ssl3 [2016-09-28 08:43:38] (current)
====== TLS1.2 <-> SSLv3 wrapper ======

Situation: there is a proprietary application that only supports SSLv3 and the vendor does not care.

Solution:
  - make the application listen to 127.0.0.1:4443 or something like this
  - socat -v openssl-listen:443,cert=/etc/ssl/our_key_cert.pem,verify=0,reuseaddr,fork ssl:127.0.0.1:4443,verify=0**,method=ssl3**

===== Disabled SSL3 support =====

As of 9/2016, Debian links socat against openssl without SSL3 support. Therefore the above no longer works.

I have managed to compile openssl with SSL3
<code>
./Configure --prefix=/opt/ssl3 linux-x86_64
</code>
and somehow compile socat with it
<code>
change /sw to /opt/ssl3 in configure
negate the condition above
LIBS=-ldl ./configure
</code>
openssl s_client supports ssl3 now (/opt/ssl3/bin/openssl s_client -connect xxx:443 -ssl3) and socat too.

===== Old ciphersuites only =====

Next, the following system was encountered during an... eh... //network security reconnaissance//.

<code>
443/tcp open Ubiquity Crap
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 1024) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 1024) - A
|     compressors:
|
|     cipher preference: client
|     warnings:
|       CBC-mode cipher in SSLv3 (CVE-2014-3566)
|       Ciphersuite uses MD5 for message integrity
|       Weak certificate signature: SHA1
|_  least strength: D
</code>

Cipher suites need to be replaced in your socat in xio-openssl.c:
<code c>
//char *ci_str = "HIGH:-NULL:-PSK:-aNULL"; /* cipher string */
char *ci_str = "ALL:+NULL"; /* cipher string */
</code>
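The nmap listing above is the kind of evidence that justifies fronting such a device with the TLS 1.2 wrapper: the SSLv3 leg then stays on the wire only between socat and the legacy endpoint, and the CBC/RC4/MD5 suites are never offered to the outside. As an added example (not part of the original page), here is a small Python parser for `ssl-enum-ciphers` output that turns the scan into structured findings, so a legacy host can be tracked and re-checked after the wrapper is in place. The sample scan text is constructed from the listing on this page; the finding codes (`SSLV3`, `RC4`, `MD5_MAC`, `3DES`, `WEAK_KEY`, `SHA1_CERT`) are this example's own naming, not nmap's.

```python
"""Parse nmap ssl-enum-ciphers output and grade the legacy-TLS findings (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the ssl-enum-ciphers listing quoted on the page.
SAMPLE_SCAN = """\
443/tcp open Ubiquity Crap
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 1024) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 1024) - A
|     compressors:
|
|     cipher preference: client
|     warnings:
|       CBC-mode cipher in SSLv3 (CVE-2014-3566)
|       Ciphersuite uses MD5 for message integrity
|       Weak certificate signature: SHA1
|_  least strength: D
"""


@dataclass
class Suite:
    protocol: str   # protocol version the suite was offered under
    name: str       # IANA suite name as printed by nmap
    key_info: str   # text in parentheses, e.g. "rsa 1024"
    grade: str      # nmap's per-suite letter grade


@dataclass
class ScanResult:
    suites: list = field(default_factory=list)
    compressors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    preference: str = ""
    least_strength: str = ""

    def protocols(self) -> list:
        return sorted({s.protocol for s in self.suites})


PROTO_RE = re.compile(r"^\|\s*(SSLv2|SSLv3|TLSv1(?:\.[0-3])?):\s*$")
SECTION_RE = re.compile(r"^\|\s*(ciphers|compressors|warnings):\s*$")
SUITE_RE = re.compile(r"^\|\s*(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")
PREF_RE = re.compile(r"^\|\s*cipher preference:\s*(\w+)\s*$")
LEAST_RE = re.compile(r"^\|_?\s*least strength:\s*([A-F])\s*$")


def parse_scan(text: str) -> ScanResult:
    """Walk the script output line by line, tracking the current protocol and section."""
    result = ScanResult()
    protocol = None
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith("|"):
            continue  # port banner or other script output, not part of ssl-enum-ciphers
        if m := LEAST_RE.match(line):
            result.least_strength = m.group(1)
            continue
        if m := PROTO_RE.match(line):
            protocol, section = m.group(1), None
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1)
            continue
        if m := PREF_RE.match(line):
            result.preference, section = m.group(1), None
            continue
        body = line.lstrip("|").strip()
        if not body:
            continue  # e.g. the empty compressors entry
        if section == "ciphers":
            if (m := SUITE_RE.match(line)) and protocol:
                result.suites.append(Suite(protocol, *m.groups()))
        elif section == "compressors":
            result.compressors.append(body)
        elif section == "warnings":
            result.warnings.append(body)
    return result


def assess(result: ScanResult) -> list:
    """Return (code, message) findings for the weaknesses the page's wrapper is meant to hide."""
    findings = []
    protos = result.protocols()
    if "SSLv2" in protos:
        findings.append(("SSLV2", "SSLv2 offered; disable it or front the service with a TLS terminator"))
    if "SSLv3" in protos:
        findings.append(("SSLV3", "SSLv3 offered; CBC suites are subject to POODLE (CVE-2014-3566)"))
    for s in result.suites:
        if "_RC4_" in s.name:
            findings.append(("RC4", f"{s.name}: RC4 stream cipher"))
        if s.name.endswith("_MD5"):
            findings.append(("MD5_MAC", f"{s.name}: MD5 used for message integrity"))
        if "_3DES_" in s.name:
            findings.append(("3DES", f"{s.name}: 3DES, 64-bit block cipher"))
        if (m := re.match(r"(rsa|dh)\s+(\d+)", s.key_info)) and int(m.group(2)) < 2048:
            findings.append(("WEAK_KEY", f"{s.name}: {m.group(1).upper()} {m.group(2)}-bit key"))
    if any("SHA1" in w for w in result.warnings):
        findings.append(("SHA1_CERT", "certificate signed with SHA-1"))
    return findings


if __name__ == "__main__":
    scan = parse_scan(SAMPLE_SCAN)
    print("protocols:", scan.protocols(), "least strength:", scan.least_strength)
    for code, msg in assess(scan):
        print(f"[{code}] {msg}")
```

Run it against a saved `nmap --script ssl-enum-ciphers` report instead of the embedded sample to get the same findings for a real host; once the socat front end is in place, the public scan should show no `SSLv3` block at all, while the loopback side (127.0.0.1:4443) still will.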