[unisog] determining versions of SSL

Jordan K Wiens jwiens at nersp.nerdc.ufl.edu
Mon Sep 16 14:24:14 GMT 2002

The openssl command has a mode called s_client that enables it to act as a
generic openssl client, which can be used to do this, for example:

openssl s_client -connect server:port (typically 443 in this case)

For more information, see man s_client on any system with a recent openssl.

Note that the server determines the negotiation of the cipher method, so to
determine exactly what's supported by the server, it may be necessary to
brute force a number of connections with the client only offering
certain cipher and protocol types until you figure out what the server
has enabled and disabled.  I don't know of something that does this
automatically, but it doesn't seem like it would be too difficult.

If I were trying to find servers with SSLv2 enabled, I'd do something like

(this isn't clean or efficient, but you get the idea, and it works)
# Usage: pass the host to check as the first argument ($1).
if echo "GET /" | /usr/bin/openssl s_client -connect "$1:443" -ssl2 -no_ssl3 \
    -no_tls1 2>&1 | grep errno >/dev/null
then
  echo "$1 is not running SSLv2"
else
  #SSL request either failed entirely or it's running v2, let's check.
  if echo "GET /" | /usr/bin/openssl s_client -connect "$1:443" -ssl2 \
      -no_ssl3 -no_tls1 2>&1 | grep "Protocol  : SSLv2" >/dev/null
  then
    echo "$1 is running SSLv2"
  else
    echo "$1 is not running SSLv2"
  fi
fi

Note however, this won't enable you to find vulnerable servers, just
potentially vulnerable servers.  There's no way that I know of to find out
whether a server is vulnerable directly without trying the exploit.

Jordan Wiens
UF Network Incident Response Team

On 16 Sep 2002, Russell Fulton wrote:

> Hi,
> 	I have been meaning to ask this for a while, but the worm has now made
> it urgent:  Is there a straight forward means of determining what
> version of SSL a server is running from the network?  Something that
> could be rolled into a perl script and fed nmap output would be ideal.
> If it can tell which rpm or deb it was installed from too then I'd be
> made ;-) ;-)
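
The per-protocol enumeration described in the reply above, as an added example that is not part of the original post: it offers one protocol version per connection and classifies the s_client output. The function names (classify, probe, scan) and the sample outputs are constructed for illustration; the version flags other than -ssl2 are s_client options not mentioned in the post, and which of them exist depends on the local openssl build.

```shell
#!/bin/sh
# Added example: enumerate which protocol versions a server accepts by
# offering one version per connection with openssl s_client.

# classify: read s_client output on stdin, print one verdict line:
#   accepted <protocol> <cipher> | refused | client-cannot-offer
classify() {
    out=$(cat)
    # A local openssl built without a protocol rejects the flag itself;
    # that says nothing about the server.
    if printf '%s\n' "$out" | grep -qi 'unknown option'; then
        echo "client-cannot-offer"; return
    fi
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    # A failed handshake can still print a session block with cipher 0000,
    # so a Protocol line alone is not proof of acceptance.
    case "$cipher" in
        ''|0000|'(NONE)') echo "refused" ;;
        *) echo "accepted $proto $cipher" ;;
    esac
}

# probe HOST PORT FLAG: offer a single protocol version, classify the result.
probe() {
    echo "GET /" | openssl s_client -connect "$1:$2" "$3" 2>&1 | classify
}

# scan HOST [PORT]: try each version flag in turn (port defaults to 443).
scan() {
    for flag in -ssl2 -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%s:%s %-8s %s\n' "$1" "${2:-443}" "$flag" \
            "$(probe "$1" "${2:-443}" "$flag")"
    done
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_OK='SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5'
SAMPLE_FAIL='New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'
SAMPLE_NOFLAG='s_client: Option unknown option -ssl2'

# Run a scan only when a host is given on the command line.
if [ $# -ge 1 ]; then scan "$@"; fi
```

A "client-cannot-offer" verdict means the scan has to be repeated from a machine whose openssl still supports that protocol before the server can be called clean.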
