There was a suite of test scripts posted to the dev list (I set them up and used them very quickly), see below ....

Nou Dadoun
Senior Firmware Developer, Security Specialist
Office: 604.629.5182 ext 2632

-----Original Message-----
From: openssl-dev [mailto:openssl-dev-bounces@xxxxxxxxxxx] On Behalf Of Hubert Kario
Sent: Tuesday, March 01, 2016 7:22 AM
To: openssl-dev at openssl.org
Subject: Re: [openssl-dev] OpenSSL Security Advisory

Scripts to verify that a server is not vulnerable to DROWN.

Two scripts are provided to verify that SSLv2 and all of its ciphers are disabled and that export grade SSLv2 are disabled and can't be forced by client.

Reproducer requires Python 2.6 or 3.2 or later, you will also need git to download the sources

    # Download the reproducer:
    git clone https://github.com/tomato42/tlsfuzzer
    cd tlsfuzzer
    git checkout ssl2

    # Download the reproducer dependencies
    git clone https://github.com/tomato42/tlslite-ng .tlslite-ng
    ln -s .tlslite-ng/tlslite tlslite
    pushd .tlslite-ng
    # likely won't be necessary in near future, code will be merged soon
    git checkout sslv2
    popd
    git clone https://github.com/warner/python-ecdsa .python-ecdsa
    ln -s .python-ecdsa/ecdsa ecdsa

To verify that an https server at example.com does not support SSLv2 at all, use the following command:

    PYTHONPATH=. python scripts/test-sslv2-force-export-cipher.py \
        -h example.com -p 443

To only verify that the server does not support export grade SSLv2 ciphers, use the following command:

    PYTHONPATH=. python scripts/test-sslv2-force-cipher.py -h example.com \
        -p 443

(note, the first script is a superset of the second one)

In both cases all the individual tests in the scripts should print "OK" status if the specific cipher is not supported and report "failed: 0" together with exit status of 0 if you want to automate it.

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
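
Automating the check described in the message above for several endpoints, as an added example that is not part of the original message or of tlsfuzzer: an endpoint passes only when both signals the message names are present (exit status 0 and a "failed: 0" summary). The function names, the HOST[:PORT] argument format, the file name drown-gate.sh and the exact layout of the summary line are assumptions; run it from the tlsfuzzer checkout.

```sh
#!/bin/sh
# Added example: pass an endpoint only when BOTH signals from the message
# are present: exit status 0 and a "failed: 0" summary in the output.

# The script the message uses to verify SSLv2 is not supported at all.
FULL_CHECK=test-sslv2-force-export-cipher.py

# Hypothetical hook so a harness can substitute canned output.
run_script() {    # $1 = script name, $2 = host, $3 = port
    PYTHONPATH=. python "scripts/$1" -h "$2" -p "$3"
}

# verdict STATUS OUTPUT: succeed only on status 0 plus a "failed: 0" summary.
# The digit guard keeps a count such as "failed: 03" from matching.
verdict() {
    [ "$1" -eq 0 ] || return 1
    printf '%s\n' "$2" | grep -Eq 'failed: 0([^0-9]|$)'
}

# check_all HOST[:PORT]...: print PASS/FAIL per endpoint (port defaults to
# 443); return non-zero if any endpoint fails.
check_all() {
    rc=0
    for target in "$@"; do
        case $target in *:*) ;; *) target="$target:443" ;; esac
        host=${target%:*}
        port=${target##*:}
        # Capture the status without tripping "set -e" in a calling script.
        if out=$(run_script "$FULL_CHECK" "$host" "$port" 2>&1); then
            status=0
        else
            status=$?
        fi
        if verdict "$status" "$out"; then
            echo "PASS $target"
        else
            echo "FAIL $target (exit status $status)"
            rc=1
        fi
    done
    return "$rc"
}

# Run only when endpoints are given, e.g.: sh drown-gate.sh example.com:443
if [ "$#" -gt 0 ]; then
    check_all "$@"
fi
```

Requiring the summary line as well as the exit status means a run that stops before printing its summary is reported as FAIL rather than silently passing.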