Kurt, Just realised that I'd replied to you off-list - my bad.
I'm not really sure where this should be logged as separate bug (or a security issue?) - I'll leave that up to you guys. ~Robin On 17/10/14 23:42, Kurt Roeckx wrote: > On Fri, Oct 17, 2014 at 11:21:38PM +0100, rbsec wrote: >> Kurt, >> >> I just re-ran sslscan with Wireshark capturing the traffic to take a >> look. I added a few more options to disable sslscan features to give a >> nice clean output - the only check performed is the preferred >> ciphersuite for the SSLv3 protocol. >> >> $ ./sslscan --no-heartbleed --no-compression --no-renegotiation >> --no-ciphersuites --no-check-certificate --ssl3 <target> >> >> Wireshark shows an SSLv3 handshake (SSL Version 0x0300 == SSLv3), and I >> get a ServerHello returned with the same version. >> >> Can you recreate this with sslscan? > You seem to be right. > > > Kurt > > -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

