The TLS renegotiation man-in-the-middle vulnerability (the "SSL middleman attack") was disclosed in
2009. It is a flaw in the TLS protocol itself, so it affected essentially every TLS implementation of
the time, OpenSSL included, and therefore every device built on OpenSSL. WebMux issued a security fix
immediately. How do you verify whether your own WebMux firmware carries that fix? Some vulnerability
scanners mistakenly decide from the advertised SSL or OpenSSL version number alone whether the problem
is fixed, which says nothing about whether a backported fix is present. This howto gives a simple
method to verify whether the hole still exists in your WebMux firmware.
Let's first look at the problem on a stock Debian Apache 2.2.3 server without the fix. Point openssl
s_client at the server, type the beginning of an HTTP request, then issue the renegotiation command:
$ openssl s_client -connect testdomain.com:443 -cipher EXP-RC4-MD5
CONNECTED(00000003)
...(certificate verification process trimmed)...
GET / http/1.0
X-ignore-me: GET /
R
RENEGOTIATING
...(certificate verification process trimmed)...
read R BLOCK
HTTP/1.1 200 OK
Date: Wed, 23 Sep 2009 14:23:07 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c
Last-Modified: Mon, 21 Sep 2009 00:24:57 GMT
ETag: "33ecf-54-4740b82eee840"
Accept-Ranges: bytes
Content-Length: 84
Connection: close
Content-Type: text/html; charset=UTF-8
<html><head><title>It Worked!</title></head><body><h1>It Worked!
</h1></body></html>
closed
$
Note that the line with the single "R" (typed on a line of its own) tells s_client to initiate a
renegotiation, and the following line RENEGOTIATING is emitted by s_client to show that a
renegotiation is in progress; the second trimmed certificate block is the renegotiated handshake
completing. Note also that it succeeds before the HTTP headers are terminated. After the renegotiation
is complete, the final blank line is sent, causing the response to be sent. The request is laid out
the way the attack uses it: the attacker's request, ending in an unterminated header, goes first, and
after the renegotiation the victim's own request is appended to it, with X-ignore-me: swallowing the
victim's request line so the server executes the attacker's GET with the victim's credentials.
The -cipher EXP-RC4-MD5 option only pins one cipher suite for the demonstration; it is not needed for
the test, and current OpenSSL builds no longer include export cipher suites at all.
For a WebMux firmware with the security fix, the process should fail after the "R" command is issued.
Two caveats when testing with a current openssl binary: TLS 1.3 has no renegotiation, so force TLS 1.2
or older (-tls1_2), and a modern client refuses to renegotiate with a server that lacks RFC 5746 unless
you pass -legacy_renegotiation (on OpenSSL 3.x also -legacy_server_connect to connect at all). A
server that prints "Secure Renegotiation IS supported" implements RFC 5746; on such a server the
renegotiation may succeed, but it is bound to the original handshake and cannot be spliced by a
middleman, so that outcome is also not vulnerable.
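The following script is an added example and is not part of the WebMux howto or of the vendor's
firmware. It replays the manual s_client session above against a live host and classifies the
transcript, so the same check can be run repeatedly or against several appliances. It assumes
openssl(1) is in PATH, that the target speaks TLS 1.2 or older, and that your openssl accepts the
-tls1_2, -legacy_renegotiation and -legacy_server_connect options (OpenSSL 1.0.1 and later). The
hostname testdomain.com in the usage comment is a placeholder, as on the page above.

```shell
#!/bin/sh
# Added example (not from the WebMux howto): automate the s_client renegotiation
# test and turn the transcript into a verdict.
# Assumptions: openssl(1) in PATH; a TLS 1.2-or-lower endpoint; openssl accepts
# -tls1_2, -legacy_renegotiation and -legacy_server_connect.

# classify_reneg_transcript: read an s_client transcript on stdin and print one
# verdict word. Exit status is always 0; the printed word is the result.
#   SECURE_RENEG   server advertises RFC 5746 secure renegotiation, so even a
#                  completed renegotiation cannot be spliced by a middleman
#   VULNERABLE     "R" produced RENEGOTIATING and a second handshake completed
#                  (s_client prints a second "SSL-Session:" summary) on a server
#                  without RFC 5746
#   RENEG_REFUSED  "R" produced RENEGOTIATING but no second handshake followed
#   INCONCLUSIVE   no RENEGOTIATING marker, or our own client refused to try
#                  ("unsafe legacy renegotiation disabled": rerun with
#                  -legacy_renegotiation)
classify_reneg_transcript() {
    transcript=$(cat)
    if printf '%s\n' "$transcript" | grep -q 'legacy renegotiation disabled'; then
        echo INCONCLUSIVE
        return 0
    fi
    if printf '%s\n' "$transcript" | grep -q 'Secure Renegotiation IS supported'; then
        echo SECURE_RENEG
        return 0
    fi
    if ! printf '%s\n' "$transcript" | grep -q '^RENEGOTIATING'; then
        echo INCONCLUSIVE
        return 0
    fi
    # One "SSL-Session:" block per completed handshake; two means the
    # renegotiation went through.
    sessions=$(printf '%s\n' "$transcript" | grep -c '^SSL-Session:' || true)
    if [ "$sessions" -ge 2 ]; then
        echo VULNERABLE
    else
        echo RENEG_REFUSED
    fi
    return 0
}

# check_host HOST [PORT]: replay the howto's session against a live server.
# The sleeps matter: s_client treats "R" as its renegotiate command only when
# that line arrives as a read of its own, so the partial request, the "R" and
# the terminating blank line are written separately. -tls1_2 avoids TLS 1.3,
# which has no renegotiation; -legacy_renegotiation and -legacy_server_connect
# let a modern client connect to, and renegotiate with, a pre-RFC 5746 server.
check_host() {
    host=$1
    port=${2:-443}
    {
        printf 'GET / HTTP/1.0\r\nX-ignore-me: GET /\r\n'
        sleep 2
        printf 'R\n'
        sleep 3
        printf '\r\n'
        sleep 2
    } | openssl s_client -connect "$host:$port" -tls1_2 \
            -legacy_renegotiation -legacy_server_connect 2>&1 \
      | classify_reneg_transcript
}

# Usage against a placeholder host:   check_host testdomain.com 443
```

Run check_host against the WebMux virtual server address; VULNERABLE means the 2009 hole is still
open, RENEG_REFUSED matches the "fails after R" behaviour the howto describes for a fixed firmware,
and SECURE_RENEG means the appliance carries the later RFC 5746 fix. If you see INCONCLUSIVE, inspect
the raw transcript (drop the final pipe) before drawing any conclusion.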