CFSSL 1.1: The Evolution of a PKI toolkit - DEF CON 23
-
Upload
nick-sullivan -
Category
Technology
-
view
2.001 -
download
0
Transcript of CFSSL 1.1: The Evolution of a PKI toolkit - DEF CON 23
CFSSL 1.1The evolution of a PKI toolkit
Nick Sullivan @grittygrease August 7, 2015
PEOPLE ARE LAZY
2
PGP is hard
3
PGP is hard
4
5
6
Who was not using HTTPS (December 2014)?
7
Who is not using HTTPS (August 2015)?
🔒 🔒
🔒
8
9
11
12
13
Where are my keys?
14
Railgun
Let’s write a CA server ourselves! — In Go!
16
Why Go?
• Robust X.509 library
• JSON API support
• Fun!
PKI this shiz
18
PKI the whole internal infrastructure
Certificate Errors
20
21
👍
23
Other people started using it!• 750+ stars on Github
• Warning: unconfirmed list
24
Announcing… CFSSL 1.1• New features added since 1.0
• PKCS #11 HSM support
• Multi-root CA
• OCSP Server
• Remote mode with authentication and high availability
• Web UI
25
Full List of changes• ADDED:
• Revocation now checks OCSP status.
• Authenticated endpoints are now supported using HMAC tags.
• Bundle can verify certificates against a domain or IP.
• OCSP subcommand has been added.
• PKCS #11 keys are now supported; this support is now the default.
• OCSP serving is now implemented.
• The multirootca tool is now available for multiple signing keys via an authenticated API.
• A scan utility for checking the quality of a server's TLS configuration.
• The certificate bundler now supports PKCS #7 and PKCS #12.
• An info endpoint has been added to retrieve the signers’ certificates.
• Signers can now use a serial sequence number for certificate serial numbers; the default remains randomised serial numbers.
• CSR whitelisting allows the signer to explicitly distrust certain fields in a CSR.
• Signing profiles can include certificate policies and their qualifiers.
• The multirootca can use Red October-secured private keys.
• The multirootca can whitelist CSRs per-signer based on an IP network whitelist.
• The signer can whitelist SANs and common names via a regular-expression whitelist.
• Multiple fallback remote signers are now supported in the cfssl server.
• A Docker build script has been provided to facilitate building CFSSL for all supported platforms.
• The log package includes a new logging level, fatal, that immediately exits with error after printing the log message.
• CHANGED:
• CLI tool can read from standard input.
• The -f flag has been renamed to -config.
• Signers have been refactored into local and remote signers under a single universal signer abstraction.
• The CLI subcommands have been refactored into separate packages.
• Signing can now extract subject information from a CSR.
• Various improvements to the certificate ubiquity scoring, such as accounting for SHA1 deprecation.
• The bundle CLI tool can set the intermediates directory that newly found intermediates can be stored in.
• The CLI tools return exit code 1 on failure.
26
cfssl.org bundle demo
27
One more thing…
28
CFSSL Scan• Provides a report on your TLS configuration
• Standalone App
• Drive with API or CLI
• Can use domain names, or IPs on any port
• Add your own vulnerability scans
29
cfssl.org scan demo
30
CFSSL
Certificate Authority
Chain builder
TLS Scanner
31
CFSSL Core Team• Nick Sullivan (@grittygrease)
• Kyle Isom (@kyleisom)
• Zi Lin (@lziest)
• Jacob Haven (@jacob_haven)
32
CFSSL 1.1 Contributors• Alice Xia
• Dan Rohr
• Didier Smith
• Dominic Luechinger
• Erik Kristensen
• Fabian Ruff
• George Tankersley
• Harald Wagener
• Harry Harpham
• Jacob H. Haven
• Jacob Hoffman-Andrews
• Joshua Kroll
• Kyle Isom
• Nick Sullivan
• Peter Eckersley
• Richard Barnes
• Steve Rude
• Tara Vancil
• Terin Stock
• Thomaz Leite
• Travis Truman
• Zi Lin
33
CFSSL 1.1The evolution of a PKI toolkit
Nick Sullivan @grittygrease August 7, 2015