5

For a demonstration of HTTPS weaknesses, I'd like to enable SSLv3 on one subdomain of my webserver. I use nginx 1.12.2 on Debian 8, and already tried to add the following line

ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;

and then `sudo service nginx restart`, but SSL Labs still shows SSLv3 as disabled (with the clear-cache option).

Apparently the version of openssl I have supports SSLv3 (openssl ciphers -v), so I don't understand why SSLv3 isn't enabled.

Thanks!

zarak
  • what did you put in for the Cipher Suite? – Shawn C. Nov 20 '17 at 15:30
  • 1
    `openssl ciphers -v` only shows cipher support, not protocol support. An SSLv3 marker on a cipher shows only that this cipher is defined for protocols starting with SSLv3, not that your openssl supports SSLv3. – Steffen Ullrich Nov 20 '17 at 16:14

2 Answers

4

Try this command to compare with the SSLLabs result:

openssl s_client -ssl3 -connect yourserver:443

If the handshake is OK, you probably need to configure the ciphers in the NGINX config.

Eugène Adell
  • I get "unknown option -ssl3" – mae Jun 04 '20 at 11:54
  • 2
    @mae You are using a recent version of openssl, or at least one which is not old enough. I can't find exactly when SSL3 support was removed, and it doesn't seem obvious, as others fail to find this too; see [comments here](https://stackoverflow.com/a/27545567/7748072). What I know from my tests is that with version 1.0.2k this option was still available. – Eugène Adell Jun 04 '20 at 15:39
1

With new versions of openssl, the configuration goes the exclusion way. You can use this command to test the SSLv3 protocol:

openssl s_client -connect yourserver:443 -no_tls1_2 -no_tls1_1 -no_tls1

But the best way to ensure which versions of SSL/TLS are working on the remote server is using NMAP:

nmap -sV --script ssl-enum-ciphers -p 443 yourserver

Nmap's output will point you in the right direction, because it lists the working protocol versions and every available cipher.

PORT    STATE SERVICE   VERSION
443/tcp open  ssl/https nginx
|_http-server-header: nginx
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key
|_  least strength: A

Hope that helps
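Both answers above probe the server from the outside, either with openssl s_client pinned to one protocol (`-ssl3`, or `-no_tls1*` on builds where `-ssl3` no longer exists) or with nmap's ssl-enum-ciphers. The script below is an added example, not code from either answer, from nginx or from OpenSSL: it performs the same check at the wire level by sending a ClientHello that offers exactly one protocol version and classifying the server's first record (a ServerHello for that version means it is enabled; an alert or a silently closed connection means it is not). Because it builds the ClientHello itself, it does not depend on the local OpenSSL still having SSLv3 compiled in. The host and port are parameters you supply; the two `SAMPLE_` byte strings are constructed for offline use and were not captured from any real server.

```python
"""Minimal SSL/TLS protocol-version probe (added example, not from the thread).

Sends a ClientHello that offers exactly one protocol version and reports whether
the server answers with a ServerHello for that version or with an alert. This is
the wire-level equivalent of `openssl s_client -ssl3` / `-no_tls1*` and of the
version part of nmap's ssl-enum-ciphers, and it does not need SSLv3 compiled
into the local OpenSSL.
"""
import os
import socket
import struct
import sys

VERSIONS = {"SSLv3": 0x0300, "TLSv1.0": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}
VERSION_NAMES = {code: name for name, code in VERSIONS.items()}

# Cipher suites defined since SSLv3, so the version and not the cipher list is
# what the server can reject (IANA code points: RSA/DHE with AES-CBC and 3DES).
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0033, 0x0039]

# TLS AlertDescription values relevant to a version probe.
ALERTS = {40: "handshake_failure", 47: "illegal_parameter", 70: "protocol_version",
          86: "inappropriate_fallback"}


def build_client_hello(version, client_random=None):
    """Return one TLS record carrying a ClientHello that offers `version` only."""
    if client_random is None:
        client_random = os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (struct.pack("!H", version)            # client_version: the only version offered
            + client_random                       # 32-byte client random
            + b"\x00"                             # session_id length 0
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                        # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type client_hello, 3-byte length
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake   # record type handshake


def parse_server_response(data):
    """Classify the first record the server sent back.

    Returns ("accepted", version name) for a ServerHello, ("rejected", alert name)
    for an alert, ("no_response", None) if the server sent nothing or just closed.
    """
    if len(data) < 5:
        return ("no_response", None)
    content_type, _record_version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if content_type == 0x15 and len(body) >= 2:                      # alert: level, description
        return ("rejected", ALERTS.get(body[1], "alert_%d" % body[1]))
    if content_type == 0x16 and len(body) >= 6 and body[0] == 0x02:  # handshake, ServerHello
        server_version = struct.unpack("!H", body[4:6])[0]           # after type(1) + length(3)
        return ("accepted", VERSION_NAMES.get(server_version, "0x%04x" % server_version))
    return ("unknown", "content_type_%d" % content_type)


def probe(host, port, version, timeout=5.0):
    """Offer `version` to host:port and classify the reply (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version))
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return parse_server_response(data)


def enumerate_versions(host, port=443):
    """Probe every version once. A server that supports the offered version answers
    with that same version; a lower version in the ServerHello means the offered
    one is not enabled but the lower one is."""
    return {name: probe(host, port, code) for name, code in VERSIONS.items()}


# Constructed sample replies for offline use (not captured from a real server):
# a ServerHello negotiating SSLv3 with TLS_RSA_WITH_AES_128_CBC_SHA (0x002F), and
# a protocol_version alert like the one a server without SSLv3 returns.
SAMPLE_SERVER_HELLO_SSLV3 = (b"\x16\x03\x00\x00\x2a" + b"\x02\x00\x00\x26"
                             + b"\x03\x00" + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00")
SAMPLE_ALERT_PROTOCOL_VERSION = b"\x15\x03\x01\x00\x02\x02\x46"


def demo_offline():
    """Parse the constructed samples; returns what a live probe would return."""
    return (parse_server_response(SAMPLE_SERVER_HELLO_SSLV3),
            parse_server_response(SAMPLE_ALERT_PROTOCOL_VERSION))


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # python3 probe.py yourserver [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        for name, (status, detail) in enumerate_versions(sys.argv[1], port).items():
            print("%-8s %-12s %s" % (name, status, detail or ""))
    else:
        print(demo_offline())
```

Run it as `python3 probe.py yourserver` to get one line per version; with no argument it only parses the constructed samples. An nginx whose OpenSSL was built without SSLv3 will answer the SSLv3 ClientHello with an alert (commonly protocol_version or handshake_failure) or close the connection, whatever `ssl_protocols` says, which is exactly the situation in the question; the offered-version check in `enumerate_versions` is also why an "accepted TLSv1.0" reply to an SSLv3 probe must not be read as SSLv3 support.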