Java SSL/TLS Testing Tool: Cipher Suite

-
Recently I was reading about the TLS/SSL and Ciphers. I was also interested to read about the Ciphers that are provided out of the box with JDK. This looked to me like this is something we take it for granted and do not do our due diligence when talking about the Ciphers. We often times leave those topic to our organization's network and security team. From my experience, it is a topic that all the developers leave it to the Sr. Developers and then the Sr. Developers pass it on to the Management. Guess what? It is not a sweet topic to discussion. To break this kind of symptom, I have choose to make it simple and want everyone to understand the complexity and importance of knowing this.

Lets get started

Before we wet our hands here is some basic information that you will require to know,


Word Meaning
Protocol A defined set of rules and regulations that determine how data is transmitted in telecommunications and computer networking
SSL Secure Sockets Layer (SSL), which is now prohibited from use by the Internet Engineering Task Force (IETF). New Word is TLS
TLS Transport Layer Security (TLS) – and its predecessor, Secure Sockets Layer (SSL), which is now prohibited from use by the Internet Engineering Task Force (IETF) – are cryptographic protocols that provide communications security over a computer network.[1] Several versions of the protocols find widespread use in applications such as web browsing, email, Internet faxing, instant messaging, and voice over IP (VoIP). Websites are able to use TLS to secure all communications between their servers and web browsers
TLS Versions
/Protocols		 1. SSL 1.0, 2.0 and 3.0
2. TLS 1.0
3. TLS 1.1
4. TLS 1.2
5. TLS 1.3
In simple terms remember more the version increases it is supposed to be more secure or hackers has not yet made significant progress.
Cipher suite A cipher suite is a set of algorithms that help secure a network connection that uses Transport Layer Security (TLS) or Secure Socket Layer (SSL).

Basics of networking

When any two devices communicate between each other then it is called network. If we just go by this, that means, when any computer/device talk with each other there is network. This has been formalized as the OSI model and I am not getting deep into that and would strongly recommend you guys get yourself refreshed with the below image.

Source: https://en.wikipedia.org/wiki/OSI_model


This topic is all about the presentation layer. We will be dealing with the network security at the TLS. This does not talk about the application layer security like user credentials, etc. May be later I will write about them when I find time. For now we are talking about the presentation layer security. This is the actual backbone of any secure connection.

This is very important aspect of communication because, it encrypts the data packets while exchanged and anyone sniffing the network only sees encrypted message. With that it gives security, privacy, integrity and many more.

What make them Secure?

Now that the connection between any two device is established and secured at the transport layer, we will see what makes them secure connection. When talking of encryption and decryption it is nothing but algorithms that make them happen. When we say algorithms, it is the sequence of steps that will mask or hide the data and unhide it for the receiver.



How do you think this is happening? The answer is simple, the sender and receiver has a set of standard algorithms called Cipher Suites. Thus, it is clear that the Cipher Suites is nothing but set of algorithms that are used to encode and decode the data exchange is called the Cipher algorithm. The set of algorithms that cipher suites usually contain include: a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm. A cipher suite is the combination of algorithms used during the following stages:
  • Key Agreement
  • Authentication
  • Symmetric Cipher and Key Size
  • Hash Algorithm for Message Authentication

What is in Java Terms?

Now, talking about things that we assume to be available as out of the box is the rich set of Cipher Suites. Java has a rich ser of Ciphers in every release of JDK and in patches or separate distribution package they keep adding them. There are many ways we can try to find the currently available Ciphers that will make the connection between client JDK and the secure server possible. Most of the times it has been that little thing the networking or the security team will be involved in discussion. Here as a developer, we will be able to tell the strength of the JDK to communicate to the server.

Java TLS Test CLI Tool

To test this and to provide standardized output, I have written a simple java program and bundled with Node JS for distribution. If you have Node JS and JDK installed on your computer we will be able to get this thing into working.

Install

To install the tool just install using the node package manager.

$ npm i -g java-ssltest-cli


Once this is installed you should be able to just type javassltest on your terminal.


$ javassltest                                                                                                                                  1 ↵
Usage: javassltest [opts] host[:port]

Options:
-sslprotocol                 Sets the SSL/TLS protocol to be used (e.g. SSL, TLS, SSLv3, TLSv1.2, etc.)
-enabledprotocols protocols  Sets individual SSL/TLS ptotocols that should be enabled
-ciphers cipherspec          A comma-separated list of SSL/TLS ciphers

-keystore                    Sets the key store for connections (for TLS client certificates)
-keystoretype type           Sets the type for the key store
-keystorepassword pass       Sets the password for the key store
-keystoreprovider provider   Sets the crypto provider for the key store

-truststore                  Sets the trust store for connections
-truststoretype type         Sets the type for the trust store
-truststorepassword pass     Sets the password for the trust store
-truststorealgorithm alg     Sets the algorithm for the trust store
-truststoreprovider provider Sets the crypto provider for the trust store
-crlfilename                 Sets the CRL filename to use for the trust store

-check-certificate           Checks certificate trust (default: false)
-no-check-certificate        Ignores certificate errors (default: true)
-verify-hostname             Verifies certificate hostname (default: false)
-no-verify-hostname          Ignores hostname mismatches (default: true)

-showsslerrors               Show SSL/TLS error details
-showhandshakeerrors         Show SSL/TLS handshake error details
-showerrors                  Show all connection error details
-hiderejects                 Only show protocols/ciphers which were successful
-showcerts                   Shows some basic Certificate details

-h -help --help              Shows this help message

Sample Output


Here is a sample output of ssl test from my JDK to blog.vpv.io.


$ javassltest -hiderejects blog.vpv.io
Host [blog.vpv.io] resolves to address [104.27.185.31], [104.27.184.31]
Auto-detected client-supported protocols: [SSLv3, TLSv1, TLSv1.1, TLSv1.2]
Testing server blog.vpv.io:443
Supported Protocol Cipher
 Accepted  TLSv1.2 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 Accepted  TLSv1.2 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 Accepted  TLSv1.2 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
 Accepted  TLSv1.2 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
 Accepted  TLSv1.2 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
 Accepted  TLSv1.2 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Given this client's capabilities ([SSLv3, TLSv1, TLSv1.1, TLSv1.2]), the server prefers protocol=TLSv1.2, cipher=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Total Execution time:07.793s

Based on the output the above mentioned algorithms are only supported by my JDK while communicating to the server. The pre-shared keys are in the form of certificates and the communication happens securely.


Conclusion



With this, I think, it should help the developers to be able to talk with their network or security team about the TLS and not shy away. In case of any questions, please leave a comment. I will get bas as soon as possible. Lets secure the future.

References

1. https://github.com/reflexdemon/java-ssl-test
2. https://www.npmjs.com/package/java-ssltest-cli
3. https://docs.oracle.com/javase/9/security/toc.htm












Comments

Post a Comment

Popular posts from this blog

PWA: Building and publishing a PWA in 15ish minutes using Angular 5 and Service Worker

-
Image
Introduction Here is an express start to your first PWA with service workers and a 100% score from lighthouse. I have taken it as a challenge to be able to present it to you so that you may be able to put your first pwa "hello world" app in 15ish minutes. What is PWA? Progressive web apps (PWAs) take traditional web sites/applications — with all of the advantages the web brings — and add a number of features that give them many of the user experience advantages of native apps. This set of docs tells you all you need to know. - Source: https://developer.mozilla.org/en-US/Apps/Progressive If the above definition sounds interesting, then this is to get you kickstarted with PWA using Angular 5 and inspire you to build more PWAs. End of this post you should be able to build, host and publish a PWA and get motivated to read more about it. Ever since I read about PWAs It has intrested me like crazy. Before, you get excited about PWA, please look into the supported brow
Read more

Yarn and Angular-CLI

-
Background I have been thinking of a faster package management tool ever since I started using NPM (Node Package Manager). Please don’t mistake me having anything against NPM. I still love this package manager and I very much love the rich command-line that it came with. When it was created, it was really the leader and because of this NPM the whole JS world has seen a revolution. NPM surly was the spark to the revolution in the JS (Java Script) world. To make it clear for everyone why we needed a new package manager is because of the following challenges that we had with NPM, 1.      The Nested dependencies that was sometimes going in infinity loops. At times, it was impossible to delete files on the PC as the paths were too nested. 2.      Everything on the world had to depend on only one registry. https://www.npmjs.com/ 3.      Single threaded installation. The installation of the dependencies are single threaded. 4.      You are always expected to be online even i
Read more