[Pkg-openssl-devel] Bug#765565: openssl: don't completely disable ssl3/2 but rather just don't use it
Robin Bailey
robin at rbsec.net
Fri Oct 17 15:47:57 UTC 2014
Is it just s_client that doesn't support SSLv3 for you, or is it
everything? SSLv3 seems to be disabled in s_client (the -ssl3 switch is no
longer accepted), but doesn't actually seem to be disabled in the library.
I built sslscan (https://github.com/rbsec/sslscan) against the latest
OpenSSL on a Debian sid system and although I got warnings
that OPENSSL_NO_SSL3 was set, it still connected fine using SSLv3 servers.
$ cat sslscan.c
<...>
#ifdef OPENSSL_NO_SSL3
/* Only a build-time header check: warns, but does not stop SSLv3 use. */
printf("\t\t%sOpenSSL version does not support SSLv3%s\n", COL_RED, RESET);
printf("\t\t%sSSLv3 ciphers will not be detected%s\n", COL_RED, RESET);
#endif
<...>
$ make
gcc -Wall -L/usr/local/ssl/lib/ sslscan.c -I/usr/local/ssl/include/ -I/usr/local/ssl/include/openssl/ -lssl -lcrypto -o sslscan
$ ./sslscan --no-heartbleed --no-renegotiation --no-compression --ssl3 <target>
Version: 1.9.6-rbsec
OpenSSL 1.0.1j 15 Oct 2014
OpenSSL version does not support SSLv2
SSLv2 ciphers will not be detected
OpenSSL version does not support SSLv3
SSLv3 ciphers will not be detected
Testing SSL server <target> on port 443
Supported Server Cipher(s):
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 112 bits DES-CBC3-SHA
$ dpkg -l
<...>
ii openssl 1.0.1j-1 amd64
Secure Sockets Layer toolkit - cryptographic utility
ii libssl-dev:amd64 1.0.1j-1 amd64
Secure Sockets Layer toolkit - development files
$ /usr/bin/openssl version
OpenSSL 1.0.1j 15 Oct 2014
Am I doing something stupid here, or is the fix for CVE-2014-3568
incomplete?
~rbsec