chr4

Devops. I've never asked for this.

sslsecure.vim - Highlight insecure SSL/TLS cipher suites and protocols as errors in your editor

Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.

Edward Snowden

When configuring or programming SSL/TLS servers, at some point a SSL/TLS cipher suite and a list of supported protocols have to be chosen. Unfortunately, not all configuration options are safe. :(

Meet sslsecure.vim! A plugin for the Vim editor, that marks insecure SSL/TLS cipher suites and protocols as errors. See all potentially insecure options right in your editor!

Features

  • Mark insecure SSL ciphers as errors
  • Mark insecure SSL protocols as errors
  • Works with all configuration files (web servers, mail servers, …)
  • Works with all source code (independently on the used programming language)
  • Works on top of regular syntax highlighting

Screenshots

Enough words, see sslsecure.vim in action!

Web Servers

nginx:
nginx
Apache2:
Apache2
Lighttpd:
Lighttpd

Mail Servers

Postfix:
Postfix
Exim:
Exim
Dovecot:
Dovecot

Load Balancers

HAProxy:
HAProxy

FTP Servers

ProFTPd:
ProFTPd

Databases

PostgreSQL:
PostgreSQL
MariaDB/ MySQL:
MySQL

Programming languages

C (OpenSSL):
C
Go:
Go
Java:
Java

Additional notes on runtime cipher expanding

Cipher suites are expanded upon runtime. This is especially important when using +CHIPER statements in your suite, as insecure ciphers might be included upon runtime.

Example: The following (suggested by Cipherli.st) cipher suite doesn’t seem to contain any insecure ciphers when specifying:

1
EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

However, depending on your OpenSSL/ LibreSSL version, this suite expands upon runtime to the following (note the insecure DSS and SHA ciphers!):

1
$ openssl chipers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH' |vim
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA

The plugin currently doesn’t save you from this pitfall. It’s therefore recommended, not to use the + statement in your cipher suite. There’s an issue that discusses whether this plugin should also highlight all + statements.

Feedback

I’m neither a mathematician, nor a cryptographer. If you are one and you have feedback to this plugin, find a flaw, please open an issue or contact me.

Installation

Just plug it into your favorite Vim package manager:

1
2
3
4
5
6
7
8
" Plug
Plug 'chr4/sslsecure.vim

" Dein.vim
call dein#add('chr4/sslsecure.vim')

" Vundle
Plugin 'chr4/sslsecure.vim'

Using sslsecure.vim and nginx.vim together

sslsecure.vim was inspired by my other plugin nginx.vim, which also automatically tries to detect insecure settings, but is nginx specific. Both plugins can be used alongside – nginx.vim automatically detects when sslsecure.vim is installed, so errors are not highlighted twice.

Edit: Gracias a Redeszone por un revisión muy bien sobre esta extensión!

Edit: Christian Rebischke packaged this plugin for Archlinux users in the Archlinux User Repository (AUR)

Edit: Auch ein Danke an Heise für den Artikel über dieses Plugin!