Hello,
> I tried with "openssl s_client" but I can't get any OpenSSL version
> information back. Is there some easy way of determining if the remote
> service is vulnerable, or can you ensure that the versions which are
> older than 0.9.6k or 0.9.7c are not vulnerable?
SSL servers do not send back version information.

> I am running the following version:
> 
> OpenSSL> version
> OpenSSL 0.9.7e-p1 25 Oct 2004
> OpenSSL> exit
> 
> It might be that the application that we are testing is using
> statically linked libraries and I need to investigate that; I just
> wanted to check with you guys if there were a way of checking this
> remotely.
Yes, but this vulnerability can be checked if the server requests client
authentication (the client sends its certificate, which is parsed by the server).
A simple "blinking bit" test is enough to check this.
You may write a simple program which sequentially connects to your
server and, in each connection, at the SSL Record Layer, modifies one
bit of the client Certificate packet sent to the server.
After a few connections you will get a server core dump for OpenSSL 0.9.7b
(but not for OpenSSL 0.9.7c).

Best regards,
-- 
Marek Marcola <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]