I was thinking of having a go at writing this, but it's hard! One thing I noticed was that a change they made in the fix was to only parse client certificates if the certificate is actually used. My idea was to connect without a client certificate and see if you get a connection. If you do, then try connecting again with a deliberately invalid client certificate. If this is rejected, you're using an old and vulnerable version; if it is accepted the host has the fix applied. This method cannot test hosts that use a client certificate. I figured to make this into a plugin I'd start by trying to reproduce it with the openssl command line. So far I haven't managed it, but I've only had a relatively quick look. I may find more time to spend on this.
Regards,
Paul
bob wrote:
I have looked everywhere but I haven't found any reference to last week's SSL/TLS vulnerability. Am I missing something??
bob
-- Paul Johnston Internet Security Specialist Westpoint Limited Albion Wharf, 19 Albion Street, Manchester, M1 5LN England Tel: +44 (0)161 237 1028 Fax: +44 (0)161 237 1031 email: [EMAIL PROTECTED] web: www.westpoint.ltd.uk
