How can I verify that SSLv3 protocol is disabled?

Question

I'm trying to disable SSLv3 in ejabberd 2.1.10 on Ubuntu 12.04. There is no way to disable it in config file, so I have to patch the source and rebuild the package: https://github.com/processone/ejabberd/issues/113

The problem is after patching and installed, how can I verify that SSLv3 protocol is disabled? It is a private server, so I can't use https://xmpp.net/.

I know we can use openssl with -ssl3 option, something like this:

openssl s_client -connect chat.local:5222 -starttls xmpp -ssl3

but the thing is: I cannot disable SSLv3 cipher suites: https://github.com/processone/ejabberd/issues/113#issuecomment-29279707:

Please note that while you can disable SSL version 3, you cannot disable "SSLv3 cipher suites" as there is no such thing, all SSLv3 cipher suites are used also by all TLS versions (TLS 1.1/1.2 just adds some new ones).

so the above command still shows the result:

New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: D1D474B68F6C4F59ED5E96963F94FAF078A0C5531A7841B1E0E34257925309A96EA2F25F59F65CCD151F05EB75BC935C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1414072098
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)

Two questions:

how can a online ssl checker (https://www.ssllabs.com/ssltest/, https://xmpp.net/, ...) can test if SSLv3 protocol is disabled or not?
Is there any risk if SSLv3 protocol is disabled, but SSLv3 cipher suites enabled for some reasons (for e.g OpenSSL on Ubuntu 12.04 disabled TLSv1.2, we have to enable SSLv3 cipher suites to make some monitoring tool worked)?

See also [this question](http://security.stackexchange.com/q/70940/9312). — Question Overflow, Oct 24 '14 at 04:28

Steffen Ullrich · Accepted Answer · 2014-10-23T18:04:28.543

18

SSL-Session:
   Protocol  : SSLv3
   Cipher    : AES256-SHA

Obviously your server still has SSLv3 enabled. If you successfully disabled SSLv3 openssl s_client -ssl3 -connect ... should get something like this:

...SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1260:SSL alert number 40
...SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
...
Protocol  : SSLv3
Cipher    : 0000

The indicator here is that you get no cipher ("0000").

As for the ciphers itself you don't need to make any changes.

edited Oct 23 '14 at 18:04

answered Oct 23 '14 at 17:38

Steffen Ullrich

184,332
29
363
424

`s_client: Option unknown option -ssl3` – B. Shea Oct 18 '20 at 22:30
@bshea: Note that the post is from 2014 whereas now is 2020. Since SSLv3 is considered weak and obsolete for many years it is no longer compiled in by default with modern versions of OpenSSL. You need to use an older version or compile your own with SSLv3 support. – Steffen Ullrich Oct 19 '20 at 04:51
Yes, I know it's an old answer. But, my point was that your answer for most people is now defunct. Maybe make an edit/note stating as much.. – B. Shea Oct 19 '20 at 13:48
@bshea: *"... my point was ..."* - I wasn't aware of this since you just posted an error message and did not actually make an explicit point. But I think the clear error message in your comment and the explanation in my comment should provide sufficient information, i.e. no additional edits are needed. – Steffen Ullrich Oct 19 '20 at 15:04
Well, if it was me, I would edit the answer to reflect what you said above. But, that's me. Anyway, enough said.. – B. Shea Oct 21 '20 at 16:18

score 12 · Answer 2 · answered Oct 23 '14 at 19:01

12

just for completeness:

testssl.sh is a nice, console-based tool to check ssl-setups of any ssl/ts - enabled servers, in oposite to ssllabs

answered Oct 23 '14 at 19:01

that guy from over there

3,476
17
26

score 7 · Answer 3 · answered Oct 23 '14 at 17:56

7

Two ways that I know of:

If you have Webinspect, they have a check specifically for this.

The simple way is to uncheck all protocols in IE with the exception of SSLv3 and see if you connect to the website.

enter image description here

answered Oct 23 '14 at 17:56

k1DBLITZ

3,933
14
20

+1 for providing a simple method anyone can use easily. – gowenfawr Oct 23 '14 at 18:41

score 7 · Answer 4 · answered Oct 23 '14 at 18:40

Qualys has a nice SSL testing tool that will give you a lot of information about your SSL connection. You can check the SSL version the server supports on the "Protocol" section.

https://www.ssllabs.com/ssltest/

score 2 · Answer 5 · answered Oct 23 '14 at 19:16

The nmap script 'ssl-enum-ciphers' is how I manage finding out what versions and ciphers are supported. Command is "nmap -p 443 --script ssl-enum-ciphers "

The output can also be put into a grepable format.

http://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html

How can I verify that SSLv3 protocol is disabled?

5 Answers5

Linked

Related