Andres, please read inline

>>>
>>> * I think this is an info() "v.setName('Invalid SSL
>>> certificate/connection')"
>>
>> We have already discussed that any problem which could cause the browser to
>> show the user an invalid certificate is a vuln with low severity. What has changed?
>
> The problem is that in this case you're creating a vuln() when the
> connection fails, not when there is an old SSL vuln or some problem
> with SSL. I completely agree with vuln() for something that's a
> vulnerability... but not for an SSL connection error that might happen
> because of a timeout.
Ok, agree and will try to "divide" this logic into SSL errors and 
connection problems.

>>> * Not sure why we do this?
>>>          ssl_sock.write("""GET / HTTP/1.0\r\n\r\n""")
>>>          data = ssl_sock.read()
>>
>> What do you mean here?
>
> My point is that we don't really need to send any information to the
> server because we already have the SSL which is what we needed.
Oh, you're talking about that. In the old version of sslCertificate there
was simply a warning about sending an HTTP request, so I decided to transfer it
into the new version. But OK, I will remove it if that doesn't cause any problems.

>>               ...
>> Do we need this information? If yes I can try to make some clone of
>> dump_x509 cert function.
>
> Would be good,
Ok!


-- 
Taras
http://oxdef.info
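
Added example, not part of the original e-mail and not w3af code: one way to separate certificate failures from plain connection problems, as discussed in the thread, while reading the certificate from the handshake alone without sending an HTTP request. The names classify, check_certificate and the three kind constants are assumptions made for this sketch.

```python
import socket
import ssl

# Finding kinds (hypothetical names for this example, not w3af identifiers).
INVALID_CERT = "invalid_certificate"  # certificate problem: worth a finding
SSL_ERROR = "ssl_error"               # TLS failure not tied to the certificate
CONNECTION = "connection_problem"     # timeout, refused, DNS: not a finding


def classify(exc):
    """Map an exception raised while connecting to one of the kinds above."""
    # Order matters: SSLCertVerificationError is an SSLError, and SSLError,
    # socket.timeout and socket.gaierror are all OSError subclasses.
    if isinstance(exc, ssl.SSLCertVerificationError):
        return INVALID_CERT
    if isinstance(exc, ssl.SSLError):
        return SSL_ERROR
    if isinstance(exc, OSError):
        return CONNECTION
    raise exc  # not a network or TLS error: let the caller see it


def check_certificate(host, port=443, timeout=5.0):
    """Return (kind, detail); kind is None when the certificate validated."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            # The handshake completes inside wrap_socket(), so the certificate
            # is available without writing any HTTP request to the socket.
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return None, tls.getpeercert().get("notAfter", "")
    except OSError as exc:
        return classify(exc), str(exc)


if __name__ == "__main__":
    # Constructed exceptions, so the demo runs offline.
    samples = [
        ssl.SSLCertVerificationError("certificate verify failed"),
        ssl.SSLError("handshake failure"),
        socket.timeout("timed out"),
        ConnectionRefusedError("connection refused"),
    ]
    for exc in samples:
        print(type(exc).__name__, "->", classify(exc))
```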

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
