--- John Lampe <[EMAIL PROTECTED]> wrote:
> On Tue, 30 Dec 2003, ssg foursixofive wrote:
>
> > ssltest.nasl is declaring a hole at the following line
> > in ssltest.nasl.
> >
> > # well, we sent the cert and the server fin'ed or RST'ed...what to do, what to do...????
> > # the cert was, after all, out of line...we should have gotten an error code 0x0A...so...
> > security_hole(port);
> >
> > I am running apache 1.3.29, mod_ssl 2.8.16, and
> > openssl 0.9.7c.
> >
> > I noticed the section of code:
> >
> > # Thanks to Brad Hazledine for submitting report that:
> > #> By removing weak ciphers from the SSLCipherSuite on Apache 1.3.29/mod_ssl
> > #> 2.8.16/Openssl 0.9.7c it reports a false (vulnerable) version of openssl.
> > # So, We'll look for error message 0x02 0x28 which denotes a failed handshake
> > if ( (ord(r[5]) == 0x02) && (ord(r[6]) == 0x28) )
> >   exit(0);
> >
> > I am removing weak ciphers from SSLCipherSuite, but I
> > have different values for r[5] and r[6]. Is there an
> > openssl reference guide somewhere that I can determine
> > what exactly my server IS responding with? Or, does
> > anyone have any suggestions as to how I should
> > troubleshoot this?
> >
> > I have done the exact same setup on a linux box and it
> > behaves as expected...so it seems to be related to the
> > xserve.
> >
> > any help would be greatly appreciated!
> >
> > thanks in advance,
> >
> > steve
>
> I'm away from my dev servers right now, but I'll check this out later
> tonight. btw, there are some good books on SSL protocol...the one that I
> have is called _SSL and TLS Essentials_ .
>
> a few questions:
> 1) After recompiling new OpenSSL, did you then
> recompile apps which relied on OpenSSL?

I rebuilt openssl as a shared lib, replaced the existing libssl/libcrypto shared lib and stop/started apache. Also, when I look in the apache log it shows openssl 0.9.7c...as well as the HTTP headers do too.

> 2) from what you've stated above, you are not getting anything on the
> second recv() call. Can you tell me whether server FIN's, RST's, or just
> stops communicating on the socket?

how do I find that out? I set mod_ssl to debug and I got the following error message:

[30/Dec/2003 17:06:18 19329] [info] Connection to child 5 established (server secure.myhost.com:443, client 217.111.111.23)
[30/Dec/2003 17:06:18 19329] [info] Seeding PRNG with 1160 bytes of entropy
[30/Dec/2003 17:06:18 19329] [debug] OpenSSL: read 11/11 bytes from BIO#00274670 [mem: 001E7000] (BIO dump follows)
+-------------------------------------------------------------------------+
| 0000: 80 2e 01 31 35 00 15 00-00 00 10                 ...15......      |
+-------------------------------------------------------------------------+
[30/Dec/2003 17:06:18 19329] [error] SSL handshake failed (server secure.myhost.com:443, client 217.111.111.23) (OpenSSL library error follows)
[30/Dec/2003 17:06:18 19329] [error] OpenSSL: error:140760FC:lib(20):func(118):reason(252)

after that I can see the second connection coming in:

[30/Dec/2003 17:06:18 19319] [info] Connection to child 1 established (server secure.myhost.com:443, client 217.111.111.23)
[30/Dec/2003 17:06:18 19319] [info] Seeding PRNG with 1160 bytes of entropy
[30/Dec/2003 17:06:18 19319] [debug] OpenSSL: read 11/11 bytes from BIO#00274670 [mem: 001E7000] (BIO dump follows)
+-------------------------------------------------------------------------+
| 0000: 80 2e 01 03 00 00 15 00-00 00 10                 ...........      |
+-------------------------------------------------------------------------+
[30/Dec/2003 17:06:18 19319] [debug] OpenSSL: read 37/37 bytes from BIO#00274670 [mem: 0021700B] (BIO dump follows)
+-------------------------------------------------------------------------+
| 0000: 00 00 62 00 00 62 04 00-80 00 00 63 00 00 03 00  ..b..b.....c.... |
| 0010: 00 64 02 00 80 4e 45 53-53 55 53 4e 45 53 53 55  .d...NESSUSNESSU |
| 0020: 53 4e 45 53 53                                   SNESS            |
+-------------------------------------------------------------------------+
[30/Dec/2003 17:06:18 19319] [debug] OpenSSL: write 769/769 bytes to BIO#00274670 [mem: 00220001] (BIO dump follows)

then it writes the certificate for secure.myhost.com and then goes on to:

+-------------------------------------------------------------------------+
[30/Dec/2003 17:06:21 19319] [debug] OpenSSL: read 2/2 bytes from BIO#00274670 [mem: 00217000] (BIO dump follows)
+-------------------------------------------------------------------------+
| 0000: 16 03                                            ..               |
+-------------------------------------------------------------------------+
[30/Dec/2003 17:06:21 19319] [debug] OpenSSL: read 986/5636 bytes from BIO#00274670 [mem: 00217002] (BIO dump follows)
+-------------------------------------------------------------------------+

then it reads the fake certificate (NESSUS) and:

+-------------------------------------------------------------------------+
[30/Dec/2003 17:06:26 19319] [debug] OpenSSL: read 0/4650 bytes from BIO#00274670 [mem: 002173DC] (BIO dump follows)
+-------------------------------------------------------------------------+
+-------------------------------------------------------------------------+
[30/Dec/2003 17:06:26 19319] [info] SSL handshake stopped: connection was closed

and that's it. I hope I was able to provide you with enough information.

thanks again for the help.

steve

_______________________________________________
Nessus mailing list
[EMAIL PROTECTED]
http://mail.nessus.org/mailman/listinfo/nessus
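
Added example (not part of the original message or of ssltest.nasl): a small Python decoder for the bytes discussed in the thread. It parses the SSLv2-format CLIENT-HELLO from the mod_ssl debug dumps and an SSLv3/TLS alert record, whose level and description bytes sit at offsets 5 and 6 (the r[5] and r[6] the script tests). Function and constant names are hypothetical, and the alert record is constructed sample data.

```python
import struct

KNOWN_VERSIONS = {(0, 2): "SSL 2.0", (3, 0): "SSL 3.0", (3, 1): "TLS 1.0"}
# Alert descriptions from the SSL 3.0 / TLS 1.0 specifications (subset).
ALERTS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
          40: "handshake_failure", 42: "bad_certificate",
          43: "unsupported_certificate", 47: "illegal_parameter"}

def parse_v2_client_hello(data):
    """Decode an SSLv2-format CLIENT-HELLO (hypothetical helper name)."""
    if len(data) < 11 or not data[0] & 0x80:
        raise ValueError("not an SSLv2 record with a 2-byte header")
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    msg_type, major, minor, cs_len, sid_len, ch_len = struct.unpack(
        ">BBBHHH", data[2:11])
    if msg_type != 1:
        raise ValueError("not a CLIENT-HELLO")
    body = data[11:11 + cs_len + sid_len + ch_len]
    complete = len(body) == cs_len + sid_len + ch_len
    return {
        "record_length": rec_len,
        "version": (major, minor),
        "version_name": KNOWN_VERSIONS.get((major, minor), "unknown"),
        # Each SSLv2 cipher spec is 3 bytes; None if only the header was given.
        "cipher_specs": ([body[i:i + 3].hex() for i in range(0, cs_len, 3)]
                         if complete else None),
        "challenge": body[cs_len + sid_len:] if complete else None,
    }

def parse_alert(resp):
    """Decode an SSLv3/TLS alert record; resp[5]/resp[6] are level/description."""
    if len(resp) < 7 or resp[0] != 0x15:
        return None  # not an alert record (or the peer sent nothing)
    level = {1: "warning", 2: "fatal"}.get(resp[5], hex(resp[5]))
    return (resp[1], resp[2]), level, ALERTS.get(resp[6], hex(resp[6]))

# Bytes copied from the mod_ssl debug dumps in the message above.
FIRST_HELLO_HEADER = bytes.fromhex("802e013135001500000010")
SECOND_HELLO = (bytes.fromhex("802e010300001500000010")
                + bytes.fromhex("000062000062040080000063000003000064020080")
                + b"NESSUSNESSUSNESS")
# Constructed sample: the fatal handshake_failure alert the script checks for.
SAMPLE_ALERT = bytes.fromhex("15030000020228")

if __name__ == "__main__":
    print(parse_v2_client_hello(FIRST_HELLO_HEADER))
    print(parse_v2_client_hello(SECOND_HELLO))
    print(parse_alert(SAMPLE_ALERT))
```

The first dump's version field decodes to the bytes 0x31 0x35, which is not a known protocol version; the second decodes as SSL 3.0 with seven cipher specs and the 16-byte NESSUS challenge.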
