Nmap Development mailing list archives

Re: NSE script detecting "CCS Injection" vulnerability in OpenSSL


From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 9 Jun 2014 13:00:09 -0500

I'm sorry for the false report. I upgraded the openssl package only, and it
did not update the libssl package that it is dynamically linked to. So even
though the program was from the latest version, the OpenSSL library was
still vulnerable. Your script is good, I think you should commit it after a
couple minor changes:

1. Expand the script to check all versions (tls.PROTOCOLS) of TLS/SSL, not
just TLSv1.0. The bug is very old, and affects all versions equally. As the
script stands, a server that only supports TLSv1.1 or newer would not show
as vulnerable, even if it is.

2. There is some text in the comments that refers to the ssl-heartbleed
script, which this was modified from: "try sending the heartbeat anyway"

3. Not necessary, because yours seems to work fine, but you could replace
the receive_alert function with calls to tls.record_buffer and
tls.record_read, since those parse SSL alert messages as well.

Dan


On Mon, Jun 9, 2014 at 12:34 PM, Claudiu Perta <claudiu.perta () gmail com>
wrote:


I also tried the 1.0.1-4ubuntu5.14 package and indeed it doesn't pass
the check. I'll look into it tomorrow.


So it seems to be working after making an 'apt-get dist-upgrade' and
reinstalling openssl.

--Claudiu

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
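
Added example (not part of the original thread or of Nmap): the pitfall described in the message above, where the openssl package was upgraded but the libssl it dynamically links to was not, can be checked on a Debian/Ubuntu host by resolving which library files a binary actually loads and which package version owns them. The function names and the sample ldd output are constructed for illustration.

```shell
# Print "soname path" for each libssl/libcrypto entry in ldd output on stdin.
ssl_libs_from_ldd() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" && $3 ~ /^\// { print $1, $3 }'
}

# For a binary name or path, report the package and installed version that
# own each OpenSSL shared library it loads (requires ldd, dpkg, dpkg-query).
report_linked_openssl() {
    local bin soname path owner pkg ver
    bin=$(command -v "$1") || { echo "not found: $1" >&2; return 1; }
    ldd "$bin" | ssl_libs_from_ldd | while read -r soname path; do
        # Try the path as ldd printed it, then the symlink-resolved path.
        owner=$(dpkg -S "$path" 2>/dev/null ||
                dpkg -S "$(readlink -f "$path")" 2>/dev/null)
        pkg=${owner%%: *}
        ver=""
        if [ -n "$pkg" ]; then
            ver=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null)
        fi
        printf '%s -> %s (package %s, version %s)\n' \
            "$soname" "$path" "${pkg:-unknown}" "${ver:-unknown}"
    done
}

# Constructed sample of ldd output (not captured from a real host).
SAMPLE_LDD='    linux-vdso.so.1 =>  (0x00007fff5d5fe000)
    libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f3c1a2b0000)
    libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f3c19ed0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3c19b10000)'
```

Running `report_linked_openssl openssl` prints the library package version separately from the version of the openssl command-line package, so a mismatch between the two is visible. Long-running services keep the old library mapped until they are restarted.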