How do I use "openssl s_client" to test for (absence of) SSLv3 support?
In order to mitigate the "Poodle" vulnerability, I'd like to disable SSLv3 support in my (in this case, TLS, rather than HTTPS) server. How can I use
openssl s_clientto verify that I've done this?OpenSSL s_client
To check if you have disabled the SSLv3 support, then run the following
openssl s_client -connect example.com:443 -ssl3which should produce something like
3073927320:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1258:SSL alert number 40 3073927320:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:meaning SSLv3 is disabled on the server. Otherwise the connection will established successfully.
Nmap
Alternatively, you can use nmap to scan server for supported version:
# nmap --script ssl-enum-ciphers example.com Starting Nmap 6.47 ( http://nmap.org ) at 2014-10-15 03:19 PDT Nmap scan report for example.com (203.0.113.100) Host is up (0.090s latency). rDNS record for 203.0.113.100: edge.example.com Not shown: 997 filtered ports PORT STATE SERVICE 80/tcp open http 443/tcp open https | ssl-enum-ciphers: | **SSLv3: No supported ciphers found** | TLSv1.0:The openssl command works; I can't get the nmap script to work, though.
Ah. Non-default port. Use `--script +ssl-enum-ciphers`, per http://stackoverflow.com/a/17175548/8446.
What is the output of your nmap command ?
@RogerLipscombe Right, so what's not working there? SSLv3 is not listed, so it's not supported.
It's working fine; I solved it. I'm using a non-standard port, so I have to prefix the script name with '+' to force it to run.
See also this answer to know how to interpret the openssl output: https://security.stackexchange.com/a/169738/60157
License under CC-BY-SA with attribution
Content dated before 6/26/2020 9:53 AM
Roger Lipscombe 6 years ago
The openssl command works; I can't get the nmap script to work, though.