The. NET Core TLS protocol specification was exploited by me~~~

Keywords: ASP.NET .NET tls

[guide] previously, the test partners scanned through tools. The platform TLS SSL protocol supports TLS v1.1, which is not safe. The TLS SSL protocol should be at least v1.2 or above. It is thought that we have only supported v1.3, which should not be the problem of our platform.

Recently, the third-party partner mentioned this high-risk security problem again. I still confidently explained that it has nothing to do with our platform and should be related to openssl's own configuration support v1.1, but this problem must be solved. With a skeptical attitude, is it a code problem? Therefore, we began to explore the road. This paper takes ASP.NET Core 3.1.20 as an example

Verify TLS SSL protocol issues

Because there are too many platform related configurations enabled to eliminate the impact, I wrote a clean web api separately. The code is as follows.

webBuilder.UseStartup<Startup>();
webBuilder.UseKestrel(options => 
{
    var sslCertPath = Path.Combine(AppContext.BaseDirectory, "ssl.pfx");

    options.Listen(IPAddress.Any, 5000,
        listenOption =>
        {
            listenOption.UseHttps(sslCertPath, "KSnRJkGPf@OVA8uDsY*D5EP4kd!AagLS84uNS~5@@u#dKrNxHC");
        });

    options.ConfigureHttpsDefaults(co =>
    {
      co.SslProtocols = SslProtocols.Tls13;
    });

});

Then we publish it to linux and run it, as follows:

Next, we scan the port with the help of nmap tool, as follows:

Wait patiently for a while. The final scan output is as follows. I was stunned

The. NET Core TLS SSL protocol is enabled by default to support v1.1 and v1.2. It is clearly set to support only v1.3. Isn't this the same as not set?

webBuilder.UseStartup<Startup>();
webBuilder.UseKestrel(options => 
{
    var sslCertPath = Path.Combine(AppContext.BaseDirectory, "ssl.pfx");

    options.ConfigureHttpsDefaults(co =>
    {
        co.SslProtocols = SslProtocols.Tls12;
    });

    options.Listen(IPAddress.Any, 5000,
        listenOption =>
        {
            listenOption.UseHttps(sslCertPath, "KSnRJkGPf@OVA8uDsY*D5EP4kd!AagLS84uNS~5@@u#dKrNxHC");
        });

});

That only means that there is a problem with the code. Since it has been set but has not taken effect, so, it means that there is a problem with the release order. What will happen if I put the above setting protocol before listening to HTTPS? As mentioned above, first of all, we configure that only v1.2 is supported. Will v1.1 be scanned?

It seems that the guess is good. It has something to do with the configuration order. The v1.1 protocol does not support it. Similarly, for the configuration of v1.3, the output results are as follows

So far, the TLS SSL protocol specification has been solved. It is normal to think about it. A connection must be established before listening to the port, so the protocol configuration must be specified before listening to the port

At this point, let's further understand the principle and the whole process of protocol and port monitoring

Let's first look at the general implementation of HTTPS built-in by specifying SSL certificate path and password listening

There are multiple overloads listening to HTTPS. It seems that X509Certificate2 is used to load certificates, verify certificates, and so on

The built-in assignment class loads the certificate, and then applies various options in the following extension methods. The following notes are the options for connection by reference

Since we configured SSL v1.3 protocol to listen to HTTPS at the beginning, the default protocols 1.1 and 1.2 are used when executing here

At the same time, it should be noted that in. Net core version 3. X, the certificate password must be provided, but in this case, I check the source code. If I remember correctly, it should be in 5.x, and the certificate password can be empty

In fact, the monitoring HTTPS extension method provides the overload of the TLS SSL protocol used to connect. At that time, I didn't think so much about the configuration, because the previous configuration has been written, and the platform can turn on HTTP or HTTPS according to the actual situation, so I directly call the default HTTPS option configuration, and the result is careless

Of course, if it is clear that it must be HTTPS protocol, we can also modify it based on the default configuration, as follows:

webBuilder.UseStartup<Startup>();
webBuilder.UseKestrel(options =>
{
    var sslCertPath = Path.Combine(AppContext.BaseDirectory, "ssl.pfx");

    options.ConfigureHttpsDefaults(co =>
    {
        co.SslProtocols = SslProtocols.Tls13;
        co.ServerCertificate = new X509Certificate2(sslCertPath, "KSnRJkGPf@OVA8uDsY*D5EP4kd!AagLS84uNS~5@@u#dKrNxHC");
    });

    options.Listen(IPAddress.Any, 5000);

});

There's nothing to summarize

, I was careless about Jingzhou. I once suspected that v1.3 was configured, but the tool scanning supported 1.1 and 1.2. I thought that the problem was the openssl configuration support. I didn't think about it for a moment. If I was careless and didn't consider the connection process, the corresponding configuration sequence should also be consistent. NET Core provides a variety of configurations, but I just got stuck in the middle and drilled my own loophole

Posted by lance1208 on Thu, 04 Nov 2021 17:32:36 -0700