Taras,

On Fri, Jun 1, 2012 at 1:41 PM, Taras <ox...@oxdef.info> wrote:
> Andres,
>
> please take into account that it is not the final version yet.
>
>
>> * If we're not going to use openssl anymore, shouldn't we remove it
>> from the dependency check file?
>
> Not yet because it is used at least in proxy.py :( We also need to migrate
> there to the ssl module.

Ahhh, understood!

>>
>>     try:
>>         from OpenSSL import SSL
>>     except:
>>         packages.append('pyOpenSSL')
>>         packages_debian.append('python-pyopenssl')
>>         packages_mac_ports.extend(['py26-openssl'])
>>         reasonForExit = True
>>     #mem_test('after ssl import')
>>
>> * "class sslCertificate2", that won't work, the plugin filename and
>> the class should have the same name
>
> I had fixed it before you sent your mail ;)

Great,

>>
>> * I recommend storing ca.pem in plugins/audit/sslCertificate/ca.pem
>
> Agree
>
>>
>> * What happens if the remote end uses a different version of SSL in
>> the line that says: "ssl_version=ssl.PROTOCOL_SSLv23" ?
>
> See the table for such cases [0].
>
>>
>> * I think this is an info() "v.setName('Invalid SSL
>> certificate/connection')"
>
> We have already discussed that any problem which could cause the browser to
> show the user an invalid certificate is a vuln with low severity. What was
> changed?

The problem is that in this case you're creating a vuln() when the
connection fails, not when there is an old SSL vuln or some problem
with SSL. I completely agree with vuln() for something that's a
vulnerability... but not for an SSL connection error that might happen
because of a timeout.

> For a soon-to-expire certificate I use an info object.

Agreed,

>
>> * Not sure why we do this?
>>         ssl_sock.write("""GET / HTTP/1.0\r\n\r\n""")
>>         data = ssl_sock.read()
>
> What do you mean here?

My point is that we don't really need to send any information to the
server because we already have the SSL, which is what we needed.

>
>> * We lost some features, right?
>
> The check for the SSL version was incorrect. But I think I have found
> how we can check it. Give me some time :)
>
>>
>> 1)
>>         # Print the SSL information to the log
>>         desc = 'This is the information about the SSL certificate
>>         used in the target site:'
>
> ...
> Do we need this information? If yes I can try to make some clone of the
> dump_x509 cert function.

Would be good,

>>
>> 2)
>>         desc = 'The certificate is using an old version of SSL
>
> See above.

That's a vuln(), we need it.

>> 3) And some other things that were in the previous version.
>
> All other things like an expired certificate or an incorrect wildcard domain
> should now be checked by the ssl module.
> What else?

I just want to make sure we're not losing things we already had!

> [0] http://docs.python.org/library/ssl#ssl.wrap_socket
>
>
>> On Fri, Jun 1, 2012 at 3:00 PM, <ox...@users.sourceforge.net> wrote:
>>>
>>> Revision: 5038
>>> http://w3af.svn.sourceforge.net/w3af/?rev=5038&view=rev
>>> Author: oxdef
>>> Date: 2012-06-01 11:00:10 +0000 (Fri, 01 Jun 2012)
>>> Log Message:
>>> -----------
>>> migrated to built-in ssl module
>>>
>>> Modified Paths:
>>> --------------
>>> branches/ssl/core/controllers/dependency_check/dependency_check.py
>>> branches/ssl/plugins/audit/sslCertificate.py
>>>
>>> Added Paths:
>>> -----------
>>> branches/ssl/plugins/audit/ca.pem
>>>
>>> This was sent by the SourceForge.net collaborative development platform,
>>> the world's largest Open Source development site.
>>>
>>> ------------------------------------------------------------------------------
>>> Live Security Virtual Conference
>>> Exclusive live event will cover all the ways today's security and
>>> threat landscape has changed and how IT managers can respond. Discussions
>>> will include endpoint security, mobile security and the latest in malware
>>> threats.
>>> http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>>> _______________________________________________
>>> W3af-svn-notify mailing list
>>> w3af-svn-not...@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/w3af-svn-notify
>
> --
> Taras
> http://oxdef.info

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
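The distinction argued over in the thread, that a timed-out or refused connection is not a certificate vuln(), a certificate failing verification against the CA bundle is, and a certificate that is merely about to expire is an info(), can be written down with the built-in `ssl` module alone. The following is an added example, not the w3af `sslCertificate` plugin or any code from revision 5038. The finding kinds `vuln`/`info`/`error`, the `EXPIRES_SOON_DAYS` window, the `OLD_PROTOCOLS` set, the function names and the sample certificate are all assumptions made here; only `ca.pem` as the trusted bundle and "no request needs to be sent after the handshake" come from the discussion.

```python
# Added example, not w3af code: an SSL audit that keeps "the connection
# failed" apart from "the certificate or protocol is bad". Finding kinds,
# EXPIRES_SOON_DAYS, OLD_PROTOCOLS and SAMPLE_CERT are assumed here and are
# not w3af identifiers.
import socket
import ssl
import time

# Assumed policy values, not from the thread.
EXPIRES_SOON_DAYS = 30
OLD_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def cert_epoch(cert_time):
    """Parse a notBefore/notAfter string from getpeercert() into epoch seconds."""
    return ssl.cert_time_to_seconds(cert_time)


def classify_exception(exc):
    """Turn a failed connection or handshake into one (kind, description) finding.

    Only a verification failure is something a browser would warn the user
    about, so only that is reported as a vuln. A timeout or refused connection
    says nothing about the server's TLS setup and is recorded as an error.
    """
    if isinstance(exc, ssl.SSLCertVerificationError):
        msg = getattr(exc, "verify_message", None) or str(exc)
        return "vuln", "Invalid SSL certificate: %s" % msg
    if isinstance(exc, ssl.SSLError):
        # Handshake failed for a non-certificate reason (e.g. no protocol in
        # common); worth a note, but it is not a certificate verdict.
        msg = getattr(exc, "reason", None) or str(exc)
        return "info", "SSL handshake failed: %s" % msg
    if isinstance(exc, (socket.timeout, OSError)):
        return "error", "SSL connection error: %s" % exc
    raise exc


def classify_protocol(version):
    """Report the negotiated protocol; deprecated versions are a low-severity vuln."""
    if version in OLD_PROTOCOLS:
        return "vuln", "Server negotiated an old protocol version: %s" % version
    return "info", "Negotiated protocol version: %s" % version


def check_certificate(cert, now=None):
    """Validity-period checks on a getpeercert() dict.

    With verification enabled the ssl module has already rejected expired and
    hostname-mismatched certificates during the handshake, so the main thing
    left to add is the "expires soon" info finding; the expiry checks stay for
    callers that verified elsewhere.
    """
    now = time.time() if now is None else now
    not_before = cert_epoch(cert["notBefore"])
    not_after = cert_epoch(cert["notAfter"])
    findings = []
    if now < not_before:
        findings.append(("vuln", "Certificate not valid before %s" % cert["notBefore"]))
    if now > not_after:
        findings.append(("vuln", "Certificate expired on %s" % cert["notAfter"]))
    elif now > not_after - EXPIRES_SOON_DAYS * 86400:
        findings.append(("info", "Certificate expires soon: %s" % cert["notAfter"]))
    return findings


def scan_ssl(host, port=443, cafile=None, timeout=10.0):
    """Connect once, verify against cafile (ca.pem in the thread) and return findings.

    cafile=None falls back to the platform trust store. Nothing is sent after
    the handshake: the certificate and protocol version are already known.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                findings = [classify_protocol(tls.version())]
                findings.extend(check_certificate(tls.getpeercert()))
                return findings
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        return [classify_exception(exc)]


# Constructed sample certificate in getpeercert() format, valid for two weeks.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "subjectAltName": (("DNS", "example.test"),),
    "notBefore": "Jun  1 00:00:00 2012 GMT",
    "notAfter": "Jun 15 00:00:00 2012 GMT",
}

if __name__ == "__main__":
    for when in ("May 15 00:00:00 2012 GMT", "Jun  5 00:00:00 2012 GMT",
                 "Jul  1 00:00:00 2012 GMT"):
        print(when, check_certificate(SAMPLE_CERT, now=cert_epoch(when)))
    print(classify_exception(socket.timeout("timed out")))
    print(classify_exception(ssl.SSLCertVerificationError(1, "verify failed")))
    print(classify_protocol("TLSv1"))
```

`scan_ssl()` is the only function that touches the network; everything it relies on is exercised offline against the constructed certificate and constructed exceptions, which is how the vuln/info/error split can be unit-tested without a live target.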