Rgd. CVE-2015-3197 fix test verification !!


Hareesh D
Can someone please tell me how to verify the fix done for
CVE-2015-3197? I want to test the 1.0.1r version for this issue.
From the issue description I'm not able to understand what exactly the client and server are doing.
Please tell me what packet the client has to send, or else please provide me the packet capture of the issue.

Please help. Thanks !!

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: Rgd. CVE-2015-3197 fix test verification !!

Hubert Kario
On Wednesday 03 February 2016 07:22:05 Hareesh D wrote:

> Can someone please tell me how to verify the fix done for
> CVE-2015-3197? I want to test the 1.0.1r version for this issue.
>
> From the issue description I'm not able to understand what exactly
> the client and server are doing.
>
> Please tell me what packet the client has to send, or else please
> provide me the packet capture of the issue.
>
> Please help. Thanks !!

I have "published" a reproducer but it is a bit hairy - you will need
development versions of a few Python modules, but nothing too crazy. You
will also need Python 2.6, 3.2 or later.

The relevant libraries are tlslite-ng, tlsfuzzer and python-ecdsa.

To start, download tlsfuzzer and switch to the branch with the new code:

    git clone https://github.com/tomato42/tlsfuzzer
    cd tlsfuzzer
    git checkout ssl2

Then get the crypto library, switch to its development branch and make
it available to tlsfuzzer:

    git clone https://github.com/tomato42/tlslite-ng.git .tlslite-ng
    pushd .tlslite-ng
    git checkout sslv2
    popd
    ln -s .tlslite-ng/tlslite tlslite

Then get the dependency of the crypto library:

    git clone https://github.com/warner/python-ecdsa .python-ecdsa
    ln -s .python-ecdsa/ecdsa ecdsa    

Note: In future checking out the development branches will not be
necessary (the lines with `git checkout` can be skipped).

The relevant test to check if SSLv2 is completely disabled and a client
can't force a connection is

    scripts/test-sslv2-force-cipher.py

It will test if the server rejects the SSLv2 style client hello by
either closing the connection or sending an alert and closing the
connection.

To run it use the following command:

    PYTHONPATH=. python scripts/test-sslv2-force-cipher.py -h hostname \
    -p port-number

For example:

    PYTHONPATH=. python scripts/test-sslv2-force-cipher.py -h localhost \
    -p 4433


All tests returning "OK" and the summary being:

    Test end
    successful: 21
    failed: 0

means that the server is most likely NOT vulnerable.

Any error in the form of

    Unexpected message from peer: Handshake(43)

(or any other number) and a non-zero exit value means that the
server IS vulnerable.
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
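An added example, not part of the messages above or of tlsfuzzer: a small helper that applies the pass/fail rules from the reply to the captured output and exit status of one `test-sslv2-force-cipher.py` run, so a patch-verification job can record a verdict per host. The function name, verdict strings and sample outputs are assumptions made for illustration.

```python
import re

# Constructed sample outputs; only the summary and error lines come from the message.
CLEAN_RUN = "Test end\nsuccessful: 21\nfailed: 0\n"
VULN_RUN = ("Unexpected message from peer: Handshake(43)\n"
            "Test end\nsuccessful: 20\nfailed: 1\n")

SUMMARY_RE = re.compile(r"^\s*(successful|failed):\s*(\d+)\s*$", re.MULTILINE)
UNEXPECTED_RE = re.compile(r"Unexpected message from peer: Handshake\((\d+)\)")


def classify_run(output, exit_code):
    """Return (verdict, detail) for one run of the test script (hypothetical helper).

    verdict is "not-vulnerable", "vulnerable" or "inconclusive".
    """
    counts = {key: int(value) for key, value in SUMMARY_RE.findall(output)}
    handshakes = UNEXPECTED_RE.findall(output)

    # The server answered the SSLv2 style client hello with a handshake
    # message and the script exited non-zero: the reply reads this as vulnerable.
    if handshakes and exit_code != 0:
        types = ", ".join(sorted(set(handshakes), key=int))
        return "vulnerable", "server sent Handshake(%s)" % types

    # Clean run: summary present, nothing failed, zero exit status.
    if exit_code == 0 and counts.get("failed") == 0 and counts.get("successful", 0) > 0:
        return "not-vulnerable", "%d tests OK" % counts["successful"]

    # Anything else (no summary, connection refused, other failures) says
    # nothing about SSLv2 handling, so the host is not reported as clean.
    return "inconclusive", "exit=%d, summary=%r" % (exit_code, counts)


if __name__ == "__main__":
    for name, text, code in (("clean", CLEAN_RUN, 0), ("vulnerable", VULN_RUN, 1)):
        print(name, classify_run(text, code))
```

Treating every unrecognised outcome as inconclusive keeps a crashed or unreachable test run from being logged as a verified fix.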