But thinking a little about it...makes sense to have the certificate with the same number as the SSL used.... So they should be directly related.
On 2010/03/24, at 14:53, Tiago Mendo wrote: > > > On 2010/03/23, at 18:59, Andres Riancho wrote: > >> Tiago, >> >> On Tue, Mar 23, 2010 at 1:47 PM, Tiago Mendo <[email protected]> wrote: >>> Hi, >>> I'm was reading through the w3af sources :) >> >> Oh no! ;) > > :) > >> >>> and found that >>> the sslCertificate plugin only reports problems if the certificate supports >>> ssl v1, but as the comment indicates, it should report problem if v2 is >>> used. >>> Is there any reason for this to be like that? >> >> I was not the plugin developer, so I can't say. Maybe something to >> do with TLS versioning? Just guessing... > > Ok, I did some investigation and my conclusions are that we are confusing > things. > > SSL/TLS versioning is different from certificate (X.509) versioning. They > refer to different things. > > SSL should indeed be used at version 3, but this is independent (don't know > to which extension) from the X.509 version. The code from the plugin mentions > that it is checking from the SSL version, but in fact it is checking the > certificate version. The different certificate versions differ mostly in the > number of fields, such as extensions which are supported in X.509 version 3. > > The question now is: X.509 is currently at version 3, but since the field in > the certificate starts at zero, version 3 will be coded as 2 :). So the check > might have been correct from the beginning, it all depends on whether the > function get_version returns the decimal value or the hex :) > > Hope someone corrects me if I'm wrong. > >> >>> My opinion is that you should report problems for certificates supporting >>> SSL version below 3. The attack on SSLv2 (the handshake downgrade attack) is >>> pretty nasty. >> >> I agree, >> >>> # Check for SSL version >>> # TODO why not '... < 3:'? >>> if cert.get_version() < 2: >>> i = info.info() >>> i.setName('Insecure SSL version' ) >> >> Just commited a change to the SVN to reflect this. >> http://w3af.svn.sourceforge.net/w3af/?rev=3434&view=rev >> >>> >>> >>> Tiago Mendo >>> [email protected] >>> +351 215000959 >>> Portugal Telecom / SAPO / DTS / Equipa de Segurança >>> http://www.sapo.pt >>> PGP: 0xF962B36970A3DF1D >>> >>> ------------------------------------------------------------------------------ >>> Download Intel® Parallel Studio Eval >>> Try the new software tools for yourself. Speed compiling, find bugs >>> proactively, and fine-tune applications for parallel performance. >>> See why Intel Parallel Studio got high marks during beta. >>> http://p.sf.net/sfu/intel-sw-dev >>> _______________________________________________ >>> W3af-users mailing list >>> [email protected] >>> https://lists.sourceforge.net/lists/listinfo/w3af-users >>> >>> >> >> >> >> -- >> Andrés Riancho >> Founder, Bonsai - Information Security >> http://www.bonsai-sec.com/ >> http://w3af.sf.net/ >> >> > > > Tiago Mendo > [email protected] > > +351 215000959 > > Portugal Telecom / SAPO / DTS / Equipa de Segurança > http://www.sapo.pt > > PGP: 0xF962B36970A3DF1D > Tiago Mendo [email protected] +351 215000959 Portugal Telecom / SAPO / DTS / Equipa de Segurança http://www.sapo.pt PGP: 0xF962B36970A3DF1D ------------------------------------------------------------------------------ Download Intel® Parallel Studio Eval Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta. http://p.sf.net/sfu/intel-sw-dev _______________________________________________ W3af-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/w3af-users
