
In light of the recent Heartbleed flaw, I am trying to do some analysis of various systems that I connect with (email, login pages, etc). I am trying to use the OpenSSL command-line tool to verify what protocols the systems I connect with are using.

Part of the response is:

...
SSL-Session:
    Protocol  : TLSv1
...

Is that all I need to verify that this service is not using OpenSSL (particularly the buggy 1.0.1 versions)? (I am thinking that it ISN'T enough, as I connected with a server that I KNOW is using OpenSSL 0.9.8 and it responded with the same string as shown above.)

jww
Cronk
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) or [Information Security Stack Exchange](http://security.stackexchange.com/) would be a better place to ask. – jww Oct 15 '16 at 21:31

1 Answer


TLSv1 refers to the protocol TLS version 1, while OpenSSL, NSS, GnuTLS, PolarSSL ... are implementations of the protocol. You usually cannot detect just from a normal TLS dialog which SSL implementation or which version of the implementation is running on the other side, so you had better use any of the available tools for checking if the server is vulnerable.

You can try to use the -tlsextdebug option of openssl s_client to find out which TLS extensions the other side supports. Vulnerable versions usually show that they support the heartbeat extension, but I would not count on it. And of course fixed versions support this extension too. If support for the extension is advertised, you find this in the output of openssl s_client -tlsextdebug -connect ...:

TLS server extension "heartbeat" (id=15), len=1

Steffen Ullrich
  • I was hoping that there was something more definitive that would report the version being used on the target system. I guess, in some ways, it makes sense that it doesn't tell you what the underlying mechanism is, just the API being adhered to. – Cronk Apr 15 '14 at 17:14
  • SSL is a comparably slim protocol and not as chatty as HTTP, where you often get information like server version, PHP version etc. You get only the necessary information, e.g. which protocol version is used and which extensions are understood. – Steffen Ullrich Apr 15 '14 at 18:02
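
The check described in the answer, as an added example that is not part of the original post: it parses openssl s_client -tlsextdebug output for the extensions the server echoed back and reports whether heartbeat (id=15) is among them. The function names, the sample transcripts and the host placeholder are constructed for illustration; as the answer says, an advertised extension does not tell a vulnerable build from a fixed one.

```shell
#!/bin/sh
# Added example: interpret `openssl s_client -tlsextdebug` output.
# Function names and the sample transcripts are constructed for illustration.

# Print "id name" for every extension the server echoed back.
server_extensions() {
    sed -n 's/^TLS server extension "\(.*\)" (id=\([0-9][0-9]*\)), len=[0-9][0-9]*.*$/\2 \1/p'
}

# Print the negotiated protocol from the SSL-Session block (first match).
negotiated_protocol() {
    sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*\(.*\)$/\1/p' | head -n 1
}

# Read s_client output on stdin and print one of:
#   advertised      heartbeat (id=15) was echoed; says nothing about patch level
#   not-advertised  handshake seen, no heartbeat extension in the reply
#   no-session      no Protocol line, so nothing can be concluded
heartbeat_status() {
    out=$(cat)
    if [ -z "$(printf '%s\n' "$out" | negotiated_protocol)" ]; then
        echo no-session
    elif printf '%s\n' "$out" | server_extensions | grep '^15 ' >/dev/null; then
        echo advertised
    else
        echo not-advertised
    fi
}

# Live use (not run here; placeholder host): check_host mail.example.org:443
check_host() {
    openssl s_client -tlsextdebug -connect "$1" </dev/null 2>&1 | heartbeat_status
}

# Constructed transcripts, trimmed to the lines the parser reads.
SAMPLE_HB='CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "heartbeat" (id=15), len=1
0000 - 01                                                .
SSL-Session:
    Protocol  : TLSv1'
SAMPLE_NO_HB='CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
SSL-Session:
    Protocol  : TLSv1'

printf '%s\n' "$SAMPLE_HB" | heartbeat_status      # advertised
printf '%s\n' "$SAMPLE_NO_HB" | heartbeat_status   # not-advertised
```

A server only echoes extensions the client offered, so not-advertised is meaningful only when the local openssl build itself sends the heartbeat extension in its ClientHello.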