
I have Tomcat with TLS1 and SSLv2Hello enabled under sslEnabledProtocols, but I'd like to test whether the SSLv2Hello client hello upgrade actually works. I could not find anything in the openssl s_client documentation on how to make an SSLv2Hello connection to a server.

cen

1 Answer


You should disable SSL2 support completely. It has been found vulnerable & deprecated in 1996(!). You probably need to compile OpenSSL yourself to enable support for it; I don't see any reason at all to do such a thing.

So unless you can really explain why you need SSLv2, just stick to TLS1 for encryption...

You can verify that your server doesn't support SSLv2 by using OpenSSL versions pre-1.0.2e (which still have support for SSLv2) and issuing

openssl s_client -ssl2 -brief -connect example.com:443

It should read: write:errno=104

And this command will help to verify that SSLv3 is also disabled:

openssl s_client -ssl3 -brief -connect example.com:443

Should read something like:

140547360663192:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1472:SSL alert number 40
140547360663192:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:
Anubioz
  • I don't need SSLv2 support, I need SSLv2Hello support. The reason is that Java 6 clients initiate TLS connections with SSLv2Hello by default and then upgrade to TLS. I want to simulate this with an openssl client for convenience. I don't use this because I want to or because it is my choice; it's because other people have older clients that do it that way and I need to support that. – cen Sep 14 '16 at 21:44
  • 1
    @cen There is no such thing as SSLv2Hello protocol. It's just an Oracle-made workaround for Oracle-made problems. You will not find that 'technology' anywhere but Oracle-made products. So no, you can't "simulate" it with openssl, you'll have to "simulate" it with java. And you still haven't answered my question why would you want it. Please skip the "I need to test it" part & say what you need to do after you have tested it, since there may be no reason to test anything at all. – Anubioz Sep 14 '16 at 22:10
  • I see, I didn't know this was specific to java world, I thought it was more general. I guess I'll have to write a java client to test it then. – cen Sep 15 '16 at 08:45
  • You're doing it wrong - you can't test whether old java 6 applications (probably running on windows XP) will be able to connect to your service by writing your own client on java 8 @ windows 10. The only way to determine if those clients would be able to connect is to actually connect with those clients themselves. Get a Remote Desktop into those old PCs & test. – Anubioz Sep 15 '16 at 09:11
  • And be prepared, that if you got no source of the application, there may be *no way* to make those old clients work without enabling SSLv3, thus making your communications vulnerable to various attacks, such as POODLE. That's really a problem in Java world - lazy vendors don't distribute even security patches to their software for free. You may have to live with it (until your company buys a new version) – Anubioz Sep 15 '16 at 09:15
  • I made a Java 6 client using the Oracle Java 6 rpm and I managed to reproduce the issue. It turns out SSLv2Hello must be explicitly enabled in Tomcat under the sslEnabledProtocols config. Thanks anyway. – cen Sep 15 '16 at 09:47
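An added example, not from the question, the answer or Tomcat/OpenSSL themselves: a small Python probe that sends the SSLv2-format ClientHello advertising TLS 1.0 (RFC 5246 appendix E.2, the format Java calls "SSLv2Hello") and classifies the first bytes the server sends back, so you can check the upgrade from your own machine instead of an old Java 6 box. The cipher list is an assumption of what a Java 6 client typically offers; host and port are whatever you point it at.

```python
import os
import socket
import struct

# Assumed: RSA suites a Java 6 client commonly offers. In the SSLv2-format
# hello each suite is 3 bytes: 0x00 followed by the 2-byte TLS suite id.
TLS_SUITES = [0x002F, 0x0035, 0x000A, 0x0005]  # AES128-SHA, AES256-SHA, 3DES-SHA, RC4-SHA

def build_sslv2_hello(max_version=(3, 1), suites=TLS_SUITES, challenge=None):
    """SSLv2-format CLIENT-HELLO whose version field advertises TLS
    (3,1 = TLS 1.0); session_id is empty, challenge is 32 random bytes."""
    challenge = challenge if challenge is not None else os.urandom(32)
    cipher_specs = b"".join(b"\x00" + struct.pack(">H", s) for s in suites)
    body = (b"\x01"                                # msg_type CLIENT-HELLO
            + bytes(max_version)                   # highest version offered
            + struct.pack(">HHH", len(cipher_specs), 0, len(challenge))
            + cipher_specs + challenge)
    # 2-byte v2 record header: high bit set, 15-bit length, no padding
    return struct.pack(">H", 0x8000 | len(body)) + body

def classify_response(data):
    """Interpret the server's first bytes after the SSLv2-format hello."""
    if not data:
        return "closed"          # reset/close (openssl's write:errno=104)
    if data[0] == 0x16 and len(data) >= 6 and data[5] == 0x02:
        return "tls-server-hello %d.%d" % (data[1], data[2])  # upgrade worked
    if data[0] == 0x15:
        return "tls-alert"       # hello understood but refused
    if data[0] & 0x80 and len(data) >= 3 and data[2] == 0x04:
        return "sslv2-server-hello"  # server really speaks SSLv2: disable it
    return "unknown"

def probe(host, port=443, timeout=5):
    """Connect, send the hello, return the classification of the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv2_hello())
        try:
            data = s.recv(4096)
        except (ConnectionResetError, socket.timeout):
            data = b""
    return classify_response(data)

if __name__ == "__main__":
    import sys
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(probe(sys.argv[1], port))
```

With SSLv2Hello listed in sslEnabledProtocols the probe should report a TLS ServerHello; with it removed, expect "closed" or "tls-alert".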