Openssl on [K]Ubuntu and the SSLv2 protocol

While troubleshooting a problem related to TLS/SSLv2/SSLv3, I’ve found out that, for security reasons, all support for SSLv2 was removed from Ubuntu’s openssl package.

See http://security.sunera.com/2011_02_01_archive.html for more information. This is very important when Ubuntu is the OS used for vulnerability scanning: because Ubuntu’s openssl package has no SSLv2 support, it will always give a false negative result for a site that has SSLv2 enabled.

So if you need to check for SSLv2 support and/or run SSLv2 vulnerability scans with Ubuntu as the host OS, download, compile and use the OpenSSL sources.

Just for reference, how to check for each protocol:

TLS -> openssl s_client -tls1 -connect 10.0.0.0:443

SSLv2 -> openssl s_client -ssl2 -connect 10.0.0.0:443

SSLv3 -> openssl s_client -ssl3 -connect 10.0.0.0:443 -showcerts
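
A guard against the false negative described above, as an added example that is not part of the original post: it runs the SSLv2 check and reports the result as inconclusive when the openssl binary itself rejects -ssl2. The function names and the optional second argument (path to a self-compiled openssl) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage: probe_ssl2 HOST:PORT [PATH_TO_OPENSSL]

# Succeeds (status 0) when captured s_client output shows that the client
# rejected the -ssl2 flag as an unknown option, which is what a build
# without SSLv2 support does.
client_lacks_ssl2() {
    printf '%s\n' "$1" | grep -qi 'unknown option.*-ssl2'
}

# Runs the SSLv2 check. Returns 2 when the result cannot be trusted,
# otherwise prints the client output and returns openssl's own exit status.
probe_ssl2() {
    target=$1
    bin=${2:-openssl}   # assumption: optional path to a self-compiled build
    rc=0
    out=$("$bin" s_client -ssl2 -connect "$target" </dev/null 2>&1) || rc=$?
    if client_lacks_ssl2 "$out"; then
        echo "INCONCLUSIVE: $bin cannot speak SSLv2, so a failure says nothing about $target" >&2
        return 2
    fi
    # The client did attempt SSLv2: hand its output to the operator.
    printf '%s\n' "$out"
    return "$rc"
}
```

Status 2 means the scanning host needs an OpenSSL build with SSLv2 enabled before the target can be judged.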
