How Can I Determine What SSL/TLS Versions Are Available for HTTPS Communication?

Sometimes you’ll want to check the availability of various SSL/TLS versions when working on HTTPS communications. In my case, I had to disable SSL 2.0 on a server and I wanted to test and verify no SSL 2.0 communication was available after making the changes. By default my server negotiated to the highest possible supported version of SSL between it and the client, but that wasn’t good enough. I needed to disable SSL 2.0 as an option altogether and then prove that it was no longer being negotiated.

In this case I’m going to use a Linux system as the testing client with the openssl package installed which gives me access to its s_client feature. For those unaware, and according to the s_client documentation:

The s_client command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS. It is a very useful diagnostic tool for SSL servers.

In my case I’m interested in the -connect option to, of course, hand off a hostname and port number for s_client to connect to in the form of hostname:port. (Yes, that’s a single-dash option with a long name. Yay standards!) However, to force the attempted negotiation of one protocol over another, you can use one of the following switches (that are all fairly self explanatory): -ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1

The command I used while testing to see if SSL 2.0 was enabled in the first place was openssl s_client -connect my.hostname.com:443 -ssl2

When testing that out on a server that accepts SSL 2.0 communication you will see a torrent of output in your terminal, and one of the sections will look something like this:

SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
    Session-ID: 5C2400001B384DE47F1B61395C67481F
    Session-ID-ctx: 
    Master-Key: EFF33404C791EB238811313B40F9E05191A094A8FB267893
    Key-Arg   : 4A8EAFD3BCA49605
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1392248645
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

Notice what protocol was used? SSL 2.0. In this way I was able to determine that the target host was allowing SSL 2.0 which I did not want. I made a quick configuration change to the server and then tried the same s_client command to force an SSL 2.0 conversation. This time, I was denied:

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 45 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1392250044
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

However I was able to get an SSL 3.0 conversation going with openssl s_client -connect my.host.com:443 -ssl3

New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : RC4-SHA
    Session-ID: B11B0000263600F4BA435B2D9F6547C02AA113F83660C7D9697D70C7E63C2CAD
    Session-ID-ctx: 
    Master-Key: 3B5EF0FB577345ED6AC09DBF2E5EC421FCEF5E4BC2081B4E846D83BC65C019E1517EF432D950D9037735D15C68BF3A04
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1392250238
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

Success! In this way you can quickly and easily test to see if specific SSL/TLS versions are available to use and react accordingly.

3 Comments

  1. MikeDawg

    February 17, 2014 at 10:58 am

    I recommend using CipherScan: https://github.com/jvehent/cipherscan

    I used to run a modified version of sslthing.sh, but recently switched to CipherScan

    Reply

    • Wesley David

      February 17, 2014 at 11:11 am

      Awesome! Thanks for the tip.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Follow TheNubbyAdmin!

follow us in feedly

Raw RSS Feed:

Contact Me!

Want to hire me as a consultant? Have a job you think I might be interested in? Drop me a line:

Contact Me!

Subscribe via Email

Your email address is handled by Google FeedBurner and never spammed!

The Nubby Archives

Circle Me on Google+!

Photos from Flickr

Me on StackExchange

The IT Crowd Strava Group