
I'm working on an embedded system that uses the TLS v1.2 protocol for network security and acts as a client.

Now I want to test some TLS security functions that require connecting to a TLS server and see how a client interacts if the server tries to perform unexpected behaviors that can be configured by me. Some of the behaviors are listed below:

  1. The server tries to send a Server Hello with cipher suites different from those the client side provided in the Client Hello message.
  2. The server tries to use a downgraded TLS version (v1.0, v1.1) which is not supported by the client.
  3. The server tries to send a corrupted certificate (flipped bytes, lost data, etc.) to the client.

Is there any Windows/Linux open-source software tool that can manipulate TLS message data for testing purposes like the above examples?

Rohit Gupta
songoku711

1 Answer


A tool that might be useful is TLS-Attacker. It was introduced to test the security of TLS libraries. It does so by creating custom protocol flows that users can specify. The paper indicates that the tool has been successful at finding many issues (with assigned CVEs) in libraries. (Disclaimer: I haven't used it myself, so I cannot tell how suitable it is for your use case.)

Marc Ilunga
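An added example, not part of the original answer and not TLS-Attacker code: the checks a TLS 1.2 client is expected to apply to a ServerHello in the first two scenarios of the question, plus a helper that builds constructed ServerHello records to use as test vectors. The function names, the offered suite list and the simplification of one handshake message per record are assumptions made for illustration.

```python
import struct

TLS10, TLS11, TLS12 = 0x0301, 0x0302, 0x0303
# Constructed client configuration (assumption, not taken from the post):
# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_RSA_WITH_AES_128_GCM_SHA256.
OFFERED_SUITES = {0xC02F, 0x009C}
SUPPORTED_VERSIONS = {TLS12}


def build_server_hello(version, cipher_suite):
    """Build a constructed ServerHello record to use as a test vector."""
    body = struct.pack("!H", version) + bytes(32)   # server_version + all-zero random
    body += b"\x00"                                 # empty session_id
    body += struct.pack("!HB", cipher_suite, 0)     # cipher_suite + null compression
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, version, len(handshake)) + handshake


def parse_server_hello(record):
    """Return (server_version, cipher_suite); raise ValueError if malformed.

    Simplification: the record holds exactly one handshake message.
    """
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:]
    if rec_len != len(record) - 5 or hs_len != len(body):
        raise ValueError("length fields do not match the data received")
    # version(2) + random(32) + session_id length(1), then id, suite(2), compression(1)
    if len(body) < 35 or len(body) < 35 + body[34] + 3:
        raise ValueError("truncated ServerHello")
    suite_at = 35 + body[34]
    version = int.from_bytes(body[0:2], "big")
    return version, int.from_bytes(body[suite_at:suite_at + 2], "big")


def check_server_hello(record, offered=OFFERED_SUITES, versions=SUPPORTED_VERSIONS):
    """Verdict a conforming client should reach before continuing the handshake."""
    try:
        version, suite = parse_server_hello(record)
    except ValueError as exc:
        return f"reject: {exc}"
    if version not in versions:
        return f"reject: unsupported version 0x{version:04x}"
    if suite not in offered:
        return f"reject: cipher suite 0x{suite:04x} was not offered"
    return "accept"
```

The verdicts give the expected outcome to compare against what the embedded client actually does when a test server sends the same bytes.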