[Pkg-openssl-devel] Bug#765565: Bug#765565: Bug#765565: openssl: don't completely disable ssl3/2 but rather just don't use it

rbsec robin at rbsec.net
Sat Oct 18 12:06:29 UTC 2014


Kurt,

Just realised that I'd replied to you off-list - my bad.

I'm not really sure where this should be logged as a separate bug (or a
security issue?) - I'll leave that up to you guys.

~Robin

On 17/10/14 23:42, Kurt Roeckx wrote:
> On Fri, Oct 17, 2014 at 11:21:38PM +0100, rbsec wrote:
>> Kurt,
>>
>> I just re-ran sslscan with Wireshark capturing the traffic to take a
>> look. I added a few more options to disable sslscan features to give a
>> nice clean output - the only check performed is the preferred
>> ciphersuite for the SSLv3 protocol.
>>
>> $ ./sslscan --no-heartbleed --no-compression --no-renegotiation
>> --no-ciphersuites --no-check-certificate --ssl3 <target>
>>
>> Wireshark shows an SSLv3 handshake (SSL Version 0x0300 == SSLv3), and I
>> get a ServerHello returned with the same version.
>>
>> Can you recreate this with sslscan?
> You seem to be right.
>
>
> Kurt
>
>
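The check Robin describes above (look at the ServerHello and see whether the server committed to version 0x0300, i.e. SSLv3) is what sslscan and Wireshark do for you. For defenders who want to verify the same thing from a packet capture or a test harness, the following is an added example, not code from the bug report or from sslscan or OpenSSL: it parses a single SSL/TLS record carrying a ServerHello and reports the negotiated version. The `build_server_hello` helper and the bytes it produces are constructed test data, not traffic from the report.

```python
"""
Parse the ServerHello record of an SSL/TLS handshake and report which
protocol version the server actually negotiated.  Added example; the
sample records built by build_server_hello() are constructed, not captured.
"""
import struct

# Wire version numbers (major, minor) as found in the record header and in
# ServerHello.server_version.  0x0300 is SSLv3, the version at issue here.
VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
}

CONTENT_TYPE_HANDSHAKE = 0x16
HANDSHAKE_TYPE_SERVER_HELLO = 0x02


def parse_server_hello(record: bytes) -> dict:
    """Parse one record-layer message that carries a ServerHello.

    Returns the record-layer version, the ServerHello's server_version,
    the chosen cipher suite and the compression method.  Raises ValueError
    for anything that is not a well-formed ServerHello record.
    """
    if len(record) < 5:
        raise ValueError("record too short for a record header")
    content_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != CONTENT_TYPE_HANDSHAKE:
        raise ValueError(f"not a handshake record (content type {content_type:#x})")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("record length does not match payload")
    if len(body) < 4:
        raise ValueError("handshake header truncated")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != HANDSHAKE_TYPE_SERVER_HELLO:
        raise ValueError(f"not a ServerHello (handshake type {hs_type:#x})")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("ServerHello length does not match payload")
    # Fixed part: server_version(2) + random(32) + session_id_length(1)
    if len(hello) < 35:
        raise ValueError("ServerHello truncated")
    srv_major, srv_minor = hello[0], hello[1]
    sid_len = hello[34]
    pos = 35 + sid_len
    if len(hello) < pos + 3:
        raise ValueError("ServerHello truncated after session_id")
    cipher_suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    compression = hello[pos + 2]
    # Any extensions that follow are ignored; the version is what matters here.
    return {
        "record_version": (rec_major, rec_minor),
        "server_version": (srv_major, srv_minor),
        "cipher_suite": cipher_suite,
        "compression": compression,
    }


def negotiated_version_name(record: bytes) -> str:
    """Human-readable name of the version the ServerHello commits to."""
    v = parse_server_hello(record)["server_version"]
    return VERSION_NAMES.get(v, f"unknown ({v[0]}.{v[1]})")


def accepts_sslv3(record: bytes) -> bool:
    """True when the server answered with version 0x0300 (SSLv3)."""
    return parse_server_hello(record)["server_version"] == (3, 0)


def build_server_hello(major: int, minor: int, cipher_suite: int = 0x002F) -> bytes:
    """Construct a minimal ServerHello record for testing (constructed data)."""
    random_bytes = bytes(range(32))            # placeholder server random
    hello = (bytes([major, minor]) + random_bytes + b"\x00"   # empty session_id
             + struct.pack("!H", cipher_suite) + b"\x00")      # null compression
    handshake = (bytes([HANDSHAKE_TYPE_SERVER_HELLO])
                 + len(hello).to_bytes(3, "big") + hello)
    return (bytes([CONTENT_TYPE_HANDSHAKE, major, minor])
            + struct.pack("!H", len(handshake)) + handshake)


if __name__ == "__main__":
    for maj, mnr in ((3, 0), (3, 3)):
        rec = build_server_hello(maj, mnr)
        verdict = "SSLv3 still accepted" if accepts_sslv3(rec) else "ok"
        print(f"{negotiated_version_name(rec)}: {verdict}")
```

Feed `parse_server_hello` the raw bytes of the first server-to-client record from a capture (Wireshark can export the selected record's bytes); a `server_version` of `(3, 0)` means the server negotiated SSLv3 regardless of what the record-layer version says, which is exactly the ServerHello observation in the thread above.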


