How to check your SSL ciphers to make sure they don't accept SSLv3

Last Modified: Oct 15, 2014, 7:42 pm
If you're trying to become PCI compliant, one common check the scanner performs is whether any of your SSL services still accept SSLv3 connections.

If you want to check your own setup first to ensure it will pass this check, you can use the command:

openssl s_client -port 2222 -host 127.0.0.1 -ssl3

where you replace the port (2222) and host (127.0.0.1) with the respective values you're trying to test.  In the above example, we're checking DA on port 2222 locally (127.0.0.1), but a remote check to any other host, with any port, can be used.

The above code will produce some output.  If SSLv3 is not allowed in that connection (which is good), then you'll see about 3 to 7 lines of output, and the last line will show:

140506571089736:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
140506571089736:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:

Basically, it will throw some kind of error.

If the connection worked (bad if testing for -ssl3), then you'll see a full page of output, including all certificate information, as well as the certificate itself.

Some services like exim use TLS for their SSL connection.  In that case, you'd use -tls1 in place of -ssl3 to test that TLSv1 still works.
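The checks above, wrapped into a small script as an added example (not code from the DirectAdmin help page). It assumes a local openssl binary; builds that no longer ship SSLv3 reject "-ssl3" as an unknown option, which the script reports as "unsupported" rather than treating it as a verdict.

```shell
#!/bin/sh
# Added example: probe one host:port for a protocol version with
# openssl s_client and reduce the noisy output to a one-word verdict.
# Assumes a local openssl binary (names and verdict words are our own).

# classify_probe OUTPUT -> prints rejected | accepted | unsupported | unknown
classify_probe() {
    case "$1" in
        *"nknown option"*)                 # "Unknown option" / "unknown option -ssl3"
            echo unsupported ;;            # local openssl cannot even speak SSLv3
        *"handshake failure"*|*"Cipher is (NONE)"*|*"alert protocol version"*)
            echo rejected ;;               # server refused this protocol: good for -ssl3
        *"Cipher is "*)
            echo accepted ;;               # a cipher was negotiated: bad for -ssl3
        *)
            echo unknown ;;
    esac
}

# probe_proto HOST PORT FLAG   e.g. probe_proto 127.0.0.1 2222 -ssl3
# </dev/null closes stdin so s_client exits instead of waiting for input.
probe_proto() {
    out=$(openssl s_client -host "$1" -port "$2" "$3" </dev/null 2>&1) || true
    classify_probe "$out"
}

# Constructed s_client output shaped like the help page's failure case,
# so the classifier can be exercised without a live server.
SAMPLE_REJECTED='CONNECTED(00000003)
140506571089736:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40'

# With a host and port given, run live probes; otherwise show the sample.
if [ "$#" -ge 2 ]; then
    printf 'SSLv3: %s\n' "$(probe_proto "$1" "$2" -ssl3)"
    printf 'TLSv1: %s\n' "$(probe_proto "$1" "$2" -tls1)"
else
    printf 'sample: %s\n' "$(classify_probe "$SAMPLE_REJECTED")"
fi
```

Run it as `sh check.sh 127.0.0.1 2222`; the expected result for a compliant service is "SSLv3: rejected" and "TLSv1: accepted".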

To set ciphers for the services, see this guide:
http://help.directadmin.com/item.php?id=571

Related Helpfiles
Setting up DA with an SSL certificate
Current SSL cipher lists for DirectAdmin servers

2003 JBMC Software, Suite 173  3-11 Bellerose Drive, St Albert, AB  T8N 1P7  Canada.  Mon-Fri 9AM-5PM MST