or you could even go poking around insideuse Crypt::SSLeay 0.57; use Net::SSL 2.84; print "Net::SSL $Net::SSL::VERSION\n"; print "Crypt::SSLeay $Crypt::SSLeay::VERSION\n";
2) And once we figure that out, we're still not aware of a way to learn which version of SSL is actually being used. It may fail when trying SSL 3.0 and fall back to SSL 2.0... We may have such an old version of (insert dependancy name here) that 3.0 isn't even available. These are our prime concerns we're trying to figure out.print $Net::HTTPS::SSL_SOCKET_CLASS;
Demand up to date versions of modules like shown above. And don't be afraid to dig through the source till you figure it out :)
3) Also, those notes make reference to "$ENV{HTTPS_VERSION}".... As this is a web app, isn't the $ENV variable filled with values associated with the connection between the web app client and our server? The connection we're worried about is between our server and the 3rd party service.
%ENV is filled with lots of stuff, and AFAIK, no webserver sets $ENV{HTTPS_VERSION}, which is probably why it was chosen by Crypt::SSLeay
Heres one way to check
#!/usr/bin/perl -- use strict; use warnings; use WWW::Mechanize 1.54; use LWP 5.823; use Crypt::SSLeay 0.57; use Net::SSL 2.84; use LWP::Protocol::https; sub LWP::Protocol::https::_get_sock_info { package LWP::Protocol::https; my $self = shift; $self->SUPER::_get_sock_info(@_); my($res, $sock) = @_; $res->header("Client-SSL-Cipher" => $sock->get_cipher); my $cert = $sock->get_peer_certificate; if ($cert) { $res->header("Client-SSL-Cert-Subject" => $cert->subject_name); $res->header("Client-SSL-Cert-Issuer" => $cert->issuer_name); $res->header("Client-SSL-VERSION" => *$sock->{ssl_version}); #ding +dong } if(! eval { $sock->get_peer_verify }) { $res->header("Client-SSL-Warning" => "Peer certificate not veri +fied"); } } use LWP::ConnCache; $Net::SSLeay::ssl_version = 10; # Insist on TLSv1 $Net::SSLeay::ssl_version = 3; # Insist on SSLv3 my $ua = WWW::Mechanize->new(); # keep_alive => 1 $ua->conn_cache(LWP::ConnCache->new); my $uri = URI->new("https://www.modsecurity.org/"); $ua->get( $uri, 'host' => $uri->host, 'Accept' => 'text/html,application/xhtml+xml,application/xml', ); print " ###################################################################### +######## WWW::Mechanize $WWW::Mechanize::VERSION LWP $LWP::VERSION Crypt::SSLeay $Crypt::SSLeay::VERSION; Net::HTTPS::SSL_SOCKET_CLASS = $Net::HTTPS::SSL_SOCKET_CLASS "; for my $con( $ua->conn_cache->get_connections ){ # LWP::Protocol::https::Socket; @ISA = qw(Net::HTTPS LWP::Protocol +::http::SocketMethods); print " ###################################################################### +######## "; print "$con $_ = ${*$con}{$_}\n" for grep /ssl/i, keys %{ *$con }; }; print "\n",'#'x66,"\n", $ua->response->headers->as_string,"\n",'#'x66, +"\n"; #print Data::Dumper->new([$ua])->Indent(1)->Dump();use Data::Dumper; __END__ Subroutine LWP::Protocol::https::_get_sock_info redefined at lwp-ssl-v +ersion.pl line 16. ###################################################################### +######## WWW::Mechanize 1.54 LWP 5.823 Crypt::SSLeay 0.57; Net::HTTPS::SSL_SOCKET_CLASS = Net::SSL ###################################################################### +######## LWP::Protocol::https::Socket=GLOB(0x215a744) ssl_ssl = Crypt::SSLeay:: +Conn=SCALAR(0x215afc0) LWP::Protocol::https::Socket=GLOB(0x215a744) ssl_peer_addr = www.modse +curity.org LWP::Protocol::https::Socket=GLOB(0x215a744) ssl_peer_port = 443 LWP::Protocol::https::Socket=GLOB(0x215a744) ssl_ctx = Crypt::SSLeay:: +CTX=SCALAR(0x215a8f4) LWP::Protocol::https::Socket=GLOB(0x215a744) ssl_arg = HASH(0x1fa1238) LWP::Protocol::https::Socket=GLOB(0x215a744) ssl_debug = 0 LWP::Protocol::https::Socket=GLOB(0x215a744) ssl_new_arg = HASH(0x1f44 +c8c) LWP::Protocol::https::Socket=GLOB(0x215a744) ssl_peer_verify = 0 LWP::Protocol::https::Socket=GLOB(0x215a744) ssl_version = 23 ################################################################## Connection: Keep-Alive Date: Thu, 26 Feb 2009 17:58:28 GMT Accept-Ranges: bytes Server: Apache Content-Type: text/html Content-Type: text/html; charset=UTF-8 Client-Date: Thu, 26 Feb 2009 17:59:54 GMT Client-Peer: 216.75.21.122:443 Client-Response-Num: 1 Client-SSL-Cert-Issuer: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, I +nc./OU=http://certificates.godaddy.com/repository/ CN=Go Daddy Secure Certification Authority/serialNumber=07969287 Client-SSL-Cert-Subject: /O=www.modsecurity.org/OU=Domain Control Vali +dated/CN=www.modsecurity.org Client-SSL-Cipher: DHE-RSA-AES256-SHA Client-SSL-VERSION: 23 Client-SSL-Warning: Peer certificate not verified Client-Transfer-Encoding: chunked Keep-Alive: timeout=15, max=100 Link: <ms.css>; rel="StyleSheet"; type="text/css" Link: <favicon.ico>; rel="shortcut icon"; type="image/x-icon" Title: ModSecurity: Open Source Web Application Firewall X-Meta-Citydesk: 69C8DF18/12 X-Meta-Description: ModSecurity is an open source web application fire +wall. Working embedded in the web server, or stand alone as a network appliance, it detects and prevents attacks against +web applications. X-Meta-Generator: Fog Creek CityDesk 2.0.25 X-Meta-Keywords: web application firewall, application firewall, intru +sion detection, intrusion prevention, open source, web security, application security, web application security, applica +tion gateway ##################################################################
In reply to Re^3: SSL Version Mystery
by Anonymous Monk
in thread SSL Version Mystery
by RiscIt
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |