[unisog] determining versions of SSL
Jordan K Wiens
jwiens at nersp.nerdc.ufl.edu
Mon Sep 16 14:24:14 GMT 2002
The openssl command has a mode called s_client that enables it to act as a
generic openssl client, which can be used to do this, for example:
openssl s_client -connect server:port (typically 443 in this case)
For more information, see man s_client on any system with a recent openssl.
Note that the server determines the negotiation of the cipher method, so to
determine exactly what's supported by the server, it may be necessary to
brute force a number of connections with the client only offering
certainlyl cipher and protocoll types until you figure out what the server
has enabled and disabled. I don't know of something that does this
automatically, but it doesn't seem like it would be too difficult.
If I were trying to find servers with SSLv2 enabled, I'd do something like
(this isn't clean or efficient, but you get the idea, and it works)
if echo "GET /"|/usr/bin/openssl s_client -connect $1:443 -ssl2 -no_ssl3\
-no_tls1 2>&1|grep errno >/dev/null
echo "$1 is not running SSLv2"
#SSL request either failed entirely or it's running v2, let's check.
if echo "GET /"|/usr/bin/openssl s_client -connect localhost:443 -ssl2\
-no_ssl3 -no_tls1 2>&1|grep "Protocol : SSLv2" >/dev/null
echo "$1 is running SSLv2"
echo "$2 is not running SSLv2"
Note however, this won't enable you to find vulnerable servers, just
potentially vulnerable servers. There's no way that I know of to find out
whether a server is vulnerable directly without trying the exploit.
UF Network Incident Response Team
On 16 Sep 2002, Russell Fulton wrote:
> I have been meaning to ask this for a while, but the worm has now made
> it urgent: Is there a straight forward means of determining what
> version of SSL a server is running from the network? Something that
> could be rolled into a perl script and fed nmap output would be ideal.
> If it can tell which rpm or deb it was installed from too then I'd be
> made ;-) ;-)
More information about the unisog