Hi
I don't run a server and am aware there are lots of server tests, as some show up by searching here.
I have re-compiled openssl v 1.0.2d with configure that included
Code:
./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib \
shared zlib no-ssl2 no-ssl3
I used the internet to find a client test and changed the domain to
---snipped to show what I hope is relevant info
Code:
openssl s_client -connect google.com:443 -ssl3
CONNECTED(00000003)
snip
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 10620 bytes and written 305 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : SSLv3
Cipher : ECDHE-RSA-RC4-SHA
Session-ID: CDA1D2D20450896150CB6958A79956AF6A78F9AA1754A9E82BAA8EBD4D6E1395
Session-ID-ctx:
Master-Key: 7BDE9F683FD9E3456E6AB300BC782E2476874D2616C57678289C91DE32AFA26999CB8F3B52328B2E478F39CA7D927DF5
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1448155249
Timeout : 7200 (sec)
Verify return code: 0 (ok)
My reference was/is
http://chrisburgess.com.au/how-to-te...vulnerability/
which claims
Quote:
SSLv3 Test Using the OpenSSL Client
openssl s_client -connect example.com:443 -ssl3
If it connects you are most likely vulnerable, if it fails it is most likely disabled
####################################
Questions, if I may?
1) Is this a reasonable client test for openssl?
2) As I attempted to connect using sslv3 why does the output show
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
3) Does the presence of the cipher show it truly connected using sslv3?
Quote:
Protocol : SSLv3
Cipher : ECDHE-RSA-RC4-SHA
Comments. What I am hoping, although I accept I may have failed, is that some kind soul might suggest that the connection attempted sslv3 and then decided to use TLSv1.
Thanks for reading
gordon
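Added example, not part of the original post: a Python parser for `openssl s_client` output that separates the `New, ..., Cipher is` line (which names the cipher suite's version family) from the `Protocol` line in the `SSL-Session` block (which names the version negotiated). It assumes the OpenSSL 1.0.x output layout; the function names are hypothetical and the `REFUSED` sample is constructed.

```python
import re

# Lines copied from the s_client output in the post above.
SAMPLE = """\
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : ECDHE-RSA-RC4-SHA
"""

# Constructed sample: in OpenSSL 1.0.x a refused handshake still prints a
# session block, with the requested protocol and a null cipher.
REFUSED = """\
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
"""

def parse_s_client(text):
    """Pull out the lines that say what was actually negotiated."""
    out = {"cipher_family": None, "protocol": None, "cipher": None}
    m = re.search(r"^(?:New|Reused), ([^,]+), Cipher is", text, re.M)
    if m:
        # Version family the cipher suite belongs to, not the protocol
        # negotiated on this connection.
        out["cipher_family"] = m.group(1)
    block = text.split("SSL-Session:", 1)
    if len(block) == 2:
        for key in ("Protocol", "Cipher"):
            m = re.search(r"^\s*%s\s*:\s*(\S+)" % key, block[1], re.M)
            if m:
                out[key.lower()] = m.group(1)
    return out

def assess(text):
    """Return short findings for one s_client transcript."""
    info = parse_s_client(text)
    if info["protocol"] is None or info["cipher"] in (None, "0000", "(NONE)"):
        return ["handshake did not complete"]
    notes = ["negotiated " + info["protocol"] + " with " + info["cipher"]]
    if info["protocol"] in ("SSLv2", "SSLv3"):
        notes.append("peer accepted deprecated " + info["protocol"])
    if "RC4" in info["cipher"]:
        notes.append("RC4 cipher suite selected")
    return notes

if __name__ == "__main__":
    for name, text in (("post", SAMPLE), ("refused", REFUSED)):
        print(name, parse_s_client(text)["cipher_family"], assess(text))
```

The check keys on the `Cipher` value rather than on `CONNECTED`, because the TCP connection succeeds even when the TLS handshake is refused.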