Situation: there is a proprietary application that only supports SSLv3 and the vendor does not care.
Solution:
As of 9/2016, Debian links socat against openssl without SSL3 support. Therefore the above no longer works.
I have managed to compile openssl with SSL3
./Configure --prefix=/opt/ssl3 linux-x86_64
and somehow compile socat with it
change /sw to /opt/ssl3 in configure negate the condition above LIBS=-ldl ./configure
openssl s_client supports ssl3 now (/opt/ssl3/bin/openssl s_client -connect xxx:443 -ssl3) and socat too.
Next, the following system was encountered during an… eh… network security reconnaissance.
443/tcp open Ubiquity Crap | ssl-enum-ciphers: | SSLv3: | ciphers: | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D | TLS_RSA_WITH_RC4_128_MD5 (rsa 1024) - A | TLS_RSA_WITH_RC4_128_SHA (rsa 1024) - A | compressors: | | cipher preference: client | warnings: | CBC-mode cipher in SSLv3 (CVE-2014-3566) | Ciphersuite uses MD5 for message integrity | Weak certificate signature: SHA1 |_ least strength: D
Cipher suites need to be replaced in your socat in xio-openssl.c:
//char *ci_str = "HIGH:-NULL:-PSK:-aNULL"; /* cipher string */ char *ci_str = "ALL:+NULL"; /* cipher string */