I want to initiate an SSL connection with a remote server using SSLv2. I am using Java. I tried to get the supported protocols in my socket using:

```java
// Needs: import java.util.Arrays; `socket` is an SSLSocket.
String[] suppProtocols = socket.getSupportedProtocols();
System.out.println("The protocols supported for this socket are: " + Arrays.toString(suppProtocols));
```

and I got this in the output:

[SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]

Now, I read that Java does not support SSLv2 and that SSLv2Hello only sends the hello message using SSLv2. I can't grasp what this means. Isn't it the same as if the client supports SSLv2? How can I make an SSL connection using SSLv2?

Jury A

1 Answer

SSLv3 and TLSv1.x offer a way to wrap their Client Hello message in an SSLv2 Client Hello, as described in the TLS specification: Backward compatibility with SSL. SSLv3 and TLS 1 and above have a more consistent mechanism to negotiate the version. As the TLS spec says:

> The ability to send Version 2.0 client hello messages will be phased out with all due haste. Implementors SHOULD make every effort to move forward as quickly as possible. Version 3.0 provides better mechanisms for moving to newer versions.

The Sun/Oracle JRE or OpenJDK doesn't support SSLv2. Wrapping an SSLv3+ message into an SSLv2 message was just for backward compatibility. It is now disabled by default for clients in Java 7. From a server point of view, it can at least accept other SSLv3+ clients that wrap their Client Hello message in an SSLv2 message this way, whether they support SSLv2 or not.

You'll find more details about Java support (including other implementations) in this question.

Generally speaking, SSLv2 is considered insecure: you simply shouldn't use it. The general trend is to move away from SSLv3 towards TLS 1.0 or higher, not to go backwards.

Bruno
  • I know that it is not secure and should not be used. I need to use it for testing purposes. I still need any way to do this if possible. – Jury A Oct 07 '12 at 23:52
  • Not quite sure what you'd want to test. SSLv2 really should no longer exist. This being said, check EJP's answer to the question I've linked to. Apparently, the IBM JRE supports it. Alternatively, if you really need to talk to an SSLv2 server, you could use a tunnel that's implemented with OpenSSL (and configured with v2), perhaps with something like `stunnel`, instead of using the JSSE. – Bruno Oct 07 '12 at 23:54
  • @Bruno The second 'SSLv3' in this answer should be 'SSLv2' (client hello). – user207421 Dec 12 '12 at 20:30
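
The difference between the SSLv2 hello format and the SSLv2 protocol, shown at the byte level as an added example (not code from the question or the answer): an SSLv2-format Client Hello carries the version the client actually offers, which is what a server or a traffic inspector should look at. The class name `HelloFormat`, its method names and the sample byte prefixes (constructed, not captured traffic) are assumptions for illustration; the field offsets follow the record layouts in the TLS specification's backward-compatibility appendix.

```java
import java.util.Arrays;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class HelloFormat {
    // Map a (major, minor) protocol version from a hello message to its name.
    static String versionName(int major, int minor) {
        if (major == 0 && minor == 2) return "SSLv2";
        if (major == 3 && minor == 0) return "SSLv3";
        if (major == 3 && minor == 1) return "TLSv1";
        if (major == 3 && minor <= 4) return "TLSv1." + (minor - 1);
        return String.format("unknown(%d.%d)", major, minor);
    }

    // Classify the first bytes a client sends on a new connection.
    static String classify(byte[] b) {
        // SSLv2 record: 2-byte header with the high bit set, then msg_type 1
        // (CLIENT-HELLO), then the highest version the client offers.
        if (b.length >= 5 && (b[0] & 0x80) != 0 && b[2] == 1) {
            return "SSLv2-format hello offering " + versionName(b[3] & 0xff, b[4] & 0xff);
        }
        // SSLv3/TLS record: type 0x16 (handshake), record version, 2-byte length,
        // handshake type 1 (ClientHello), 3-byte length, then client_version.
        if (b.length >= 11 && b[0] == 0x16 && b[1] == 3 && b[5] == 1) {
            return "TLS-format hello offering " + versionName(b[9] & 0xff, b[10] & 0xff);
        }
        return "not a ClientHello";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample prefixes, not captured traffic.
        byte[] wrapped = {(byte) 0x80, 0x2e, 1, 3, 1};  // SSLv2 format, offers TLSv1
        byte[] realV2 = {(byte) 0x80, 0x2e, 1, 0, 2};   // SSLv2 format, offers SSLv2
        byte[] tls = {0x16, 3, 1, 0, 0x2f, 1, 0, 0, 0x2b, 3, 3};
        for (byte[] sample : new byte[][] {wrapped, realV2, tls}) {
            System.out.println(classify(sample));
        }
        // "Supported" is what JSSE can be asked to use; "enabled" is what it will use.
        try (SSLSocket s = (SSLSocket) SSLSocketFactory.getDefault().createSocket()) {
            System.out.println("supported: " + Arrays.toString(s.getSupportedProtocols()));
            System.out.println("enabled:   " + Arrays.toString(s.getEnabledProtocols()));
        }
    }
}
```

The first two samples share the same SSLv2 framing and differ only in the offered version field, which is why `SSLv2Hello` appearing in the protocol list does not mean the JSSE can negotiate SSLv2 itself.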