0

How can I identify the versions (TLSv1.2, TLSv1.1, TLSv1.0, SSLv3, etc.) supported in OpenSSL 1.1.0g when I manually compile it from its source (NOT the one shipped with the OS like Ubuntu) without explicitly disabling any version in the compilation?

Q: Is SSLv3 supported by default in OpenSSL 1.1.0g? How can I know this?

user9371654
  • you mean like `openssl ciphers -s`? https://www.openssl.org/docs/man1.1.0/apps/ciphers.html – schroeder Oct 03 '18 at 11:13
  • No I mean versions (TLSv1.2, TLSv1.1, TLSv1.0, SSLv3, etc.) not ciphers. – user9371654 Oct 03 '18 at 11:15
  • check out my link above – schroeder Oct 03 '18 at 11:16
  • @schroeder: the list of ciphersuites supported does NOT tell you the protocol versions supported. Steffen's answer is correct. Also crossdupe https://stackoverflow.com/questions/27430158/list-supported-ssl-tls-versions-for-a-specific-openssl-build – dave_thompson_085 Oct 04 '18 at 02:50
  • @dave_thompson_085 so the list of protocol versions in the link, what's that? – schroeder Oct 04 '18 at 08:03
  • @schroeder the ciphersuite versions are different from the negotiated versions. So a client can support SSLv3 ciphersuites (AES128_SHA) but not negotiate the protocol version SSLv3 as a protocol. – user9371654 Oct 04 '18 at 09:52

1 Answer

3

The test program `openssl s_server` has several options to choose the SSL/TLS version, i.e. `-ssl2`, `-ssl3`, `-tls1`, `-tls1_1`, .... Starting with OpenSSL 1.1.0 the usage `openssl s_server -help` shows all actually supported options, i.e. `-ssl3` is only shown if SSLv3 is actually supported.
With earlier versions of OpenSSL the usage might show versions which were not actually supported, but an attempt to actually use these resulted in an error.

Q: Is SSLv3 supported by default in OpenSSL 1.1.0g? How can I know this?

Since you compile it from source you can just look at the output from config:

$ ./config
...
Configuring OpenSSL version 1.1.0g-dev (0x10100070L)
...
    no-ssl3         [default]  OPENSSL_NO_SSL3

Thus, it looks like SSLv3 is disabled by default.

Steffen Ullrich
  • I did `openssl s_server -help` and I get option: `-no_ssl3`. Does this mean ssl3 is supported? At the same time, there is no option to just talk ssl3, while there are options to just talk tls1, tls1_1, etc. Is there any reliable way through which I know which versions are supported by default? Unfortunately it is difficult to know as ssl3 is not supported by many servers to test connecting to them, and TLS does send the max. version so it's hard to tell the min. – user9371654 Oct 03 '18 at 12:25
  • @user9371654: The `-no_ssl3` etc options are not relevant for this. If you don't have a `-ssl3` option then you don't have support for SSLv3. – Steffen Ullrich Oct 03 '18 at 12:29
  • If I have it already installed in my system, can I run the ./config to check that I am having it disabled without affecting anything? – user9371654 Oct 03 '18 at 12:35
  • It is working with me & I do not want to recompile or reconfigure it. I have made custom configurations before. Will ./config restore the default? Not sure the ./config will perform anything that changes my current installation? Sorry, but I'm not a Linux user. – user9371654 Oct 03 '18 at 12:46
  • @user9371654: I'm not sure what your problem is. You asked if SSLv3 is supported by default and I've shown you the output of `./config` which clearly says it is disabled by default. There is no need to run `./config` yourself unless you want to see how this behaves with a different version of OpenSSL. If you just want to know if SSLv3 is supported by your current installation see if `openssl s_server` supports the `-ssl3` option. – Steffen Ullrich Oct 03 '18 at 13:57
  • If I run the command ./configure will this override any previous configurations I have made before I compile OpenSSL? I need to know because I executed ./config as you posted. If this is the case (i.e. it will override previous configurations), then I need to recompile the library, right? because as I said I made custom configurations before I install it previously. – user9371654 Oct 03 '18 at 18:39
  • @user9371654: running `config` prepares everything for compiling. It does not change anything on the existing build but only affects newly compiled builds. – Steffen Ullrich Oct 03 '18 at 18:50
  • For completeness, below 1.1.0 there isn't an actual `-help` option, but any invalid option gives the usage message -- including `-help` or `-zowie` or `-????????` – dave_thompson_085 Oct 04 '18 at 02:52
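
The check described in the answer and its comments (a protocol version is supported only if its "just talk" option such as `-ssl3` appears in the `openssl s_server -help` usage, while `-no_ssl3` says nothing), written out as an added example that is not part of the original posts. It applies to OpenSSL 1.1.0 and later, where the usage lists only supported options; the function names and the sample usage text are assumptions made for this example.

```shell
#!/bin/sh
# Added example: read `openssl s_server -help` text on stdin and report, per
# protocol, whether the "just talk this version" option is listed.
# Function names and the sample text below are assumptions for illustration.

PROTOCOL_FLAGS="ssl3 tls1 tls1_1 tls1_2 tls1_3"

supported_protocols() {
    help_text=$(cat)
    result=""
    for flag in $PROTOCOL_FLAGS; do
        # Anchor on the option name at the start of the line, so that
        # "-no_ssl3" is never counted as "-ssl3" and "-tls1_1" never as "-tls1".
        if printf '%s\n' "$help_text" |
            grep -Eq "^[[:space:]]*-${flag}([[:space:]]|\$)"; then
            result="$result $flag=yes"
        else
            result="$result $flag=no"
        fi
    done
    printf '%s\n' "${result# }"
}

# Constructed sample, shaped like the usage of a build configured with no-ssl3.
sample_help() {
    cat <<'EOF'
Usage: s_server [options]
 -no_ssl3       Just disable SSLv3
 -no_tls1       Just disable TLSv1
 -tls1          Just talk TLSv1
 -tls1_1        Just talk TLSv1.1
 -tls1_2        Just talk TLSv1.2
EOF
}

sample_help | supported_protocols

# Against the installed binary (the usage text may go to stderr, hence 2>&1).
if command -v openssl >/dev/null 2>&1; then
    openssl s_server -help 2>&1 | supported_protocols
fi
```

Printing the usage does not start a server or touch the installation, so this is safe to run against a build that is already in use.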