not that long ago it was possible in centos to have an easy test as to whether a web server under centos 7 was supporting sslv2 or sslv3
eg
openssl s_client -connect <server>:<port> -ssl2
but it seems that parameter -ssl2 is no longer supported.
unknown option -ssl2
anyone got a simple equivalent?
I notice ssl3 parameter still works
cheers
didds
openssl, sslv2 & sslv3 testing
Last edited by didds1962 on 2020/01/21 09:20:20, edited 1 time in total.
Re: openssl, sslv2 & sslv3 testing
openssl s_client --help
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: openssl, sslv2 & sslv3 testing
curl --sslv2
But it might not be there as it calls OpenSSL/GnuTLS/NSS etc, depending on what's compiled/installed.
Certainly if sslv2 is not installed on the server, it can't do sslv2.
Re: openssl, sslv2 & sslv3 testing
SSL2 has been deprecated and suggested not to be used for years. I've been dealing in SSL for at least 8 years and it has been a no-no for at least that long. Probably longer, in fact.
SSLv3 and TLS 1.0 have both been shown to not be secure as of maybe three years ago. Heartbleed and various other attacks have made those insecure.
TLS 1.1, 1.2 and 1.3 are really the only viable options.
Also, this is not entirely dependent on the OS but more what version of openssl is being used. I believe some of the newer openssl versions (I believe starting in 1.1.1) do not have SSLv3 natively supported. But could be wrong on that.
Anyways, Trevor's post should get you where you need to go with testing the various versions. IIRC, it is just a matter of tagging on an option for which protocol you want to test, like sslv2, sslv3, tls1, tls11, tls12. I'd imagine 1.3 would be tls13.
But again, at this point, I would recommend moving to something that is actually secure, which is not TLS 1.0 and below.
Re: openssl, sslv2 & sslv3 testing
Both TLS 1.0 and 1.1 are or will be shortly deprecated and no longer recommended. The lowest now recommended is TLS 1.2 (which is as high as CentOS 7 supports).
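Added example, not part of any post in this thread: a shell script for the per-protocol test discussed above, using the s_client form from the first post. It separates "the local openssl does not know this flag" (the `unknown option -ssl2` case, which says nothing about the server) from a handshake the server accepted or refused. The function names and result labels are this example's own.

```shell
#!/usr/bin/env bash
# Added example: report which SSL/TLS versions a server you administer accepts.
# Usage: ./proto_audit.sh <server> <port>   (script name is illustrative)

# s_client protocol flags. Which ones exist depends on the local OpenSSL
# build: a build without SSLv2 answers "unknown option -ssl2", and
# -tls1_3 only exists from OpenSSL 1.1.1 on.
PROTO_FLAGS="-ssl2 -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3"

# classify_output OUTPUT -> prints one of:
#   client-unsupported  local openssl rejected the flag; server was not tested
#   accepted            a cipher was negotiated with the forced protocol
#   rejected            no handshake (server refusal or connection failure)
classify_output() {
    if printf '%s\n' "$1" | grep -qi 'unknown option'; then
        echo client-unsupported
    # Success prints "New, <proto>, Cipher is <name>";
    # failure prints "New, (NONE), Cipher is (NONE)" or no such line at all.
    elif printf '%s\n' "$1" | grep 'Cipher is ' | grep -qvF '(NONE)'; then
        echo accepted
    else
        echo rejected
    fi
}

# probe HOST PORT FLAG: one forced-protocol handshake attempt.
# stdin is /dev/null so s_client exits as soon as the handshake ends.
probe() {
    out=$(openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1) || true
    classify_output "$out"
}

# audit HOST PORT: one result line per protocol flag.
audit() {
    for flag in $PROTO_FLAGS; do
        printf '%-8s %s\n' "$flag" "$(probe "$1" "$2" "$flag")"
    done
}

if [ "$#" -eq 2 ]; then
    audit "$1" "$2"
fi
```

A `client-unsupported` line means the check has to be repeated from a client whose TLS library still implements that protocol before the server can be declared clean for it.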