[openssl-dev] Rgd. CVE-2015-3197 fix test verification !!
Hubert Kario
hkario at redhat.com
Wed Feb 3 12:22:54 UTC 2016
On Wednesday 03 February 2016 07:22:05 Hareesh D wrote:
> Can someone please tell me how to verify the fix done for
> CVE-2015-3197? I want to test the 1.0.1r version for this issue.
>
> From the issue description I'm not able to understand what exactly
> the client and server are doing.
>
> Please tell me what packet the client has to send, or else please
> provide me the packet capture of the issue.
>
> Please help. Thanks !!

I have "published" a reproducer but it is a bit hairy - you will need
development versions of a few Python modules, but nothing too crazy. You
will also need Python 2.6, 3.2 or later.

The relevant libraries are tlslite-ng, tlsfuzzer and python-ecdsa.

To start, download tlsfuzzer and switch to the branch with the new code:

    git clone https://github.com/tomato42/tlsfuzzer
    cd tlsfuzzer
    git checkout ssl2

Then get the crypto library, switch to its development branch and make
it available to tlsfuzzer:

    git clone https://github.com/tomato42/tlslite-ng.git .tlslite-ng
    pushd .tlslite-ng
    git checkout sslv2
    popd
    ln -s .tlslite-ng/tlslite tlslite

Then get the dependency of the crypto library:

    git clone https://github.com/warner/python-ecdsa .python-ecdsa
    ln -s .python-ecdsa/ecdsa ecdsa

Note: In future checking out the development branches will not be
necessary (the lines with `git checkout` can be skipped).

The relevant test to check if SSLv2 is completely disabled and the client
can't force a connection is

    scripts/test-sslv2-force-cipher.py

It will test if the server rejects the SSLv2 style client hello by
either closing the connection or sending an alert and closing the
connection.

To run it use the following command:

    PYTHONPATH=. python scripts/test-sslv2-force-cipher.py -h hostname \
        -p port-number

For example:

    PYTHONPATH=. python scripts/test-sslv2-force-cipher.py -h localhost \
        -p 4433

All tests returning "OK" and the summary being:

    Test end
    successful: 21
    failed: 0

means that the server is most likely NOT vulnerable.

Any error in the form of

    Unexpected message from peer: Handshake(43)

(or any other number) and an exit value of non-zero means that the
server IS vulnerable.

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
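
The "SSLv2 style client hello" mentioned above can be recognised in a capture by its framing. The parser below is an added example, not part of the original message or of tlsfuzzer; it follows the CLIENT-HELLO layout from the SSLv2 specification, assumes the 2-byte record header form, and `parse_sslv2_client_hello` and `SAMPLE` are hypothetical names with constructed data.

```python
import struct

# SSLv2 cipher kinds (3 bytes each), as defined in the SSLv2 specification.
SSL2_CIPHER_KINDS = {
    0x010080: "SSL_CK_RC4_128_WITH_MD5",
    0x020080: "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    0x030080: "SSL_CK_RC2_128_CBC_WITH_MD5",
    0x040080: "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    0x050080: "SSL_CK_IDEA_128_CBC_WITH_MD5",
    0x060040: "SSL_CK_DES_64_CBC_WITH_MD5",
    0x0700C0: "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}

def parse_sslv2_client_hello(data):
    """Return a dict describing an SSLv2-framed CLIENT-HELLO, or None."""
    # 2-byte record header: high bit set, remaining 15 bits are the length.
    # A TLS record starts with 0x16, so it fails this check.
    if len(data) < 11 or not data[0] & 0x80:
        return None
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + rec_len]
    # Reject truncated records and anything that is not msg type 1.
    if len(body) != rec_len or rec_len < 9 or body[0] != 1:
        return None
    version, cs_len, sid_len, ch_len = struct.unpack(">HHHH", body[1:9])
    # Declared lengths must add up; cipher specs are 3 bytes each.
    if cs_len % 3 or 9 + cs_len + sid_len + ch_len != rec_len:
        return None
    specs = [int.from_bytes(body[i:i + 3], "big")
             for i in range(9, 9 + cs_len, 3)]
    return {
        "version": version,
        # 0x0002 is SSLv2 itself; 0x03xx is a v2-framed hello offering SSLv3/TLS.
        "pure_sslv2": version == 0x0002,
        "ciphers": [SSL2_CIPHER_KINDS.get(s, "0x%06x" % s) for s in specs],
        "challenge_len": ch_len,
    }

# Constructed sample: version 0x0002, two cipher kinds, no session id,
# 16-byte challenge (not taken from a real capture).
SAMPLE = bytes.fromhex("801f" "01" "0002" "0006" "0000" "0010"
                       "010080" "0700c0") + bytes(range(16))

if __name__ == "__main__":
    print(parse_sslv2_client_hello(SAMPLE))
```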