1) How can I tell that the SSL being used is provided by Crypt::SSLeay and not IO::Socket::SSL ?
See which one is loaded:
# Require minimum versions of the two SSL glue modules, then report which
# versions actually got loaded.
use Crypt::SSLeay 0.57;
use Net::SSL 2.84;
printf "Net::SSL %s\n", $Net::SSL::VERSION;
printf "Crypt::SSLeay %s\n", $Crypt::SSLeay::VERSION;
Or you could even go poking around inside:
# Net::HTTPS records the socket class it settled on (Net::SSL in the sample
# output further down); print it to see which backend is really in play.
my $ssl_socket_class = $Net::HTTPS::SSL_SOCKET_CLASS;
print $ssl_socket_class;
2) And once we figure that out, we're still not aware of a way to learn which version of SSL is actually being used. It may fail when trying SSL 3.0 and fall back to SSL 2.0... We may have such an old version of (insert dependency name here) that 3.0 isn't even available. These are the prime concerns we're trying to figure out.
Demand up-to-date versions of the modules, as shown above.
And don't be afraid to dig through the source till you figure it out :)
3) Also, those notes make reference to "$ENV{HTTPS_VERSION}".... As this is a web app, isn't the $ENV variable filled with values associated with the connection between the web app client and our server? The connection we're worried about is between our server and the 3rd party service.
%ENV is filled with lots of stuff, and AFAIK no web server sets $ENV{HTTPS_VERSION}, which is probably why Crypt::SSLeay chose that name.
Here's one way to check:
#!/usr/bin/perl --
use strict;
use warnings;
use WWW::Mechanize 1.54;
use LWP 5.823;
use Crypt::SSLeay 0.57;
use Net::SSL 2.84;
use LWP::Protocol::https;
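# Override LWP::Protocol::https::_get_sock_info so that every response
# carries Client-SSL-* headers describing the SSL session it arrived over.
# The `package` statement inside the body makes SUPER:: resolve against
# LWP::Protocol::https rather than main (the sub is defined from main).
# Arguments after $self: ($res, $sock) — presumably the HTTP::Response and
# the SSL socket. The only result that matters is the side effect on $res.
sub LWP::Protocol::https::_get_sock_info
{
    package LWP::Protocol::https;
    my $self = shift;
    $self->SUPER::_get_sock_info(@_);
    my ($res, $sock) = @_;

    $res->header("Client-SSL-Cipher" => $sock->get_cipher);

    my $cert = $sock->get_peer_certificate;
    if ($cert) {
        $res->header("Client-SSL-Cert-Subject" => $cert->subject_name);
        $res->header("Client-SSL-Cert-Issuer"  => $cert->issuer_name);
        # $sock is a glob; its hash slot holds the ssl_* state, so reach in
        # for the negotiated version (23 = SSLv23 in the sample output).
        $res->header("Client-SSL-VERSION" => *$sock->{ssl_version});
    }

    # get_peer_verify may not exist on every socket class, hence the eval.
    # A false or missing result means the peer certificate was NOT verified,
    # which is what the sample output reports (ssl_peer_verify = 0) — the
    # warning header makes that visible to whoever reads the response.
    if (!eval { $sock->get_peer_verify }) {
        $res->header("Client-SSL-Warning" => "Peer certificate not verified");
    }
}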
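use LWP::ConnCache;

# $Net::SSLeay::ssl_version lives in the Net::SSLeay package and is presumably
# honoured by the IO::Socket::SSL path. The original assigned 10 (TLSv1) and
# then 3 (SSLv3) back to back, so only the last value ever took effect; keep
# the effective one and leave the alternative as a comment. With Crypt::SSLeay
# (Net::SSL) as the socket class the protocol version is chosen via
# $ENV{HTTPS_VERSION} instead, which is consistent with the sample output
# below still reporting ssl_version = 23 (auto-negotiate). SSLv3 is obsolete;
# prefer TLS wherever the installed toolkit supports it.
# $Net::SSLeay::ssl_version = 10;   # Insist on TLSv1
$Net::SSLeay::ssl_version = 3;      # Insist on SSLv3

# keep_alive => 1 would also work; an explicit ConnCache lets us walk the
# cached sockets after the request and dump their ssl_* state.
# NOTE(review): the sample output shows ssl_peer_verify = 0 and a
# Client-SSL-Warning header, i.e. the server certificate is not being checked.
# For anything beyond a diagnostic run, point the client at a CA bundle
# (Crypt::SSLeay reads $ENV{HTTPS_CA_FILE} / $ENV{HTTPS_CA_DIR} — confirm
# against its docs) so the peer identity is actually verified.
my $ua = WWW::Mechanize->new();
$ua->conn_cache(LWP::ConnCache->new);

my $uri = URI->new("https://www.modsecurity.org/");
$ua->get(
    $uri,
    'host'   => $uri->host,
    'Accept' => 'text/html,application/xhtml+xml,application/xml',
);

# 78 = width of the banner in the original listing (which the wrapped
# rendering splits across two lines); 66 matches the '#'x66 rule below.
my $wide_rule  = '#' x 78;
my $short_rule = '#' x 66;

# Version report. The stray ';' that followed the Crypt::SSLeay version in the
# original output was a typo in the string, not part of the version.
print <<"BANNER";

$wide_rule
WWW::Mechanize $WWW::Mechanize::VERSION
LWP $LWP::VERSION
Crypt::SSLeay $Crypt::SSLeay::VERSION
Net::HTTPS::SSL_SOCKET_CLASS = $Net::HTTPS::SSL_SOCKET_CLASS
BANNER

for my $con ($ua->conn_cache->get_connections) {
    # $con is an LWP::Protocol::https::Socket glob
    # (@ISA = qw(Net::HTTPS LWP::Protocol::http::SocketMethods)); its ssl_*
    # state sits in the glob's hash slot, so dump every key mentioning "ssl".
    print "\n$wide_rule\n";
    for my $key (grep { /ssl/i } keys %{ *$con }) {
        print "$con $key = ${*$con}{$key}\n";
    }
}

# The full response headers, including the Client-SSL-* ones added by the
# _get_sock_info override above.
print "\n$short_rule\n", $ua->response->headers->as_string, "\n$short_rule\n";

# Uncomment to inspect the whole agent object:
# use Data::Dumper; print Data::Dumper->new([$ua])->Indent(1)->Dump();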
__END__
Subroutine LWP::Protocol::https::_get_sock_info redefined at lwp-ssl-v
+ersion.pl line 16.
######################################################################
+########
WWW::Mechanize 1.54
LWP 5.823
Crypt::SSLeay 0.57;
Net::HTTPS::SSL_SOCKET_CLASS = Net::SSL
######################################################################
+########
LWP::Protocol::https::Socket=GLOB(0x215a744) ssl_ssl = Crypt::SSLeay::
+Conn=SCALAR(0x215afc0)
LWP::Protocol::https::Socket=GLOB(0x215a744) ssl_peer_addr = www.modse
+curity.org
LWP::Protocol::https::Socket=GLOB(0x215a744) ssl_peer_port = 443
LWP::Protocol::https::Socket=GLOB(0x215a744) ssl_ctx = Crypt::SSLeay::
+CTX=SCALAR(0x215a8f4)
LWP::Protocol::https::Socket=GLOB(0x215a744) ssl_arg = HASH(0x1fa1238)
LWP::Protocol::https::Socket=GLOB(0x215a744) ssl_debug = 0
LWP::Protocol::https::Socket=GLOB(0x215a744) ssl_new_arg = HASH(0x1f44
+c8c)
LWP::Protocol::https::Socket=GLOB(0x215a744) ssl_peer_verify = 0
LWP::Protocol::https::Socket=GLOB(0x215a744) ssl_version = 23
##################################################################
Connection: Keep-Alive
Date: Thu, 26 Feb 2009 17:58:28 GMT
Accept-Ranges: bytes
Server: Apache
Content-Type: text/html
Content-Type: text/html; charset=UTF-8
Client-Date: Thu, 26 Feb 2009 17:59:54 GMT
Client-Peer: 216.75.21.122:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, I
+nc./OU=http://certificates.godaddy.com/repository/
CN=Go Daddy Secure Certification Authority/serialNumber=07969287
Client-SSL-Cert-Subject: /O=www.modsecurity.org/OU=Domain Control Vali
+dated/CN=www.modsecurity.org
Client-SSL-Cipher: DHE-RSA-AES256-SHA
Client-SSL-VERSION: 23
Client-SSL-Warning: Peer certificate not verified
Client-Transfer-Encoding: chunked
Keep-Alive: timeout=15, max=100
Link: <ms.css>; rel="StyleSheet"; type="text/css"
Link: <favicon.ico>; rel="shortcut icon"; type="image/x-icon"
Title: ModSecurity: Open Source Web Application Firewall
X-Meta-Citydesk: 69C8DF18/12
X-Meta-Description: ModSecurity is an open source web application fire
+wall. Working embedded in the web server, or stand
alone as a network appliance, it detects and prevents attacks against
+web applications.
X-Meta-Generator: Fog Creek CityDesk 2.0.25
X-Meta-Keywords: web application firewall, application firewall, intru
+sion detection, intrusion prevention, open source,
web security, application security, web application security, applica
+tion gateway
##################################################################