Tlsassistant
An open-source modular framework capable of identifying a wide range of TLS vulnerabilities and assessing compliance with multiple guidelines. Its actionable report can assist the user in correctly and easily fixing their configurations.
TLSAssistant v3
TLSAssistant v3.1 is the latest version of TLSAssistant, a modular state-of-the-art TLS analyzer, extensible with new features and thus capable of streamlining the mitigation process of known and newly discovered TLS attacks even for non-expert users. The companion page, containing additional details, can be found here.
The latest release introduces a redesigned PDF report, a novel module able to perform compliance analyses against five agency-issued technical guidelines:
- AgID ver.2020-01
- ANSSI v1.2
- BSI TR-02102-2 and TR-03116-4
- Mozilla v5.7
- NIST SP 800-52 Rev. 2 (and related)
and the integration of a new state-of-the-art static and extensible app security testing tool called SEBASTiAn. Its presence enhances the existing Android analyses and introduces the possibility to analyze iOS applications.
Features
<details> <summary>Vulnerability analysis</summary>
Vulnerability analysis report
TLSAssistant is capable of identifying a wide range of TLS vulnerabilities and generating actionable reports that can assist the system administrators in correctly and easily fixing their configurations.
The list of detectable issues is:
- Android applications (.apk)
  - Accepting all SSL certificates
  - Allow all hostname
  - Certificate or keyStore disclosure
  - Crypto ECB ciphers
  - Debuggable application
  - Default HTTP scheme
  - Insecure connection
  - Insecure HostnameVerifier
  - Insecure SocketFactory
  - Insecure Socket
  - Invalid server certificate
  - Obfuscated Code
  - SSL GetInsecure Method
  - Weak Algorithms
  - WebView SSL Errors
- iOS applications (.ipa)
  - Allow HTTP Plist
  - Insecure connection Plist
  - Insecure TLS version Plist
  - No forward secrecy Plist
  - Weak crypto
- Webservers
  - 3SHAKE
  - ALPACA
  - BEAST
  - BREACH
  - CCS Injection
  - Certificate Transparency
  - CRIME
  - DROWN
  - FREAK
  - Heartbleed
  - HSTS preloading
  - HSTS set
  - HTTPS enforced
  - LOGJAM
  - LUCKY13
  - BAR MITZVAH
  - RC4 NOMORE
  - Padding oracle (SSL and TLS POODLE)
  - Perfect Forward Secrecy
  - RACCOON
  - SSL RENEGOTIATION
  - ROBOT
  - SLOTH
  - SWEET32
  - TICKETBLEED
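As an added illustration (not TLSAssistant's own code), the following Android snippet shows what four of the listed Android findings look like in application code, each beside the corresponding fix. Class and method names are illustrative; the check names in the comments are the ones from the list above.

```java
// Added example: anti-patterns behind the "Accepting all SSL certificates",
// "Allow all hostname", "SSL GetInsecure Method" and "WebView SSL Errors"
// checks, each next to the secure alternative. Names are illustrative.
import android.net.SSLCertificateSocketFactory;
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.X509TrustManager;

public class TlsPatterns {
    // FLAGGED ("Accepting all SSL certificates"): a TrustManager that never
    // throws accepts any chain, so an on-path attacker's certificate is trusted.
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] c, String a) {}
        public void checkServerTrusted(X509Certificate[] c, String a) {}
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // FLAGGED ("Allow all hostname"): a valid certificate for any name passes.
    static final HostnameVerifier ALLOW_ALL = (host, session) -> true;

    // FLAGGED ("SSL GetInsecure Method"): a factory with verification disabled.
    static SSLSocketFactory insecureFactory() {
        return SSLCertificateSocketFactory.getInsecure(10_000, null);
    }

    // FIX: keep the platform defaults, which validate the chain against the
    // device trust store and verify the hostname; never install the objects
    // above via setSSLSocketFactory()/setHostnameVerifier().
    static HttpsURLConnection secureConnection(java.net.URL url) throws java.io.IOException {
        return (HttpsURLConnection) url.openConnection();
    }

    // FLAGGED ("WebView SSL Errors"): proceeding past a certificate error.
    static class InsecureClient extends WebViewClient {
        @Override public void onReceivedSslError(WebView v, SslErrorHandler h, SslError e) {
            h.proceed();
        }
    }

    // FIX: cancel the load (the default behaviour) and report the failure.
    static class SecureClient extends WebViewClient {
        @Override public void onReceivedSslError(WebView v, SslErrorHandler h, SslError e) {
            h.cancel();
        }
    }
}
```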
Compliance analysis report
TLSAssistant is able to perform an automated compliance analysis against five agency-issued technical guidelines:
- AgID ver.2020-01
- ANSSI v1.2
- BSI TR-02102-2 and TR-03116-4
- Mozilla v5.7
- NIST SP 800-52 Rev. 2 (and related)
It supports the following use-cases:
- compare-to-one - compare an already existing configuration against a single guideline. The output consists of a report that highlights the differences between the current and the target configuration and guides the system administrator towards closing the gap;
- compare-to-many - similar to the compare-to-one but considering multiple guidelines;
- generate-after-one - generate a working configuration compliant with a single guideline, taking into account any additional narrowing set by the user;
- generate-after-many - similar to the generate-after-one but considering multiple guidelines.
Download
[!TIP] We suggest downloading the pre-built Docker image provided by GitHub by fetching it with
docker pull ghcr.io/stfbk/tlsassistant:v3.1
and running it with
docker run --rm -v ${PWD}/results:/tlsassistant/results -t ghcr.io/stfbk/tlsassistant:v3.1 -s www.fbk.eu
However, if you want to install the dependencies on the system, you can use one of the following build methods:
One Liner
To install the tool (in a virtual environment), execute the following command:
sudo apt update && sudo apt install git python3-dev python3-pip python3-venv -y && git clone https://github.com/stfbk/tlsassistant.git && cd tlsassistant && python3 -m venv venv && source venv/bin/activate && pip3 install -r requirements.txt && python3 install.py -v
Step by Step
If you want to download and install by executing every step:
<details> <summary>Show single steps</summary>
- Install git
sudo apt update && sudo apt-get install git -y
- Download the tool by running
git clone https://github.com/stfbk/tlsassistant.git && cd tlsassistant
- Install python
sudo apt update && sudo apt-get install python3-dev python3-pip python3-venv -y
- Optional but recommended: Create a virtual environment
python3 -m venv venv
and activate the virtual environment
source venv/bin/activate
- Install the requirements
pip3 install -r requirements.txt
- Run the installer
python3 install.py
</details>
Docker
Recommended for non-Ubuntu users:
Since the installer uses APT to install its dependencies, you can use the Dockerfile to build an image that contains the whole installation process.
<details> <summary>Docker build and run tutorial</summary>
Clone the repository:
git clone https://github.com/stfbk/tlsassistant.git && cd tlsassistant
Build the docker image:
docker build -t tlsassistant .
Run the docker image:
docker run --rm -v ${PWD}/results:/tlsassistant/results -t tlsassistant -s www.fbk.eu
Add any arguments you want to pass to the tool after the tlsassistant image name.
The -v flag can be used to mount directories containing the TLS configuration files to analyze:
docker run --rm -v ${PWD}/results:/tlsassistant/results -v ${PWD}/configurations_to_mount:/tlsassistant/config_mounted -t tlsassistant -f config_mounted/apache.conf
</details>
Usage
python3 run.py -h
<details>
<summary>Show raw output</summary>
usage: TLSAssistant [-h] [--version] [-v] [--openssl OPENSSL | --ignore-openssl] [-ot {pdf,html}] [-o OUTPUT] [--group-by {host,module}] (-s SERVER | -f FILE | -d DOMAIN_FILE | -l [LIST] | -a APK) [--apply-fix [APPLY_FIX]]
[-c CONFIGURATION | -m CONFIGURATION [CONFIGURATION ...]] [-e EXCLUDE [EXCLUDE ...]] [--stix] [--webhook [WEBHOOK]] [--prometheus [PROMETHEUS]] [--config_type {apache,nginx,auto}] [--guidelines COMPLIANCE_ARGS]
[--apache] [--security COMPLIANCE_ARGS] [--output_config COMPLIANCE_ARGS] [--certificate_index COMPLIANCE_ARGS] [--custom_guidelines COMPLIANCE_ARGS] [--use_cache] [--clean] [--no_psk]
TLSAssistant Help
optional arguments:
-h, --help show this help message and exit
--version show program's version number and exit
-v, --verbosity increase output verbosity
--openssl OPENSSL, --openssl-version OPENSSL
Add openSSL version to consider if configuration analysis is asked.
--ignore-openssl During configuration analysis, ignore openssl version completely.
-ot {pdf,html}, --output-type {pdf,html}
The type of the report output.
Output type can be omitted and can be obtained by --output extension.
-o OUTPUT, --output OUTPUT
Set report path.
--group-by {host,module}
Choose how to group results by.
-s SERVER, --server SERVER
The hostname, target of the analysis.
-f FILE, --file FILE The configuration to analyze.
-d DOMAIN_FILE, --domain_file DOMAIN_FILE
The file path which has the hostname to analyze.
-l [LIST], --list [LIST]
List all modules or print an help of a module.
For Example
-l freak
-a APP, --app APP The apk/ipa path, target of the analysis.
--apply-fix [APPLY_FIX]
Apply fix in the current configuration.
Give a path if using -s.
i.e.
python3 run.py -s fbk.eu --apply-fix myconf.conf
-c CONFIGURATION, --conf CONFIGURATION, --configuration CONFIGURATION
Configuration path.
-m CONFIGURATION [CONFIGURATION ...], --modules CONFIGURATION [CONFIGURATION ...]
List of modules to run
For example
-m breach crime freak
-e EXCLUDE [EXCLUDE ...], --exclude EXCLUDE [EXCLUDE ...]
List of modules to exclude
For example
-e breach crime
--stix Generate STIX2 compliant output.
--webhook [WEBHOOK] Add a webhook url to send the results.
--prometheus [PROMETHEUS]
Generate the prometheus output in
