Solved

OPENSSL cipher

Posted on 2011-09-05
7
530 Views
Last Modified: 2012-06-27
Hi experts,

I'm looking for an explanation to this:

I am using the site https://www.chase.com as an example.
I use openSSL to verify that a site is using cipher sslv3.
I verified that it is NOT using sslv2 because I do not see the cert when I run command:
openssl s_client -connect chase:443 -ssl2

I then go into my IE browser version 9, tools < internet options < advanced < and uncheck SSLv3 and CHECK sslv2  

Why is it that I can still browse to https://www.chase.com and it works? My wireshark shows it using SSLV2. Shouldn't it break or tell me to upgrade?
0
Comment
Question by:trojan81
  • 4
  • 3
7 Comments
 
LVL 83

Accepted Solution

by:
Dave Baldwin earned 500 total points
ID: 36486243
Look here: http://en.wikipedia.org/wiki/Transport_Layer_Security  I believe the current spec is actually TLS.  And until March 2011 it would provide backward compatibility.  If the implementation is old than that, it will probably automatically negotiate back to SSLv2.  You can check on http://www.openssl.org/ to see if that has been implemented there.  I don't see it.  In addition, the Chase site uses a web server I never heard of named 'JPMC1.0'.  Apparently stands for "J P Morgan Chase".
0
 

Author Comment

by:trojan81
ID: 36486506
Thank you, Dave. That makes sense.

I was just using chase as an example because my site (which I cannot disclose for privacy reasons)was behaving the same way. It was using TLS.

Was wondering if you have input on this:
I have my site setup to redirect to a friendly URL that tells them why they cannot connect if they are using only sslv2.
I verified this message shows when I use openssl to connect via sslv2.

However, when I go to my broswer and disable sslv3 and TLS and only check SSLV2 and try to access the site, it just gives me an internal 500 error and doesnt show me the redirect message that openssl saw. Any idea why that is?
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 36486562
Yes, SSL/TLS gets negotiated before anything else.  If the requested method is disabled, you never get a connection that can be redirected.  It simply fails.

The whole purpose of SSL is to encrypt all the data.  If you allow a plain connection before you start encrypting, you have already compromised the connection.  So Nothing else is allowed before the SSL negotiation.
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 

Author Comment

by:trojan81
ID: 36486610
Dave,

I belive my situation is a little different. Even though my site does not have SSLV2 enabled it does have a feature called sslv2 redirect. The redirect is enabled and will give a friendly message.
I can verify that message when I connect using OPENSSL on sslv2.
However, when I do it through the browswer I don't get that friendly message and instead get an http 500 error.
Is it normal that you can see the friendly URL from openssl but not through the brower?
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 36486641
I don't know about connecting with OpenSSL, what I described is how the browser and web server are supposed to interact.  If the secure connection isn't made, you are not supposed to see anything.
0
 

Author Closing Comment

by:trojan81
ID: 36486712
well done, thank you!
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 36486763
You're welcome, glad to help.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
non-domain members are not prompted for credentials 18 60
desktop security assessment (windows devices). 2 42
Setting up NAT translation for RDP 6 41
SOC, SIEM, IPS and FW 4 33
One of the biggest threats in the cyber realm pertains to advanced persistent threats (APTs). This paper is a compare and contrast of Russian and Chinese APT's.
The related questions "How do I recover the passwords for my Q-See DVR" and "How can I reset my Q-See DVR to eliminate a password" are seen several times a week.  Here we discuss the grim reality of the situation.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question