TLS Certificate Validation

Network Security Spring 2021

The goals of this lab are to:

  1. Familiarize yourself with standard TLS tools
  2. Gain experience in TLS certificate validation

TLS security depends on properly validating certificates presented by a peer during session establishment. In this lab, you are presented with a set of TLS servers. You will use TLS tools to determine whether each server should be trusted by a client.

You have been provided a container image containing these servers. You can load and execute it as follows:

$ docker load -i netsec-lab-tls.img
$ docker run -it --rm netsec-lab-tls

The servers run on ports 5000-5005/tcp. You can connect to them either directly via the container’s IP address, or by exposing the ports on the host’s loopback interface via -p or --network host.

The most straightforward way to carry out this lab is to use the openssl program. However, if you choose, you can write your own code against a TLS library such as OpenSSL – this is more labor-intensive, but instructive.

Assuming you will use openssl, you will retrieve the certificate for each server using a command like:

$ openssl s_client -connect ${address}:${port}

This should output, amongst other information, a PEM-encoded server certificate. Copy this to a file. Then, you can pretty-print this file, for instance with:

$ openssl x509 -in ${cert} -text

You should then examine the certificate’s subject, issuer, validity window, and other attributes to determine whether the certificate should be accepted.

You may find the output of openssl s_client in conjunction with some of its options helpful in performing certificate validation. See the output of openssl s_client -help for more information.

Lab Objectives

  1. Write a short document indicating whether each of the servers (identified by its TCP port) should be trusted or not. If not, give a reason why the server should not be trusted.

Submission Instructions

Submit your report to Canvas.