[unisog] determining versions of SSL

Jordan K Wiens jwiens at nersp.nerdc.ufl.edu
Mon Sep 16 14:24:14 GMT 2002


The openssl command has a mode called s_client that enables it to act as a
generic openssl client, which can be used to do this, for example:

openssl s_client -connect server:port (typically 443 in this case)

For more information, see man s_client on any system with a recent openssl.

Note that the server determines the negotiation of the cipher method, so to
determine exactly what's supported by the server, it may be necessary to
brute force a number of connections with the client only offering
certain cipher and protocol types until you figure out what the server
has enabled and disabled.  I don't know of something that does this
automatically, but it doesn't seem like it would be too difficult.

If I were trying to find servers with SSLv2 enabled, I'd do something like
this:

(this isn't clean or efficient, but you get the idea, and it works)
---------begin-sslcheck.sh---------------
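#!/bin/sh
# Usage: sslcheck.sh host
# First pass: an "errno" line from s_client (e.g. the connection failed)
# is treated as "not running SSLv2".
if echo "GET /" | /usr/bin/openssl s_client -connect "$1:443" -ssl2 -no_ssl3 \
  -no_tls1 2>&1 | grep errno >/dev/null
then
  echo "$1 is not running SSLv2"
else
  #SSL request either failed entirely or it's running v2, let's check.
  # Second pass against the same host: look for the negotiated protocol line.
  if echo "GET /" | /usr/bin/openssl s_client -connect "$1:443" -ssl2 \
    -no_ssl3 -no_tls1 2>&1 | grep "Protocol  : SSLv2" >/dev/null
  then
    echo "$1 is running SSLv2"
  else
    echo "$1 is not running SSLv2"
  fi
fi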
----------end-sslcheck.sh---------------

Note however, this won't enable you to find vulnerable servers, just
potentially vulnerable servers.  There's no way that I know of to find out
whether a server is vulnerable directly without trying the exploit.

-- 
Jordan Wiens
UF Network Incident Response Team
(352)392-2061

On 16 Sep 2002, Russell Fulton wrote:

> Hi,
> 	I have been meaning to ask this for a while, but the worm has now made
> it urgent:  Is there a straightforward means of determining what
> version of SSL a server is running from the network?  Something that
> could be rolled into a perl script and fed nmap output would be ideal.
>
> If it can tell which rpm or deb it was installed from too then I'd be
> made ;-) ;-)
>
>
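
The one-protocol-per-connection probing described in the message, as an added example that is not part of the original post. It goes beyond the SSLv2 case to every protocol flag the local openssl build accepts; the function names and the sample s_client output are constructed for illustration, and the flag list assumes a current openssl (-ssl2 no longer exists there).

```shell
#!/bin/sh
# Added example (not from the original post): offer one protocol version per
# connection and report what the server actually negotiated.

# Read s_client output on stdin; print the negotiated protocol, or "none".
# A failed handshake can still print an SSL-Session block with a Protocol
# line, so a real cipher is required too ("0000" or "(NONE)" means the
# handshake did not complete).
negotiated_protocol() {
  awk '
    /^(New|Reused), / { split($0, f, ", "); hs_proto = f[2]; hs_cipher = $NF }
    /^ *Protocol *:/  { proto = $NF }
    /^ *Cipher *:/    { cipher = $NF }
    END {
      # Fall back to the handshake summary line when no session block exists.
      if (proto == "")  proto = hs_proto
      if (cipher == "") cipher = hs_cipher
      if (proto != "" && proto != "(NONE)" && cipher != "" &&
          cipher != "0000" && cipher != "(NONE)")
        print proto
      else
        print "none"
    }'
}

# probe_protocols HOST [PORT]: one connection per protocol flag.
probe_protocols() {
  host=$1 port=${2:-443}
  for flag in ssl3 tls1 tls1_1 tls1_2 tls1_3; do
    result=$(openssl s_client -connect "$host:$port" "-$flag" </dev/null 2>&1 \
             | negotiated_protocol)
    echo "$host:$port -$flag -> $result"
  done
}

# Constructed samples of s_client output (not captured from a real server).
sample_ok() {
  printf '%s\n' 'CONNECTED(00000003)' 'SSL-Session:' \
    '    Protocol  : TLSv1.2' '    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'
}
sample_failed() {
  printf '%s\n' 'CONNECTED(00000003)' 'New, (NONE), Cipher is (NONE)' \
    'SSL-Session:' '    Protocol  : TLSv1.2' '    Cipher    : 0000'
}

# Run as: sh probe.sh HOST [PORT]  (the script name is a placeholder)
if [ "$#" -gt 0 ]; then probe_protocols "$@"; fi
```

A flag the local openssl build does not support makes s_client print a usage error, which this reports as "none", so a "none" result says the probe did not succeed, not that the server refuses the protocol.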



