Add support for legacy clients using SSLv2 and SSLv3 #35
This caught my interest. I'm following Sensepost for updates to the project, as I'm porting it to OpenWRT. If people are interested in testing this on OpenWRT, feel free to head to my repos below:
I’ve been thinking about this. I’d like to make it optional. I wouldn’t want to force an old version of SSL as the default purely for some legacy clients. I’m just not sure how yet. Ideally as a runtime option, but I don’t see how to build against both, alternatively as a build option but then I need to maintain two binaries.
Any ideas?
Yeah, I understand the issue.
As @adde88 pointed out, I think that you could successfully use the latest OpenSSL version (1.1.1b). The key part is to compile it to support legacy ciphers and to link hostapd-mana with the local build. You would have to manually upgrade the OpenSSL submodule used by the repo with every version upgrade though.
Upgrading the OpenSSL submodule is quite straightforward and I confirm that hostapd-mana builds fine with the latest OpenSSL 1.1.1b version. Check out my last commit on no0be:openssl-patch.
Use a local build of OpenSSL in order to add support for legacy clients using SSLv2 or SSLv3 (such as Windows 7) while maintaining support for modern systems, without compromising the integrity of the attacker's operating system.
Since OpenSSL needs to be compiled with special flags for this to work, this also adds a small script to automate the building process.
This is completely based on s0lst1c3's recent update to eaphammer for which details can be found here: