Full Disclosure mailing list archives
Re: Openssl proof of concept code?
From: John Lampe <jwlampe () nessus org>
Date: Thu, 8 Jan 2004 21:44:04 -0500 (EST)
On Thu, 8 Jan 2004, Lachniet, Mark wrote:
> Alternately, has anyone written a good program to remotely identify what SSL codebase is in use, other than looking for it in HTTP server headers? Nessus' ssltest.nasl can allegedly distinguish between an openssl and MS CryptoAPI or Novell, but this isn't really enough in my opinion.
and, so we're clear. The Nessus test is a *specific* test which looks for SSL servers which will accept unrequested client-side certs (as opposed to a more general test which either fingerprints or fuzzes SSL servers...both of which seem very interesting, btw).

And, if you look at the code, the section where we weed out MS and Novell SSL servers just leads to an exit(). i.e. the plugin will never flag or report on an "SSL type or version". So, it was incidental that we found certain systems (Microsoft and Netware, to name two) which responded (how shall I say)...anomalously. It was never the intent of the plugin to do anything more than test for one specific bug.

John Lampe
jwlampe -at- nessus.org
http://f00dikator.aceryder.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html