Tiago,

On Tue, Mar 23, 2010 at 1:47 PM, Tiago Mendo <[email protected]> wrote:
> Hi,
> I was reading through the w3af sources :)

    Oh no! ;)

> and found that
> the sslCertificate plugin only reports problems if the certificate supports
> ssl v1, but as the comment indicates, it should report a problem if v2 is
> used.
> Is there any reason for this to be like that?

    I was not the plugin developer, so I can't say. Maybe something to
do with TLS versioning? Just guessing...

> My opinion is that you should report problems for certificates supporting
> SSL versions below 3. The attack on SSLv2 (the handshake downgrade attack) is
> pretty nasty.

    I agree,

> # Check for SSL version
>        # TODO why not '... < 3:'?
>        if cert.get_version() < 2:
>            i = info.info()
>            i.setName('Insecure SSL version' )

    Just committed a change to the SVN to reflect this.
    http://w3af.svn.sourceforge.net/w3af/?rev=3434&view=rev

>
>
> Tiago Mendo
> [email protected]
> +351 215000959
> Portugal Telecom / SAPO / DTS / Equipa de Segurança
> http://www.sapo.pt
> PGP: 0xF962B36970A3DF1D
>
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> W3af-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/w3af-users
>
>



-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
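
The threshold the thread settles on (report anything below SSL version 3), applied here to the protocol version a server announces in its hello reply. This is an added example, not w3af's code; the function names and the sample byte strings are constructed for illustration.

```python
# Wire versions (major, minor) mapped to protocol names.
# A TLS 1.3 server also announces (3, 3) here; its real version is in an extension.
NAMES = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
         (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def server_hello_version(data):
    """Return (major, minor) announced in a server hello, or None if not a hello."""
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x02:
        # SSLv3/TLS record: type(1) version(2) length(2), then the handshake
        # message: type(1)=ServerHello, length(3), server_version(2).
        return data[9], data[10]
    if len(data) >= 7 and data[0] & 0x80 and data[2] == 0x04:
        # SSLv2 record: 2-byte header with the top bit set, then SERVER-HELLO:
        # msg_type(1)=4, session_id_hit(1), certificate_type(1), server_version(2).
        return data[5], data[6]
    return None  # alert, truncated read, or not SSL/TLS at all


def is_insecure(version):
    """Threshold from the thread: flag any protocol version below SSL 3."""
    return version is not None and version < (3, 0)


def describe(data):
    """Return (protocol name, flagged?) for the first bytes a server sent back."""
    version = server_hello_version(data)
    name = NAMES.get(version, "unknown") if version else "no hello"
    return name, is_insecure(version)


# Constructed samples: first bytes of a server's reply (TLS ones are truncated).
SSLV2_HELLO = bytes.fromhex("800b" "04" "00" "01" "0002" "0000" "0000" "0000")
SSLV3_HELLO = bytes.fromhex("16" "0300" "002a" "02" "000026" "0300")
TLS10_HELLO = bytes.fromhex("16" "0301" "002a" "02" "000026" "0301")
TLS_ALERT = bytes.fromhex("15" "0301" "0002" "0228")

if __name__ == "__main__":
    for sample in (SSLV2_HELLO, SSLV3_HELLO, TLS10_HELLO, TLS_ALERT):
        print(describe(sample))
```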
