[openssl-dev] OpenSSL Security Advisory

Hubert Kario hkario at redhat.com
Tue Mar 1 15:22:03 UTC 2016

Scripts to verify that a server is not vulnerable to DROWN.

Two scripts are provided to verify that SSLv2 and all of its ciphers are 
disabled and that export grade SSLv2 are disabled and can't be forced by 

Reproducer requires Python 2.6 or 3.2 or later, you will also need git 
to download the sources

# Download the reproducer:
git clone https://github.com/tomato42/tlsfuzzer
cd tlsfuzzer
git checkout ssl2

# Download the reproducer dependencies
git clone https://github.com/tomato42/tlslite-ng .tlslite-ng
ln -s .tlslite-ng/tlslite tlslite
pushd .tlslite-ng
# likely won't be necessary in near future, code will be merged soon
git checkout sslv2
git clone https://github.com/warner/python-ecdsa .python-ecdsa
ln -s .python-ecdsa/ecdsa ecdsa

To verify that an https server at example.com does not support SSLv2 at 
all, use the following command:

PYTHONPATH=. python scripts/test-sslv2-force-export-cipher.py \
-h example.com -p 443

To only verify that the server does not support export grade SSLv2 
ciphers, use the following command:

PYTHONPATH=. python scripts/test-sslv2-force-cipher.py -h example.com \
-p 443

(note, the first script is a superset of the second one)

In both cases all the individual tests in the scripts should print "OK" 
status if the specific cipher is not supported and report "failed: 0" 
together with exit status of 0 if you want to automate it.
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160301/c0126f46/attachment.sig>

More information about the openssl-dev mailing list