TLSPretense — SSL/TLS Client Testing Framework
TLSPretense is a framework for testing client-side SSL/TLS certificate validation. Software that uses HTTPS and TLS, such as mobile applications and web service clients, often make mistakes configuring and implementing client-side TLS code. These mistakes are usually severe enough to allow an attacker to intercept the supposedly protected network traffic. iSEC has developed TLSPretense to help with this situation by providing an extensible testing framework to help security teams, QA testers, and developers find these problems before outside parties do.
The test framework is written in Ruby, and it runs on Unix-like systems (Linux, Mac OS X, *BSD) that have a firewall that can intercept network traffic coming from the client being tested.
Certificate tests it can perform include:
- Self-signed certificates
- A valid certificate for the wrong website
- Null byte in hostname
- Intermediate certificate that is not a CA
- Various additional certificate chain issues
Get the source at: