
I have a legacy embedded HTTP client (very old) that supports SSLv3, TLS1.0, TLS1.1 and TLS1.2. I would like to remove SSLv3 for security reasons.

I rebuilt the openssl library and wanted to verify that this web client does not use SSLv3 during a secure HTTP connection. This client is also programmed to connect to a specific web server on the internet, which already does NOT support SSLv3.

I tried to verify whether it works by using a proxy between the embedded web client and the internet web server.

Setup:
Webclient <----> Squid proxy <----> Https://www.loremipsum.com/xxx/xxx

Setting:
Webclient
    - SSLv3 only
Squid proxy:
    - Installed in Windows Server 2012
    - client TLS version --> TLS1.0, TLS1.1, TLS1.2 enabled
    - server TLS version --> SSLv3 only
External web server:
    - only supports TLS1.0, TLS1.1 and TLS1.2

Expected results:
    Before removing SSLv3: SSLv3 used in HTTPS connection
    After removing SSLv3: Webclient cannot connect, with handshake failure code in packet

Actual result:
    Before removing SSLv3: **TLS1.0** is used instead of SSLv3 (this part is my problem)
    After removing SSLv3: TLS1.0 used in HTTPS connection

Anyone here knows why TLS1.0 is used instead of SSLv3 during the actual test? Or can you recommend any tool that I can use to confirm this change?

Thank you very much.

  • 1
    No client will prefer SSLv3 to TLS unless explicitly misconfigured to do so. Obviously you should not attempt to do this. It's not clear, therefore, that you are actually having a problem. – Michael Hampton Mar 11 '21 at 03:54
  • Hi @MichaelHampton, thank you for your response. I understand that no client nowadays will prefer SSLv3; it's completely insecure. However, as I pointed out, I just want to confirm its removal by the setup above. – cabrillosa Mar 11 '21 at 04:54
  • 1
    But you seem to have already confirmed its removal! – Michael Hampton Mar 11 '21 at 06:32
  • Sorry for the confusion. I edited the squid proxy above; I interchanged the client and server settings in the OS where the proxy is installed. I expect that the communication should fail given the scenario (it should not use TLS1.0), since only SSLv3 was turned on on the squid server side. – cabrillosa Mar 11 '21 at 08:16

1 Answer

As to why TLS is used in your test: the client will go through its available ciphers and try the strongest ciphers first. So it will always prefer TLS over SSLv3.

If the website is visible from the internet you can use one of the test services like https://testtls.com to verify which protocol is enabled/disabled.

If (as I am guessing) the service is only available internally you can use curl and specify the protocol:

 curl -vvv --sslv3 https://www.myhost.tld

You can go into even more detail and specify each cipher individually: https://curl.se/docs/ssl-ciphers.html

An alternative is to use openssl directly: (https://www.misterpki.com/openssl-s-client/)

 openssl s_client -connect www.host.tld:443 -ssl3

Note that in both instances you need openssl/curl with SSLv3 still available (newer ones do not have it compiled in at all).

What you need to configure in squid is something like this (you might have to tweak the options depending on the openssl version):

# Listening side: only SSLv3 left enabled (every TLS version switched off)
https_port ... options=NO_SSLv2:NO_TLSv1:NO_TLSv1_1:NO_TLSv1_2:NO_TLSv1_3
# Bumped side: only TLS1.2 left enabled
http_port ... ssl-bump options=NO_SSLv2:NO_SSLv3:NO_TLSv1:NO_TLSv1_1:NO_TLSv1_3
Niko
  • Hi, thank you for answering. "So it will always prefer tls over ssl3." --> but in the proxy server, I set it to only accept SSLv3 on the server side. Why is it still choosing TLS1.0? – cabrillosa Mar 11 '21 at 23:58
  • Can you provide your squid config options where you disabled all but ssl3? – Niko Mar 12 '21 at 07:55
  • @cabrillosa : A side note, a proxy server does not pass through the SSL connection... The connection from client to proxy and from proxy to webserver are separate connections! So it may be that the client opened an SSLv3 connection to the proxy, and the proxy opened a TLS connection to the webserver... – Martin Mar 12 '21 at 10:56
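To run the per-protocol `openssl s_client` check from the answer against every version in one go (and to see the caveat about builds that no longer have SSLv3), here is an added example. It is not code from the question, the answer, or the Squid or OpenSSL projects. It drives `openssl s_client` with each real version flag and classifies the combined output; the host name in the usage comment and the sample outputs embedded for offline checking are constructed. The classification assumes the output format of OpenSSL 1.1.x/3.x `s_client`, including the quirk that a failed handshake still prints a `Protocol : ...` line in the SSL-Session block with `Cipher : 0000`, so that line alone must not be taken as "accepted".

```python
import re
import subprocess

# openssl s_client flag that forces each protocol version (real OpenSSL flags).
PROTOCOL_FLAGS = {
    "SSLv3": "-ssl3", "TLSv1.0": "-tls1", "TLSv1.1": "-tls1_1",
    "TLSv1.2": "-tls1_2", "TLSv1.3": "-tls1_3",
}

def classify(output):
    """Turn one s_client run's combined stdout+stderr into (status, detail).

    Order matters: a local build lacking the protocol ("unknown option",
    "no protocols available") and a server alert are checked before the
    SSL-Session block, because a failed handshake still prints
    'Protocol : TLSv1.2' there together with 'Cipher : 0000'.
    """
    if re.search(r"unknown option|unrecognized option|no protocols available", output, re.I):
        return ("unsupported-locally", None)
    alert = re.search(r"SSL alert number (\d+)", output)
    if alert:
        return ("rejected", "alert " + alert.group(1))
    proto = re.search(r"Protocol\s*:\s*(\S+)", output)
    cipher = re.search(r"Cipher\s*:\s*(\S+)", output)
    if proto and cipher and cipher.group(1) not in ("0000", "(NONE)"):
        return ("accepted", proto.group(1))
    return ("no-handshake", None)

def probe(host, port=443, timeout=10):
    """Run s_client once per protocol version and classify each attempt."""
    results = {}
    for name, flag in PROTOCOL_FLAGS.items():
        cmd = ["openssl", "s_client", "-connect", "%s:%d" % (host, port), flag]
        try:
            proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
            out = (proc.stdout + proc.stderr).decode("utf-8", "replace")
        except (OSError, subprocess.TimeoutExpired) as exc:
            out = str(exc)          # classify() reports this as no-handshake
        results[name] = classify(out)
    return results

# Constructed sample outputs, trimmed to the lines that matter, for offline checks.
SAMPLE_ACCEPTED = """---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
"""
SAMPLE_REJECTED = """error:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:SSL alert number 40
---
no peer certificate available
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
"""
SAMPLE_NO_SSL3 = "s_client: Unknown option: -ssl3\n"

if __name__ == "__main__":
    for sample in (SAMPLE_ACCEPTED, SAMPLE_REJECTED, SAMPLE_NO_SSL3):
        print(classify(sample))
    # Live run (placeholder host/port, point it at your proxy or origin):
    # print(probe("proxy.example.internal", 3128))
```

Run `probe()` against the proxy's listening port and against the origin separately: as the last comment above notes, the client-to-proxy and proxy-to-origin legs are independent TLS connections, so a version that is "rejected" on one leg says nothing about the other. An `unsupported-locally` result for SSLv3 means the test box, not the target, is the limitation.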
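The question wants to confirm the result from the packets themselves: a ServerHello choosing TLS1.0 before the change, and a handshake_failure alert after it. This added example, which is not part of the original question or answer, parses the first TLS record of a captured exchange and reports the version it carries. It also covers the TLS 1.3 case a practitioner trips over when reading captures: the ServerHello's legacy version field still says 1.2, and the real version sits in the supported_versions extension. All records are constructed inside the block by small builder functions; the parser does not capture traffic, so feed it the raw bytes of the first record exported from tcpdump or Wireshark.

```python
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version"}
CONTENT_ALERT, CONTENT_HANDSHAKE = 21, 22
EXT_SUPPORTED_VERSIONS = 43

def version_name(v):
    return VERSION_NAMES.get(v, "0x%04x" % v)

def _parse_extensions(buf, server_side):
    """Return the versions listed in supported_versions, or None if absent."""
    found, pos = None, 0
    while pos + 4 <= len(buf):
        ext_type, ext_len = struct.unpack("!HH", buf[pos:pos + 4])
        data = buf[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == EXT_SUPPORTED_VERSIONS:
            if server_side:              # ServerHello carries exactly one version
                found = [struct.unpack("!H", data[:2])[0]]
            else:                        # ClientHello: 1-byte length + list
                found = [struct.unpack("!H", data[1 + i:3 + i])[0] for i in range(0, data[0], 2)]
    return found

def describe_record(rec):
    """Classify one TLS record (5-byte header + payload) and report its versions."""
    ctype, rec_ver, length = struct.unpack("!BHH", rec[:5])
    body = rec[5:5 + length]
    if ctype == CONTENT_ALERT:
        return {"kind": "alert", "record_version": version_name(rec_ver),
                "level": "fatal" if body[0] == 2 else "warning",
                "description": ALERT_NAMES.get(body[1], str(body[1]))}
    if ctype != CONTENT_HANDSHAKE:
        return {"kind": "other", "content_type": ctype}
    msg_type = body[0]
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    hello_ver = struct.unpack("!H", hs[:2])[0]
    pos = 2 + 32                                   # version + random
    pos += 1 + hs[pos]                             # session_id
    if msg_type == 1:                              # ClientHello
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + hs[pos]                         # compression methods
        kind = "client_hello"
    elif msg_type == 2:                            # ServerHello
        suites = [struct.unpack("!H", hs[pos:pos + 2])[0]]
        pos += 2 + 1                               # cipher suite + compression
        kind = "server_hello"
    else:
        return {"kind": "handshake", "msg_type": msg_type}
    listed = None
    if pos + 2 <= len(hs):
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        listed = _parse_extensions(hs[pos + 2:pos + 2 + ext_len], server_side=(msg_type == 2))
    result = {"kind": kind, "record_version": version_name(rec_ver),
              "hello_version": version_name(hello_ver),
              "cipher_suites": ["0x%04x" % s for s in suites]}
    # supported_versions overrides the legacy version field (TLS 1.3 rule).
    if kind == "server_hello":
        result["negotiated"] = version_name(listed[0] if listed else hello_ver)
    else:
        result["highest_offered"] = version_name(max(listed) if listed else hello_ver)
    return result

# --- builders for constructed sample records (fixed randoms, no real crypto) ---
def _record(ctype, version, payload):
    return struct.pack("!BHH", ctype, version, len(payload)) + payload

def _handshake(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def _supported_versions_ext(versions, server_side):
    data = (struct.pack("!H", versions[0]) if server_side else
            bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions))
    return struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data

def build_client_hello(version, suites, supported_versions=None):
    body = struct.pack("!H", version) + b"\x11" * 32 + b"\x00"
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"
    if supported_versions:
        ext = _supported_versions_ext(supported_versions, False)
        body += struct.pack("!H", len(ext)) + ext
    return _record(CONTENT_HANDSHAKE, version, _handshake(1, body))

def build_server_hello(version, suite, supported_version=None):
    body = struct.pack("!H", version) + b"\x22" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    if supported_version:
        ext = _supported_versions_ext([supported_version], True)
        body += struct.pack("!H", len(ext)) + ext
    return _record(CONTENT_HANDSHAKE, version, _handshake(2, body))

def build_alert(level, description):
    return _record(CONTENT_ALERT, 0x0300, bytes([level, description]))

if __name__ == "__main__":
    samples = [("SSLv3-only ClientHello", build_client_hello(0x0300, [0x002f, 0x0035])),
               ("ServerHello choosing TLS1.0", build_server_hello(0x0301, 0x002f)),
               ("TLS1.3 ServerHello (legacy field says 1.2)", build_server_hello(0x0303, 0x1301, 0x0304)),
               ("fatal handshake_failure alert", build_alert(2, 40))]
    for name, rec in samples:
        print(name, "->", describe_record(rec))
```

For the question's setup, the record to inspect is the first one the proxy sends back to the embedded client: a ServerHello with `negotiated` = SSLv3 means the proxy still speaks SSLv3, a ServerHello with `negotiated` = TLSv1.0 means the client offered TLS1.0 and the proxy accepted it, and a fatal alert is the handshake failure the question expects once nothing in common remains.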