[openssl-users] test for DROWN CVE

Nounou Dadoun nounou.dadoun at avigilon.com
Fri Mar 4 17:36:48 UTC 2016


There was a suite of test scripts posted to the dev list (I set them up and used them very quickly), see below ....

Nou Dadoun
Senior Firmware Developer, Security Specialist

Office: 604.629.5182 ext 2632 

-----Original Message-----
From: openssl-dev [mailto:openssl-dev-bounces at openssl.org] On Behalf Of Hubert Kario
Sent: Tuesday, March 01, 2016 7:22 AM
To: openssl-dev at openssl.org
Subject: Re: [openssl-dev] OpenSSL Security Advisory

Scripts to verify that a server is not vulnerable to DROWN.

Two scripts are provided to verify that SSLv2 and all of its ciphers are 
disabled and that export grade SSLv2 are disabled and can't be forced by 
client.

Reproducer requires Python 2.6 or 3.2 or later, you will also need git 
to download the sources

# Download the reproducer:
git clone https://github.com/tomato42/tlsfuzzer
cd tlsfuzzer
git checkout ssl2

# Download the reproducer dependencies
git clone https://github.com/tomato42/tlslite-ng .tlslite-ng
ln -s .tlslite-ng/tlslite tlslite
pushd .tlslite-ng
# likely won't be necessary in near future, code will be merged soon
git checkout sslv2
popd
git clone https://github.com/warner/python-ecdsa .python-ecdsa
ln -s .python-ecdsa/ecdsa ecdsa


To verify that an https server at example.com does not support SSLv2 at 
all, use the following command:

PYTHONPATH=. python scripts/test-sslv2-force-export-cipher.py \
-h example.com -p 443

To only verify that the server does not support export grade SSLv2 
ciphers, use the following command:

PYTHONPATH=. python scripts/test-sslv2-force-cipher.py -h example.com \
-p 443

(note, the first script is a superset of the second one)

In both cases all the individual tests in the scripts should print "OK" 
status if the specific cipher is not supported and report "failed: 0" 
together with exit status of 0 if you want to automate it.
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.asc
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160304/d5435685/attachment.sig>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ATT00001.txt
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160304/d5435685/attachment.txt>


More information about the openssl-users mailing list