8.15 LEARN TO POKE AROUND
EXERCISE 8.15: LEARN TO POKE AROUND
One of the best things you can do with your newly acquired (or improved) cryptography knowledge is learn to poke around. Most of the example code for this chapter was written as if executed in a Python shell on purpose. Get comfortable using the shell to poke a server or test a connection. There are many tools for testing publicly accessible TLS servers, but what about internal ones? If you find that your company is using poor security for internal TLS connections, let IT know. It’s important to be aware of what’s going on around you.
With that in mind, write a diagnostic program in Python that connects to a given server and looks for weak algorithms or configuration data. For example, you have seen that the SSLSocket class has the getpeercert() method to get the remote certificate. Write a program that, upon connecting to a server, obtains the certificate and reports if the signature on the certificate uses a SHA-1 hash (very broken and unlikely) or still supports RSA encryption (more probable).
You can also use the SSLSocket object to check the current cipher using cipher(). Which cipher suite is the server picking out of all the ones proposed? Is that a good choice?
Building on this cipher check, change your Python SSLContext to only support weak ciphers. That is, create a context that disables strong ciphers and re-enables weak ones. You can set a context’s ciphers using the SSLContext.set_ciphers() function. The list of available cipher suites, for each version of TLS, can be found here. The goal of this test is to see if a server is still supporting older, deprecated ciphers.
Should your analysis tool uncover any weaknesses, report them to the appropriate IT or administrative staff with recommendations for remediation.
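One possible starting point for the cipher checks in this exercise, as an added example that is not code from the original text. The names assess, probe, report, WEAK_ONLY and WEAK_MARKERS are illustrative, the cipher string assumes Python linked against OpenSSL 1.1.0 or later, and the certificate signature check is not covered.

```python
import socket
import ssl
import sys

# Assumes OpenSSL 1.1.0+ keywords: static-RSA key exchange, 3DES, RC4, security floor off.
WEAK_ONLY = "kRSA:3DES:RC4:@SECLEVEL=0"
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")  # substrings of OpenSSL suite names

def assess(cipher, version):
    """Findings for a cipher() tuple plus the version() string of one connection."""
    name, _defined_in, bits = cipher  # 2nd field: where the suite was defined, not what was negotiated
    findings = []
    if version not in ("TLSv1.2", "TLSv1.3"):
        findings.append("deprecated protocol %s" % version)
    if bits is not None and bits < 128:
        findings.append("only %d secret bits" % bits)
    findings += ["weak algorithm %s" % m for m in WEAK_MARKERS if m in name]
    # TLS 1.3 (TLS_*) is always ephemeral; a bare name such as AES128-SHA means static RSA.
    if not name.startswith(("TLS_", "ECDHE-", "DHE-")):
        findings.append("no authenticated ECDHE/DHE key exchange")
    return findings

def probe(host, port=443, weak_only=False, timeout=5.0):
    """Handshake once; return (cipher, version), or None if the server refuses."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    if weak_only:
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # set_ciphers() cannot change TLS 1.3 suites
        ctx.set_ciphers(WEAK_ONLY)  # raises ssl.SSLError if the local build has none of these
    with socket.create_connection((host, port), timeout=timeout) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher(), tls.version()
        except ssl.SSLCertVerificationError:
            raise  # a trust problem (e.g. internal CA), not a cipher refusal
        except ssl.SSLError:
            return None

def report(host, port=443):
    lines = []
    for label, weak_only in (("default offer", False), ("weak-only offer", True)):
        result = probe(host, port, weak_only)
        if result is None:
            lines.append("%s: handshake refused" % label)
            continue
        cipher, version = result
        lines.append("%s: %s, %s: %s" % (label, cipher[0], version, assess(cipher, version) or "ok"))
    return lines

if __name__ == "__main__":
    print("\n".join(report(sys.argv[1])))
```

A refused handshake on the weak-only offer is the desired outcome; a completed one names the deprecated suite the server still accepts.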