Resuming SSL Sessions

[stueng]

Hello all,

As a result of a recent pen test I have been tasked with fixing an issue described as "the following services support resuming SSL sessions"

I am wondering how I can use Backtrack to repeat this test, I do not know which tool set the pen testers used, all I know if I have to fix this issue

I would l like to know how I can test this issue again once I have applied patches / updates / registry changes etc on the offending servers

Thanks in advance
Stuart

[scottm99]

Well, in order to fix the issue, you'd need to reproduce it. The deliverable/report from your pen testers should have included details regarding the specific problem(s) found, tools used to find & confirm those problem(s), screen shots, mitigation plans, etc. If your deliverable/report didn't include that, first thing I would do is get that info...then maybe kick the pen test team for not supplying it in the first place!

[thorin]

You can use openssl to check:

What you want to see (you type the parts in bold):

openssl s_client -connect www.google.com:443
[snip... a lot of openssl output]
---
Secure Renegotiation IS supported
---
HEAD / HTTP/1.0
R
RENEGOTIATING
20025:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

What you don't want to see (you type the parts in bold):

openssl s_client -connect www.othersite.com:443
[snip... a lot of openssl output]
---
Secure Renegotiation IS NOT supported
---
HEAD / HTTP/1.0
R
RENEGOTIATING

If your HTTP requests complete that means insecure renegotiation is enabled.
If you get an error (similar to above) then insecure renegotiation was not supported.
The connection may timeout after a while which is now openssl 0.9.8l deals with it.

Note: The tests above only work with an OpenSSL version that was not patched to deal with insecure renegotiation.

You can also use this free Qualys tool/website to check:
https://www.ssllabs.com/ssldb/

[thorin]

Good write-up here:
http://devadraco.blogspot.ca/2010/01...gotiation.html