[W3af-users] SSL3 handshake used when TLS1 protocol specified?
From: Andres R. <and...@gm...> - 2014-10-28 11:17:25
List,

I'm trying to fix w3af [0] in order to be able to scan sites which have disabled SSLv3 because of the POODLE vulnerability, and I'm seeing some strange behaviour in the logs. The problem is that even when I tell python to use TLS (version 3 in ssl.py) it seems to use SSLv3 (don't confuse the previous three with this one):

SSL connection error occurred with protocol 1: '[Errno 1] _ssl.c:510: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure'
SSL connection error occurred with protocol 3: '[Errno 1] _ssl.c:510: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure'
SSL connection error occurred with protocol 2: '[Errno 1] _ssl.c:510: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure'

In the first line w3af tries to connect to the host using protocol 1 and fails, because it's disabled server-side. The second line shows how w3af tries to start a connection with TLSv1 (protocol 3) but then it says "SSL3_READ_BYTES:sslv3"... why is this? What am I doing wrong?

You can see the patch here [1]

[0] https://github.com/andresriancho/w3af/issues/5802
[1] https://github.com/andresriancho/w3af/commit/4d3da21fb4f779891b0931826f65431f8e3e0a51#diff-fb2412155fd3f437748e8b4bd0282e68R893

Regards,
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
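An added helper for reading the OpenSSL 1.0.x error strings quoted in the post (this is not code from the w3af patch or from the thread): the 8-digit hex code packs a library id, a function id and a reason id, and a reason of 1000 or more is a TLS alert received from the peer, so 14094410 is alert 40 (handshake_failure) received by the SSL3_READ_BYTES routine, which is OpenSSL's record reader for TLS 1.x as well as SSLv3 and not evidence that SSLv3 was negotiated. The alert table is taken from RFC 5246 and the protocol numbers from Python 2.7's ssl constants; both are assumptions about the reader's environment rather than anything the post states.

```python
import re

# OpenSSL 1.0.x packs an error as ERR_PACK(lib, func, reason): 8-bit library
# id, 12-bit function id, 12-bit reason id.  Reasons >= 1000 are
# SSL_AD_REASON_OFFSET plus the TLS alert description the peer sent; the
# function id only names the OpenSSL routine that received the alert
# (ssl3_read_bytes is the record reader for TLS 1.x as well as SSLv3).
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000

# TLS alert descriptions from RFC 5246 section 7.2 (common subset).
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error",
}
# Python 2.7 ssl.PROTOCOL_* values, the "protocol N" numbers in the log.
PY27_PROTOCOLS = {0: "PROTOCOL_SSLv2", 1: "PROTOCOL_SSLv3",
                  2: "PROTOCOL_SSLv23", 3: "PROTOCOL_TLSv1"}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.+?)'?$")

def decode_openssl_error(text):
    """Split an 'error:14094410:SSL routines:...' string into its fields,
    or return None when no packed error code is present."""
    m = ERR_RE.search(text)
    if not m:
        return None
    code = int(m.group(1), 16)
    info = {"lib": code >> 24, "func": (code >> 12) & 0xFFF,
            "reason": code & 0xFFF, "lib_name": m.group(2),
            "func_name": m.group(3), "reason_text": m.group(4),
            "alert": None, "alert_name": None}
    if info["lib"] == ERR_LIB_SSL and info["reason"] >= SSL_AD_REASON_OFFSET:
        info["alert"] = info["reason"] - SSL_AD_REASON_OFFSET
        info["alert_name"] = TLS_ALERTS.get(info["alert"], "unknown")
    return info

def explain_log_line(line):
    """Diagnose one 'SSL connection error occurred with protocol N: ...' line:
    which protocol constant was tried and which alert the peer sent back."""
    m = re.search(r"protocol (\d+):", line)
    proto = PY27_PROTOCOLS.get(int(m.group(1)), "unknown") if m else "unknown"
    err = decode_openssl_error(line)
    if err is None or err["alert"] is None:
        return "%s: %s" % (proto, line.strip())
    return "%s: peer sent TLS alert %d (%s) while OpenSSL was in %s" % (
        proto, err["alert"], err["alert_name"], err["func_name"])
```

The function ids are specific to OpenSSL 1.0.x (later releases renumbered them and 3.0 no longer records them), but the alert-offset rule for the reason id still applies.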