Tuesday, March 27, 2012

Checking client-side certificate verification with openssl

So you have some client software that claims it checks that server SSL certs are issued by a valid CA, or better, by a specific CA? How do you check that claim? Set up a simple MITM attack (works on OS X and Linux):

Create a self-signed cert (this writes both the private key and the certificate into cert.pem, which is why the server below only needs -cert):
    openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout cert.pem
Fire up the openssl server (see man s_server for more options, including simple webserver functionality; sudo is only needed because 443 is a privileged port):
    sudo openssl s_server -debug -cert cert.pem -accept 443
Edit your /etc/hosts file and add the domain you are attacking so that it resolves to localhost:
    127.0.0.1 secure.company.com
Run your client. A client that really verifies will refuse to complete the handshake, since no CA issued this cert; if the connection goes through and the client keeps talking to the bogus server, its verification claim is false. Note that this only shows the client rejects an untrusted cert: to check that it accepts one specific CA only, you would also need to offer it a cert issued by a different, generally trusted CA.
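The same check as a re-runnable, in-process Go program (an added example, not code from the original post): crypto/x509 takes the place of the openssl req command, tls.Listen the place of s_server, and the client's ServerName the place of the /etc/hosts edit. The client under test is passed in as a function; ProbeClient, Host and selfSignedCert are names assumed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// Host is the name the client expects; the page maps it to 127.0.0.1 via /etc/hosts.
const Host = "secure.company.com"

// selfSignedCert is the in-memory stand-in for `openssl req -new -x509 ...`: a cert for Host issued by no CA.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{Host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// ProbeClient stands in for `openssl s_server -cert cert.pem`: it serves the bogus cert once to
// client and returns true if the handshake completed, i.e. the client accepted an untrusted cert.
func ProbeClient(client func(addr string) error) (bool, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return false, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return false, err
	}
	defer ln.Close()
	go client(ln.Addr().String()) // the client's own error is not the verdict; the server side is
	c, err := ln.Accept()
	if err != nil {
		return false, err
	}
	defer c.Close()
	// Handshake returns nil only if the client sent its Finished, so it accepted the cert.
	return c.(*tls.Conn).Handshake() == nil, nil
}
```

A correctly written Go client (tls.Dial with ServerName set and no InsecureSkipVerify) makes ProbeClient return false; one that sets InsecureSkipVerify makes it return true.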
