George,

Thanks for the help.

I took a network trace and it appears my server either issues a RST or a FIN on the connection so the first case you mentioned must apply.

I understand that the author of the Nessus plug-in decided that no response is bad, but is that decision really valid here? I.e., does a lack of response from my server indicate that the ASN.1 parsing problem exists in the version of the OpenSSL library (0.9.7d) I am using?

At the server level, I do not see any errors so, if there is indeed a buffer overflow, it must be happening within the OpenSSL library and in such a way as to be transparent to the application.

This is the specific area I am hoping to have clarified.

Thanks again,

- Andrew

From: George Theall <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Nessus security alert issued in error against OpenSSL v0.9.7d?
Date: Tue, 30 Nov 2004 20:50:40 -0500

On Tue, Nov 30, 2004, Andrew Kraslavsky wrote:

> To test the security of my proprietary HTTPS server, built with OpenSSL
> library version 0.9.7d, I ran Nessus version 2.2 against it and it reported
> the following alert (as issued by Nessus plug-in ID 11875, described at:
> http://cgi.nessus.org/plugins/dump.php3?id=11875 ):
...
> ---> My question is, why does Nessus report this alert


The why is fairly straightforward based on the plugin source -- in
response to a corrupt client certificate sent by the plugin, your server
sent either nothing or something other than an "unexpected_message" or
"bad_record_mac" alert (by assumption) message.

Now if your web server is on a different network than your Nessus server
or was busy, this may have occurred simply because the plugin timed out.
Have you sniffed the traffic or added some display() statements to the
plugin to learn exactly what's being returned?

George
--
[EMAIL PROTECTED]
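
The decision George describes, applied to the bytes a server returns after the corrupt client certificate. This is an added example, not part of the original thread and not the Nessus plug-in's own code. The function names and sample byte strings are constructed; the record type (21) and alert codes (10, 20) are the standard SSLv3/TLS values.

```python
import struct

ALERT = 21  # SSLv3/TLS record content type for alerts
# Alert descriptions named in the reply as the expected answers.
EXPECTED = {10: "unexpected_message", 20: "bad_record_mac"}


def parse_records(data):
    """Split raw bytes into (content_type, version, payload) records."""
    records, offset = [], 0
    while offset + 5 <= len(data):
        ctype, version, length = struct.unpack_from("!BHH", data, offset)
        payload = data[offset + 5: offset + 5 + length]
        if len(payload) < length:
            break  # truncated record: peer closed mid-record
        records.append((ctype, version, payload))
        offset += 5 + length
    return records


def classify(response):
    """Return (flagged, reason) for the bytes the server sent back."""
    if not response:
        return True, "no data (timeout, FIN or RST)"
    records = parse_records(response)
    if not records:
        return True, "data is not a complete TLS record"
    for ctype, _version, payload in records:
        if ctype != ALERT:
            continue
        if len(payload) != 2:
            return True, "alert record is not a 2-byte plaintext alert"
        _level, desc = payload
        if desc in EXPECTED:
            return False, "alert " + EXPECTED[desc]
        return True, "alert with description %d" % desc
    return True, "TLS records received but no alert"


# Constructed sample responses (not taken from a real capture).
SAMPLES = {
    "silent close": b"",
    "unexpected_message": bytes.fromhex("1503000002020a"),
    "bad_record_mac": bytes.fromhex("15030000020214"),
    "handshake_failure": bytes.fromhex("15030000020228"),
    "truncated header": bytes.fromhex("150300"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify(raw))
```

A flagged result here only means the response was not one of the two expected alerts; a connection closed with FIN or RST and a timed-out probe both land in the same "no data" bucket.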


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
