trojan81
asked on
OPENSSL cipher
Hi experts,
I'm looking for an explanation to this:
I am using the site https://www.chase.com as an example.
I use openSSL to verify that a site is using cipher sslv3.
I verified that it is NOT using sslv2 because I do not see the cert when I run command:
openssl s_client -connect chase:443 -ssl2
I then go into my IE browser version 9, tools < internet options < advanced < and uncheck SSLv3 and CHECK sslv2
Why is it that I can still browse to https://www.chase.com and it works? My wireshark shows it using SSLV2. Shouldn't it break or tell me to upgrade?
I'm looking for an explanation to this:
I am using the site https://www.chase.com as an example.
I use openSSL to verify that a site is using cipher sslv3.
I verified that it is NOT using sslv2 because I do not see the cert when I run command:
openssl s_client -connect chase:443 -ssl2
I then go into my IE browser version 9, tools < internet options < advanced < and uncheck SSLv3 and CHECK sslv2
Why is it that I can still browse to https://www.chase.com and it works? My wireshark shows it using SSLV2. Shouldn't it break or tell me to upgrade?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Yes, SSL/TLS gets negotiated before anything else. If the requested method is disabled, you never get a connection that can be redirected. It simply fails.
The whole purpose of SSL is to encrypt all the data. If you allow a plain connection before you start encrypting, you have already compromised the connection. So Nothing else is allowed before the SSL negotiation.
The whole purpose of SSL is to encrypt all the data. If you allow a plain connection before you start encrypting, you have already compromised the connection. So Nothing else is allowed before the SSL negotiation.
ASKER
Dave,
I belive my situation is a little different. Even though my site does not have SSLV2 enabled it does have a feature called sslv2 redirect. The redirect is enabled and will give a friendly message.
I can verify that message when I connect using OPENSSL on sslv2.
However, when I do it through the browswer I don't get that friendly message and instead get an http 500 error.
Is it normal that you can see the friendly URL from openssl but not through the brower?
I belive my situation is a little different. Even though my site does not have SSLV2 enabled it does have a feature called sslv2 redirect. The redirect is enabled and will give a friendly message.
I can verify that message when I connect using OPENSSL on sslv2.
However, when I do it through the browswer I don't get that friendly message and instead get an http 500 error.
Is it normal that you can see the friendly URL from openssl but not through the brower?
I don't know about connecting with OpenSSL, what I described is how the browser and web server are supposed to interact. If the secure connection isn't made, you are not supposed to see anything.
ASKER
well done, thank you!
You're welcome, glad to help.
ASKER
I was just using chase as an example because my site (which I cannot disclose for privacy reasons)was behaving the same way. It was using TLS.
Was wondering if you have input on this:
I have my site setup to redirect to a friendly URL that tells them why they cannot connect if they are using only sslv2.
I verified this message shows when I use openssl to connect via sslv2.
However, when I go to my broswer and disable sslv3 and TLS and only check SSLV2 and try to access the site, it just gives me an internal 500 error and doesnt show me the redirect message that openssl saw. Any idea why that is?