Penetration Testing mailing list archives
Re: How to check for SSL1 ?
From: Thomas Springer <tuevsec () gmx net>
Date: Fri, 30 Sep 2005 09:36:19 +0200
Michael Sierchio wrote:
I have no idea where you come by your ideas, but SSLv3 is much more widely deployed on servers than TLSv1.0.
I don't know how you come by your idea - I do quite a lot of checks and I've seen literally hundreds of TLS1.0 but only two or three SSLv3.
Check it out with your favourite SSL-Client, be it OpenSSL, GnuTLS or something else:
R:\>openssl s_client -connect mail.google.com:443
CONNECTED(00000003)
....
[cert-infos deleted]
---
SSL handshake has read 1765 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1
    Cipher : AES256-SHA
    Session-ID: 7DCF431FC3548D1063E1BC71D43708E74ED9ACC05AC46E04610316AF495A09B9
Try any other SSL-enabled Server you know - I had a hard time finding any SSL-Servers that won't offer TLS1.0 first.
Or did I simply miss something?

thomas
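An added example, not part of the original post: a small Python parser for `openssl s_client` output that reads the negotiated version from the `Protocol` field of the `SSL-Session` block, not from the `New, TLSv1/SSLv3, Cipher is ...` line, which only names the cipher's protocol family. The function name, the `LEGACY` set and the failed-handshake sample are assumptions constructed for illustration.

```python
import re

# Constructed sample: the s_client output quoted in the post, cert info trimmed.
SAMPLE_OK = """\
CONNECTED(00000003)
---
SSL handshake has read 1765 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
"""

# Constructed sample: typical shape of the output when the handshake fails.
SAMPLE_FAIL = """\
CONNECTED(00000003)
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
"""

FIELD = re.compile(r"^\s*(Protocol|Cipher)\s*:\s*(\S+)\s*$")
LEGACY = {"SSLv2", "SSLv3"}  # versions an audit would flag (assumption)

def parse_s_client(text):
    """Return (protocol, cipher, is_legacy), or None if no session was negotiated."""
    fields, in_session = {}, False
    for line in text.splitlines():
        if line.strip() == "SSL-Session:":
            in_session = True  # only trust fields inside the session block
            continue
        if in_session:
            m = FIELD.match(line)
            if m:
                fields.setdefault(m.group(1), m.group(2))
    proto, cipher = fields.get("Protocol"), fields.get("Cipher")
    # A failed handshake still prints a session block, with a null cipher.
    if not proto or cipher in (None, "0000", "(NONE)"):
        return None
    return proto, cipher, proto in LEGACY

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("fail", SAMPLE_FAIL)):
        print(name, parse_s_client(sample))
```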