SSL Version Question
I need clarification on what is the best way to check which SSL version I have running on my Linux RHEL 5.3 server.

When I use the sslscan tool, i.e. sslscan --no-failed myserver:444, I get the output below (snippets):

    [root@myserver]# sslscan --no-failed myserver:444
                       _
               ___ ___| |___  ___ __ _ _ __
              / __/ __| / __|/ __/ _` | '_ \
              \__ \__ \ \__ \ (_| (_| | | | |
              |___/___/_|___/\___\__,_|_| |_|

                      Version 1.8.2
                 http://www.titania.co.uk
            Copyright Ian Ventura-Whiting 2009

    Testing SSL server myserver on port 444
    snip snip
    **SSL Certificate: Version: 0**

When I run the openssl command below, it gives me a different (conflicting) SSL version, i.e. SSLv3/TLS1:

    [root@myserver]# openssl s_client -connect myserver:444
    CONNECTED(00000003)
    Snip snip
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    snip snip

This has left me a bit confused; for instance, on myserver the sslscan tool says the certificate version is 0 but openssl says the certificate is SSLv3/TLS1 ..... Which is which? Someone please help.

Does SSL show the certificate version rather than the SSL version number? Grey area for me; someone please shed some light. Your help would be greatly appreciated.
sslscan is not part of the openssl package tools. The openssl -connect command is the correct version.
SAM

Thanks Sam, I appreciate your help, but does that mean that sslscan is not accurate or what?
If they are reporting two different values then I would say that openssl is definitely more reliable. So the problem could be

1) you're running the command incorrectly without proper options for the information you're looking for (see the man page)
2) the command is wrong and has a bug

I've never heard of sslscan, but openssl is an industry-tested application so I would be more inclined to trust it.
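The sslscan line quoted in the question sits under "SSL Certificate:", so it is a field of the server's X.509 certificate, while the s_client line describes the session and its cipher. The following is an added example, not code from the thread or from either tool: it reads the version field out of a DER-encoded certificate, where the stored integer 0 means X.509 v1 and 2 means v3. It assumes sslscan prints that stored integer unchanged; the byte strings are constructed samples, not real certificates.

```python
# Added example: read the X.509 version field from a DER certificate.
# SAMPLE_V1 / SAMPLE_V3 are constructed, truncated structures (not real
# certificates) that contain only what the version lookup touches.

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def x509_version(der):
    """Return (stored_integer, version_label) for a DER Certificate."""
    tag, start, _ = read_tlv(der, 0)           # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, start, _ = read_tlv(der, start)       # TBSCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("no TBSCertificate")
    tag, vstart, _ = read_tlv(der, start)      # first field of TBSCertificate
    if tag != 0xA0:                            # [0] EXPLICIT absent: DEFAULT v1
        return 0, "v1"
    tag, istart, iend = read_tlv(der, vstart)  # INTEGER inside the [0] wrapper
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    raw = int.from_bytes(der[istart:iend], "big")
    return raw, f"v{raw + 1}"

# Constructed: TBSCertificate starts directly with the serial number.
SAMPLE_V1 = bytes.fromhex("30053003020101")
# Constructed: TBSCertificate starts with [0] { INTEGER 2 }, then the serial.
SAMPLE_V3 = bytes.fromhex("300a3008a003020102020101")

if __name__ == "__main__":
    for name, der in (("SAMPLE_V1", SAMPLE_V1), ("SAMPLE_V3", SAMPLE_V3)):
        raw, label = x509_version(der)
        print(f"{name}: stored version field = {raw}, i.e. X.509 {label}")
```
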