Hi,

I was reading through the w3af sources :) and found that the sslCertificate 
plugin only reports problems if the certificate supports SSL v1, but as the 
comment indicates, it should report a problem if v2 is used.

Is there any reason for this to be like that?

My opinion is that you should report problems for certificates supporting SSL 
version below 3. The attack on SSLv2 (the handshake downgrade attack) is pretty 
nasty.


    # Check for SSL version
    # TODO why not '... < 3:'?
    if cert.get_version() < 2:
        i = info.info()
        i.setName('Insecure SSL version')




Tiago Mendo
[email protected]

+351 215000959

Portugal Telecom / SAPO / DTS / Equipa de Segurança
http://www.sapo.pt

PGP: 0xF962B36970A3DF1D
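An added example of how a plugin can establish which legacy protocol versions a server still accepts; this is not w3af's code and not part of the original post. Note that on a pyOpenSSL X509 object get_version() is the zero-based X.509 certificate version (2 means v3), so an integer comparison on it says nothing about the protocol the server negotiates; the check below pins a handshake to one version at a time instead, and reports only what the server actually accepted. It goes beyond the SSLv2 case in the thread to SSLv3 and TLS 1.0/1.1 (all since deprecated by RFC 7568 and RFC 8996), assumes Python 3.7+ for ssl.TLSVersion, and cannot probe SSLv2 at all because Python's ssl module no longer speaks it. The host and port are placeholders, and the handshake function is injectable so the reporting logic can be exercised offline.

```python
import socket
import ssl
import sys

# Legacy protocol versions to probe, keyed by the name ssl.SSLSocket.version()
# reports when that version is negotiated. SSLv2 is absent because Python's
# ssl module cannot attempt an SSLv2 handshake at all (assumption: Python 3.7+).
PROBES = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
}


def try_handshake(host, port, min_version, max_version, timeout=5.0):
    """Attempt one handshake pinned to [min_version, max_version].

    Returns the negotiated protocol name on success, None if the server
    refused, and the string "untestable" if the local OpenSSL build cannot
    speak that version (an audit must not report "secure" in that case).
    Certificate validation is disabled because protocol support, not trust,
    is what is being tested here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = min_version
        ctx.maximum_version = max_version
    except ValueError:
        # The local OpenSSL refuses this version: report "not tested".
        return "untestable"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (OSError, ssl.SSLError):
        return None


def audit_protocol_support(host, port, handshake=try_handshake):
    """Probe each legacy version and return the findings a plugin should raise.

    Result is a dict with two lists: 'findings' (one message per legacy
    version the server actually negotiated) and 'untested' (versions the
    local toolchain could not exercise). `handshake` is injectable so the
    reporting logic can be checked without a network.
    """
    findings, untested = [], []
    for name, version in PROBES.items():
        result = handshake(host, port, version, version)
        if result == "untestable":
            untested.append(name)
        elif result == name:
            findings.append("Insecure SSL version: server accepts %s" % name)
    return {"findings": findings, "untested": untested}


if __name__ == "__main__":
    # Placeholder target: pass a host you administer as the first argument.
    target_host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    report = audit_protocol_support(target_host, 443)
    for line in report["findings"]:
        print(line)
    if report["untested"]:
        print("not tested locally: " + ", ".join(report["untested"]))
```

The 'untested' list matters as much as the findings: a scanner running on a modern OpenSSL build that silently cannot negotiate SSLv3 would otherwise report a legacy server as clean.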

_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
