Oracle Weblogic 10.3 + gnutls-cli = A TLS fatal...

Simon Josefsson simon at josefsson.org
Thu Feb 18 13:00:57 CET 2010


Michael Meyer <mime at gmx.de> writes:

>> Using GnuTLS in known insecure modes just because there are broken
>> servers out there doesn't seem like a good idea. Then you might as well
>> not use TLS at all, and just use TCP?
>
> Let me explain.
>
> OpenVAS stands for Open Vulnerability Assessment System and is a
> network security scanner. OpenVAS is a GPL fork of Nessus.
>
> I am trying to write a plugin for
> http://www.securityfocus.com/bid/37926
>
> Normally this is very simple. See
> http://intevydis.blogspot.com/2010/01/oracle-weblogic-1032-node-manager-fun.html
>
> For that an SSL connection is required.
>
> In NASL (Nessus Attack Scripting Language) it would look like (simplified):
>
> ,---|
> | port = 5556;
> | soc = open_sock_tcp(port, transport: ENCAPS_SSLv3); # or ENCAPS_SSLv23, ENCAPS_TLSv1
> |
> | if(!soc) {
> |   display("NO SOCKET\n\n");
> | } else {
> |   display("SOCKET OK\n\n");
> |   send(socket:soc, data: string("HELLO asdf\r\n"));
> |   buf = recv(socket:soc, length: 512);
> |   display("\n",buf,"\n\n");
> |   close(soc);
> | }
> `---|
>
> Result should be "+OK Node manager v10.3 started". I always got "NO
> SOCKET". With any kind of "transport". GnuTLS error at this point is:
> "A TLS fatal alert has been received".
>
> At this point, it's a problem if GnuTLS (rather the NASL function
> open_sock_tcp() which is using GnuTLS) can't connect to the remote
> service because of some problems (e.g. broken certificate, insecure
> cipher, ...) on the remote side. It means that I can not recognize the
> vulnerability. That's bad. ;)
>
> That's why I need - whenever humanly possible - a successful
> connection. In this case I'm not interested whether the connection is
> really secure.

Thanks for explaining, I understand now.

Using the priority string we came up with here seems reasonable if the
code is only used for testing this particular vulnerability.  In general
it is not easy to predict what problem needs to be worked around like we
did here, so I cannot give a general recommendation on what to
disable/enable to make sure you can always talk to any server.  You'll
have to test it like you did here, but at least now you should have the
information you need to work around several common TLS problems out
there.

/Simon





More information about the Gnutls-help mailing list