Andres, please take into account that it is not the final version yet.

> * If we're not going to use openssl anymore, shouldn't we remove it
> from the dependency check file?

Not yet, because it is used at least in proxy.py :( We also need to migrate there to the ssl module.

>
>     try:
>         from OpenSSL import SSL
>     except:
>         packages.append('pyOpenSSL')
>         packages_debian.append('python-pyopenssl')
>         packages_mac_ports.extend(['py26-openssl'])
>         reasonForExit = True
>         #mem_test('after ssl import')
>
> * "class sslCertificate2", that won't work, the plugin filename and
> the class should have the same name

I had fixed it before you sent the mail ;)

>
> * I recommend storing ca.pem in plugins/audit/sslCertificate/ca.pem

Agree.

>
> * What happens if the remote end uses a different version of SSL in
> the line that says: "ssl_version=ssl.PROTOCOL_SSLv23" ?

See the table for such cases [0].

>
> * I think this is an info() "v.setName('Invalid SSL certificate/connection')"

We have already discussed that any problem which could cause the browser to show the user an invalid certificate is a vuln with low severity. What was changed? For a soon-expiring certificate I use an info object.

> * Not sure why we do this?
>     ssl_sock.write("""GET / HTTP/1.0\r\n\r\n""")
>     data = ssl_sock.read()

What do you mean here?

> * We lost some features, right?

The check for the SSL version was incorrect. But I think I have found how we can check it. Give me some time :)

>
> 1)
>     # Print the SSL information to the log
>     desc = 'This is the information about the SSL certificate
>     used in the target site:' ...

Do we need this information? If yes, I can try to make a clone of the dump_x509 cert function.

>
> 2)
>     desc = 'The certificate is using an old version of SSL

See above.

> 3) And some other things that were in the previous version.

All other things like an expired certificate or an incorrect wildcard domain should now be checked by the ssl module. What else?
[0] http://docs.python.org/library/ssl#ssl.wrap_socket

> On Fri, Jun 1, 2012 at 3:00 PM, <ox...@users.sourceforge.net> wrote:
>> Revision: 5038
>> http://w3af.svn.sourceforge.net/w3af/?rev=5038&view=rev
>> Author: oxdef
>> Date: 2012-06-01 11:00:10 +0000 (Fri, 01 Jun 2012)
>> Log Message:
>> -----------
>> migrated to built-in ssl module
>>
>> Modified Paths:
>> --------------
>> branches/ssl/core/controllers/dependency_check/dependency_check.py
>> branches/ssl/plugins/audit/sslCertificate.py
>>
>> Added Paths:
>> -----------
>> branches/ssl/plugins/audit/ca.pem

--
Taras
http://oxdef.info

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
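The checks the thread says should now rest on the built-in ssl module (expired certificate, soon-expiring certificate as info, wildcard domain mismatch as a low-severity vuln) are sketched here as an added example; it is not code from w3af or from Taras's patch. It works on the dict shape that SSLSocket.getpeercert() returns, the sample certificate is constructed, and the 30-day "expires soon" threshold is an assumption.

```python
import ssl
import time

# Threshold is an assumption for this example, not a value from the w3af plugin.
SOON_DAYS = 30

def hostname_matches(pattern, hostname):
    """Match one DNS name from the cert against the target host.
    A wildcard is only honoured as the whole left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]

def cert_names(cert):
    """DNS names from subjectAltName, falling back to the subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    return names

def classify_certificate(cert, hostname, now=None):
    """Return (severity, message) findings: an expired or mismatched cert
    is what a browser warns on (low-severity vuln), near expiry is info."""
    now = time.time() if now is None else now
    findings = []
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_after < now:
        findings.append(("vuln", "Certificate expired on " + cert["notAfter"]))
    elif not_after - now < SOON_DAYS * 86400:
        findings.append(("info", "Certificate expires within %d days" % SOON_DAYS))
    if not any(hostname_matches(n, hostname) for n in cert_names(cert)):
        findings.append(("vuln", "Certificate does not match host " + hostname))
    return findings

# Constructed sample in the shape returned by SSLSocket.getpeercert()
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jun  1 00:00:00 2012 GMT",
    "notAfter": "Jun 30 00:00:00 2012 GMT",
}

if __name__ == "__main__":
    for severity, message in classify_certificate(SAMPLE_CERT, "www.example.com"):
        print(severity, message)
```

Run against a live socket, the dict would come from `ssl_sock.getpeercert()` after a handshake with `cert_reqs=ssl.CERT_REQUIRED` and the plugin's ca.pem as `ca_certs`.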