On Tue, 30 Dec 2003, ssg foursixofive wrote: > ssltest.nasl is declaring a hole at the following line > in ssltest.nasl. > > # well, we sent the cert and the server fin'ed or > RST'ed...what to do, what to do...???? > # the cert was, after all, out of line...we should > have gotten an error code 0x0A...so... > security_hole(port); > > I am running apache 1.3.29, mod_ssl 2.8.16, and > openssl 0.9.7c. > > I noticed the section of code: > > # Thanks to Brad Hazledine for submitting report that: > #> By removing weak ciphers from the SSLCipherSuite on > Apache 1.3.29/mod_ssl > #> 2.8.16/Openssl 0.9.7c it reports a false > (vulnerable) version of openssl. > # So, We'll look for error message 0x02 0x28 which > denotes a failed handshake > if ( (ord(r[5]) == 0x02) && (ord(r[6]) == 0x28) ) > exit(0); > > > I am removing weak ciphers from SSLCipherSuite, but I > have different values for r[5] and r[6]. Is there an > openssl reference guide somewhere that I can determine > what exactly my server IS responding with? Or, does > anyone have any suggestions as to how I should > troubleshoot this? > > I have done the exact same setup on a linux box and it > behaves as expected...so it seems to be related to the > xserve. > > any help would be greatly appreciated! > > thanks in advance, > > steve
I'm away from my dev servers right now, but I'll check this out later tonight. btw, there are some good books on SSL protocol...the one that I have is called _SSL and TLS Essentials_ . a few questions: 1) After recompiling new OpenSSL, did you then recompile apps which relied on OpenSSL? 2) from what you've stated above, you are not getting anything on the second recv() call. Can you tell me whether server FIN's, RST's, or just stops communicating on the socket? TIA, John Lampe jwlampe -at- nessus.org http://f00dikator.aceryder.com/ _______________________________________________ Nessus mailing list [EMAIL PROTECTED] http://mail.nessus.org/mailman/listinfo/nessus
