Address openssl sslv2 issues

David Maloney · David Maloney · commit 246977e0cf2f · 2013-03-04T17:39:28.000-06:00
Debian/Ubuntu ship openssl without sslv2 compiled in.
we now check for this ahead of time
diff --git a/lib/rex/sslscan/result.rb b/lib/rex/sslscan/result.rb
@@ -5,6 +5,8 @@
 module Rex::SSLScan
 class Result
 
+	attr_accessor :sslv2
+
 	attr_reader :ciphers
 	attr_reader :supported_versions
 
@@ -197,6 +199,7 @@ def to_s
 		if @cert
 			text <<" \n\n #{@cert.to_text}"
 		end
+		text << "\n\n *** WARNING: Your OS hates freedom! Your OpenSSL libs are compiled without SSLv2 support!"
 		text
 	end
 end
diff --git a/lib/rex/sslscan/scanner.rb b/lib/rex/sslscan/scanner.rb
@@ -11,6 +11,7 @@ class Scanner
 	attr_accessor :timeout
 	
 	attr_reader :supported_versions
+	attr_reader :sslv2
 
 	# Initializes the scanner object
 	# @param host [String] IP address or hostname to scan
@@ -22,7 +23,13 @@ def initialize(host,port = 443,context = {},timeout=5)
 		@port       = port
 		@timeout    = timeout
 		@context    = context
-		@supported_versions = [:SSLv2, :SSLv3, :TLSv1]
+		if check_opensslv2
+			@supported_versions = [:SSLv2, :SSLv3, :TLSv1]
+			@sslv2 = true
+		else
+			@supported_versions = [:SSLv3, :TLSv1]
+			@sslv2 = false
+		end
 		raise StandardError, "The scanner configuration is invalid" unless valid?
 	end
 
@@ -44,7 +51,7 @@ def valid?
 	# @return [Result] object containing the details of the scan
 	def scan
 		scan_result = Rex::SSLScan::Result.new
-		
+		scan_result.sslv2 = sslv2
 		# If we can't get any SSL connection, then don't bother testing
 		# individual ciphers.
 		if test_ssl == :rejected and test_tls == :rejected
@@ -181,5 +188,14 @@ def validate_params(ssl_version, cipher)
 		end
 	end
 
+	def check_opensslv2
+		begin 
+			OpenSSL::SSL::SSLContext.new(:SSLv2)
+		rescue
+			return false
+		end
+		return true
+	end
+
 end
 end
diff --git a/spec/lib/rex/sslscan/result_spec.rb b/spec/lib/rex/sslscan/result_spec.rb
@@ -456,4 +456,16 @@
 		end
 	end
 
+	context "when OpenSSL is compiled without SSLv2" do
+		before(:each) do
+			subject.add_cipher(:SSLv3, "AES256-SHA", 256, :accepted)
+			subject.add_cipher(:TLSv1, "AES256-SHA", 256, :accepted)
+			subject.add_cipher(:SSLv3, "AES128-SHA", 128, :accepted)
+			subject.sslv2 = false
+		end
+		it "should warn the user" do
+			subject.to_s.should include "*** WARNING: Your OS hates freedom! Your OpenSSL libs are compiled without SSLv2 support!"
+		end
+	end
+
 end
