F5-Labs / cryptonice

CryptoNice is both a command line tool and library which provides the ability to scan and report on the configuration of SSL/TLS for your internet or internal facing web services. Built using the sslyze API and ssl, http-client and dns libraries, cryptonice collects data on a given domain and performs a series of tests to check TLS configuration and supporting protocols such as HTTP2 and DNS.
https://www.f5.com/labs/cryptonice
GNU General Public License v3.0

CAA records are not properly checked for records at the domain level #11

Closed melcaniac closed 4 years ago

melcaniac commented 4 years ago

We have our CAA records set up for vectorvms.com to allow only Comodo to issue SSL certificates for our domain. When using cryptonice we get the following:

RECOMMENDATIONS

Low - CAA Consider creating DNS CAA records to prevent accidental or malicious certificate issuance.

even though Qualys scans show no issues with our CAA record. https://www.ssllabs.com/ssltest/analyze.html?d=vms.vectorvms.com

warburtr0n commented 4 years ago

Thanks so much for trying out Cryptonice and for taking the time to submit an issue. I'm not able to replicate the issue on my end.

Submitting

cryptonice vectorvms.com

Gives the following results...

CERTIFICATE
Common Name:              www.vectorvms.com
Public Key Algorithm:         RSA
Public Key Size:          2048
Signature Algorithm:          sha256

Certificate is trusted:       True (No errors)
Hostname Validation:          OK - Certificate matches server hostname
Extended Validation:          False
Certificate is in date:       True
Days until expiry:        129
Valid From:           2018-11-30 00:00:00
Valid Until:              2020-11-29 23:59:59

OCSP Response:            Unsuccessful
Must Staple Extension:        False

Subject Alternative Names:
      www.vectorvms.com
      vectorvms.com

Vulnerability Tests:
No vulnerability tests were run

HTTP to HTTPS redirect:       True
HTTP Strict Transport Security:   True (max-age=63072000; includeSubdomains;)
HTTP Public Key Pinning:      False

Secure Cookies:           False

CAA Restrictions:
     0 issue "comodoca.com"

RECOMMENDATIONS
-------------------------------------

Scans complete
-------------------------------------
Total run time: 0:00:09.738364

Can you please detail how you used the tool?

melcaniac commented 4 years ago

Thanks David. The problem is not when we query the top-level domain, but vms-v1.vectorvms.com. I have recently added HSTS to certain sites and I’m using the cryptonice tool to validate, and it is working fine. I just wonder why the CAA record is not found. Below is what I’m seeing from my Mac, and it is not connected to our corporate VPN, so that should not be causing any issues (internal DNS, for instance). The Qualys scan (https://www.ssllabs.com/ssltest/analyze.html?d=vms-v1.vectorvms.com) for the same record does detect the CAA record. Thanks for the work on this!

RAL-PF-ML-001:~ matthew.leggett$ cryptonice vms-v1.vectorvms.com

Pre-scan checks

Scanning vms-v1.vectorvms.com on port 443...
Analyzing DNS data for vms-v1.vectorvms.com
Fetching additional records for vms-v1.vectorvms.com
vms-v1.vectorvms.com resolves to 165.193.101.227
165.193.101.227:443 : OPEN
TLS is available: True
Connecting to port 443 using HTTPS
Reading HTTP headers for vms-v1.vectorvms.com
Queueing TLS scans (this might take a little while...)
Looking for HTTP/2

RESULTS

Hostname: vms-v1.vectorvms.com
Selected Cipher Suite: ECDHE-RSA-AES128-GCM-SHA256
Selected TLS Version: TLS_1_2
Supported protocols:
TLS 1.2: Yes
HTTP/2 supported: False

CERTIFICATE
Common Name: *.vectorvms.com
Public Key Algorithm: RSA
Public Key Size: 2048
Signature Algorithm: sha256

Certificate is trusted: True (No errors)
Hostname Validation: OK - Certificate matches server hostname
Extended Validation: False
Certificate is in date: True
Days until expiry: 163
Valid From: 2019-11-19 00:00:00
Valid Until: 2021-01-05 23:59:59

OCSP Response: Unsuccessful
Must Staple Extension: False

Subject Alternative Names:
      *.vectorvms.com
      vectorvms.com

Vulnerability Tests:
No vulnerability tests were run

HTTP to HTTPS redirect: True
HTTP Strict Transport Security: True (max-age=86400; includeSubDomains)
HTTP Public Key Pinning: False

Secure Cookies: True

None

RECOMMENDATIONS

Low - CAA Consider creating DNS CAA records to prevent accidental or malicious certificate issuance.

Scans complete

Total run time: 0:00:09.790724

Outputting data to ./vms-v1.vectorvms.com.json


warburtr0n commented 4 years ago

Thanks for the update. Took a little while to realise that your CAA records have an SOA record that points to your root domain. I've updated the getsdns.py module to follow SOA targets and I believe this is now fixed.

This is only updated in the code, however. I'll continue testing and mark this issue as closed once @knewbold17 has had a chance to update the library on PyPi.
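The behaviour at the heart of this issue is that a CAA policy published at the zone apex (vectorvms.com) governs vms-v1.vectorvms.com even though no CAA RRset exists at the host name itself. The following is an added example, not cryptonice's code: instead of following SOA targets as the fix above does, it implements the tree-climbing rule from RFC 8659 (query the host, then each parent name, stop at the first CAA RRset) and evaluates an `issue` tag against a candidate CA. The resolver is injected and the zone data is constructed so it runs offline.

```python
from typing import Callable, Dict, List, Optional

# Constructed sample zone mirroring the issue: CAA exists only at the apex.
SAMPLE_ZONE: Dict[str, List[str]] = {
    "vectorvms.com": ['0 issue "comodoca.com"'],
}

def lookup_from_zone(zone: Dict[str, List[str]]) -> Callable[[str], List[str]]:
    """Build a CAA resolver over an in-memory zone (stand-in for a DNS query)."""
    def resolve(name: str) -> List[str]:
        return zone.get(name.rstrip(".").lower(), [])
    return resolve

def find_caa(hostname: str, resolve: Callable[[str], List[str]]) -> Optional[dict]:
    """Return the CAA RRset that governs hostname, or None if there is none.

    RFC 8659 section 3: start at the host name, strip one label at a time,
    and use the first name that has a CAA RRset. Stop before the TLD so a
    TLD's records are never treated as the host's policy.
    """
    labels = hostname.rstrip(".").lower().split(".")
    while len(labels) >= 2:
        name = ".".join(labels)
        rrset = resolve(name)
        if rrset:
            return {"owner": name, "records": rrset}
        labels = labels[1:]
    return None

def issuance_allowed(hostname: str, ca_domain: str,
                     resolve: Callable[[str], List[str]]) -> bool:
    """Decide whether ca_domain may issue a non-wildcard cert for hostname."""
    found = find_caa(hostname, resolve)
    if found is None:
        return True          # no CAA anywhere in the tree: issuance unrestricted
    issuers: List[str] = []
    for rr in found["records"]:
        _flags, tag, value = rr.split(" ", 2)
        if tag == "issue":
            # 'issue ";"' (empty issuer) is an explicit deny for every CA
            issuers.append(value.strip('"').split(";")[0].strip())
    if not issuers:
        return True          # CAA present but no issue tags: not restricted
    return ca_domain in issuers

if __name__ == "__main__":
    r = lookup_from_zone(SAMPLE_ZONE)
    print(find_caa("vms-v1.vectorvms.com", r))
    print(issuance_allowed("vms-v1.vectorvms.com", "comodoca.com", r))
```

A scanner that reports "no CAA" for a host should be read with this rule in mind: the absence of an RRset at the exact name says nothing until the parent names have been checked.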

melcaniac commented 4 years ago

Thanks David!


warburtr0n commented 4 years ago

Cryptonice has now been updated to v1.0 (actually I think we're at 1.0.5). Please try to update and see how you get on...

pip install cryptonice --upgrade

melcaniac commented 4 years ago

Thanks David, that worked great! I can’t wait to add this to my automation. I really appreciate it!

Matt
