Skip to content

olivierh59500/tlsfuzzer

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

196 Commits

docs

docs

 
 

scripts

scripts

 
 

tests

tests

 
 

tlsfuzzer

tlsfuzzer

 
 

.checkignore

.checkignore

 
 

.codeclimate.yml

.codeclimate.yml

 
 

.gitignore

.gitignore

 
 

.gitmodules

.gitmodules

 
 

.landscape.yaml

.landscape.yaml

 
 

.pep257

.pep257

 
 

.travis.yml

.travis.yml

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

build-requirements.txt

build-requirements.txt

 
 

requirements.txt

requirements.txt

 
 

setup.py

setup.py

 
 

Repository files navigation

Build Status Coverage Status Code Health Code Climate Code Issues

tlsfuzzer

Fuzzer and test suite for TLS (v1.0, v1.1, v1.2) implementations. Early alpha version - thus no API stability guarantees.

Dependencies

You'll need:

  • Python 2.6 or later or Python 3.2 or later
  • tlslite-ng 0.6.0-alpha5 or later (note that tlslite will not work and they conflict with eachother)
  • ecdsa python module (dependency of tlslite-ng, should get installed automatically with it)

Optionally, to make some calculations faster, you may want to install the following libraries (see tlslite-ng README for details):

  • m2crypto
  • pycrypto
  • gmp

To get pip (if your python installation doesn't already have it) download get-pip.py and run:

python get-pip.py

Then install tlslite-ng:

pip install --pre tlslite-ng

(Use --upgrade if you did install it before)

Download the tlsfuzzer:

git clone https://github.com/tomato42/tlsfuzzer.git

Usage

After all dependencies are installed, make sure:

  • you're in the directory of the project (after git clone just cd tlsfuzzer)
  • the server you want to test is running on the same computer (localhost)
  • the server is listening on port 4433
  • and the server will answer with data to HTTP queries (answer with valid HTTP responses is optional)

Then you can just run one of the tests in scripts directory, as such:

PYTHONPATH=. python scripts/test-invalid-compression-methods.py

If test has additional requirements, it will output them to console. No errors printed means that all expecations were met (so for tests with bad data the server rejected our messages).

Server under test configuration

In general, the server under test requires just a RSA certificate, you can create it using the following OpenSSL command:

openssl req -x509 -newkey rsa -keyout localhost.key -out localhost.crt -subj \
/CN=localhost -nodes -batch

OpenSSL

To test OpenSSL, it's sufficient to pass an extra -www option to a typical s_server command line:

openssl s_server -key localhost.key -cert localhost.crt -www

GnuTLS

To test GnuTLS server, you need to tell it to behave as an HTTP server and additionally, to not ask for client certificates:

gnutls-serv --http -p 4433 --x509keyfile localhost.key --x509certfile \
localhost.crt --disable-client-cert

NSS

To test the Mozilla NSS library server, you first need to create a database with server certificate:

mkdir nssdb
certutil -N -d sql:nssdb --empty-password
openssl pkcs12 -export -passout pass: -out localhost.p12 -inkey localhost.key \
-in localhost.crt -name localhost
pk12util -i localhost.p12 -d sql:nssdb -W ''

Finally, start the server with support for TLSv1.0 and later protocols, DHE ciphers and with the above certificate:

selfserv -d sql:./nssdb -p 4433 -V tls1.0: -H 1 -n localhost

About

TLS test suite and fuzzer

Resources

Readme

License

GPL-2.0 license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Python 99.9%
  • Makefile 0.1%