Home page logo
/

webappsec logo WebApp Sec mailing list archives

RE: SSL 2.0 enabled or disabled?
From: "Dimitris Petropoulos" <D.Petropoulos () encode-sec com>
Date: Thu, 20 May 2004 19:34:14 +0300

Dear Rogan,

Of course, if you're going to try it that way, it is easier 
to write a 
little script that iterates through the list of ciphers that OpenSSL 
knows about (openssl ciphers) and then use openssl to connect to the 
server in question with that specific cipher.

Yes, that's even better if you want automation. However, there are cases
where this might not always provide accurate results: some sites that
require strong SSL/TLS ciphersuites will allow you to connect using a
weak ciphersuite only to send you to a help/error page informing you
that the SSL/TLS ciphersuite you used to connect was not strong enough
to allow you access (a better practice than dropping the connection
without any explanation)...  In technical terms, in those cases the
client and the server will exchange ChangeCipherSpec messages and the
client will send the HTTP request encrypted under the weak ciphersuite
session key, to which the server will probably reply with a 403 message,
rather than sending an SSL/TLS alert (with insufficient_security or
handshake_failure alert description) during the handshake phase, which
would seem the normal reply to the client since the ciphersuite is not
amongst the supported ones,

Therefore, the fact that you may successfully establish a weak
ciphersuite SSL/TLS connection to a website may not always be
conclusive; you might need to parse the HTTP reply in order to be sure
(that's why -in my opinion- a browser is preferable).

Best regards,

-----------------------
Dimitrios Petropoulos
MSc InfoSec, CISSP

Director, Security Research & Development
 
ENCODE S.A.
3, R.Melodou Str
151 25 Maroussi
Athens, Greece
Tel: +30210-6178410
Fax: +30210-6109579
web: www.encode-sec.com
------------------------


******************************************************************
Any views expressed in this message are those of the
individual sender, except where the sender specifically
states them to be the views of ENCODE S.A.
******************************************************************


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]