Howto filter unsecured TLS1.1 and below connections on the Load Balancer

Howto filter unsecured TLS1.1 and below connections on the Load Balancer

Intro #

SSL services are more and more critical and we need to ensure that we’re using newer TLS protocol versions and secured ciphers. But, in the real life, where our services have different types of clients with different kinds of devices, we need to ensure connectivity to our secured services.

So, it could be useful to identify which clients are connecting (or trying to connect) to our SSL services. In that case, you can use the tool tcpdump for a load balancer or any Linux server.

Executing tcpdump with SSL filter #

The command tcpdump in the load balancer or Linux server allows to filter by TCP fields, so we’ve to match the bytes according to the version number of the SSL packets found in the 12th position. Also, as different positions could be found for SSLv2, SSLv3, TLS1.0 or TLS1.1, a composition of several filters should be used:

root@noid-ee-01:~$ tcpdump -i any -n "(((tcp[((tcp[12] & 0xf0) >> 2)] = 0x14) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x15) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x17)) && (tcp[((tcp[12] & 0xf0) >> 2)+1] = 0x03 && (tcp[((tcp[12] & 0xf0) >> 2)+2] < 0x03)))   ||   (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16) && (tcp[((tcp[12] & 0xf0) >> 2)+1] = 0x03) && (tcp[((tcp[12] & 0xf0) >> 2)+9] = 0x03) && (tcp[((tcp[12] & 0xf0) >> 2)+10] < 0x03)    ||    (((tcp[((tcp[12] & 0xf0) >> 2)] < 0x14) || (tcp[((tcp[12] & 0xf0) >> 2)] > 0x18)) && (tcp[((tcp[12] & 0xf0) >> 2)+3] = 0x00) && (tcp[((tcp[12] & 0xf0) >> 2)+4] = 0x02))"

The command will be waiting until the manual cancellation of the command with Crtl+C.

Testing the SSL filter #

To test the SSL connection against a server with a certain SSL protocol, you can use openssl in the client side, like it is shown below with a successful connection.

client:~$ openssl s_client -connect 192.168.56.10:443 -tls1
CONNECTED(00000003)
[...]
---
Certificate chain
[...]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID8DCCAtigAwIBAgIJAJ22cPNVcSZYMA0GCSqGSIb3DQEBCwUAMIGMMQswCQYD
VQQGEwJFUzEOMAwGA1UECAwFU3BhaW4xDjAMBgNVBAcMBVNwYWluMRMwEQYDVQQK
DApaZXZlbmV0IFNMMRswGQYDVQQLDBJUZWxlY29tbXVuaWNhdGlvbnMxCjAIBgNV
[...]

Having to change the server and port desired. Also, you can change the parameter -tls1 for the desired protocol to be used.

Interpreting the results #

In the server side, you’ll see something like this:

root@noid-ee-01:~$ tcpdump [...]
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
12:20:46.984131 IP 192.168.56.1.58286 > 192.168.56.10.444: Flags [P.], seq 1580373103:1580373207, ack 4195613909, win 502, length 104
12:20:46.988648 IP 192.168.56.10.444 > 192.168.56.1.58286: Flags [P.], seq 1:1414, ack 104, win 29, length 1413
[...]

The IP address 192.168.56.1 is detected as unsecure connection to the service 192.168.56.10.444 in the server.

SHARE ON:

Powered by BetterDocs