Taras,

On Wed, May 23, 2012 at 6:09 PM, Taras <ox...@oxdef.info> wrote:
> Andres,
>
> I have removed incorrect SSLv2 check and added
> subjectAltName extension support.

Perfect!

>
>> There are ways to verify a certificate from Python (seems that with
>> m2crypt is easier?):
>>     - http://stackoverflow.com/questions/4403012/how-do-i-verify-an-ssl-certificate-in-python
>>
>> @Taras: Got enough information to work on this feature?
>
>
>
> Currently what we at least need in ssl plugin:
> 1. full chain verification
> 2. correct SSLv2 checking
> 3. weak ciphers checking
>
> I'm reviewing m2crypto... but it looks like PyOpenSSL, which we already use,
> can do the same [0]

That's great, saw the commit on the ssl branch. Could you please tell
me a couple of target sites where I could test the plugin and the
expected results? (I will only run that plugin against the targets, so no
worries if they are yours.)

> [0] http://wiki.python.org/moin/SSL
>
>
>> On Sun, May 20, 2012 at 6:47 PM, Stephen Breen<breen.mach...@gmail.com>
>>  wrote:
>>>
>>> Try this:
>>> ls /usr/lib/ssl/certs
>>>
>>> I get the same error as you for "openssl ca" on Ubuntu and a different
>>> error
>>> on CentOS5 and RedHat5.
>>>
>>> On Sun, May 20, 2012 at 11:38 AM, Andres
>>> Riancho<andres.rian...@gmail.com>
>>> wrote:
>>>>
>>>>
>>>> Achim, Taras,
>>>>
>>>> On Sun, May 20, 2012 at 5:12 PM, Achim Hoffmann<webse...@sic-sec.org>
>>>> wrote:
>>>>>
>>>>> Am 19.05.2012 17:20, schrieb Andres Riancho:
>>>>>>
>>>>>> Taras,
>>>>>>
>>>>>> On Sat, May 19, 2012 at 2:52 PM, Taras<ox...@oxdef.info>  wrote:
>>>>>>>
>>>>>>> Andres,
>>>>>>>
>>>>>>>
>>>>>>>> - Just to make things clear regarding the static nature of it, I would
>>>>>>>> move self._min_expire_days to the module level and call it
>>>>>>>> MIN_EXPIRE_DAYS
>>>>>>>
>>>>>>>
>>>>>>> Hmm, I want to make it possible to set it up as an option. It can help
>>>>>>> users to force their PKI policy for scanning.
>>>>>>>
>>>>>>>
>>>>>>>> - After reading "issuer = cert.get_issuer()" I thought... maybe we
>>>>>>>> could dump the cert authority list from a browser (firefox?) and add a
>>>>>>>> simple check to verify that the cert.get_issuer() is in that list?
>>>>>>>
>>>>>>>
>>>>>>> It would be better if the openssl wrapper could do it internally, but yes,
>>>>>>> if there is no other way, we will need to have our own CA list.
>>>>>>
>>>>>>
>>>>>> Totally agree with you again :) Do you know if openssl has an internal
>>>>>> CA list?
>>>>>
>>>>>
>>>>> openssl uses CAs from the directory ssl/certs, which depends on the system
>>>>> you started openssl on (most likely /etc/ssl/certs on *ix).
>>>>> You may try
>>>>>   openssl ca
>>>>> to get an idea.
>>>>>
>>>>> Note that your OS may do housekeeping for these CAs, hence some may
>>>>> be missing or some are there even if revoked.
>>>>
>>>>
>>>> Without knowing much about what "openssl ca" does, I ran it and got
>>>> errors:
>>>>
>>>> dz0@dz0-laptop:~$ openssl ca
>>>> Using configuration from /usr/lib/ssl/openssl.cnf
>>>> Error opening CA private key ./demoCA/private/cakey.pem
>>>> 3769:error:02001002:system library:fopen:No such file or
>>>> directory:bss_file.c:356:fopen('./demoCA/private/cakey.pem','r')
>>>> 3769:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:358:
>>>> unable to load CA private key
>>>> unable to write 'random state'
>>>> dz0@dz0-laptop:~$
>>>>
>>>> Looks like my default Ubuntu configuration did not like that command.
>>>> Based on our discussion thread I was expecting it to return a list of
>>>> all trusted CAs, shouldn't it do that, Achim?
>>>>
>>>>> Hope this helps
>>>>> Achim
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Andrés Riancho
>>>> Project Leader at w3af - http://w3af.org/
>>>> Web Application Attack and Audit Framework
>>>> Twitter: @w3af
>>>> GPG: 0x93C344F3
>>>>
>>>>
>>>>
> --
> Taras
> http://oxdef.info



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
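The three plugin checks Taras lists (expiry with a configurable minimum, weak ciphers, and the subjectAltName support he just committed), plus the "where does OpenSSL keep its CAs" question Achim answered, as an added standard-library example; this is not the w3af ssl plugin's code, and the weak-cipher marker set and the 30-day default are assumptions.

```python
import ssl
from datetime import datetime, timezone

# Assumption: a simple marker set for a 2012-era policy, not w3af's actual list.
WEAK_MARKERS = {"NULL", "EXP", "EXP1024", "RC4", "RC2", "DES", "MD5", "ADH", "AECDH"}
DEFAULT_MIN_EXPIRE_DAYS = 30  # a plugin option, as Taras wanted, not a module constant

def weak_ciphers(names):
    """Return the OpenSSL-style suite names that contain a weak marker token."""
    # OpenSSL names are '-'-joined tokens, e.g. 'EXP-RC4-MD5' or 'DES-CBC3-SHA'.
    return [n for n in names if WEAK_MARKERS & set(n.upper().split("-"))]

def parse_asn1_time(value):
    """Parse the 'YYYYMMDDHHMMSSZ' form that PyOpenSSL's X509.get_notAfter() returns."""
    if isinstance(value, bytes):
        value = value.decode("ascii")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def check_expiry(not_after, min_expire_days=DEFAULT_MIN_EXPIRE_DAYS, now=None):
    """Return ('expired' | 'expiring' | 'ok', days_left); 'now' may be an ASN.1 time."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, (str, bytes)):
        now = parse_asn1_time(now)
    days_left = (parse_asn1_time(not_after) - now).days
    if days_left < 0:
        return "expired", days_left
    if days_left < min_expire_days:
        return "expiring", days_left
    return "ok", days_left

def hostname_matches(hostname, san_dns_names):
    """Match the scanned host against the DNS entries of subjectAltName.
    A leading '*' matches exactly one label (RFC 6125 section 6.4.3 style)."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count("."):
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False

def trusted_ca_paths():
    """Where OpenSSL looks for trusted CAs ('openssl ca' runs a CA, it does not list them)."""
    paths = ssl.get_default_verify_paths()
    return paths.cafile, paths.capath
```

`trusted_ca_paths()` reports the same cafile/capath (typically under /etc/ssl on Linux) that a PyOpenSSL X509Store would load with `set_default_paths()`, which is the answer to the "openssl ca" confusion above.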

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
