I have Tomcat with TLS1 and SSLv2Hello enabled under sslEnabledProtocols, but I'd like to test whether the SSLv2Hello client hello upgrade actually works. I could not find anything in the openssl s_client documentation on how to do an SSLv2Hello connection to a server.
How to test for SSLv2Hello support with openssl s_client
Best Answer
You should disable SSL2 support completely. It has been found vulnerable & deprecated in 1996(!). You probably need to compile OpenSSL yourself to enable support for it; I don't see any reason at all to do such a thing.
So unless you can really explain why you need SSLv2, just stick to TLS1 for encryption...
You can verify that your server doesn't support SSLv2 by using OpenSSL versions pre-1.0.2e (which still have support for SSLv2) and issuing
It should read:
write:errno=104
And this command will help to verify that SSLv3 is also disabled:
Should read something like:
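Added example (not part of the question or the answer above, and not Tomcat or OpenSSL code): Python that builds the SSLv2-format ClientHello which JSSE names SSLv2Hello (the backward-compatible framing described in RFC 5246 Appendix E.2), offering TLS 1.0, and classifies the first bytes of the server's reply. The function names, the cipher suite selection and the `probe` helper are assumptions made for this example.

```python
import os
import socket
import struct

# TLS suites sent as 3-byte SSLv2 cipher specs (0x00 + 2-byte suite id):
# RSA with AES128-CBC-SHA, AES256-CBC-SHA, 3DES-EDE-CBC-SHA (example choice).
TLS_SUITES = (0x002F, 0x0035, 0x000A)

def build_v2_client_hello(version=(3, 1), suites=TLS_SUITES, challenge=None):
    """SSLv2-format CLIENT-HELLO that advertises a TLS version (3.1 = TLS 1.0)."""
    challenge = challenge if challenge is not None else os.urandom(32)
    specs = b"".join(b"\x00" + struct.pack(">H", s) for s in suites)
    # msg_type=1, version, cipher_spec_length, session_id_length=0, challenge_length
    body = struct.pack(">BBBHHH", 1, version[0], version[1],
                       len(specs), 0, len(challenge)) + specs + challenge
    # 2-byte header: high bit set, remaining 15 bits hold the body length.
    return struct.pack(">H", 0x8000 | len(body)) + body

def classify_reply(data):
    """Classify the first bytes a server sends back after the v2-format hello."""
    if not data:
        return "closed: server dropped the connection"
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 3 and data[5] == 0x02:
        return "upgraded: TLS ServerHello, record version 3.%d" % data[2]
    if len(data) >= 7 and data[0] == 0x15 and data[1] == 3:
        return "alert: level=%d description=%d" % (data[5], data[6])
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 4:
        return "sslv2: server answered with an SSLv2 SERVER-HELLO"
    return "unknown: first bytes %s" % data[:8].hex()

def probe(host, port=443, timeout=5.0):
    """Send the hello to your own server and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            s.sendall(build_v2_client_hello())
            return classify_reply(s.recv(4096))
        except (ConnectionResetError, BrokenPipeError):
            # ECONNRESET is errno 104 on Linux, the value in the output above.
            return classify_reply(b"")
```

A result of `upgraded` means the server accepted the SSLv2-format hello and continued in TLS; `closed` or `alert` means that framing was refused.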