Kurt,

Just realised that I'd replied to you off-list - my bad.

I'm not really sure where this should be logged as separate bug (or a
security issue?) - I'll leave that up to you guys.

~Robin

On 17/10/14 23:42, Kurt Roeckx wrote:
> On Fri, Oct 17, 2014 at 11:21:38PM +0100, rbsec wrote:
>> Kurt,
>>
>> I just re-ran sslscan with Wireshark capturing the traffic to take a
>> look. I added a few more options to disable sslscan features to give a
>> nice clean output - the only check performed is the preferred
>> ciphersuite for the SSLv3 protocol.
>>
>> $ ./sslscan --no-heartbleed --no-compression --no-renegotiation
>> --no-ciphersuites --no-check-certificate --ssl3 <target>
>>
>> Wireshark shows an SSLv3 handshake (SSL Version 0x0300 == SSLv3), and I
>> get a ServerHello returned with the same version.
>>
>> Can you recreate this with sslscan?
> You seem to be right.
>
>
> Kurt
>
>


-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to