Automating TLS Configuration Verification - Danneman
Automating TLS Configuration Verification
On the Back-End of the Web Application Stack
Who Am I?
• Steven Danneman
• @sdanndev
• sdanneman [at] securityinnovation.com
• Security Engineer
• Security Innovation
• Seattle, WA
• Storage protocols
  • SMB, Samba Team
  • Server-side
Outline
1. Motivation
2. Scope
3. Tool
4. Data
5. Conclusions
MOTIVATION
The Network Is Hostile
Customer Data Is The Target
The Simple Web Application
Clients <-- HTTPS --> Web Application Servers <-- DB PROTO --> Database Servers
Proper (current) TLS Configuration
1. TLS is Enabled
2. Protocols
   • TLSv1.2
3. Cipher Strength
   • Perfect Forward Secrecy
   • >= AES 128
   • GCM
4. Certificate Chain
   • Signed by a known CA
5. Known Vulnerabilities
   • Has none
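As an added example (not code from the slides or from testssl.sh), the script below turns this checklist into an automated gate: it reads PFS, AES key size and GCM mode off the strongest negotiated suite name, evaluates a scan record against the five items, and maps the failures onto the BLOCKER / SHIPPABLE / SECURE key used on the data slides. The ScanResult record, the two sample rows and the blocking thresholds are this example's own assumptions.

```python
from dataclasses import dataclass

# Which failures are BLOCKER rather than SHIPPABLE is this example's own
# assumption; the slides show the colour key but not the scoring rules.
BLOCKING = {"TLS enabled", "SSLv3 disabled", "no DES", "no RC4", "no 3DES",
            "certificate from known CA", "no known vulnerabilities"}

@dataclass
class ScanResult:
    tls_enabled: bool
    protocols: dict          # protocol name -> offered by the server?
    strongest_cipher: str    # OpenSSL-style suite name, as in the slides
    weak_ciphers: dict       # "DES"/"RC4"/"3DES" -> offered by the server?
    cert_from_known_ca: bool
    vulnerabilities: dict    # check name -> vulnerable?

def analyze_cipher(name: str) -> dict:
    """Read PFS, AES key size and GCM mode off an OpenSSL suite name."""
    parts = name.upper().split("-")
    aes_bits = 0
    for p in parts:
        if p.startswith("AES") and p[3:].isdigit():
            aes_bits = int(p[3:])
    return {"pfs": parts[0] in ("ECDHE", "DHE"),
            "aes_bits": aes_bits, "gcm": "GCM" in parts}

def evaluate(r: ScanResult) -> list:
    """Return the checklist items the scan fails, in checklist order."""
    c = analyze_cipher(r.strongest_cipher)
    checks = [
        ("TLS enabled", r.tls_enabled),
        ("SSLv3 disabled", not r.protocols.get("SSLv3", False)),
        ("TLSv1.2 offered", r.protocols.get("TLSv1.2", False)),
        ("Perfect Forward Secrecy", c["pfs"]),
        (">= AES 128", c["aes_bits"] >= 128),
        ("GCM", c["gcm"]),
        ("no DES", not r.weak_ciphers.get("DES", False)),
        ("no RC4", not r.weak_ciphers.get("RC4", False)),
        ("no 3DES", not r.weak_ciphers.get("3DES", False)),
        ("certificate from known CA", r.cert_from_known_ca),
        ("no known vulnerabilities", not any(r.vulnerabilities.values())),
    ]
    return [name for name, ok in checks if not ok]

def rate(r: ScanResult) -> str:
    """Map the failed items onto the slides' BLOCKER/SHIPPABLE/SECURE key."""
    failed = set(evaluate(r))
    if not failed:
        return "SECURE"
    return "BLOCKER" if failed & BLOCKING else "SHIPPABLE"

# Constructed samples: protocol and cipher values follow the "Default Install"
# rows for MySQL 5.7.18 (yaSSL) and MongoDB 3.4.6 on the data slides; the
# certificate and vulnerability flags are made up for this example.
MYSQL_YASSL_DEFAULT = ScanResult(
    tls_enabled=True,
    protocols={"SSLv3": True, "TLSv1.0": True, "TLSv1.1": True, "TLSv1.2": False},
    strongest_cipher="DHE-RSA-AES256-SHA",
    weak_ciphers={"DES": True, "RC4": True, "3DES": True},
    cert_from_known_ca=False,
    vulnerabilities={"BEAST": True, "SWEET32": True},
)
MONGODB_DEFAULT = ScanResult(
    tls_enabled=True,
    protocols={"SSLv3": False, "TLSv1.0": True, "TLSv1.1": True, "TLSv1.2": True},
    strongest_cipher="AES256-GCM-SHA384",
    weak_ciphers={"DES": False, "RC4": False, "3DES": False},
    cert_from_known_ca=True,
    vulnerabilities={"BEAST": False, "SWEET32": False},
)

if __name__ == "__main__":
    for label, res in (("MySQL/yaSSL", MYSQL_YASSL_DEFAULT), ("MongoDB", MONGODB_DEFAULT)):
        print(label, rate(res), evaluate(res))
```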
The HTTPS Success Story
Google Transparency Report: https://transparencyreport.google.com/https/overview
SSL Pulse: https://www.ssllabs.com/ssl-pulse/
Mozilla SSL Configuration Generator: https://mozilla.github.io/server-side-tls/ssl-config-generator/
SCOPE
Most Popular Databases
https://db-engines.com/en/ranking
Why Are These On The Internet‽
My Guess
• Bad configuration
• Remote administration
• Mix of self-hosted and cloud resources
• Two-tier architecture
  • Thick client makes direct DB calls
  • JavaScript sends JSON directly to NoSQL
Regardless
• There are a LOT of them
• LAN / Internal WAN are not safer
• We need encryption everywhere
TOOL
testssl.sh
STARTTLS - MySQL
Client -> Server: TCP SYN
Server -> Client: TCP SYN/ACK
Server -> Client: MySQL Server Greeting
Client -> Server: MySQL Login Request
Client -> Server: TLS Client Hello
Server -> Client: TLS Server Hello
Client <-> Server: Negotiate TLS
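The exchange above, driven end to end as an added example (not code from the slides or from testssl.sh): read the Server Greeting, check its capability flags for the SSL bit, answer with the SSL Request packet (the Login Request cut short after its fixed part), then run the TLS handshake on the same socket and report the negotiated version and cipher. The packet layout follows the MySQL client/server protocol; the function names and the sample greeting are this example's own.

```python
import socket
import ssl
import struct

CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800
CLIENT_SECURE_CONNECTION = 0x00008000

def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-packet")
        buf += chunk
    return buf

def read_packet(sock) -> bytes:
    """One MySQL packet: 3-byte little-endian length, 1-byte sequence id, payload."""
    header = _recv_exact(sock, 4)
    return header + _recv_exact(sock, int.from_bytes(header[:3], "little"))

def parse_greeting(packet: bytes) -> dict:
    """Read the server version and capability flags from the Server Greeting
    (HandshakeV10); the CLIENT_SSL capability bit is how the server offers TLS."""
    p = packet[4:4 + int.from_bytes(packet[:3], "little")]
    if not p or p[0] != 10:
        raise ValueError("not a HandshakeV10 greeting")
    end = p.index(b"\x00", 1)
    version = p[1:end].decode("ascii", "replace")
    pos = end + 1 + 4 + 8 + 1           # skip connection id, auth-data part 1, filler
    caps = struct.unpack_from("<H", p, pos)[0]
    pos += 2 + 1 + 2                    # skip lower caps, charset, status flags
    if len(p) >= pos + 2:               # upper caps are present on 4.1+ servers
        caps |= struct.unpack_from("<H", p, pos)[0] << 16
    return {"server_version": version, "capabilities": caps,
            "supports_ssl": bool(caps & CLIENT_SSL)}

def build_ssl_request() -> bytes:
    """The SSL Request packet: a Login Request cut short after its 32-byte fixed
    part, with CLIENT_SSL set, sent as sequence id 1 in reply to the greeting."""
    caps = CLIENT_PROTOCOL_41 | CLIENT_SSL | CLIENT_SECURE_CONNECTION
    payload = struct.pack("<IIB", caps, 16 * 1024 * 1024, 33) + b"\x00" * 23
    return len(payload).to_bytes(3, "little") + b"\x01" + payload

def mysql_starttls(host: str, port: int = 3306, cafile=None) -> dict:
    """Greeting -> SSL Request -> TLS handshake on the same socket, then report
    what was negotiated. Verification is skipped only when no CA file is given,
    since the point is to inspect the server. Current Python default contexts
    refuse anything below TLSv1.2, so a handshake failure is itself a finding."""
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as raw:
        info = parse_greeting(read_packet(raw))
        if not info["supports_ssl"]:
            raise RuntimeError(f"MySQL {info['server_version']} does not offer TLS")
        raw.sendall(build_ssl_request())
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            info["tls_version"] = tls.version()
            info["cipher"] = tls.cipher()[0]
    return info

# Constructed sample greeting (not a capture): protocol 10, version 5.7.18,
# capability flags with CLIENT_PROTOCOL_41 and CLIENT_SSL set.
_PAYLOAD = (b"\x0a" + b"5.7.18\x00" + struct.pack("<I", 7) + b"abcdefgh" + b"\x00"
            + struct.pack("<H", CLIENT_PROTOCOL_41 | CLIENT_SSL) + b"\x21"
            + struct.pack("<H", 2) + struct.pack("<H", 0) + b"\x00" * 13)
SAMPLE_GREETING = len(_PAYLOAD).to_bytes(3, "little") + b"\x00" + _PAYLOAD

if __name__ == "__main__":
    print(parse_greeting(SAMPLE_GREETING))
```

Against a live server, `mysql_starttls("db.example.internal")` returns the greeting fields plus `tls_version` and `cipher`, which is exactly what the testssl.sh `--starttls mysql` runs on the next slide automate across the whole cipher and protocol matrix.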
testssl.sh 2.9.5 – Released 9/18/2017
$ ./testssl.sh --openssl ./bin/openssl.Linux.x86_64.static --starttls mysql <hostname>:3306
$ ./testssl.sh --openssl ./bin/openssl.Linux.x86_64.static --starttls postgres <hostname>:5432
$ ./testssl.sh --openssl ./bin/openssl.Linux.x86_64.static <hostname>:27017
testssl.sh 2.9.5 – Custom OpenSSL
$ wget https://testssl.sh/openssl-1.0.2k-dev-chacha.pm.ipv6.Linux+FreeBSD.tar.gz
$ tar -xvf openssl-1.0.2k-dev-chacha.pm.ipv6.Linux+FreeBSD.tar.gz
x bin/openssl.Linux.x86_64.static
$
https://blog.securityinnovation.com
DATA
MySQL Editions
Community
• Packaged for your favorite Linux distro
• yaSSL library
Enterprise
• Distributed directly from Oracle for paid customers
• OpenSSL library
Source Code
• Self-compile
• Self-initialize
• OpenSSL library
Location: Local Server
Configuration: Default Install
Key: BLOCKER / SHIPPABLE / SECURE

| Server | MySQL | MySQL | PostgreSQL | MongoDB |
|---|---|---|---|---|
| Version | 5.7.18 | 5.7.18 | 9.5.7 | 3.4.6 |
| TLS Library | yaSSL | OpenSSL | OpenSSL | OpenSSL |
| Protocol | | | | |
| SSLv3 | Yes | No | No | No |
| TLSv1.0 | Yes | Yes | Yes | Yes |
| TLSv1.1 | Yes | Yes | Yes | Yes |
| TLSv1.2 | No | Yes | Yes | Yes |
| Require TLS | No | No | No | Configurable |
| Ciphers | | | | |
| DES | Yes | No | No | No |
| RC4 | Yes | No | Yes | No |
| Triple DES | Yes | Yes | Yes | No |
| Strongest | DHE-RSA-AES256-SHA | DHE-RSA-AES256-GCM-SHA384 | ECDHE-RSA-AES256-GCM-SHA384 | AES256-GCM-SHA384 |
| PFS | Yes | Yes | Yes | No |
| Server Order | Yes | No | Yes | No |
| Vulnerabilities | | | | |
| Secure Renegotiation | No^ | Yes | Yes | Yes |
| Secure Client-Initiated Renegotiation | No | Yes | Yes | Yes |
| TLS_FALLBACK_SCSV | No | Yes | Yes | ? |
| SWEET32 | No | No | No | Yes |
| BEAST | No | No | No | No |
| LUCKY13 | No | No | No | No |
Location: Local Server
Configuration: Hardened
Key: BLOCKER / SHIPPABLE / SECURE

| Server | MySQL | MySQL | PostgreSQL | MongoDB |
|---|---|---|---|---|
| Version | 5.7.18 | 5.7.18 | 9.5.7 | 3.4.6 |
| TLS Library | yaSSL | OpenSSL | OpenSSL | OpenSSL |
| Protocol | | | | |
| SSLv3 | No | No | No | No |
| TLSv1.0 | No | No | No | No |
| TLSv1.1 | Yes | No | No | No |
| TLSv1.2 | No | Yes | Yes | Yes |
| Require TLS | Yes | Yes | Yes | Yes |
| Ciphers | | | | |
| DES | No | No | No | No |
| RC4 | No | No | No | No |
| Triple DES | No | No | No | No |
| Strongest | DHE-RSA-AES256-SHA | DHE-RSA-AES256-GCM-SHA384 | DHE-RSA-AES256-GCM-SHA384 | AES256-GCM-SHA384 |
| PFS | Yes | Yes | Yes | No |
| Server Order | Yes | Yes | Yes | No |
| Vulnerabilities | | | | |
| Secure Renegotiation | No^ | Yes | Yes | Yes |
| Secure Client-Initiated Renegotiation | No | Yes | Yes | Yes |
| TLS_FALLBACK_SCSV | No | Yes | Yes | Yes |
| SWEET32 | Yes | Yes | Yes | Yes |
| BEAST | Yes | Yes | Yes | Yes |
| LUCKY13 | No | Yes | Yes | No |
To The Cloud!
Location: The Cloud
Configuration: Default
Key: BLOCKER / SHIPPABLE / SECURE

| Server | MySQL | MySQL | MySQL | MySQL |
|---|---|---|---|---|
| Provider | Cloud 1 | Cloud 2 | Cloud 3 | Cloud 4 |
| TLS Library | OpenSSL | yaSSL | OpenSSL | OpenSSL |
| Protocol | | | | |
| SSLv3 | Yes | Yes | No | No |
| TLSv1.0 | Yes | Yes | Yes | Yes |
| TLSv1.1 | No | Yes | Yes | Yes |
| TLSv1.2 | Yes | No | Yes | Yes |
| Require TLS | No | No | No | Yes |
| Ciphers | | | | |
| DES | Yes | Yes | No | No |
| RC4 | Yes | Yes | No | No |
| Triple DES | Yes | Yes | Yes | Yes |
| Strongest | ECDHE-RSA-AES256-SHA384 | DHE-RSA-AES256-SHA | ECDHE-RSA-AES256-SHA | ECDHE-RSA-AES256-SHA384 |
| PFS | Yes | Yes | Yes | Yes |
| Server Order | No | Yes | No | Yes |
| Vulnerabilities | | | | |
| Secure Client-Initiated Renegotiation | Yes | No | No | No |
| SWEET32 | No | No | No | No |
| BEAST | No | No | No | No |
| LUCKY13 | No | No | No | No |
| POODLE | Yes | No | No | No |
| LOGJAM | Yes | No | No | No |
Location: The Cloud
Configuration: Meta Settings
Key: BLOCKER / SHIPPABLE / SECURE

| Server | MySQL | MySQL | MySQL | MySQL |
|---|---|---|---|---|
| Host | Cloud 1 | Cloud 2 | Cloud 3 | Cloud 4 |
| TLS Library | OpenSSL | yaSSL | OpenSSL | OpenSSL |
| Default Configuration | | | | |
| TLS Available | Yes | Yes | Yes | Yes |
| TLS Enabled | Yes | No | Yes | Yes |
| TLS Required | No | No | No | Yes |
| Public IP Connection Allowed | No | TCP | No | TCP |
| Certificate Created | Yes | No | Yes | Yes |
| Overall TLS Strength | Low | Low | Medium | Strong |
| Certificate | | | | |
| Signature Algorithm | SHA1 with RSA | SHA256 with RSA | SHA1 with RSA | SHA256 with RSA |
| Server key size | RSA 2048 bits | RSA 2048 bits | RSA 2048 bits | RSA 2048 bits |
| Self Signed | No | No | No | No |
| CA | Internal | Internal | Internal | Public |
| Configuration Options | | | | |
| TLS Configurable | No | Yes | Somewhat | Somewhat |
| Avoidable Issues | | | | |
| Recompiled With OpenSSL | Yes | No | Yes | Yes |
| Severe Known Vulnerabilities | Yes | No | No | No |
CONCLUSIONS
The Good
PostgreSQL: I CAN BE CONFIGURED SECURE
The Cloud
• Autogenerated signed certificate
The Cloud
If you trusted Cloud Provider 4, you probably would have gotten a MySQL server configured more securely than you would have done yourself.
The Bad
The Cloud
If you trusted Cloud Provider 1, you probably would have gotten a MySQL server configured less securely than you would have done yourself.
The Cloud
• 2/4: Poor default TLS configuration
• 2/4: Autogenerated certs have medium security
• 3/4: No way to modify TLS configuration to fix detected issues
  • 1/4: No ability to change anything
• 3/4: Do not require TLS, client's choice
On-Premises Database
• Poor default TLS configuration
• Bugs only just exposed through testing
  • MySQL (yaSSL) cipher negotiation
  • MongoDB server order
• Only newest versions (~2 years) have strong TLS support
MySQL Community Edition
• Cannot be configured for maximum security
  • No TLSv1.2
  • TLS Downgrade Attacks
• Mitigation
  • Compile from source with OpenSSL
  • Use local transports only
    • Unix domain sockets / shared memory
The Ugly
Internet Survey
• I was going to do some mass scans of Internet connected hosts to tabulate real world TLS practices…
• But, since older versions, MySQL Community Edition, and some cloud providers can't be configured secure, I think we already know the results.
Hope
Now You Can Measure It And You Can Improve It.
Thank You
Dirk Wetter (@drwetter), creator of testssl.sh
Thank You!
www.securityinnovation.com
@sdanndev
sdanneman@securityinnovation.com
APPENDIX
Future Work
• Test if non-TLS DB protocol is enabled
• Test proper client TLS configuration
• Test proper DB cluster TLS configuration
• Survey the Internet: see improvement over time
Bugs
• MySQL: TLS cipher negotiation incorrectly matches on last byte only (yaSSL)
• OpenSSL: s_client mysql won't connect to server with an odd number of chars in version string