3 min read | by Jordi Prats
To make sure we don't publish an SSL service with vulnerable protocols enabled we can check which protocols the server has enabled using openssl s_client
Depending on the OpenSSL version we have we will have different procotols available. For example, if we are using OpenSSL 1.0.2j we will have the following options for s_client:
-ssl2 - just use SSLv2 -ssl3 - just use SSLv3 -tls1_2 - just use TLSv1.2 -tls1_1 - just use TLSv1.1 -tls1 - just use TLSv1 -dtls1 - just use DTLSv1 On the other hand, if we are using OpenSSL 1.1.1f we will only have:
-tls1 Just use TLSv1 -tls1_1 Just use TLSv1.1 -tls1_2 Just use TLSv1.2 -tls1_3 Just use TLSv1.3 To be able to test a connection for a specific protocol we just need to look at it's output:
$ echo | openssl s_client -connect pet2cattle.com:443 -tls1_1 CONNECTED(00000003) 140063618889024:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 7 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- If we are receiving the server's certificate means that the protocol is enabled
$ echo | openssl s_client -connect pet2cattle.com:443 -tls1_2 CONNECTED(00000003) depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1 verify return:1 depth=1 C = US, O = Let's Encrypt, CN = R3 verify return:1 depth=0 CN = pet2cattle.com verify return:1 --- Certificate chain 0 s:CN = pet2cattle.com i:C = US, O = Let's Encrypt, CN = R3 1 s:C = US, O = Let's Encrypt, CN = R3 i:C = US, O = Internet Security Research Group, CN = ISRG Root X1 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1 i:O = Digital Signature Trust Co., CN = DST Root CA X3 --- Server certificate -----BEGIN CERTIFICATE----- MIIFTDCCBDSgAwIBAgISAwXD7VJX4nuT0D36AAaBjuTBMA0GCSqGSIb3DQEBCwUA MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD EwJSMzAeFw0yMTA2MTIxNzQyNDRaFw0yMTA5MTAxNzQyNDNaMBkxFzAVBgNVBAMT DnBldDJjYXR0bGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA (...) So, we can check for the s_clients output looking for the Server certificate string to tell if the protocol is enabled. We can even make a small oneliner to list all status of the available protocols:
$ for i in $(openssl s_client --help 2>&1 | grep -i "just use" | awk '{ print $1 }' | grep -v dtls); do echo | openssl s_client -connect pet2cattle.com:443 $i 2>&1 | grep "Server certificate" > /dev/null; if [ $? -eq 0 ]; then echo $i ENABLED; else echo $i DISABLED; fi; done -tls1 DISABLED -tls1_1 DISABLED -tls1_2 ENABLED -tls1_3 DISABLED Just by changing the -connect string we can test any server we like:
$ for i in $(openssl s_client --help 2>&1 | grep -i "just use" | awk '{ print $1 }' | grep -v dtls); do echo | openssl s_client -connect google.com:443 $i 2>&1 | grep "Server certificate" > /dev/null; if [ $? -eq 0 ]; then echo $i ENABLED; else echo $i DISABLED; fi; done -tls1 DISABLED -tls1_1 DISABLED -tls1_2 ENABLED -tls1_3 ENABLED Posted on 06/07/2021