To check your cipher suites offline, see @lancnorden's answer!
In particular, to check for POODLE vulnerabilities, read on:
The Microsoft article in the OP is either incorrect or out of date; POODLE can attack TLS 1.0 and 1.1 as well.
You can follow some of the steps in Exploresecurity's write-up to look for POODLE.
For the simple SSLv3 POODLE case, don't enable SSLv3 at all.
openssl s_client -ssl3 -connect host:port
Secure result
It doesn't connect!
If you have disabled TLSv1.0 and TLSv1.1 and allow only TLSv1.2, use the openssl command above with the -tls1 and -tls1_1 flags instead of -ssl3 (and -tls1_2, which should connect).
If you have one or both of TLSv1.0 and TLSv1.1 enabled, the more difficult TLS 1.0 and 1.1 POODLE tests are listed in a separate write-up on ExploreSecurity.com, although it seems the SSLLabs.com test is better.
Changes to tlslite
It seemed a bit crazy to fork the original project as my changes were tiny. I also thought that working through the changes here may be helpful to anyone else who wants to do the same sort of thing.
So to begin with I needed to signal to tlslite that I wanted to send TLS messages with invalid padding. You get things going with tlslite through the TLSConnection class so I changed how that was instantiated. TLSConnection inherits from TLSRecordLayer, which is where the padding code lives, so that needed changing too. Within the “tlslite” folder I made the following changes (obviously line numbers will be version dependent so I’ve added the original code too; my version was 0.4.8):
tlsconnection.py
Line 52 was:
def __init__(self, sock):
Now:
def __init__(self, sock, check_poodle_tls=False):
Now I can signal whether or not I want to perform the test
If you already have tlslite, you can change it safely because check_poodle_tls defaults to False so it’s backward-compatible with any existing code that makes use of tlslite
Line 61 was:
TLSRecordLayer.__init__(self, sock)
Now:
TLSRecordLayer.__init__(self, sock, check_poodle_tls)
I need to pass that signal on to the parent
tlsrecordlayer.py
Line 102 was:
def __init__(self, sock):
Now:
def __init__(self, sock, check_poodle_tls):
After line 103 self.sock = sock added new line:
self.check_poodle_tls = check_poodle_tls
After line 600 paddingBytes = bytearray([paddingLength] * (paddingLength+1)) added new lines:
if self.check_poodle_tls == True:
    paddingBytes = bytearray(x ^ 42 for x in paddingBytes[0:-1])
    paddingBytes.append(paddingLength)
change all but the last of the padding bytes to be invalid (just XOR with 42, the answer to everything)
make the last byte of padding valid = the number of padding bytes
And that’s it! Remember, as it’s Python, that tabs are important and the new code needs to be properly aligned.
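To see how a receiver should treat the padding produced by that change, here is an added example (not code from the original post or from tlslite; all function names are hypothetical). It applies the same XOR-42 change to a constructed record, then compares a strict TLS padding check with one that only looks at the last byte. It also covers the case where the padding length is 0, in which the modified record is identical to a valid one and the probe is inconclusive.

```python
# Added illustration; function names are hypothetical, sample data is constructed.

def tls_padding(data_len, block_size=16):
    """Valid TLS CBC padding for data_len bytes of plaintext + MAC."""
    padding_length = block_size - 1 - (data_len % block_size)
    return bytearray([padding_length] * (padding_length + 1))

def mangle_padding(padding):
    """The change described above: XOR all but the last byte with 42."""
    padding_length = padding[-1]
    mangled = bytearray(x ^ 42 for x in padding[0:-1])
    mangled.append(padding_length)
    return mangled

def strict_check(record, block_size=16):
    """TLS-compliant: every padding byte must equal the length byte."""
    if not record or len(record) % block_size != 0:
        return False
    padding_length = record[-1]
    if padding_length + 1 > len(record):
        return False
    return all(b == padding_length for b in record[-(padding_length + 1):])

def lax_check(record, block_size=16):
    """Last-byte-only check (SSLv3 semantics): padding content is ignored."""
    if not record or len(record) % block_size != 0:
        return False
    return record[-1] + 1 <= len(record)

def probe_outcome(data_len, block_size=16):
    """Return (strict accepts, lax accepts) for a record with mangled padding."""
    body = bytearray(b"A" * data_len)  # constructed stand-in for data + MAC
    record = body + mangle_padding(tls_padding(data_len, block_size))
    return strict_check(record, block_size), lax_check(record, block_size)

if __name__ == "__main__":
    # 20-byte body -> 11 padding bytes mangled: strict rejects, lax accepts.
    print(probe_outcome(20))
    # 15-byte body -> padding length 0, nothing to mangle: both accept,
    # so a probe of this size cannot distinguish the two behaviours.
    print(probe_outcome(15))
```

A server that still answers normally after receiving the mangled record is behaving like `lax_check`; a compliant one rejects it as `strict_check` does.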