Nmap Development mailing list archives
Re: NSE script detecting "CCS Injection" vulnerability in OpenSSL
From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 11 Jun 2014 11:12:53 -0500
Thanks for committing this. Since people are linking to the mailing list post directly, I thought I'd link to the official NSEdoc page, since that will always have the most up-to-date information: http://nmap.org/nsedoc/scripts/ssl-ccs-injection.html On Wed, Jun 11, 2014 at 4:42 AM, Claudiu Perta <claudiu.perta () gmail com> wrote:
1. Expand the script to check all versions (tls.PROTOCOLS) of TLS/SSL, not just TLSv1.0. The bug is very old, and affects all versions equally. As the script stands, a server that only supports TLSv1.1 or newer would not show as vulnerable, even if it is. 2. There is some text in the comments that refers to the ssl-heartbleed script, which this was modifed from: "try sending the heartbeat anyway" 3. Not necessary, because yours seems to work fine, but you could replace the receive_alert function with calls to tls.record_buffer and tls.record_read, since those parse SSL alert messages as well.I integrated the suggested changes in the new version of the script, in attachment. --Claudiu
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- NSE script detecting "CCS Injection" vulnerability in OpenSSL Claudiu Perta (Jun 08)
- Message not available
- Message not available
- Message not available
- Message not available
- Re: NSE script detecting "CCS Injection" vulnerability in OpenSSL Daniel Miller (Jun 09)
- Re: NSE script detecting "CCS Injection" vulnerability in OpenSSL Claudiu Perta (Jun 11)
- Re: NSE script detecting "CCS Injection" vulnerability in OpenSSL Daniel Miller (Jun 11)
- Re: NSE script detecting "CCS Injection" vulnerability in OpenSSL Daniel Miller (Jun 11)
- Message not available
- Message not available
- <Possible follow-ups>
- Re: NSE script detecting "CCS Injection" vulnerability in OpenSSL vito (Jun 19)
- Re: NSE script detecting "CCS Injection" vulnerability in OpenSSL Claudiu Perta (Jun 19)