Testing for SSL Renegotiation

I've noticed that OpenSSL will say that "Renegotiation IS supported" even when a server has disabled it. To know for sure, it's possible to trigger a Renegotiation with the open ssl client to see what happens.

To do this, run the command:
openssl s_client -connect host:port

And enter R to trigger Renegotiation:
R

You will see "RENEGOTIATING" followed by an error if Renegotiation has failed.

Comments

Post a Comment

Popular posts from this blog

metasploitable exploits

Metasploit have a test VM which they call "Metasplotiable", it can be downloaded and used to try out Metasploit. I recommend using the backtrack VM image to do this as it's easier then install metasploit and it comes with lots of other useful tools. However I couldn't find a comprehensive list of vulnerabilities which can be exploited; so here are my notes. I've tried not to give too much away but of course going to be a partial spoiler. So see what you can find for yourself before cross checking against my list. 21/tcp open ftp ProFTPD 1.3.1 # Not a vulnerable version, although an obvious security risk but could be brute forced. 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) # Again no specific vulnerability found but could be brute forced 23/tcp open telnet Linux telnetd # Again no specific vulnerability found but could be brute forced 25/tcp open smtp Postfix smtpd # No specific vulnerability found but doesn...
Read more

SSL Digger

SSL Digger also does the job: Free from mcafee but windows only (.net 1.1). http://www.mcafee.com/us/downloads/free-tools/index.aspx Very light weight and simple to use. Gui based but exports reports.
Read more