[Feature request] Test for Opossum attack / RFC 2817
Closed this issue · 4 comments
testssl.sh could check HTTP servers for support of RFC 2817 (opportunistic TLS), which makes them vulnerable to the Opossum attack.
RFC 2817 is not widely used in practice, but supported by some servers. It allows a man-in-the-middle attacker to serve the wrong content to an HTTPS request.
Here's a simple shell-based check:
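```bash
#!/bin/bash
# Send an HTTP/1.1 request with an RFC 2817 upgrade header to port 80 of host $1
# and look for "Upgrade: TLS" in the response.
echo -en "GET / HTTP/1.1\r\nHost: $1\r\nUpgrade: TLS/1.0\r\n\r\nClose\r\n" | nc "$1" 80 | grep -q "Upgrade: TLS"
[ $? -eq 0 ] && echo "$1 vulnerable"
```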
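A stricter variant of the check above, as an added example that is not part of the original issue or of testssl.sh: it inspects only the status line and headers of the response, so an `Upgrade: TLS` string in the body is not counted, and it separates the RFC 2817 response types. The function names are hypothetical and the sample responses are constructed.

```shell
#!/bin/sh
# Added example (not testssl.sh code). Function names are hypothetical.

# Classify a raw HTTP response read from stdin by its status line and headers.
# The body is never inspected, so "Upgrade: TLS" in page content is ignored.
classify_rfc2817() {
    tr -d '\r' | {
        status="" upgrade_tls=0 first=1
        while IFS= read -r line || [ -n "$line" ]; do
            [ -z "$line" ] && break              # blank line ends the headers
            if [ "$first" -eq 1 ]; then          # HTTP/1.1 <code> <reason>
                first=0
                status=${line#* }
                status=${status%% *}
                continue
            fi
            lc=$(printf '%s' "$line" | tr '[:upper:]' '[:lower:]')
            case "$lc" in
                upgrade:*tls/*) upgrade_tls=1 ;;
            esac
        done
        if [ "$upgrade_tls" -eq 0 ]; then
            echo "not-offered"
        elif [ "$status" = "101" ]; then
            echo "upgrade-accepted"              # RFC 2817 section 3.3
        elif [ "$status" = "426" ]; then
            echo "upgrade-required"              # RFC 2817 section 4.2
        else
            echo "upgrade-advertised"            # RFC 2817 section 4.1
        fi
    }
}

# Send the optional-upgrade request of RFC 2817 section 3.1 and classify the reply.
probe_rfc2817() {   # usage: probe_rfc2817 host [port]
    printf 'GET / HTTP/1.1\r\nHost: %s\r\nUpgrade: TLS/1.0\r\nConnection: Upgrade\r\n\r\n' "$1" |
        nc -w 5 "$1" "${2:-80}" | classify_rfc2817
}

# Constructed sample responses (not captured from a real server).
sample_accept() { printf 'HTTP/1.1 101 Switching Protocols\r\nUpgrade: TLS/1.0, HTTP/1.1\r\nConnection: Upgrade\r\n\r\n'; }
sample_body_only() { printf 'HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nUpgrade: TLS/1.0\r\n'; }
sample_advertised() { printf 'HTTP/1.1 200 OK\r\nUpgrade: TLS/1.0\r\nContent-Length: 0\r\n\r\n'; }

for s in sample_accept sample_body_only sample_advertised; do
    printf '%s: %s\n' "$s" "$("$s" | classify_rfc2817)"
done
```

A plain `grep` over the whole response would flag the `sample_body_only` case, where the string appears only in the body.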
Thanks for your suggestion.
I believe CUPS offered such a thing in the past? Otherwise, an FQDN / IP to test against would be great.
Yes, the Opossum webpage mentions that CUPS wants to address it, so it probably is affected.
You can also enable it in Apache by configuring "SSLEngine optional" and a cert/key for an HTTP vhost.
Thanks, @hannob for the heads up.
For newer CUPS servers (Debian) and also for printers the attack didn't work. One cannot check this through a proxy though. Don't know whether squid swallows the supplied header somehow, per configuration?
Other than that: Got reliably working code (for HTTP services), needs to be integrated into testssl.sh though.
--> tomorrow
