infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

include a list of deprecated ciphers in the sslscan result 

Allow recording remote deprecated cipher support even if the local OpenSSL
library does not support negotiating that cipher.
bug/bundler_fix
Brent Cook 2015-05-08 18:05:00 -05:00
parent d875142468
commit d3730ae18c
2 changed files with 24 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
lib/rex/sslscan/result.rb
View File

@ -15,6 +15,24 @@ class Result
@cert = nil @cert = nil
@ciphers = Set.new @ciphers = Set.new
@supported_versions = [:SSLv2, :SSLv3, :TLSv1] @supported_versions = [:SSLv2, :SSLv3, :TLSv1]
@deprecated_weak_ciphers = [
'ECDHE-RSA-DES-CBC3-SHA',
'ECDHE-ECDSA-DES-CBC3-SHA',
'SRP-DSS-3DES-EDE-CBC-SHA',
'SRP-RSA-3DES-EDE-CBC-SHA',
'SRP-3DES-EDE-CBC-SHA',
'EDH-RSA-DES-CBC3-SHA',
'EDH-DSS-DES-CBC3-SHA',
'ECDH-RSA-DES-CBC3-SHA',
'ECDH-ECDSA-DES-CBC3-SHA',
'DES-CBC3-SHA',
'PSK-3DES-EDE-CBC-SHA',
'EXP-EDH-RSA-DES-CBC-SHA',
'EXP-EDH-DSS-DES-CBC-SHA',
'EXP-DES-CBC-SHA',
'EXP-RC2-CBC-MD5',
'EXP-RC4-MD5'
]
end end
def cert def cert
@ -113,7 +131,8 @@ class Result
unless @supported_versions.include? version unless @supported_versions.include? version
raise ArgumentError, "Must be a supported SSL Version" raise ArgumentError, "Must be a supported SSL Version"
end end
unless OpenSSL::SSL::SSLContext.new(version).ciphers.flatten.include? cipher unless OpenSSL::SSL::SSLContext.new(version).ciphers.flatten.include?(cipher) \
|| @deprecated_weak_ciphers.include?(cipher)
raise ArgumentError, "Must be a valid SSL Cipher for #{version}!" raise ArgumentError, "Must be a valid SSL Cipher for #{version}!"
end end
unless key_length.kind_of? Fixnum unless key_length.kind_of? Fixnum

15
spec/lib/rex/sslscan/result_spec.rb
View File

@ -410,9 +410,7 @@ describe Rex::SSLScan::Result do
context "checking for weak ciphers" do context "checking for weak ciphers" do
context "when weak ciphers are supported" do context "when weak ciphers are supported" do
before(:each) do before(:each) do
skip("Fix #5319, deal with system libs not supporting weak ciphers") do subject.add_cipher(:SSLv3, "EXP-RC4-MD5", 40, :accepted)
subject.add_cipher(:SSLv3, "EXP-RC4-MD5", 40, :accepted)
end
subject.add_cipher(:SSLv3, "DES-CBC-SHA", 56, :accepted) subject.add_cipher(:SSLv3, "DES-CBC-SHA", 56, :accepted)
end end
it "should return an array of weak ciphers from #weak_ciphers" do it "should return an array of weak ciphers from #weak_ciphers" do
@ -460,10 +458,8 @@ describe Rex::SSLScan::Result do
end end
it "should return false if weak ciphers are supported" do it "should return false if weak ciphers are supported" do
skip("Fix #5319, deal with system libs not supporting weak ciphers") do subject.add_cipher(:SSLv3, "EXP-RC2-CBC-MD5", 40, :accepted)
subject.add_cipher(:SSLv3, "EXP-RC2-CBC-MD5", 40, :accepted) subject.standards_compliant?.should == false
subject.standards_compliant?.should == false
end
end end
it "should return true if SSLv2 and Weak Ciphers are disabled" do it "should return true if SSLv2 and Weak Ciphers are disabled" do
@ -492,10 +488,7 @@ describe Rex::SSLScan::Result do
subject.add_cipher(:SSLv3, "AES256-SHA", 256, :accepted) subject.add_cipher(:SSLv3, "AES256-SHA", 256, :accepted)
subject.add_cipher(:TLSv1, "AES256-SHA", 256, :accepted) subject.add_cipher(:TLSv1, "AES256-SHA", 256, :accepted)
subject.add_cipher(:SSLv3, "AES128-SHA", 128, :accepted) subject.add_cipher(:SSLv3, "AES128-SHA", 128, :accepted)
subject.add_cipher(:SSLv3, "EXP-RC2-CBC-MD5", 40, :accepted)
skip("Fix #5319, deal with system libs not supporting weak ciphers") do
subject.add_cipher(:SSLv3, "EXP-RC2-CBC-MD5", 40, :accepted)
end
cert = OpenSSL::X509::Certificate.new cert = OpenSSL::X509::Certificate.new
key = OpenSSL::PKey::RSA.new 2048 key = OpenSSL::PKey::RSA.new 2048