WebApp Sec mailing list archives

Re: SSL 2.0 enabled or disabled?


From: Rogan Dawes <discard () dawes za net>
Date: Thu, 20 May 2004 17:10:38 +0200

Of course, if you're going to try it that way, it is easier to write a little script that iterates through the list of ciphers that OpenSSL knows about (openssl ciphers) and then use openssl to connect to the server in question with that specific cipher.

Regards,

Rogan

Dimitris Petropoulos wrote:

Does anyone know of a tool that can scan a web server to determine which version of SSL is being used? nmap? nessus?


This can easily be achieved by simply using a browser, provided that the
browser allows you to define the version of SSL/TLS to use. For example,
in Internet Explorer's Advanced Internet Options one can enable SSL v2
and disable SSL v3 and TLS v1 and try to connect to a website. If the
connection is successful then the web server allows SSL v2. Some
browsers (e.g. Mozilla) go even further and allow you to specify
specific ciphersuites for each SSL/TLS version, making therefore testing
of server SSL/TLS settings easier.


--
Rogan Dawes

*ALL* messages to discard () dawes za net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
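
A sketch of the per-cipher loop suggested in the reply above, as an added example that is not code from the thread. The function names are hypothetical, and it assumes an `openssl` binary on PATH and a server you are responsible for auditing.

```shell
#!/bin/sh
# Added example: list which cipher suites a server accepts, one handshake each.

# Turn the colon-separated output of `openssl ciphers` into one name per line.
split_ciphers() {
    printf '%s\n' "$1" | tr ':' '\n' | sed '/^$/d'
}

# Read `openssl s_client` output on stdin and print the negotiated cipher.
# Prints nothing when the handshake failed ("Cipher is (NONE)").
negotiated_cipher() {
    awk '/Cipher is / && !seen { seen = 1; if ($NF != "(NONE)") print $NF }'
}

# probe_cipher HOST PORT CIPHER: succeed only if the server negotiated exactly
# the cipher offered. Comparing names matters because -cipher does not restrict
# TLS 1.3 suites, so a TLS 1.3 handshake can succeed with a different suite.
probe_cipher() {
    # </dev/null makes s_client exit as soon as the handshake is done
    got=$(openssl s_client -connect "$1:$2" -cipher "$3" </dev/null 2>/dev/null |
          negotiated_cipher)
    [ "$got" = "$3" ]
}

# scan_server HOST PORT: try every cipher the local OpenSSL build knows about.
# Suites that exist only in TLS 1.3 are rejected by -cipher and so never reported.
scan_server() {
    split_ciphers "$(openssl ciphers 'ALL:eNULL')" | while read -r c; do
        if probe_cipher "$1" "$2" "$c"; then
            echo "accepted: $c"
        fi
    done
}

# Scan only when a host was given on the command line; port defaults to 443.
if [ "$#" -ge 1 ]; then
    scan_server "$1" "${2:-443}"
fi
```

Run the file with a host name and an optional port as arguments; each accepted cipher is printed on its own line.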

