On 2010/03/23, at 18:59, Andres Riancho wrote:
> Tiago,
>
> On Tue, Mar 23, 2010 at 1:47 PM, Tiago Mendo <[email protected]> wrote:
>> Hi,
>> I was reading through the w3af sources :)
>
> Oh no! ;) :)
>
>> and found that
>> the sslCertificate plugin only reports problems if the certificate supports
>> ssl v1, but as the comment indicates, it should report a problem if v2 is
>> used.
>> Is there any reason for this to be like that?
>
> I was not the plugin developer, so I can't say. Maybe something to
> do with TLS versioning? Just guessing...

Ok, I did some investigation and my conclusions are that we are confusing things. SSL/TLS versioning is different from certificate (X.509) versioning. They refer to different things.

SSL should indeed be used at version 3, but this is independent (I don't know to what extent) from the X.509 version. The code from the plugin mentions that it is checking the SSL version, but in fact it is checking the certificate version. The different certificate versions differ mostly in the number of fields, such as extensions, which are supported in X.509 version 3.

The question now is: X.509 is currently at version 3, but since the field in the certificate starts at zero, version 3 will be coded as 2 :). So the check might have been correct from the beginning; it all depends on whether the function get_version returns the decimal value or the hex :)

Hope someone corrects me if I'm wrong.

>
>> My opinion is that you should report problems for certificates supporting
>> SSL version below 3. The attack on SSLv2 (the handshake downgrade attack) is
>> pretty nasty.
>
> I agree,
>
>> # Check for SSL version
>> # TODO why not '... < 3:'?
>> if cert.get_version() < 2:
>>     i = info.info()
>>     i.setName('Insecure SSL version')
>
> Just committed a change to the SVN to reflect this.
> http://w3af.svn.sourceforge.net/w3af/?rev=3434&view=rev
>
>> Tiago Mendo
>> [email protected]
>> +351 215000959
>> Portugal Telecom / SAPO / DTS / Equipa de Segurança
>> http://www.sapo.pt
>> PGP: 0xF962B36970A3DF1D
>>
>> ------------------------------------------------------------------------------
>> Download Intel® Parallel Studio Eval
>> Try the new software tools for yourself. Speed compiling, find bugs
>> proactively, and fine-tune applications for parallel performance.
>> See why Intel Parallel Studio got high marks during beta.
>> http://p.sf.net/sfu/intel-sw-dev
>> _______________________________________________
>> W3af-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/w3af-users
>
> --
> Andrés Riancho
> Founder, Bonsai - Information Security
> http://www.bonsai-sec.com/
> http://w3af.sf.net/

Tiago Mendo
[email protected]
+351 215000959
Portugal Telecom / SAPO / DTS / Equipa de Segurança
http://www.sapo.pt
PGP: 0xF962B36970A3DF1D
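The X.509 version encoding discussed in the thread, as an added example that is not part of the mails or of w3af: a minimal DER reader that pulls the version field out of a certificate and shows that "version 3" is stored as the integer 2, while a v1 certificate simply omits the field (DEFAULT v1, i.e. 0). That raw field is also what OpenSSL's X509_get_version(), which pyOpenSSL's get_version() wraps, returns, so `get_version() < 2` means "not an X.509 v3 certificate" and says nothing about the SSL/TLS protocol version. The DER byte strings are constructed, truncated prefixes made for this illustration.

```python
# Added example (not w3af code): read the X.509 version field straight from DER.
# Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
#     version [0] EXPLICIT INTEGER DEFAULT v1(0), serialNumber INTEGER, ... } }

def _read_tlv(buf, pos):
    """Parse one DER tag/length header; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def x509_raw_version(der):
    """Return the raw version integer (0=v1, 1=v2, 2=v3), as OpenSSL's X509_get_version() does."""
    tag, pos, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE (Certificate)")
    tag, pos, _ = _read_tlv(der, pos)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE (tbsCertificate)")
    tag, pos, end = _read_tlv(der, pos)
    if tag != 0xA0:                        # [0] EXPLICIT version absent -> DEFAULT v1
        return 0
    tag, pos, end = _read_tlv(der, pos)
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(der[pos:end], "big")

def x509_human_version(der):
    """Map the zero-based field to the name people use (v1..v3)."""
    return "v%d" % (x509_raw_version(der) + 1)

# Constructed DER prefixes (tbsCertificate truncated after serialNumber), not real certificates.
CERT_V3_PREFIX = bytes.fromhex("300a3008a003020102020101")  # version [0]{INTEGER 2}, serial 1
CERT_V1_PREFIX = bytes.fromhex("30053003020101")            # no version field -> v1

if __name__ == "__main__":
    for name, der in (("v3 cert", CERT_V3_PREFIX), ("v1 cert", CERT_V1_PREFIX)):
        raw = x509_raw_version(der)
        # The w3af check `get_version() < 2` fires for anything that is not X.509 v3.
        print(name, "raw field =", raw, "->", x509_human_version(der), "flagged:", raw < 2)
```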
