Nmap Development mailing list archives
Re: NSE script detecting "CCS Injection" vulnerability in OpenSSL
From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 11 Jun 2014 07:07:54 -0500
Claudiu, This looks great! Unless your mentor has any objections, I'd say this is ready to commit. Thanks for the quick action on this script. Dan On Wed, Jun 11, 2014 at 4:42 AM, Claudiu Perta <claudiu.perta () gmail com> wrote:
1. Expand the script to check all versions (tls.PROTOCOLS) of TLS/SSL, not just TLSv1.0. The bug is very old, and affects all versions equally. As the script stands, a server that only supports TLSv1.1 or newer would not show as vulnerable, even if it is. 2. There is some text in the comments that refers to the ssl-heartbleed script, which this was modifed from: "try sending the heartbeat anyway" 3. Not necessary, because yours seems to work fine, but you could replace the receive_alert function with calls to tls.record_buffer and tls.record_read, since those parse SSL alert messages as well.I integrated the suggested changes in the new version of the script, in attachment. --Claudiu
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- NSE script detecting "CCS Injection" vulnerability in OpenSSL Claudiu Perta (Jun 08)
- Message not available
- Message not available
- Message not available
- Message not available
- Re: NSE script detecting "CCS Injection" vulnerability in OpenSSL Daniel Miller (Jun 09)
- Re: NSE script detecting "CCS Injection" vulnerability in OpenSSL Claudiu Perta (Jun 11)
- Re: NSE script detecting "CCS Injection" vulnerability in OpenSSL Daniel Miller (Jun 11)
- Re: NSE script detecting "CCS Injection" vulnerability in OpenSSL Daniel Miller (Jun 11)
- Message not available
- Message not available
- <Possible follow-ups>
- Re: NSE script detecting "CCS Injection" vulnerability in OpenSSL vito (Jun 19)
- Re: NSE script detecting "CCS Injection" vulnerability in OpenSSL Claudiu Perta (Jun 19)