[openssl-dev] Rgd. CVE-2015-3197 fix test verification !!

Hubert Kario hkario at redhat.com
Wed Feb 3 12:22:54 UTC 2016


On Wednesday 03 February 2016 07:22:05 Hareesh D wrote:
> Can someone please tell me how to verify the fix done for
> 
> CVE-2015-3197. I want to test 1.0.1r version for this issue.
> 
> From the issue description I'm not able to understand what exactly
> client and server doing.
> 
> Please tell me what packet client has to send or else please provide
> me the packet capture of the issue.
> 
> Please help. Thanks !!


I have "published" a reproducer but it is a bit hairy - you will need 
development versions of few python modules, but nothing too crazy. You 
will also need Python 2.6, 3.2 or later.

The relevant libraries are tlslite-ng, tlsfuzzer and python-ecdsa.

To start, download tlsfuzzer and switch to branch with new code:

    git clone https://github.com/tomato42/tlsfuzzer
    cd tlsfuzzer
    git checkout ssl2

Then get the crypto library, switch to its development branch and make 
it available to the tlsfuzzer:

    git clone https://github.com/tomato42/tlslite-ng.git .tlslite-ng
    pushd .tlslite-ng
    git checkout sslv2
    popd
    ln -s .tlslite-ng/tlslite tlslite

Then get the dependency of the crypto library:

    git clone https://github.com/warner/python-ecdsa .python-ecdsa
    ln -s .python-ecdsa/ecdsa ecdsa    

Note: In future checking out the development branches will not be 
necessary (the lines with `git checkout` can be skipped).

The relevant test to check if SSLv2 is completely disabled and client 
can't force a connection is
    scripts/test-sslv2-force-cipher.py
It will test if the server rejects the SSLv2 style client hello by 
either closing the connection or sending an alert and closing a 
connection.

To run it use the following command:

    PYTHONPATH=. python scripts/test-sslv2-force-cipher.py -h hostname \
    -p port-number

For example:

    PYTHONPATH=. python scripts/test-sslv2-force-cipher.py -h localhost\
    -p 4433


All tests returning "OK" and the summary being:

    Test end
    successful: 21
    failed: 0

means that the server is most likely NOT vulnerable.

Any error in form of 

    Unexpected message from peer: Handshake(43)

(or any other number) and an exit value of non-zero means that the 
server IS vulnerable.
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160203/6cdc2697/attachment.sig>


More information about the openssl-dev mailing list