How do I use "openssl s_client" to test for (absence of) SSLv3 support?

OpenSSL s_client

To check whether you have disabled SSLv3 support, run the following:

openssl s_client -connect example.com:443 -ssl3

which should produce something like

3073927320:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1258:SSL alert number 40
3073927320:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:

meaning SSLv3 is disabled on the server. Otherwise the connection will be established successfully.

Nmap

Alternatively, you can use nmap to scan the server for supported versions:

# nmap --script ssl-enum-ciphers example.com
Starting Nmap 6.47 ( http://nmap.org ) at 2014-10-15 03:19 PDT
Nmap scan report for example.com (203.0.113.100)
Host is up (0.090s latency).
rDNS record for 203.0.113.100: edge.example.com
Not shown: 997 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
| ssl-enum-ciphers: 
|   **SSLv3: No supported ciphers found**
|   TLSv1.0: 

On a side note, you can use nmap with the ssl-enum-ciphers script as follows:

nmap --script ssl-enum-ciphers -p 443 example.com

You will get a response like this.

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   SSLv3: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.1: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|     compressors: 
|       NULL
|_  least strength: strong

As you can see, it lists all the supported versions of SSL/TLS as well as the cipher suites.


I created this test for the availability of the SSLv3 protocol. There is probably a better way to search for a string that also shows that CBC ciphers are in use, but most people just seem to want to know if SSLv3 is available at all.

A few things to note:

  • Written for bash on Mac OS X, so I can't say for sure it will work everywhere
  • Uses gtimeout vs. timeout since Mac is weird about those core utils
  • allexternal.txt is a file with one hostname or IP per line

script:

for ip in $(awk '{print $1}' < allexternal.txt); do
    # </dev/null closes s_client's stdin so it exits right after the handshake;
    # stderr is silenced because a refused SSLv3 handshake prints its alert there
    if gtimeout 30 openssl s_client -connect "$ip:443" -ssl3 </dev/null 2>/dev/null | grep -q 'Protocol  : SSLv3'; then
        echo "$ip SSLv3 detected" >> sslv3output
    else
        echo "$ip SSLv3 NOT detected" >> sslv3output
    fi
done
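A raw-protocol version of the s_client check from the first answer, added here as an example and not part of any of the answers above: it sends an SSLv3 ClientHello and classifies the server's first record the same way s_client's "SSL alert number 40" output does (alert description 40 is handshake_failure). The host name and the cipher suite ids are assumed values chosen for the example; only probe() needs a live host, the builder and classifier run offline.

```python
# Added example: SSLv3 probe in the spirit of `openssl s_client -ssl3`.
import os
import socket
import struct

SSLV3 = (3, 0)  # SSLv3 is version 3.0 on the wire; TLS 1.0 is 3.1
# Assumed suites (IANA ids): RSA_WITH_3DES_EDE_CBC_SHA, RSA_WITH_AES_128_CBC_SHA,
# RSA_WITH_RC4_128_SHA; enough for an SSLv3-era server to pick one of them.
CIPHERS = [0x000A, 0x002F, 0x0005]


def build_sslv3_client_hello(cipher_ids=CIPHERS, random_bytes=None):
    """Return one TLS record carrying an SSLv3 ClientHello."""
    rnd = random_bytes if random_bytes is not None else os.urandom(32)
    suites = b"".join(struct.pack("!H", c) for c in cipher_ids)
    body = (struct.pack("!BB", *SSLV3) + rnd          # client_version + random
            + b"\x00"                                  # empty session id
            + struct.pack("!H", len(suites)) + suites  # cipher_suites
            + b"\x01\x00")                             # one compressor: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    header = b"\x16" + struct.pack("!BB", *SSLV3) + struct.pack("!H", len(handshake))
    return header + handshake


def classify_server_response(data):
    """Map the server's first record to sslv3_enabled / sslv3_disabled / unknown."""
    if len(data) < 5:
        return "unknown"
    content_type = data[0]
    if content_type == 0x15 and len(data) >= 7:      # alert record: level, description
        desc = data[6]
        # 40 = handshake_failure (the alert s_client reports), 70 = protocol_version
        return "sslv3_disabled" if desc in (40, 70) else "unknown"
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:   # ServerHello
        # bytes 9-10 are server_version; 03 00 means the server accepted SSLv3
        return "sslv3_enabled" if (data[9], data[10]) == SSLV3 else "unknown"
    return "unknown"


def probe(host, port=443, timeout=10):
    """Send the ClientHello to a live host; an abrupt close also counts as disabled."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv3_client_hello())
        data = s.recv(4096)
    return "sslv3_disabled" if not data else classify_server_response(data)


if __name__ == "__main__":
    print(probe("example.com"))  # assumed host; replace with the server under test
```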
