Wiki

User Tools

Site Tools

Trace:
ssl:check_for_poodle_bug

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
ssl:check_for_poodle_bug [2016/07/04 08:05] peterssl:check_for_poodle_bug [2019/12/04 21:38] (current) – removed peter
Line 1: Line 1:
-====== SSL - Check for Poodle bug ====== 
- 
-Use the following command to check an IP or hostname: 
- 
-<code bash> 
-echo | timeout 3 openssl s_client -connect HOSTNAMEORIPADDRESS:443 >/dev/null 2>&1; if [[ $? != 0 ]]; then echo "UNKNOWN: HOSTNAMEORIPADDRESS timeout or connection error"; else echo | openssl s_client -connect HOSTNAMEORIPADDRESS:443 -ssl3 2>&1 | grep -qo "sslv3 alert handshake failure\|SSL3_GET_RECORD:wrong version number" && echo "OK: HOSTNAMEORIPADDRESS Not vulnerable" || echo "FAIL:  HOSTNAMEORIPADDRESS vulnerable; sslv3 connection accepted"; fi 
-</code> 
- 
-Replace **HOSTNAMEORIPADDRESS** by the actual hostname or IP address.  
-If you use SNI, add the **-servername sharewiz.net** option to the 2 OpenSSL commands, like so: 
- 
-<code bash> 
-openssl s_client -servername snihostname.org -connect 172.16.30.5:443 -ssl     
-</code> 
- 
-===== Examples ===== 
- 
-**Non-vulnerable website:** 
- 
-<code bash> 
-echo | timeout 3 openssl s_client -connect sharewiz.net:443 >/dev/null 2>&1; if [[ $? != 0 ]]; then echo "UNKNOWN: raymii.org timeout or connection error"; else echo | openssl s_client -connect sharewiz.net:443 -ssl3 2>&1 | grep -qo "sslv3 alert handshake failure\|SSL3_GET_RECORD:wrong version number" && echo "OK: sharewiz.net Not vulnerable" || echo "FAIL:  raymii.org vulnerable; sslv3 connection accepted"; fi 
-</code> 
- 
-Result: 
- 
-<code bash> 
-OK: sharewiz.net Not vulnerable 
-</code> 
- 
-**Vulnerable site:** 
- 
-<code bash> 
-echo | timeout 3 openssl s_client -connect sslv3-testhost.com:443 >/dev/null 2>&1; if [[ $? != 0 ]]; then echo "UNKNOWN: sslv3-testhost.com timeout or connection error"; else echo | openssl s_client -connect sslv3-testhost.com:443 -ssl3 2>&1 | grep -qo "sslv3 alert handshake failure\|SSL3_GET_RECORD:wrong version number" && echo "OK: sslv3-testhost.com Not vulnerable" || echo "FAIL:  sslv3-testhost.com vulnerable; sslv3 connection accepted"; fi 
-</code> 
- 
-Result: 
- 
-<code bash> 
-FAIL: sslv3-testhost.com vulnerable; sslv3 connection accepted 
-</code> 
- 
- 
-**Site without SSL:** 
- 
-<code bash> 
-echo | timeout 3 openssl s_client -connect sharewiz.net:443 >/dev/null 2>&1; if [[ $? != 0 ]]; then echo "UNKNOWN: pepermunt.net timeout or connection error"; else echo | openssl s_client -connect sharewiz.net:443 -ssl3 2>&1 | grep -qo "sslv3 alert handshake failure\|SSL3_GET_RECORD:wrong version number" && echo "OK: sharewiz.net Not vulnerable" || echo "FAIL:  sharewiz.net vulnerable; sslv3 connection accepted"; fi 
-</code> 
- 
-Result: 
- 
-<code bash> 
-UNKNOWN: sharewiz.net timeout or connection error 
-</code> 
- 
-You can check other ports by changing 443 to any other valid port. 
- 
  
ssl/check_for_poodle_bug.1467619550.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki