[openssl-dev] OpenSSL Security Advisory
Hubert Kario
hkario at redhat.com
Tue Mar 1 15:22:03 UTC 2016
Scripts to verify that a server is not vulnerable to DROWN.
Two scripts are provided to verify that SSLv2 and all of its ciphers are
disabled, and that export grade SSLv2 ciphers are disabled and can't be
forced by the client.
The reproducer requires Python 2.6 or 3.2 or later; you will also need git
to download the sources.
# Download the reproducer:
git clone https://github.com/tomato42/tlsfuzzer
cd tlsfuzzer
git checkout ssl2
# Download the reproducer dependencies
git clone https://github.com/tomato42/tlslite-ng .tlslite-ng
ln -s .tlslite-ng/tlslite tlslite
pushd .tlslite-ng
# likely won't be necessary in the near future, the code will be merged soon
git checkout sslv2
popd
git clone https://github.com/warner/python-ecdsa .python-ecdsa
ln -s .python-ecdsa/ecdsa ecdsa
To verify that an https server at example.com does not support SSLv2 at
all, use the following command:
PYTHONPATH=. python scripts/test-sslv2-force-export-cipher.py \
-h example.com -p 443
To only verify that the server does not support export grade SSLv2
ciphers, use the following command:
PYTHONPATH=. python scripts/test-sslv2-force-cipher.py -h example.com \
-p 443
(Note: the first script is a superset of the second one.)
In both cases all the individual tests in the scripts should print "OK"
status if the specific cipher is not supported, and the scripts should report
"failed: 0" together with an exit status of 0, if you want to automate it.
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
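The two scripts above work by offering the server an SSLv2 CLIENT-HELLO that lists only the cipher under test and checking whether the server answers with an SSLv2 SERVER-HELLO that accepts it. The following is an added example of that exchange, written for this page and not taken from tlsfuzzer or tlslite-ng: it builds the SSLv2 CLIENT-HELLO record, classifies the server's first reply (SSLv2 SERVER-HELLO, TLS alert, or connection closed), and summarizes which cipher kinds were accepted, separating the export grade ones. It is Python 3 standard library only. The `build_server_hello` helper and the certificate bytes inside it are constructed so the parser can be exercised offline; the host, port and function names are the example's own.

```python
"""Minimal SSLv2 CLIENT-HELLO probe (added example; Python 3, stdlib only)."""
import os
import socket
import struct

# SSLv2 CIPHER-KIND values (3 bytes each) from the SSL 2.0 specification.
SSL2_CIPHERS = {
    "RC4_128_WITH_MD5": b"\x01\x00\x80",
    "RC4_128_EXPORT40_WITH_MD5": b"\x02\x00\x80",
    "RC2_128_CBC_WITH_MD5": b"\x03\x00\x80",
    "RC2_128_CBC_EXPORT40_WITH_MD5": b"\x04\x00\x80",
    "IDEA_128_CBC_WITH_MD5": b"\x05\x00\x80",
    "DES_64_CBC_WITH_MD5": b"\x06\x00\x40",
    "DES_192_EDE3_CBC_WITH_MD5": b"\x07\x00\xc0",
}
EXPORT_CIPHERS = {"RC4_128_EXPORT40_WITH_MD5", "RC2_128_CBC_EXPORT40_WITH_MD5"}
_SPEC_TO_NAME = {spec: name for name, spec in SSL2_CIPHERS.items()}


def ssl2_record(body):
    """Wrap a message in a 2-byte SSLv2 record header (no padding): high bit set, 15-bit length."""
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_client_hello(cipher_names, challenge=None):
    """CLIENT-HELLO offering only the named cipher kinds; a SERVER-HELLO then means one was accepted."""
    challenge = challenge if challenge is not None else os.urandom(16)
    specs = b"".join(SSL2_CIPHERS[n] for n in cipher_names)
    body = (b"\x01"                                              # MSG-CLIENT-HELLO
            + b"\x00\x02"                                        # CLIENT-VERSION = SSL 2.0
            + struct.pack(">HHH", len(specs), 0, len(challenge))  # cipher-specs, session-id, challenge lengths
            + specs + challenge)
    return ssl2_record(body)


def build_server_hello(cipher_names, certificate=b"\x30\x03\x02\x01\x00", connection_id=b"C" * 16):
    """SERVER-HELLO as an SSLv2-enabled server would answer; used here to construct offline input.
    The default certificate bytes are a constructed placeholder, not a real DER certificate."""
    specs = b"".join(SSL2_CIPHERS[n] for n in cipher_names)
    body = (b"\x04"                      # MSG-SERVER-HELLO
            + b"\x00"                    # SESSION-ID-HIT = 0
            + b"\x01"                    # CERTIFICATE-TYPE = X.509
            + b"\x00\x02"                # SERVER-VERSION = SSL 2.0
            + struct.pack(">HHH", len(certificate), len(specs), len(connection_id))
            + certificate + specs + connection_id)
    return ssl2_record(body)


def classify_response(data):
    """Return (kind, accepted_cipher_names) for the first bytes a server sends back."""
    if not data:
        return "closed", []                # server hung up or timed out: no SSLv2 handshake
    if data[0] == 0x15:
        return "tls_alert", []             # TLS alert record: the server only speaks TLS here
    if data[0] & 0x80 and len(data) >= 13 and data[2] == 0x04:
        body = data[2:2 + (((data[0] & 0x7f) << 8) | data[1])]
        cert_len, specs_len, _conn_len = struct.unpack(">HHH", body[5:11])
        specs = body[11 + cert_len:11 + cert_len + specs_len]
        names = [_SPEC_TO_NAME.get(specs[i:i + 3], "unknown") for i in range(0, len(specs), 3)]
        return "sslv2_server_hello", names
    return "unknown", []


def probe(host, port, cipher_names, timeout=5.0):
    """Send one CLIENT-HELLO and classify the reply (needs network; not used by the offline checks)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(cipher_names))
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return classify_response(data)


def summarize(accepted_by_cipher):
    """accepted_by_cipher maps cipher name -> bool. Mirrors the two checks in the post:
    is any SSLv2 cipher accepted, and are any export grade SSLv2 ciphers accepted."""
    accepted = {n for n, ok in accepted_by_cipher.items() if ok}
    return {"sslv2_enabled": bool(accepted),
            "export_ciphers_accepted": sorted(accepted & EXPORT_CIPHERS)}


def check_server(host, port):
    """Offer each SSLv2 cipher on its own, the way the 'force cipher' tests do, and summarize."""
    results = {}
    for name in SSL2_CIPHERS:
        kind, accepted = probe(host, port, [name])
        results[name] = kind == "sslv2_server_hello" and name in accepted
    return summarize(results)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # assumed target, as in the post
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(check_server(host, port))
```

A cipher counts as accepted when the server lists it in its SERVER-HELLO; the probe stops there and never sends CLIENT-MASTER-KEY, so nothing is encrypted. Servers with SSLv2 disabled typically answer with a TLS alert or just close the connection; both are reported as not accepted, and a result of `sslv2_enabled: False` for every cipher corresponds to the "failed: 0" outcome the scripts print.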