Results 1 to 4 of 4

Thread: Resuming SSL Sessions

  1. #1
    Just burned his ISO
    Join Date
    Mar 2012
    Posts
    2

    Default Resuming SSL Sessions

    Hello all,

    As a result of a recent pen test I have been tasked with fixing an issue described as "the following services support resuming SSL sessions"

    I am wondering how I can use Backtrack to repeat this test, I do not know which tool set the pen testers used, all I know if I have to fix this issue

    I would l like to know how I can test this issue again once I have applied patches / updates / registry changes etc on the offending servers

    Thanks in advance
    Stuart

  2. #2
    Good friend of the forums scottm99's Avatar
    Join Date
    Feb 2010
    Location
    underwater
    Posts
    371

    Default Re: Resuming SSL Sessions

    Well, in order to fix the issue, you'd need to reproduce it. The deliverable/report from your pen testers should have included details regarding the specific problem(s) found, tools used to find & confirm those problem(s), screen shots, mitigation plans, etc. If your deliverable/report didn't include that, first thing I would do is get that info...then maybe kick the pen test team for not supplying it in the first place!
    If I could figure out how to scuba dive & hack at the same time, there would be nothing I couldn't do...

  3. #3
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default Re: Resuming SSL Sessions

    You can use openssl to check:

    What you want to see (you type the parts in bold):
    openssl s_client -connect www.google.com:443
    [snip... a lot of openssl output]
    ---
    Secure Renegotiation IS supported
    ---
    HEAD / HTTP/1.0
    R

    RENEGOTIATING
    20025:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
    What you don't want to see (you type the parts in bold):
    openssl s_client -connect www.othersite.com:443
    [snip... a lot of openssl output]
    ---
    Secure Renegotiation IS NOT supported
    ---
    HEAD / HTTP/1.0
    R

    RENEGOTIATING
    If your HTTP requests complete that means insecure renegotiation is enabled.
    If you get an error (similar to above) then insecure renegotiation was not supported.
    The connection may timeout after a while which is now openssl 0.9.8l deals with it.

    Note: The tests above only work with an OpenSSL version that was not patched to deal with insecure renegotiation.

    You can also use this free Qualys tool/website to check:
    https://www.ssllabs.com/ssldb/
    Last edited by thorin; 03-15-2012 at 08:02 AM.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  4. #4
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default Re: Resuming SSL Sessions

    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

Similar Threads

  1. 2WIRE WPA Cracking Script for Pyrit with Resuming
    By cRACKmONKEY421 in forum BackTrack 5 General Topics
    Replies: 8
    Last Post: 06-12-2012, 04:24 PM
  2. Fast Track no sessions
    By kicker7734 in forum Beginners Forum
    Replies: 3
    Last Post: 02-10-2010, 10:29 AM
  3. fast-track, never has sessions
    By Mr.Happy in forum Beginners Forum
    Replies: 2
    Last Post: 02-09-2010, 11:33 PM
  4. Replies: 5
    Last Post: 09-02-2009, 03:09 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •