user:jenda:ssl3 [2015/06/19 16:21]
jenda
user:jenda:ssl3 [2016/09/28 08:43] (current)
jenda old ciphers
====== TLS1.2 <-> SSLv3 wrapper ======

Situation: there is a proprietary application that only supports SSLv3 and the vendor does not care.

Solution:
  - make the application listen on 127.0.0.1:4443 or something like this
  - socat -v openssl-listen:443,cert=/etc/ssl/our_key_cert.pem,verify=0,reuseaddr,fork ssl:127.0.0.1:4443,verify=0**,method=ssl3**

===== Disabled SSL3 support =====

As of 9/2016, Debian links socat against openssl without SSL3 support. Therefore the above no longer works.

I have managed to compile openssl with SSL3
<code>
./Configure --prefix=/opt/ssl3 linux-x86_64
</code>
and somehow compile socat with it
<code>
change /sw to /opt/ssl3 in configure
negate the condition above
LIBS=-ldl ./configure
</code>
openssl s_client supports ssl3 now (/opt/ssl3/bin/openssl s_client -connect xxx:443 -ssl3) and socat too.

===== Old ciphersuites only =====

Next, the following system was encountered during an... eh... //network security reconnaissance//.

<code>
443/tcp open  Ubiquity Crap
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 1024) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 1024) - A
|     compressors:
|     cipher preference: client
|     warnings:
|       CBC-mode cipher in SSLv3 (CVE-2014-3566)
|       Ciphersuite uses MD5 for message integrity
|       Weak certificate signature: SHA1
|_  least strength: D
</code>

Cipher suites need to be replaced in your socat in xio-openssl.c:
<code c>
   //char *ci_str = "HIGH:-NULL:-PSK:-aNULL";   /* cipher string */
   char *ci_str = "ALL:+NULL";  /* cipher string */
</code>
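As an added example (not from this wiki page or from socat), the Python below parses an ssl-enum-ciphers block like the one above and derives the narrowest OpenSSL cipher string for the socat client side, so the wrapper enables only the three suites the device actually offers instead of ALL:+NULL. The sample text is a trimmed copy of the scan output above, and the IANA-to-OpenSSL name table covers only those three suites.

```python
import re

# Sample input: a trimmed copy of the nmap ssl-enum-ciphers block quoted on
# this page (constructed here for an offline run).
SAMPLE = """\
443/tcp open  Ubiquity Crap
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 1024) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 1024) - A
|     compressors:
|_  least strength: D
"""

# IANA suite name -> OpenSSL cipher name, for the suites seen on this page.
OPENSSL_NAMES = {
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
    "TLS_RSA_WITH_RC4_128_MD5": "RC4-MD5",
    "TLS_RSA_WITH_RC4_128_SHA": "RC4-SHA",
}

PROTO_RE = re.compile(r"^\|\s+(SSLv3|TLSv1\.[0-3]):\s*$")
SUITE_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+) \((\w+) (\d+)\) - ([A-F])\s*$")

def parse_enum_ciphers(text):
    """Return {protocol: [(suite, key_exchange, bits, nmap_grade), ...]}."""
    suites, proto = {}, None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:                      # protocol header, e.g. "|   SSLv3:"
            proto = m.group(1)
            suites[proto] = []
            continue
        m = SUITE_RE.match(line)
        if m and proto:            # cipher line under the current protocol
            suites[proto].append((m.group(1), m.group(2), int(m.group(3)), m.group(4)))
    return suites

def socat_cipher_string(suites):
    """Narrowest OpenSSL cipher string for socat's client side: exactly the suites
    the server offers, so the wrapper does not also enable NULL or other suites."""
    names = [OPENSSL_NAMES[s] for p in suites.values() for s, _, _, _ in p if s in OPENSSL_NAMES]
    return ":".join(dict.fromkeys(names))   # dedupe, keep server order

def needs_legacy_build(suites):
    """True when only SSLv3 is on offer, i.e. a stock socat without SSL3 cannot connect."""
    return set(suites) == {"SSLv3"}
```

The returned string can replace ALL:+NULL in ci_str above, or be passed at run time through socat's cipher= address option instead of patching the source (an alternative the page did not try).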
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 4.0 International