Java SSL/TLS Testing Tool: Cipher Suite

Recently I was reading about the TLS/SSL and Ciphers. I was also interested to read about the Ciphers that are provided out of the box with JDK. This looked to me like this is something we take it for granted and do not do our due diligence when talking about the Ciphers. We often times leave those topic to our organization's network and security team. From my experience, it is a topic that all the developers leave it to the Sr. Developers and then the Sr. Developers pass it on to the Management. Guess what? It is not a sweet topic to discussion. To break this kind of symptom, I have choose to make it simple and want everyone to understand the complexity and importance of knowing this.

Lets get started

Before we wet our hands here is some basic information that you will require to know,


Word Meaning
Protocol A defined set of rules and regulations that determine how data is transmitted in telecommunications and computer networking
SSL Secure Sockets Layer (SSL), which is now prohibited from use by the Internet Engineering Task Force (IETF). New Word is TLS
TLS Transport Layer Security (TLS) – and its predecessor, Secure Sockets Layer (SSL), which is now prohibited from use by the Internet Engineering Task Force (IETF) – are cryptographic protocols that provide communications security over a computer network.[1] Several versions of the protocols find widespread use in applications such as web browsing, email, Internet faxing, instant messaging, and voice over IP (VoIP). Websites are able to use TLS to secure all communications between their servers and web browsers
TLS Versions
/Protocols
1. SSL 1.0, 2.0 and 3.0
2. TLS 1.0
3. TLS 1.1
4. TLS 1.2
5. TLS 1.3
In simple terms remember more the version increases it is supposed to be more secure or hackers has not yet made significant progress.
Cipher suite A cipher suite is a set of algorithms that help secure a network connection that uses Transport Layer Security (TLS) or Secure Socket Layer (SSL).

Basics of networking

When any two devices communicate between each other then it is called network. If we just go by this, that means, when any computer/device talk with each other there is network. This has been formalized as the OSI model and I am not getting deep into that and would strongly recommend you guys get yourself refreshed with the below image.

Source: https://en.wikipedia.org/wiki/OSI_model


This topic is all about the presentation layer. We will be dealing with the network security at the TLS. This does not talk about the application layer security like user credentials, etc. May be later I will write about them when I find time. For now we are talking about the presentation layer security. This is the actual backbone of any secure connection.

This is very important aspect of communication because, it encrypts the data packets while exchanged and anyone sniffing the network only sees encrypted message. With that it gives security, privacy, integrity and many more.

What make them Secure?

Now that the connection between any two device is established and secured at the transport layer, we will see what makes them secure connection. When talking of encryption and decryption it is nothing but algorithms that make them happen. When we say algorithms, it is the sequence of steps that will mask or hide the data and unhide it for the receiver.



How do you think this is happening? The answer is simple, the sender and receiver has a set of standard algorithms called Cipher Suites. Thus, it is clear that the Cipher Suites is nothing but set of algorithms that are used to encode and decode the data exchange is called the Cipher algorithm. The set of algorithms that cipher suites usually contain include: a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm. A cipher suite is the combination of algorithms used during the following stages:
  • Key Agreement
  • Authentication
  • Symmetric Cipher and Key Size
  • Hash Algorithm for Message Authentication

What is in Java Terms?

Now, talking about things that we assume to be available as out of the box is the rich set of Cipher Suites. Java has a rich ser of Ciphers in every release of JDK and in patches or separate distribution package they keep adding them. There are many ways we can try to find the currently available Ciphers that will make the connection between client JDK and the secure server possible. Most of the times it has been that little thing the networking or the security team will be involved in discussion. Here as a developer, we will be able to tell the strength of the JDK to communicate to the server.

Java TLS Test CLI Tool

To test this and to provide standardized output, I have written a simple java program and bundled with Node JS for distribution. If you have Node JS and JDK installed on your computer we will be able to get this thing into working.

Install

To install the tool just install using the node package manager.

$ npm i -g java-ssltest-cli


Once this is installed you should be able to just type javassltest on your terminal.


$ javassltest                                                                                                                                  1 ↵
Usage: javassltest [opts] host[:port]

Options:
-sslprotocol                 Sets the SSL/TLS protocol to be used (e.g. SSL, TLS, SSLv3, TLSv1.2, etc.)
-enabledprotocols protocols  Sets individual SSL/TLS ptotocols that should be enabled
-ciphers cipherspec          A comma-separated list of SSL/TLS ciphers

-keystore                    Sets the key store for connections (for TLS client certificates)
-keystoretype type           Sets the type for the key store
-keystorepassword pass       Sets the password for the key store
-keystoreprovider provider   Sets the crypto provider for the key store

-truststore                  Sets the trust store for connections
-truststoretype type         Sets the type for the trust store
-truststorepassword pass     Sets the password for the trust store
-truststorealgorithm alg     Sets the algorithm for the trust store
-truststoreprovider provider Sets the crypto provider for the trust store
-crlfilename                 Sets the CRL filename to use for the trust store

-check-certificate           Checks certificate trust (default: false)
-no-check-certificate        Ignores certificate errors (default: true)
-verify-hostname             Verifies certificate hostname (default: false)
-no-verify-hostname          Ignores hostname mismatches (default: true)

-showsslerrors               Show SSL/TLS error details
-showhandshakeerrors         Show SSL/TLS handshake error details
-showerrors                  Show all connection error details
-hiderejects                 Only show protocols/ciphers which were successful
-showcerts                   Shows some basic Certificate details

-h -help --help              Shows this help message

Sample Output


Here is a sample output of ssl test from my JDK to blog.vpv.io.


$ javassltest -hiderejects blog.vpv.io
Host [blog.vpv.io] resolves to address [104.27.185.31], [104.27.184.31]
Auto-detected client-supported protocols: [SSLv3, TLSv1, TLSv1.1, TLSv1.2]
Testing server blog.vpv.io:443
Supported Protocol Cipher
 Accepted  TLSv1.2 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 Accepted  TLSv1.2 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 Accepted  TLSv1.2 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
 Accepted  TLSv1.2 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
 Accepted  TLSv1.2 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
 Accepted  TLSv1.2 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Given this client's capabilities ([SSLv3, TLSv1, TLSv1.1, TLSv1.2]), the server prefers protocol=TLSv1.2, cipher=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Total Execution time:07.793s

Based on the output the above mentioned algorithms are only supported by my JDK while communicating to the server. The pre-shared keys are in the form of certificates and the communication happens securely.


Conclusion



With this, I think, it should help the developers to be able to talk with their network or security team about the TLS and not shy away. In case of any questions, please leave a comment. I will get bas as soon as possible. Lets secure the future.

References

1. https://github.com/reflexdemon/java-ssl-test
2. https://www.npmjs.com/package/java-ssltest-cli
3. https://docs.oracle.com/javase/9/security/toc.htm












Comments

Popular posts from this blog

Developing Spring Boot Application using Docker - Part 1

Undocumented JAVA: Web Application: Deploy to the Cloud – Part 1