as this was the first bit of direct feedback on functionality that I have had with cryptonark since it was launched back in July, 2009.

insecure initially was set up to disable certificate verification and I was specifically thinking of those use cases where you are scanning a host using a self-signed certificate or when you have an invalid chain. My ultimate goal with it, however, was to emulate the insecure switch in cURL. As John pointed out, cryptonark version 0.4.6 and below will not perform the cipher scan if the hostname doesn't match the common name on the cert. I have addressed this by completely disabling host and certificate validation when insecure is used. While playing around with it though, I have come across some other functionality that I was not thrilled with, which required me slightly overhauling cryptonark's certificate verification functionality.

Typically, when you purchase a CA signed certificate, you specify a Common Name, like "www.somesite.com". Many CA's will automatically attach a Subject Alternative Name of "somesite.com" as part of your purchase, which allows browsers to connect using either the www.somesite.com name or the somesite.com name. In this example, www.somesite.com is the common name and somesite.com is a Subject Alternative Name. Although cryptonark still successfully validated the certificate if you specified the Subject Alternative Name as part of the host argument, if would only display the certificate Common Name in the output with no mention that a Subject Alternative Name of somesite.com exists for this cert. This might be confusing for some people scanning a host secured by an ssl crtificate that has a lot of Subject Alternative Names attached to it.

Below is a new script that you can use that will validate the certificate that secures a host or site and will display the Common Name and any Subject Alternative Names defined on the cert. Validation is performed against Mozilla's certificate store, included in the script using perl module Mozilla::CA. You will not need firefox installed on your machine but you will need to download Mozilla::CA from the CPAN. There is no insecure switch with this script as it's express purpose is to validate certificates but this script will be incorporated into CryptoNark 0.4.7. There are only two arguments, host and port. The script also makes use of my personal favorite module IO::Socket:SSL for connecting to ssl sites, Modern::Perl and Getopt::Long.

#!/usr/bin/env perl

use Modern::Perl;
use IO::Socket::SSL;
use Mozilla::CA;
use Getopt::Long;

my $host;
my $port;
my $verifymode = '0';

sub usage{
    say "Usage: chkcert.pl -h|--host <hostname> -p|--port <port number>";
    exit;
  }

usage() if ( ! GetOptions("h|host=s" => \$host, "p|port=s" => \$port) or ( ! defined $host) or ( ! defined $port) );

# Basic certificate checking
sub cert_info{
say "\nVerifying SSL Certificate...\n";
sleep 2;

my $certclient = IO::Socket::SSL->new(
  PeerHost => "$host:$port",
  SSL_ca_file => Mozilla::CA::SSL_ca_file(),
  SSL_verify_mode => $verifymode,
  SSL_version => 'TLSv1',
  SSL_cipher_list => 'RC4-SHA',
  Proto => 'tcp',
  Timeout => '5',
  ) 
    || die("Certificate Peer Verification Failed\n\nCertificate not trusted. This could be due to:\n  + An invalid certificate chain\n  + A self-signed certificate\n  + You are scanning the IP address and not the DNS hostname\n  + Host $host does not appear to be listening on port $port\n  + You misspelled the intended host to be scanned.\n  + The CA signing this cert is not trusted by your version of Mozilla::CA\n\n");

  $certclient->verify_hostname($host, "http")
    || die("Hostname Verification Failed.\n$host does not match certificate's common name.\n\n");
  say "Certificate appears to be valid.";
  my $cn = $certclient->peer_certificate("cn");
  if ( $cn eq "" ) {
    say "Certificate Common Name: none";
    }
    else {
      say "Certificate Commmon Name: " . $cn;
      }

  my @san = $certclient->peer_certificate("subjectAltNames");
  my $san_names = join(" ", grep { !( $_ eq 2 ) } @san);

  if ( $san_names eq "" ) {
    say "Subject Alternative Names: none";
    }
    else {
  say "Subject Alternative Names: " . $san_names;
  }
}

cert_info();