SSLv2 and v3


To determine whether your OpenSSL build supports SSLv2, run a simple sslscan against your own Apache server, like this:

sslscan phillipgrimes.com

You will see warnings if openssl is not compiled to support SSLv2.

To configure OpenSSL to support SSLv2 and SSLv3, follow these instructions:

$ sudo apt-get install build-essential devscripts
$ sudo apt-get build-dep openssl
$ apt-get source openssl
$ cd openssl-*
$ quilt pop -a    # This removes updates

$ vi debian/patches/series    # Remove 'no-ssl2.patch'

$ vi debian/rules    # Remove 'no-ssl2' in args

$ quilt push -a    # Re-applies the updates

$ dch -n 'Allow dangerous v2 protocol'
$ dpkg-source --commit
$ debuild -uc -us
$ ls ../*ssl*.deb
$ sudo dpkg -i ../*ssl*.deb

Then, uninstall/reinstall (or recompile) sslscan, and you should no longer see these errors.

apt-get remove sslscan && apt-get install -y sslscan

Update: 10/16/2018

I had some trouble getting the instructions above to work so I had to find a little bit of a different way to skin this cat:

wget https://openssl.org/source/openssl-1.0.2k.tar.gz
tar -xvf openssl-1.0.2k.tar.gz
cd openssl-1.0.2k/

  1. --prefix will make sure that make install copies the files locally instead of system-wide
  2. --openssldir will make sure that the binary will look in the regular system location for openssl.cnf
  3. no-shared builds a mostly static binary

./config --prefix=`pwd`/local --openssldir=/usr/lib/ssl enable-ssl2 enable-ssl3 no-shared
make depend
make
make -i install
sudo cp local/bin/openssl /usr/local/bin/

Again, you'll be required to uninstall/reinstall or recompile sslscan, but the errors should no longer be present.
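
Before reinstalling sslscan after either build procedure above, it helps to confirm that the rebuilt openssl binary really has the legacy protocols compiled in. The script below is an added example, not part of the original page; it assumes that a build with SSLv2/SSLv3 support lists -ssl2/-ssl3 in the `openssl s_client` usage text, and its function names and sample text are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original page): report whether an openssl binary
# exposes the SSLv2/SSLv3 switches after the rebuild.
# Assumption: a build with the protocol compiled in lists -ssl2 / -ssl3 in the
# "openssl s_client" usage text; a build without it omits that line.

# has_proto_flag FLAG USAGE_TEXT: succeeds if USAGE_TEXT has an option line for
# FLAG. Anchoring at line start keeps "-no_ssl2" from counting as "-ssl2".
has_proto_flag() {
    printf '%s\n' "$2" | grep -Eq -- "^[[:space:]]*$1([[:space:]]|\$)"
}

# legacy_support USAGE_TEXT: prints one line such as "ssl2=yes ssl3=no".
legacy_support() {
    out=""
    for p in ssl2 ssl3; do
        if has_proto_flag "-$p" "$1"; then
            out="$out $p=yes"
        else
            out="$out $p=no"
        fi
    done
    printf '%s\n' "${out# }"
}

# check_binary PATH: asks the binary for its s_client usage text (no network
# connection is made) and classifies it. Some releases treat -help as an
# unknown option and exit non-zero while still printing usage, hence "|| true".
check_binary() {
    usage=$("$1" s_client -help 2>&1 </dev/null) || true
    legacy_support "$usage"
}

# Constructed usage excerpts for offline checking (not captured output).
SAMPLE_WITH=' -no_ssl2      - turn off SSLv2
 -ssl2         - just use SSLv2
 -ssl3         - just use SSLv3
 -tls1         - just use TLSv1'
SAMPLE_WITHOUT=' -no_ssl2      - turn off SSLv2
 -no_ssl3      - turn off SSLv3
 -tls1_2       - just use TLSv1.2'

# With a path argument, check that binary, e.g. /usr/local/bin/openssl.
if [ "$#" -gt 0 ]; then
    check_binary "$1"
fi
```

Run it with the path of the binary you installed, for example `/usr/local/bin/openssl`; a result of `ssl2=no` means the rebuild did not take effect and sslscan will keep showing the same warnings.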