How to test for SSLv2Hello support with openssl s_client

openssl

I have Tomcat with TLS1 and SSLv2Hello enabled under sslEnabledProtocols, but I'd like to test whether the SSLv2Hello client hello upgrade actually works. I could not find anything in the openssl s_client documentation on how to make an SSLv2Hello connection to a server.

Best Answer

You should disable SSL2 support completely. It was found vulnerable and deprecated in 1996(!). You probably need to compile OpenSSL yourself to enable support for it; I don't see any reason at all to do such a thing.

So unless you can really explain why you need SSLv2, just stick to TLS1 for encryption...

You can verify that your server doesn't support SSLv2 by using OpenSSL versions pre-1.0.2e (which still have support for SSLv2) and issuing

openssl s_client -ssl2 -brief -connect example.com:443

It should read: write:errno=104

And this command will help to verify that SSLv3 is also disabled:

openssl s_client -ssl3 -brief -connect example.com:443

Should read something like:

140547360663192:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1472:SSL alert number 40
140547360663192:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:
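An added example, not part of the question or the answer above: since s_client has no switch for this, the following Python probe sends a v2-compatible ClientHello that advertises TLS 1.0 (the format in RFC 5246 Appendix E.2, which is what Tomcat calls SSLv2Hello) and classifies the server's first bytes, so you can check your own server. The host and the cipher-suite list are assumptions for illustration.

```python
import os
import socket
import struct

# Cipher suites advertised in the hello, in 3-byte V2CipherSpec form ({0x00, hi, lo}).
# These three are constructed sample values: AES128-SHA, AES256-SHA, DES-CBC3-SHA.
TLS_SUITES = [0x002F, 0x0035, 0x000A]


def build_v2_compatible_hello(version=(3, 1), suites=TLS_SUITES, challenge=None):
    """Build a V2ClientHello record whose version field claims TLS 1.0 (3,1)."""
    challenge = challenge or os.urandom(16)          # 16..32 bytes allowed
    specs = b"".join(struct.pack("!BH", 0, s) for s in suites)
    # msg_type=1, version, cipher_spec_length, session_id_length=0, challenge_length
    body = struct.pack("!BBBHHH", 1, version[0], version[1],
                       len(specs), 0, len(challenge)) + specs + challenge
    header = struct.pack("!H", 0x8000 | len(body))   # high bit set: 2-byte v2 header
    return header + body


def classify_response(data):
    """Interpret the first bytes the server sends back after the v2-format hello."""
    if not data:
        return "closed"        # reset or empty close: v2-format hello not accepted
    if data[0] == 0x16 and len(data) >= 5:
        return "accepted"      # TLS handshake record: server took the SSLv2Hello format
    if data[0] == 0x15:
        return "alert"         # TLS alert (e.g. handshake_failure): rejected
    if data[0] & 0x80:
        return "sslv2"         # a v2 record back means real SSLv2 was negotiated
    return "unknown"


def probe(host, port=443, timeout=5):
    """Connect, send the v2-compatible hello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_v2_compatible_hello())
        try:
            data = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    print(probe("example.com"))   # placeholder host; use your own server
```

A result of "accepted" means the server still honours the SSLv2Hello compatibility format; "alert" or "closed" is what you want once SSLv2Hello is removed from sslEnabledProtocols.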