Differences

This shows you the differences between two versions of the page.

@@ Line 1: / Line 1: @@
+====== TLS1.2 <-> SSLv3 wrapper ======
+Situation: there is a proprietary application that only supports SSLv3 and the vendor does not care.
+Solution:
+  - make the application listen to 127.0.0.1:4443 or something like this
+  - socat -v openssl-listen:443,cert=/etc/ssl/our_key_cert.pem,verify=0,reuseaddr,fork ssl:127.0.0.1:4443,verify=0**,method=ssl3**
+===== Disabled SSL3 support =====
+As of 9/2016, Debian links socat against openssl without SSL3 support. Therefore the above no longer works.
+I have managed to compile openssl with SSL3
+<code>
+./Configure --prefix=/opt/ssl3 linux-x86_64
+</code>
+and somehow compile socat with it
+<code>
+change /sw to /opt/ssl3 in configure
+negate the condition above
+LIBS=-ldl ./configure
+</code>
+openssl s_client supports ssl3 now (/opt/ssl3/bin/openssl s_client -connect xxx:443 -ssl3) and socat too.
+===== Old ciphersuites only =====
+Next, the following system was encountered during an... eh... //network security reconnaissance//.
+<code>
+/tcp open  Ubiquity Crap
+| ssl-enum-ciphers:
+|   SSLv3:
+|     ciphers:
+|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
+|       TLS_RSA_WITH_RC4_128_MD5 (rsa 1024) - A
+|       TLS_RSA_WITH_RC4_128_SHA (rsa 1024) - A
+|     compressors:
+|
+|     cipher preference: client
+|     warnings:
+|       CBC-mode cipher in SSLv3 (CVE-2014-3566)
+|       Ciphersuite uses MD5 for message integrity
+|       Weak certificate signature: SHA1
+|_  least strength: D
+</code>
+Cipher suites need to be replaced in your socat in xio-openssl.c:
+<code c>
+   //char *ci_str = "HIGH:-NULL:-PSK:-aNULL";   /* cipher string */
+   char *ci_str = "ALL:+NULL";  /* cipher string */
+</code>

wiki

User Tools

Site Tools

Differences

Page Tools