TLS1.2 <-> SSLv3 wrapper

Situation: there is a proprietary application that only speaks SSLv3, and the vendor will not fix it. Modern clients refuse SSLv3 outright (POODLE, CVE-2014-3566, the same thing the scan further down flags), so the application needs a TLS front end.

Solution:

  1. make the application listen on 127.0.0.1:4443 (or another loopback-only port), so the SSLv3 leg never leaves the host
  2. socat -v openssl-listen:443,cert=/etc/ssl/our_key_cert.pem,verify=0,reuseaddr,fork ssl:127.0.0.1:4443,verify=0,method=ssl3

The PEM given to cert= holds the wrapper's own certificate and private key, i.e. the certificate clients will see on 443. The two verify=0 mean different things: on the listening side it disables client-certificate checks, on the connecting side it skips verification of the application's (usually self-signed) certificate, which is only acceptable because that leg stays on loopback. ssl: is socat's alias for openssl:, and -v copies the transferred data to stderr, so drop it once the wrapper works.

Disabled SSL3 support

As of 9/2016, Debian builds its OpenSSL with SSLv3 removed (no-ssl3), and the packaged socat is linked against that library, so the wrapper above no longer works: method=ssl3 needs SSLv3 support inside libssl, not just in socat.

I have managed to compile OpenSSL with SSLv3 into a separate prefix, so the system library stays untouched:

./Configure --prefix=/opt/ssl3 linux-x86_64
make && make install

(With OpenSSL 1.1.0 and later, SSLv3 is also switched off at build time by default, so add enable-ssl3 enable-ssl3-method to the Configure line; 1.0.2 still has it enabled.)

and compile socat against it. socat's configure script contains a conditional block that points the build at /sw (the Fink prefix on macOS); the hack is to reuse that block:

change /sw to /opt/ssl3 in configure
negate the condition above, so that the block is taken on Linux
LIBS=-ldl ./configure

LIBS=-ldl is needed because the static libcrypto from /opt/ssl3 uses dlopen() for engine loading. The less invasive route is to leave configure alone and pass the paths in the environment (CPPFLAGS=-I/opt/ssl3/include LDFLAGS=-L/opt/ssl3/lib LIBS=-ldl ./configure). Either way, run ldd on the resulting socat binary to check which libssl, if any, it is actually linked against; it is easy to end up silently back on the system library.

openssl s_client speaks SSLv3 now (/opt/ssl3/bin/openssl s_client -connect xxx:443 -ssl3) and so does the rebuilt socat.

Old ciphersuites only

Next, the following system was encountered during an… eh… network security reconnaissance; this is what nmap's ssl-enum-ciphers script reported:

443/tcp open  Ubiquity Crap
| ssl-enum-ciphers: 
|   SSLv3: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 1024) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 1024) - A
|     compressors: 
| 
|     cipher preference: client
|     warnings: 
|       CBC-mode cipher in SSLv3 (CVE-2014-3566)
|       Ciphersuite uses MD5 for message integrity
|       Weak certificate signature: SHA1
|_  least strength: D
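To reproduce what the scan reports, or to check that the loopback backend from the wrapper section really accepts SSLv3 before putting socat in front of it, the following added example (not code from this page, from nmap or from socat) sends a raw SSLv3 ClientHello offering only the three suites above and decodes the ServerHello or alert that comes back. It uses plain sockets, so it works on a Debian box whose OpenSSL has SSLv3 compiled out. The host and port arguments are placeholders, and the two sample replies at the bottom are constructed for the offline demonstration, not captured from the scanned host.

```python
"""SSLv3 probe: send a raw SSLv3 ClientHello and decode the reply.

Added example, not code from this page, from nmap or from socat. Host and port
are placeholders; SAMPLE_SERVER_HELLO and SAMPLE_ALERT are constructed here
for the offline demonstration, not captured from the scanned box.
"""
import os
import socket
import struct

SSL3_VERSION = b"\x03\x00"

# IANA cipher-suite identifiers of the three suites the scanned host offered.
SUITES = {
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 0x000A,
    "TLS_RSA_WITH_RC4_128_MD5": 0x0004,
    "TLS_RSA_WITH_RC4_128_SHA": 0x0005,
}
SUITE_NAMES = {v: k for k, v in SUITES.items()}
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version"}


def build_client_hello(suite_ids, client_random=None):
    """One SSLv3 record (type 0x16) carrying a ClientHello (type 0x01).

    SSLv3 has no extensions, so the body is just:
    version(2) random(32) session_id_len(1) suites_len(2) suites comp_len(1) comp
    """
    rnd = os.urandom(32) if client_random is None else client_random
    if len(rnd) != 32:
        raise ValueError("client random must be 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in suite_ids)
    body = (SSL3_VERSION + rnd + b"\x00"            # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                          # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + SSL3_VERSION + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Decode the first record of the reply.

    A ServerHello means the server accepted SSLv3 and picked one of the offered
    suites; an alert (handshake_failure / protocol_version) means it refused.
    """
    if len(data) < 5:
        raise ValueError("reply shorter than a record header")
    content_type = data[0]
    record_len = struct.unpack("!H", data[3:5])[0]
    record = data[5:5 + record_len]
    if len(record) < record_len:
        raise ValueError("truncated record")

    if content_type == 0x15:                        # alert record
        if len(record) < 2:
            raise ValueError("truncated alert")
        level, desc = record[0], record[1]
        return {"type": "alert", "level": level, "description": desc,
                "name": ALERT_NAMES.get(desc, str(desc))}

    if content_type != 0x16 or record[0] != 0x02:   # handshake record, ServerHello
        raise ValueError("unexpected reply, content type 0x%02x" % content_type)
    hs_len = int.from_bytes(record[1:4], "big")
    body = record[4:4 + hs_len]
    if len(body) < 35:
        raise ValueError("truncated ServerHello")
    off = 35 + body[34]                             # skip version, random, session id
    if len(body) < off + 3:
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", body[off:off + 2])[0]
    return {"type": "server_hello",
            "version": body[0:2],                   # b"\x03\x00" means SSLv3 accepted
            "cipher_suite": suite,
            "cipher_name": SUITE_NAMES.get(suite, "0x%04x" % suite),
            "compression": body[off + 2]}


def probe(host, port=443, suite_ids=tuple(SUITES.values()), timeout=5.0):
    """Connect, offer the suites over SSLv3, return the decoded first reply record."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(suite_ids))
        data = b""
        while True:                                 # read exactly one full record
            need = 5 if len(data) < 5 else 5 + struct.unpack("!H", data[3:5])[0]
            if len(data) >= need:
                break
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_server_response(data)


# Constructed sample replies for the offline demo (not captured from the scanned host):
# a ServerHello with all-zero random and empty session id picking TLS_RSA_WITH_RC4_128_MD5 ...
_SH_BODY = SSL3_VERSION + bytes(32) + b"\x00" + b"\x00\x04" + b"\x00"
SAMPLE_SERVER_HELLO = (b"\x16" + SSL3_VERSION + struct.pack("!H", 4 + len(_SH_BODY))
                       + b"\x02" + len(_SH_BODY).to_bytes(3, "big") + _SH_BODY)
# ... and a fatal handshake_failure alert, what a host with no suite in common sends back.
SAMPLE_ALERT = b"\x15" + SSL3_VERSION + b"\x00\x02" + b"\x02\x28"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                           # e.g. probe.py 127.0.0.1 4443
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
    else:
        print(parse_server_response(SAMPLE_SERVER_HELLO))
        print(parse_server_response(SAMPLE_ALERT))
```

A "server_hello" with version b'\x03\x00' confirms the box accepts SSLv3 with one of those suites; alert 40 (handshake_failure) means no suite in common, alert 70 (protocol_version) means SSLv3 itself was refused. The probe stops after the first record and never completes the key exchange, so it tells you nothing about the 1024-bit key; nmap's output above already does. Pointed at 127.0.0.1:4443 it is the same check for the loopback backend of the wrapper in the first section.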

The scan says: SSLv3 only, a 1024-bit RSA key with a SHA-1 signature, and nothing but 3DES-CBC and RC4 suites. socat's built-in default cipher string, "HIGH:-NULL:-PSK:-aNULL", excludes RC4 (and, depending on the OpenSSL version, 3DES as well), so the backend handshake fails before any byte is proxied. The cipher string therefore has to be loosened in socat's xio-openssl.c:

   //char *ci_str = "HIGH:-NULL:-PSK:-aNULL";   /* cipher string */
   char *ci_str = "ALL:+NULL";  /* cipher string; "+NULL" only reorders and adds nothing, so this equals "ALL" */

Two caveats. A "+" entry in an OpenSSL cipher string moves matching suites to the end of the list and never adds any, so "ALL:+NULL" is simply "ALL", which is all that is needed here: ALL already contains the RC4 and 3DES suites, and eNULL suites stay out. And recompiling is not actually required: socat's openssl addresses take a cipher=<cipherlist> option that overrides ci_str, so ssl:127.0.0.1:4443,verify=0,method=ssl3,cipher=ALL does the same thing with the stock binary (provided its libssl still has SSLv3). With OpenSSL 1.1.0 or later there is a further snag: RC4 is compiled out unless the library was built with enable-weak-ssl-ciphers, and the default security level rejects the MD5-MAC suite, which @SECLEVEL=0 in the cipher string lifts.