Bug 862577 - Can not scan https / ssl in 2.1.5-2
Can not scan https / ssl in 2.1.5-2
Product: Fedora
Classification: Fedora
Component: nikto (Show other bugs)
Unspecified Linux
unspecified Severity unspecified
: ---
: ---
Assigned To: Huzaifa S. Sidhpurwala
Fedora Extras Quality Assurance
Depends On: 862937
  Show dependency treegraph
Reported: 2012-10-03 05:36 EDT by Kjetil Nygård
Modified: 2012-12-20 10:21 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-12-20 10:21:08 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
New nikto.spec file (4.23 KB, text/x-rpm-spec)
2012-10-03 07:04 EDT, Kjetil Nygård
no flags Details

  None (edit)
Description Kjetil Nygård 2012-10-03 05:36:52 EDT
Description of problem:
When i upgrade to 2.1.5-2, scanning of https / ssl does not work anymore.

It could be that nikto has it's own LW.pm module, which is not in the package. (See http://cirt.net/nikto2-docs/installation.html)

Version-Release number of selected component (if applicable):

How reproducible:
Just run this command:
   $ nikto -host google.com -port 443 -ssl

and get the result:
    Undefined subroutine &LW2::init_ssl_engine called at /bin/nikto line 66.

Steps to Reproduce:
1. Run in shell "nikto -host google.com -port 443 -ssl"

Actual results:
Undefined subroutine &LW2::init_ssl_engine called at /bin/nikto line 66.

Expected results:
That the scanning runs

Additional info:
It worked in 2.1.4
Comment 1 Kjetil Nygård 2012-10-03 07:04:00 EDT
Created attachment 620751 [details]
New nikto.spec file

Figured out that the problem is that Nikto uses a modified version of LW2.pm.

Therefore modified the spec-file. (Attached.)
Should also remove the "nikto-libwhisker2.patch" file.
Comment 2 Michal Ambroz 2012-10-03 14:26:01 EDT
Hello Kjetil,
this is against the pakaging guidelines to use embedded libraries.
If possible we should have one libwhisker in the system. That is the reason why there was some libwhisker2 patch in the first place.

Simple commenting out the line works, but is indeed somehow greedy in resources.
#set SSL Engine

I would say it is libwhisker which should be patched or maybe even the Net:SSLey, if it is really the one who leaks.

There seems to be some more thing on the other hand some more issue which needs attention. With this release all db_* files moved from /usr/share/nikto/plugins to /usr/share/nikto/database.

Michal Ambroz
Comment 3 Michal Ambroz 2012-10-03 15:34:44 EDT
I just confirmed the memory leak is really there. 
The memory leak in Net::SSleay is best demonstrated on a ssl server, which takes long to response. 
Using the libwhisker from nikto2 using Net::SSL would be running ok (cca 30M of memory), but using the system libwhisker

Some more info:
Comment 4 Michal Ambroz 2012-10-03 15:38:43 EDT
but using system libwhisker - the Net::SSLeay is preffered and it quickly eats all the memory (2Gigs in less than minute scanning single host)
Comment 5 Fedora Update System 2012-10-03 21:32:02 EDT
nikto-2.1.5-3.fc17 has been submitted as an update for Fedora 17.
Comment 6 Fedora Update System 2012-10-04 20:56:32 EDT
Package nikto-2.1.5-3.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing nikto-2.1.5-3.fc17'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 7 Fedora Update System 2012-12-20 10:21:11 EST
nikto-2.1.5-3.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.