On Wednesday 03 February 2016 07:22:05 Hareesh D wrote:
> Can someone please tell me how to verify the fix done for
> CVE-2015-3197. I want to test 1.0.1r version for this issue.
>
> From the issue description I'm not able to understand what exactly
> client and server doing.
>
> Please tell me what packet client has to send or else please provide
> me the packet capture of the issue.
>
> Please help. Thanks !!

I have "published" a reproducer but it is a bit hairy - you will need
development versions of a few Python modules, but nothing too crazy. You
will also need Python 2.6, 3.2 or later.

The relevant libraries are tlslite-ng, tlsfuzzer and python-ecdsa.

To start, download tlsfuzzer and switch to the branch with the new code:

    git clone https://github.com/tomato42/tlsfuzzer
    cd tlsfuzzer
    git checkout ssl2

Then get the crypto library, switch to its development branch and make
it available to tlsfuzzer:

    git clone https://github.com/tomato42/tlslite-ng.git .tlslite-ng
    pushd .tlslite-ng
    git checkout sslv2
    popd
    ln -s .tlslite-ng/tlslite tlslite

Then get the dependency of the crypto library:

    git clone https://github.com/warner/python-ecdsa .python-ecdsa
    ln -s .python-ecdsa/ecdsa ecdsa

Note: In the future, checking out the development branches will not be
necessary (the lines with `git checkout` can be skipped).

The relevant test to check if SSLv2 is completely disabled and the client
can't force a connection is

    scripts/test-sslv2-force-cipher.py

It will test if the server rejects the SSLv2 style client hello by
either closing the connection or sending an alert and closing the
connection.

To run it use the following command:

    PYTHONPATH=. python scripts/test-sslv2-force-cipher.py -h hostname \
        -p port-number

For example:

    PYTHONPATH=. python scripts/test-sslv2-force-cipher.py -h localhost \
        -p 4433

All tests returning "OK" and the summary being:

    Test end
    successful: 21
    failed: 0

means that the server is most likely NOT vulnerable.

Any error in the form of

    Unexpected message from peer: Handshake(43)

(or any other number) and a non-zero exit value means that the
server IS vulnerable.
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
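The pass/fail rule the reply describes (the server must answer an SSLv2 style client hello by closing the connection or sending an alert) can be sketched offline as follows. This is an added example, not code from the message or from tlsfuzzer; the function names and sample bytes are assumptions made here, and the message layouts follow the SSLv2 specification.

```python
import struct

# 3-byte SSLv2 cipher kind (SSL_CK_RC4_128_WITH_MD5 in the SSLv2 specification).
SSL_CK_RC4_128_WITH_MD5 = b"\x01\x00\x80"
# Constructed sample: TLS alert record, fatal(2) handshake_failure(40).
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"

def build_sslv2_client_hello(cipher_specs, challenge=b"\x00" * 16):
    """Return an SSLv2-framed CLIENT-HELLO (2-byte header, no padding)."""
    if not 16 <= len(challenge) <= 32:
        raise ValueError("challenge must be 16..32 bytes")
    specs = b"".join(cipher_specs)
    # msg type 1, version 0x0002, spec length, session-id length 0, challenge length
    body = struct.pack(">BHHHH", 1, 0x0002, len(specs), 0, len(challenge))
    body += specs + challenge
    # The high bit of the first length byte marks a 2-byte record header.
    return struct.pack(">H", 0x8000 | len(body)) + body

def classify_response(data):
    """Classify the first bytes read back from the server (b'' = closed)."""
    if not data:
        return "closed"
    if data[0:2] == b"\x15\x03":            # TLS record: alert, version 3.x
        return "tls_alert"
    if len(data) >= 3 and ord(data[0:1]) & 0x80 and data[2:3] == b"\x04":
        return "sslv2_server_hello"         # SSLv2 record, msg type SERVER-HELLO
    return "unexpected"

def server_cipher_specs(data):
    """List the 3-byte cipher kinds carried in an SSLv2 SERVER-HELLO."""
    # session-id-hit, cert type, version, then three 2-byte lengths
    _, _, _, cert_len, specs_len, _ = struct.unpack(">BBHHHH", data[3:13])
    start = 13 + cert_len
    specs = data[start:start + specs_len]
    return [specs[i:i + 3] for i in range(0, len(specs), 3)]

def rejects_sslv2(data):
    """True when the reply matches the 'close or alert' rule from the message."""
    return classify_response(data) in ("closed", "tls_alert")

if __name__ == "__main__":
    print(classify_response(SAMPLE_TLS_ALERT), rejects_sslv2(SAMPLE_TLS_ALERT))
```
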
