Penetration Testing mailing list archives

Re: How to check for SSL1 ?


From: Thomas Springer <tuevsec () gmx net>
Date: Fri, 30 Sep 2005 09:36:19 +0200

Michael Sierchio wrote:

> I have no idea where you come by your ideas, but SSLv3 is much
> more widely deployed on servers than TLSv1.0.

I don't know how you come by your idea - I do quite a lot of checks and I've seen literally hundreds of TLS1.0 but only two or three SSLv3.

Check it out with your favourite SSL-Client, be it OpenSSL, GnuTLS or something else:

R:\>openssl s_client -connect mail.google.com:443
CONNECTED(00000003)
.... [cert-infos deleted]
---
SSL handshake has read 1765 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
Session-ID: 7DCF431FC3548D1063E1BC71D43708E74ED9ACC05AC46E04610316AF495A09B9

Try any other SSL-enabled Server you know - I had a hard time finding any SSL-Servers that won't offer TLS1.0 first.

Or did I simply miss something?

thomas
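
Added example, not part of the original post: a Python sketch that reads saved `openssl s_client` transcripts and tallies the protocol recorded in the SSL-Session block, since the "New, TLSv1/SSLv3" summary line names both versions. The function names, the SSLv3 and failed-handshake samples, and the treatment of cipher `0000` as "no session" are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample: the s_client fields quoted in the post, trimmed.
SAMPLE_TLS1 = """\
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
"""
# Constructed sample: same transcript with SSLv3 as the session protocol.
SAMPLE_SSL3 = SAMPLE_TLS1.replace("Protocol  : TLSv1", "Protocol  : SSLv3")
# Constructed sample (assumed shape of a failed handshake): a session
# block is still printed, but with the placeholder cipher 0000.
SAMPLE_FAILED = """\
CONNECTED(00000003)
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
"""

_FIELD = re.compile(r"^\s*(Protocol|Cipher)\s*:\s*(\S+)\s*$")

def negotiated(transcript):
    """Return (protocol, cipher) from the SSL-Session block, else None.

    Lines before "SSL-Session:" are skipped, so the summary line that
    names both TLSv1 and SSLv3 never influences the result.
    """
    in_session, found = False, {}
    for line in transcript.splitlines():
        if line.strip() == "SSL-Session:":
            in_session = True
        elif in_session:
            m = _FIELD.match(line)
            if m:
                found.setdefault(m.group(1), m.group(2))
    if "Protocol" not in found or found.get("Cipher") in (None, "0000", "(NONE)"):
        return None
    return found["Protocol"], found["Cipher"]

def tally(transcripts):
    """Count session protocol versions across many saved transcripts."""
    results = [negotiated(t) for t in transcripts]
    return Counter(r[0] if r else "no-session" for r in results)

if __name__ == "__main__":
    print(tally([SAMPLE_TLS1, SAMPLE_SSL3, SAMPLE_FAILED]))
```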
