LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 11-23-2015, 06:12 PM   #1
aus9
LQ Addict
 
Registered: Oct 2003
Location: Australia
Distribution: MX 17
Posts: 5,298

Rep: Reputation: Disabled
openssl client test help please


Hi

I don't run a server and am aware there a lots of server tests as some show up by searching here.

I have re-compiled openssl v 1.0.2d with configure that included
Code:
./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib \
shared zlib no-ssl2 no-ssl3
I used the internet to find a client test and changed the domain to
---snipped to show what I hope is relevant info

Code:
openssl s_client -connect google.com:443 -ssl3
CONNECTED(00000003)
snip
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 10620 bytes and written 305 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : SSLv3
    Cipher    : ECDHE-RSA-RC4-SHA
    Session-ID: CDA1D2D20450896150CB6958A79956AF6A78F9AA1754A9E82BAA8EBD4D6E1395
    Session-ID-ctx: 
Master-Key: 7BDE9F683FD9E3456E6AB300BC782E2476874D2616C57678289C91DE32AFA26999CB8F3B52328B2E478F39CA7D927DF5
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1448155249
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
My reference was/is
http://chrisburgess.com.au/how-to-te...vulnerability/

which claims
Quote:
SSLv3 Test Using the OpenSSL Client
openssl s_client -connect example.com:443 -ssl3

If it connects you are most likely vulnerable, if it fails it is most likely disabled
####################################
questions if I may?
1) Is this a reasonable client test for openssl?

2) As I attempted to connect using sslv3 why does the output show
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA

3) Does the presence of the cipher show it truly connected using sslv3?
Quote:
Protocol : SSLv3
Cipher : ECDHE-RSA-RC4-SHA
Comments. What I am hoping although I accept I may have failed, is some kind soul might suggest that the connection attempted sslv3 and then decided to use TLSv1

Thanks for reading

gordon

Last edited by aus9; 11-23-2015 at 06:16 PM.
 
Old 11-24-2015, 10:48 AM   #2
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,343
Blog Entries: 36

Rep: Reputation: Disabled
Perhaps this can shed some light?

I get little resemblance from your query of google.com:443 -ssl3
Code:
echo | openssl s_client -connect google.com:443  -ssl3
Output at http://pastie.org/private/hkbc8ugdshilowopgwokg

Last edited by Habitual; 11-24-2015 at 10:53 AM.
 
Old 11-24-2015, 07:11 PM   #3
aus9
LQ Addict
 
Registered: Oct 2003
Location: Australia
Distribution: MX 17
Posts: 5,298

Original Poster
Rep: Reputation: Disabled
Habitual

True but yours still shows.....I snipped out the certificate stuff
Quote:
Protocol : SSLv3
Cipher : ECDHE-RSA-RC4-SHA
Thankyou for your link as it has other links of which I post just one
https://www.rfc-editor.org/rfc/rfc7525.txt

and the text link makes numerous references to ciphers to disable/recommend etc

It appears to be a server rather than a client reference but 4.2. Recommended Cipher Suites looks like I can re-compile to use those ciphers and test later

Quote:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

o TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

o TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

o TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

These cipher suites are supported only in TLS 1.2 because they are
authenticated encryption (AEAD) algorithms [RFC5116].

Typically, in order to prefer these suites, the order of suites needs
to be explicitly configured in server software. (See [BETTERCRYPTO]
for helpful deployment guidelines, but note that its recommendations
differ from the current document in some details.) It would be ideal
if server software implementations were to prefer these suites by
default.
thanks again....post is still not solved as I still don't have an answer to my questions

Last edited by aus9; 11-24-2015 at 07:13 PM.
 
Old 11-24-2015, 07:43 PM   #4
aus9
LQ Addict
 
Registered: Oct 2003
Location: Australia
Distribution: MX 17
Posts: 5,298

Original Poster
Rep: Reputation: Disabled
To anyone

I found a new command to try out as per https://wiki.openssl.org/index.php/M...Ciphers%281%29


Code:
openssl ciphers -ssl3
Error in cipher list
140649614739096:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1372:
If I go back to the old build which was compiled without the no-ssl2 no-ssl3 config I get
Code:
openssl ciphers -ssl3
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DH-RSA-SEED-SHA:DH-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DH-RSA-DES-CBC3-SHA:DH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DH-RSA-DES-CBC-SHA:DH-DSS-DES-CBC-SHA:DES-CBC-SHA
So does this mean that I don't have a cipher for sslv3 and therefore my attempt to connect to a server re-negotiated to TLS?
 
Old 11-25-2015, 05:23 AM   #5
aus9
LQ Addict
 
Registered: Oct 2003
Location: Australia
Distribution: MX 17
Posts: 5,298

Original Poster
Rep: Reputation: Disabled
drat can not delete. sorry

Last edited by aus9; 11-25-2015 at 05:26 AM.
 
Old 11-29-2015, 07:01 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,393
Blog Entries: 55

Rep: Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565
Try
Code:
true|openssl s_client -tls1_2 -servername www.bing.com -connect www.bing.com:443
? Using "ssl3" instead of "-tls1_2" should then result in something like:
Code:
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
(..)
meaning it doesn't do SSLv3 connections.
 
Old 11-30-2015, 01:18 AM   #7
aus9
LQ Addict
 
Registered: Oct 2003
Location: Australia
Distribution: MX 17
Posts: 5,298

Original Poster
Rep: Reputation: Disabled
Hi

Thanks for helping me out. Handshake and cipher seen for TLS command as expected
Code:
true|openssl s_client -tls1_2 -servername www.bing.com -connect www.bing.com:443
snip
SSL handshake has read 4151 bytes and written 553 bytes
snip
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384

########################################################################
# now try out sslv3

true|openssl s_client -ssl3 -servername www.bing.com -connect www.bing.com:443
# no snip for full test
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1448863735
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
to my eyesight.....I was mislead by the link in the first post claiming if you connect you are likely to be vulnerable

Instead if handshake shows zero bytes and no cipher shows up for sslv3 then that is a good result for my client test.

I will mark this as solved unless I have over looked something.

unSpawn no need to reply now unless you feel I am wrong again



No matter what, thankyou very much for taking time out to help me out
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Test driving NVIDIA GRID Workspace (Windows client). Linux client is in the works LXer Syndicated Linux News 0 05-24-2014 07:10 AM
LXer: Test Sites for Heartbleed OpenSSL Vulnerability LXer Syndicated Linux News 0 04-09-2014 02:00 PM
Openssl client through proxy thirumalesh Programming 1 05-23-2011 01:36 PM
[SOLVED] OpenSSL: Signing Client Certificate - Help Needed peridian Linux - Security 2 02-20-2011 08:32 AM
Server and Client process using Openssl: Error: no client certificate available lokesh_c2004 Linux - Security 2 11-10-2008 09:30 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 06:56 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration