
I found an IP which accepts SSLv3 connections, thanks to the sslyze and testssl.sh scripts. But when I tried to perform a connection with openssl on this IP, I can't connect using SSLv3. Here is my command line: `openssl s_client -connect 109.7.48.82:443 -no_tls1_1 -no_tls1_2 -no_tls1` And here is the result of the command:

Result of openssl command

So, do you know why I'm not able to force a connection with SSLv3?

SWIT ER
  • Don't include text as image! – Steffen Ullrich Apr 18 '18 at 14:02
  • If you run `openssl list -disabled` you'll likely see that SSLv3 is disabled. The only way to re-enable it is to re-compile openssl with SSLv3 support. – vcsjones Apr 18 '18 at 14:06
  • Ok, thanks for your answer. My disabled list is: Disabled algorithms: HEARTBEATS IDEA MD2 MDC2 RC5 SCTP SSL3 ZLIB. Why doesn't SSLv2 appear in this list? (because I think if SSLv3 is disabled, SSLv2 will be disabled too, am I wrong?) – SWIT ER Apr 18 '18 at 14:58

1 Answer


Your openssl has no support for SSLv3 anymore, like many recent TLS libraries. This can be seen from the error message:

`tls_construct_client_hello:no protocols available`

Steffen Ullrich
  • Ok, it's strange, because then there is no way to perform an SSLv3 connection with openssl, which is supposed to be the library to manipulate SSL/TLS? – SWIT ER Apr 18 '18 at 15:04
  • @SWITER: The code supporting SSLv3 is still in the openssl source code. But since SSLv3 is considered broken many current builds of openssl (and other TLS libraries) have SSLv3 explicitly disabled. If you want to use it then you need to use an openssl build where SSLv3 is not disabled or build your own. – Steffen Ullrich Apr 18 '18 at 15:40
  • Ok. But I don't really understand what a build of a library is. Is it a different way to compile the library? So the only way to do what I want is to remove the openssl library and install it again? (but not with apt-get install I suppose?) – SWIT ER Apr 18 '18 at 15:49
  • @SWITER: It is possible to have multiple versions of openssl on the system in different places. You find alternative builds of OpenSSL with support for more ciphers and protocol versions for example at the testssl.sh site. Apart from that the question only asked *why* you got this problem - which is explained in my answer. How to get some version of openssl with support for SSLv3 or how to compile it yourself is not part of your question. – Steffen Ullrich Apr 18 '18 at 16:15
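
One way to tell a client-side limitation apart from a server that refuses SSLv3, before trusting or dismissing a scanner finding (an added example, not part of the original answer or comments; the function names `proto_disabled` and `classify_probe` are hypothetical, and the sample strings are copied from this page):

```shell
#!/bin/sh
# Added example: decide whether a failed SSLv3 probe says anything about the
# server, or only about the local OpenSSL build. Function names are hypothetical.

# Return 0 if the given `openssl list -disabled` output names the token
# (e.g. SSL3). Accepts the names one per line or all on a single line.
proto_disabled() {
    case " $(printf '%s' "$1" | tr '\n\t' '  ') " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# Classify s_client output. "client-build" means no ClientHello could be
# constructed (the error quoted in the answer), so nothing was sent and the
# result proves nothing about the server. Anything else is "inconclusive".
classify_probe() {
    case $1 in
        *"tls_construct_client_hello:no protocols available"*) echo "client-build" ;;
        *) echo "inconclusive" ;;
    esac
}

# Constructed sample input, copied from the text on this page.
SAMPLE_DISABLED="Disabled algorithms: HEARTBEATS IDEA MD2 MDC2 RC5 SCTP SSL3 ZLIB"
SAMPLE_ERROR="tls_construct_client_hello:no protocols available"

main() {
    # Use the installed binary when it answers, otherwise the sample above.
    listing=$SAMPLE_DISABLED
    if command -v openssl >/dev/null 2>&1; then
        listing=$(openssl list -disabled 2>/dev/null) || listing=$SAMPLE_DISABLED
    fi
    if proto_disabled "$listing" SSL3; then
        echo "local build: SSLv3 compiled out, s_client cannot confirm the finding"
    else
        echo "local build: SSLv3 not listed as disabled"
    fi
    echo "sample error classified as: $(classify_probe "$SAMPLE_ERROR")"
}

main "$@"
```

A "client-build" result means the scanner finding is still unverified, not refuted: the scanners in the question reported SSLv3 as accepted, and this client never sent a handshake.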