ROBOT false negative

[weddige]

Describe the bug
The lines 187-201 in _robot_tester.py (https://github.com/nabla-c0d3/sslyze/blob/release/sslyze/plugins/robot/_robot_tester.py#L186) are never executed and lead to false negatives when scanning servers for the ROBOT vulnerability.

To Reproduce
At the moment, I can't reveal the vulnerable server. However, I encountered it in the wild.

Expected behavior
A vulnerable server should never report NOT_VULNERABLE_NO_ORACLE.

Python environment (please complete the following information):

• OS: Windows 10
• Python version: 3.8

[weddige]

If the increase in the term makes this check undesirable, I would be also happy about an optional plugin (not included in --regular) to perform this check.

[nabla-c0d3]

Hello and thanks the report. If you uncomment the lines of code, is SSLyze able to detect the issue on the server?

[weddige]

Yes, with the following change, the issue is detected:

$ git diff
diff --git a/sslyze/plugins/robot/_robot_tester.py b/sslyze/plugins/robot/_robot_tester.py
index 784ef20..48e68a3 100644
--- a/sslyze/plugins/robot/_robot_tester.py
+++ b/sslyze/plugins/robot/_robot_tester.py
@@ -183,7 +183,7 @@ def test_robot(server_info: ServerConnectivityInfo) -> Dict[RobotPmsPaddingPaylo
     server_responses_per_robot_payloads = _run_oracle_detection(
         server_info, tls_version_to_use, cipher_string, rsa_modulus, rsa_exponent, robot_should_complete_handshake
     )
-    return server_responses_per_robot_payloads
+    # return server_responses_per_robot_payloads

     # TODO(AD): The following section was taken from the original ROBOT poc script but makes the scans really slow as it
     # waits for server timeouts

[nabla-c0d3]

@weddige Would you be able to email me the server, so I can troubleshoot this?

[weddige]

@weddige Would you be able to email me the server, so I can troubleshoot this?

Did you get my email or do you need any more information?