Re: Tools to exercise SSL implementation

[Matthew Franz <matthewdfranz () yahoo com>]

See http://www.trinux.org/iplayer/ for an example of
how to manually build a ClientHello by sniffing
traffic with ssldump and building a nasl. You are
really only going to be able to do this stuff
(especially malformed stuff) by hand -- meaning that
does not use an SSL_connect() (or whatever its
actually called) because it sets up the session/does
everything automatically.

Eric Rescorla's book on SSL is a must have for doing
this type of stuff.

You can really use NASL, perl, C, python, or whatever
your favorite scripting language for socket
programming.


-mdf


--- Mike Murray <mmurray () ncircle com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> You should also be able to use stunnel or sslproxy
> to do this task.
>
> On Wednesday 03 October 2001 12:59 pm, Cushing,
> David wrote:
> > Is anyone aware of a tool that will send bogus
> and/or maliciously
> > crafted packets to an SSL enabled application?
> >
> > I don't want to write it if it's already out
> there... couldn't find
> > anything on a web search.
> >
> > Thanks,
> > David
>
> - -- 
> | Mike Murray                   
> <mmurray () nCircle com>
> | Scientific Technologist      
> http://www.nCircle.com
> | nCircle Network Security                 
> 415-625-5968
> | cell - 415.305.0859
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (FreeBSD)
> Comment: For info see http://www.gnupg.org
iD8DBQE7vMEmSZ6Dtue7Vb4RAo19AJ9/gwWucs6UqgLqjlmCy+8LsjHtoACeONIq
> NR+e2hJOL5XOWIfClf2t+TY=
> =LZKC
> -----END PGP SIGNATURE-----


__________________________________________________
Do You Yahoo!?
NEW from Yahoo! GeoCities - quick and easy web site hosting, just $8.95/month.
http://geocities.yahoo.com/ps/info1