WebApp Sec mailing list archives
RE: SSL 2.0 enabled or disabled?
From: "Dimitris Petropoulos" <D.Petropoulos () encode-sec com>
Date: Thu, 20 May 2004 19:34:14 +0300
Dear Rogan,
> Of course, if you're going to try it that way, it is easier to write a little script that iterates through the list of ciphers that OpenSSL knows about (openssl ciphers) and then use openssl to connect to the server in question with that specific cipher.
Yes, that's even better if you want automation. However, there are cases where this might not always provide accurate results: some sites that require strong SSL/TLS ciphersuites will allow you to connect using a weak ciphersuite only to send you to a help/error page informing you that the SSL/TLS ciphersuite you used to connect was not strong enough to allow you access (a better practice than dropping the connection without any explanation)...

In technical terms, in those cases the client and the server will exchange ChangeCipherSpec messages and the client will send the HTTP request encrypted under the weak ciphersuite session key, to which the server will probably reply with a 403 message, rather than sending an SSL/TLS alert (with insufficient_security or handshake_failure alert description) during the handshake phase, which would seem the normal reply to the client since the ciphersuite is not amongst the supported ones. Therefore, the fact that you may successfully establish a weak ciphersuite SSL/TLS connection to a website may not always be conclusive; you might need to parse the HTTP reply in order to be sure (that's why -in my opinion- a browser is preferable).

Best regards,
-----------------------
Dimitrios Petropoulos
MSc InfoSec, CISSP
Director, Security Research & Development
ENCODE S.A.
3, R.Melodou Str
151 25 Maroussi
Athens, Greece
Tel: +30210-6178410
Fax: +30210-6109579
web: www.encode-sec.com
------------------------
******************************************************************
Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of ENCODE S.A.
******************************************************************
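The check described in the reply above, as an added example that is not part of the original post: offer a single ciphersuite, then classify the result from the HTTP status line instead of treating a completed handshake as proof of support. The function names, verdict strings and sample replies are assumptions constructed for illustration.

```python
import socket
import ssl

def classify(handshake_ok, http_reply=b""):
    """Turn one probe result into a verdict; a finished handshake alone proves nothing."""
    if not handshake_ok:
        return "rejected-in-handshake"
    parts = http_reply.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return "inconclusive"
    code = int(parts[1])
    if 200 <= code < 300:
        return "accepted"
    if 300 <= code < 400:
        return "redirected"           # may point at the help page; inspect Location
    return "refused-at-http" if code >= 400 else "inconclusive"

def local_ciphers():
    """Names of the pre-TLS-1.3 suites the local OpenSSL build can offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL:@SECLEVEL=0")
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def probe(host, cipher, port=443, timeout=5.0):
    """Offer exactly one suite (a name from local_ciphers()), then read the HTTP reply."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # cipher policy is under test, not the certificate
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # set_ciphers() does not cover TLS 1.3
    ctx.set_ciphers(cipher + ":@SECLEVEL=0")
    request = b"GET / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(request)
                reply = tls.recv(4096)
    except ssl.SSLError:
        return classify(False)        # alert such as handshake_failure
    except OSError:
        return "inconclusive"         # reset, timeout or DNS failure
    return classify(True, reply)

# Constructed replies, not captured from any real server.
SAMPLES = {
    "weak suite, error page": (True, b"HTTP/1.1 403 Forbidden\r\n\r\nCipher too weak"),
    "weak suite, served": (True, b"HTTP/1.1 200 OK\r\n\r\n<html>"),
    "alert in handshake": (False, b""),
}

if __name__ == "__main__":
    for label, (ok, reply) in SAMPLES.items():
        print(label, "->", classify(ok, reply))
```

A `redirected` verdict still needs a manual look at where the redirect leads, since the help page the reply mentions may be served that way.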