How can I verify that SSLv3 protocol is disabled?

Question

I'm trying to disable SSLv3 in ejabberd 2.1.10 on Ubuntu 12.04. There is no way to disable it in config file, so I have to patch the source and rebuild the package: https://github.com/processone/ejabberd/issues/113

The problem is after patching and installed, how can I verify that SSLv3 protocol is disabled? It is a private server, so I can't use https://xmpp.net/.

I know we can use openssl with -ssl3 option, something like this:

openssl s_client -connect chat.local:5222 -starttls xmpp -ssl3

but the thing is: I cannot disable SSLv3 cipher suites: https://github.com/processone/ejabberd/issues/113#issuecomment-29279707:

Please note that while you can disable SSL version 3, you cannot disable "SSLv3 cipher suites" as there is no such thing, all SSLv3 cipher suites are used also by all TLS versions (TLS 1.1/1.2 just adds some new ones).

so the above command still shows the result:

New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : SSLv3 Cipher : AES256-SHA Session-ID: Session-ID-ctx: Master-Key: D1D474B68F6C4F59ED5E96963F94FAF078A0C5531A7841B1E0E34257925309A96EA2F25F59F65CCD151F05EB75BC935C Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1414072098 Timeout : 7200 (sec) Verify return code: 18 (self signed certificate)

Two questions:

how can a online ssl checker (https://www.ssllabs.com/ssltest/, https://xmpp.net/, ...) can test if SSLv3 protocol is disabled or not?
Is there any risk if SSLv3 protocol is disabled, but SSLv3 cipher suites enabled for some reasons (for e.g OpenSSL on Ubuntu 12.04 disabled TLSv1.2, we have to enable SSLv3 cipher suites to make some monitoring tool worked)?

See also this question.

Question Overflow
– Question Overflow

2014-10-24 04:28:10 +00:00
Commented Oct 24, 2014 at 4:28 — Question Overflow
– Question Overflow, Commented Oct 24, 2014 at 4:28

Steffen Ullrich · Accepted Answer · 2014-10-23 18:04:28Z

18

SSL-Session: Protocol : SSLv3 Cipher : AES256-SHA

Obviously your server still has SSLv3 enabled. If you successfully disabled SSLv3 openssl s_client -ssl3 -connect ... should get something like this:

...SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1260:SSL alert number 40 ...SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596: ... Protocol : SSLv3 Cipher : 0000

The indicator here is that you get no cipher ("0000").

As for the ciphers itself you don't need to make any changes.

edited Oct 23, 2014 at 18:04

answered Oct 23, 2014 at 17:38

Steffen Ullrich

213k30 gold badges423 silver badges495 bronze badges

s_client: Option unknown option -ssl3

B. Shea
– B. Shea

2020-10-18 22:30:38 +00:00
Commented Oct 18, 2020 at 22:30
@bshea: Note that the post is from 2014 whereas now is 2020. Since SSLv3 is considered weak and obsolete for many years it is no longer compiled in by default with modern versions of OpenSSL. You need to use an older version or compile your own with SSLv3 support.

Steffen Ullrich
– Steffen Ullrich

2020-10-19 04:51:19 +00:00
Commented Oct 19, 2020 at 4:51
Yes, I know it's an old answer. But, my point was that your answer for most people is now defunct. Maybe make an edit/note stating as much..

B. Shea
– B. Shea

2020-10-19 13:48:06 +00:00
Commented Oct 19, 2020 at 13:48
@bshea: "... my point was ..." - I wasn't aware of this since you just posted an error message and did not actually make an explicit point. But I think the clear error message in your comment and the explanation in my comment should provide sufficient information, i.e. no additional edits are needed.

Steffen Ullrich
– Steffen Ullrich

2020-10-19 15:04:10 +00:00
Commented Oct 19, 2020 at 15:04
Well, if it was me, I would edit the answer to reflect what you said above. But, that's me. Anyway, enough said..

B. Shea
– B. Shea

2020-10-21 16:18:59 +00:00
Commented Oct 21, 2020 at 16:18

Add a comment |

that guy from over there · Accepted Answer · 2014-10-23 19:01:59Z

just for completeness:

testssl.sh is a nice, console-based tool to check ssl-setups of any ssl/ts - enabled servers, in oposite to ssllabs

k1DBLITZ · Accepted Answer · 2014-10-23 17:56:07Z

Two ways that I know of:

If you have Webinspect, they have a check specifically for this.

The simple way is to uncheck all protocols in IE with the exception of SSLv3 and see if you connect to the website.

enter image description here

+1 for providing a simple method anyone can use easily.

gowenfawr
– gowenfawr

2014-10-23 18:41:41 +00:00
Commented Oct 23, 2014 at 18:41 — gowenfawr
– gowenfawr, Commented Oct 23, 2014 at 18:41

user59338 · Accepted Answer · 2014-10-23 18:40:53Z

Qualys has a nice SSL testing tool that will give you a lot of information about your SSL connection. You can check the SSL version the server supports on the "Protocol" section.

https://www.ssllabs.com/ssltest/

AdamAntium · Accepted Answer · 2014-10-23 19:16:49Z

The nmap script 'ssl-enum-ciphers' is how I manage finding out what versions and ciphers are supported. Command is "nmap -p 443 --script ssl-enum-ciphers "

The output can also be put into a grepable format.

http://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html

Stack Exchange Network

How can I verify that SSLv3 protocol is disabled?

5 Answers 5

You must log in to answer this question.

Linked

Hot Network Questions

How can I verify that SSLv3 protocol is disabled?

5 Answers 5

You must log in to answer this question.

Linked

Related

Hot Network Questions