View Issue Details

ID: 0002357
Project: Kali Linux
Category: General Bug
View Status: public
Last Update: 2015-06-24 23:30
Reporter: jsherwood0
Assigned To: muts
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: no change required
Product Version: 1.1.0
Summary: 0002357: SSLv2 needs to be functional in a pentesting distro
Description

The baseline Debian openssl package has been patched to disable SSLv2 due to its inherent insecurity. While this makes perfect sense for a server distro, it is completely inappropriate to have the ability to connect to insecure servers (using SSLv2) disabled on a pentesting distro. Part of what Kali is used for is exploiting vulnerable protocols, so using the mainstream Debian package where SSLv2 is disabled is contrary to the main use case of the distro.

Issue 0000146 was closed because a single tool (sslscan) was modified to use static libraries with SSLv2 support enabled. A note was left on that issue that it should be reopened if other apps that needed the libraries were identified.

It is important here to recognize that identifying the use of SSLv2 on a server is good, but that identifying high level vulnerabilities aside from that is still required. The problem is that all of the apps that can be used to connect over SSL need to function with SSLv2. For (incomplete) example:

  • every scripting language that an exploit could be written in (i.e., ruby, python, perl, lua, etc.)
  • curl
  • wget
  • web browsers

As it stands, we have had to rebuild the openssl package and rebuild curl and ruby against those libraries to support our common needs. Obviously, these are steps that shouldn't be needed with a pentesting distro.

Activities

muts

2015-06-24 23:16

reporter   ~0003433

Last edited: 2015-06-24 23:17

Thanks for the suggestion; however, I do not think we will go down this path. People who need this extended functionality can rebuild tools and packages as they see fit.

jsherwood0

2015-06-24 23:24

reporter   ~0003434

I'm sorry, but all of your userbase needs this functionality. If they are not using it then they are failing to do their job thoroughly. Requiring your users to rebuild packages to get the ability to use all protocol types does not seem like the right solution, since those who want to go that route are using other distros.

muts

2015-06-24 23:30

reporter   ~0003435

We will not be enabling SSLv2 system wide.

Issue History

Date Modified Username Field Change
2015-06-24 23:08 jsherwood0 New Issue
2015-06-24 23:16 muts Note Added: 0003433
2015-06-24 23:16 muts Status new => closed
2015-06-24 23:16 muts Assigned To => muts
2015-06-24 23:16 muts Resolution open => no change required
2015-06-24 23:17 muts Note Edited: 0003433
2015-06-24 23:17 muts Note Edited: 0003433
2015-06-24 23:24 jsherwood0 Note Added: 0003434
2015-06-24 23:24 jsherwood0 Status closed => feedback
2015-06-24 23:24 jsherwood0 Resolution no change required => reopened
2015-06-24 23:30 muts Note Added: 0003435
2015-06-24 23:30 muts Status feedback => closed
2015-06-24 23:30 muts Resolution reopened => no change required