Steve,

On Tue, Dec 23, 2008 at 1:00 PM, Steve Pinkham <[email protected]> wrote:
> Andres Riancho wrote:
>> List,
>>
>>     I'm looking for a contributor to finish up a small section of the
>> audit.sslCertificate plugin.
>>
>>     I've been coding this plugin and I've got to a section where my
>> knowledge is scarce and my research time is *so* limited that I won't
>> be able to do it by myself. My problem is in the "def
>> _analyze_cert(self, cert, ssl_conn):" method of the
>> audit.sslCertificate plugin, where tests related to the SSL
>> certificate of the remote website should be implemented. I've been
>> doing some Google searches and I found these links that might help:
>>
>> - http://www.nessus.org/plugins/index.php?view=single&id=26928
>> - http://www.nessus.org/plugins/index.php?view=single&id=31705
>
> Other recommended resources (AKA what I use in my day job):
>
> Source available:
>
>   nmap's SSLv2-support.nse
>        Tests for insecure SSLv2 and its ciphers
>        http://nmap.org/download.html
>
> No source available, but good for double checking your implementation:
>
>   Foundstone's ssldigger
>        Tests which SSLv3/TLS ciphers are enabled, but not SSLv2
>        http://www.foundstone.com/us/resources/proddesc/ssldigger.htm
>
>   http://clez.net/net.ssl
>        Tests both SSLv2 and SSLv3/TLS ciphers (JavaScript required)
>
> Here's the OpenVAS plugin to do the same thing, open source, but I've
> never tried it:
>
> http://wald.intevation.org/plugins/scmsvn/viewcvs.php/trunk/openvas-plugins/plugins/ssl_ciphers/ssl_ciphers.c?rev=1852&root=openvas&view=markup

Thanks for the info, I'm sure Taras is going to find this really interesting.

Cheers,

> Steve
>
>
>>     The idea is to check if the ciphers used are safe, if the SSL
>> version is ok, if the certificate has expired or not, if it's self
>> signed, and other security related things about the cert. If you want
>> to help, just download the latest w3af version from the SVN in order
>> to get the latest plugin version, answer this email to the mailing
>> list and just start working =)
>>
>>     Thanks in advance!
>>
>> Cheers,
>
>
> --
>  | Steven E. Pinkham                      |
>  | GPG public key ID CD31CAFB             |
>
> ------------------------------------------------------------------------------
> _______________________________________________
> W3af-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/w3af-users
>



-- 
Andres Riancho
http://w3af.sourceforge.net/
Web Application Attack and Audit Framework
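
The checks listed in the quoted request (expired certificate, self-signed certificate, SSL version, cipher strength), as an added example that is not part of the original message and is not w3af's plugin code. The function name, the weak-protocol and weak-cipher lists, and the sample data are assumptions made for illustration; the input shapes follow Python's standard `ssl` module.

```python
import ssl
import time

# Assumed policy for this example (not w3af's): what counts as weak.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_CIPHER_TOKENS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH")
MIN_SECRET_BITS = 128


def analyze_cert(cert, cipher, now=None):
    """Return finding strings for a peer certificate and negotiated cipher.
    cert   -- dict shaped like ssl.SSLSocket.getpeercert()
    cipher -- (name, protocol, secret_bits) like ssl.SSLSocket.cipher()
    """
    now = time.time() if now is None else now
    findings = []
    if not cert:
        # getpeercert() returns {} when the peer cert was not validated,
        # which is the usual situation for a scanner using CERT_NONE.
        findings.append("certificate-not-parsed")
    else:
        if now > ssl.cert_time_to_seconds(cert["notAfter"]):
            findings.append("expired")
        if now < ssl.cert_time_to_seconds(cert["notBefore"]):
            findings.append("not-yet-valid")
        # Heuristic: subject == issuer. A full check verifies the signature.
        if cert["subject"] == cert["issuer"]:
            findings.append("self-signed")
    name, protocol, bits = cipher
    if protocol in WEAK_PROTOCOLS:
        findings.append("weak-protocol:" + protocol)
    if bits < MIN_SECRET_BITS or any(t in name.upper() for t in WEAK_CIPHER_TOKENS):
        findings.append("weak-cipher:" + name)
    return findings


# Constructed sample input, not captured from a real server.
_NAME = ((("commonName", "test.example"),),)
SAMPLE_CERT = {
    "subject": _NAME,
    "issuer": _NAME,
    "notBefore": "Dec 10 00:00:00 2007 GMT",
    "notAfter": "Dec 10 00:00:00 2008 GMT",
}
SAMPLE_CIPHER = ("EXP-RC4-MD5", "SSLv3", 40)
SAMPLE_NOW = ssl.cert_time_to_seconds("Dec 23 13:00:00 2008 GMT")

if __name__ == "__main__":
    print(analyze_cert(SAMPLE_CERT, SAMPLE_CIPHER, SAMPLE_NOW))
```

A scanner that connects without verification gets an empty dict from `getpeercert()`, so it would need `getpeercert(binary_form=True)` plus a DER parser to run the certificate checks.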
