Taras,

On Mon, Jan 12, 2009 at 6:51 PM, Taras P. Ivashchenko <[email protected]> wrote:
> Andres,
>
>> I saw that you modified the plugin and that it's working almost as
>> expected.
>
> Yes, I modified it, but it is not finished yet.
> I have implemented:
> - Check that the name of the site and the name reported in the
>   certificate match.
> - Check that the certificate is self-issued
> But at the moment I can not check: self-signed certificate and signature
> algorithm (MD5 check as in Metasploit), simply because there is no
> such functionality in the PyOpenSSL module [0]. For example, we can't access
> the X509v3 extensions of the certificate to check if the certificate is
> self-signed :(
> I also posted to the OpenSSL mailing list [1]

Oh, that sucks!

> So at the moment I'm thinking about how to implement these features in
> w3af. For example, we can hack the pyopenssl module (it will be necessary to
> write some C code) and provide it with w3af. We can also write a wrapper
> for the openssl binary, but it's not a good idea, is it?

Just like you say... it's a bad idea, the guys from openssl / pyopenssl
should modify the code in order to add those features. That could take
years, and it may never be done but... I don't want to maintain a "hacked
up version of openssl+pyopenssl" inside w3af!!!

> [0] https://sourceforge.net/mailarchive/forum.php?thread_name=20090103005245.3d6894d7.naplanetu%40gmail.com&forum_name=pyopenssl-list
> [1] http://marc.info/?l=python-list&m=123110463503599&w=2
>
>> I just wanted to let you know that there is a problem with
>> the plugin! Try to enable the sslCertificate and a
>> discovery.webSpider, and you'll see how the info objects in the kb are
>> created more than one time (actually, one time for every
>> fuzzableRequest that's created by the discovery plugins). I think that
>> you should perform all the checks only one time for each new
>> certificate that is sent to by the remote web server.
>
> Yes, of course you are right and we should check the certificate once per
> target host. I will implement it in the near future.

As usual... excellent!

Cheers,

> --
> Тарас Иващенко (Taras Ivashchenko), OSCP
> www.securityaudit.ru
> ----
> "Software is like sex: it's better when it's free." - Linus Torvalds
>

--
Andres Riancho
http://w3af.sourceforge.net/
Web Application Attack and Audit Framework

_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
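Added example (not code from this thread or from w3af): the two checks the thread says pyOpenSSL could not do at the time, the signature algorithm and the self-issued test, read straight from the DER bytes (for instance from `sock.getpeercert(binary_form=True)`) with a small TLV walker, so no extension support is needed. A full self-signed check would additionally verify the signature with the certificate's own key; this block stops at RFC 5280 "self-issued" (issuer Name equals subject Name), and `sample_cert()` is a constructed certificate skeleton, not a real certificate.

```python
# Signature-algorithm OIDs to flag; md5WithRSAEncryption is the one the Metasploit check looks for.
WEAK_SIGNATURE_OIDS = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption",
                       "1.2.840.113549.1.1.4": "md5WithRSAEncryption"}

def _tlv(buf, pos):
    """Read one DER TLV at pos -> (tag, content, position after it); short and long length forms."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                                  # long form: low bits = number of length bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _oid(content):
    """Decode OID content bytes to dotted form (first byte packs two arcs, the rest are base-128)."""
    parts, acc = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def signature_algorithm(der_cert):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }; return the outer OID."""
    _, cert, _ = _tlv(der_cert, 0)
    _, _, after_tbs = _tlv(cert, 0)                # skip tbsCertificate
    _, alg_id, _ = _tlv(cert, after_tbs)           # AlgorithmIdentifier SEQUENCE { OID, parameters }
    return _oid(_tlv(alg_id, 0)[1])

def is_self_issued(der_cert):
    """Issuer Name equals subject Name in tbsCertificate (RFC 5280 'self-issued'); self-signed certs are a subset."""
    _, tbs, _ = _tlv(_tlv(der_cert, 0)[1], 0)
    pos = _tlv(tbs, 0)[2] if tbs[0] == 0xA0 else 0 # skip the optional [0] EXPLICIT version
    fields = []
    for _ in range(5):                             # serialNumber, signature, issuer, validity, subject
        _, content, pos = _tlv(tbs, pos)
        fields.append(content)
    return fields[2] == fields[4]

# Constructed sample, not a real certificate: a DER Certificate skeleton carrying only the fields read above.
def _der(tag, content):                            # short-form DER encoder, enough for these small samples
    return bytes([tag, len(content)]) + content

def sample_cert(issuer_cn, subject_cn, sig_oid_hex):
    def name(cn):                                  # Name ::= SEQUENCE { SET { SEQUENCE { OID cn, UTF8String } } }
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + b"\x05\x00")
    tbs = b"\xa0\x03\x02\x01\x02" + _der(0x02, b"\x01") + alg + name(issuer_cn) + _der(0x30, b"") + name(subject_cn)
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00\xab"))
```

Because these checks key off the certificate bytes, the plugin can run them once per distinct DER blob rather than once per fuzzableRequest, which also addresses the duplicate kb entries mentioned above.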
