sunhux
asked on
How to verify IIS, Apache & SMTP is vulnerable to Logjam
Q1:
Can I use openssl cliengt command to verify if our IIS, Apache are vulnerable?
What's the exact syntax/command?
Is it "openssl s_client -connect IP_addr:443" ?
Q2:
Are TLS1.0, TLS1.1 or TLS1.2 vulnerable?
Q3:
How do I verify our SMTP (Linux customized sendmail) is vulnerable?
Can I use openssl cliengt command to verify if our IIS, Apache are vulnerable?
What's the exact syntax/command?
Is it "openssl s_client -connect IP_addr:443" ?
Q2:
Are TLS1.0, TLS1.1 or TLS1.2 vulnerable?
Q3:
How do I verify our SMTP (Linux customized sendmail) is vulnerable?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
So are TLSv1.0 or TLSv1.1 vulnerable?
Looks like the openssl command I used previously is meant for Linux openssl.
Windows openssl has different syntax but I still don't know how to interpret if
the output below means it's vulnerable or otherwise:
C:\Openssl102>openssl s_client -connect internet-banking.dbs.com.s g:443 -tls1_1
-cipher "EDH"
CONNECTED(000001AC)
1148:error:14094410:SSL routines:ssl3_read_bytes:s slv3 alert handshake failure:.
\ssl\s3_pkt.c:1456:SSL alert number 40
1148:error:1409E0E5:SSL routines:ssl3_write_bytes: ssl handshake failure:.\ssl\s3
_pkt.c:644:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1432922310
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
Looks like the openssl command I used previously is meant for Linux openssl.
Windows openssl has different syntax but I still don't know how to interpret if
the output below means it's vulnerable or otherwise:
C:\Openssl102>openssl s_client -connect internet-banking.dbs.com.s
-cipher "EDH"
CONNECTED(000001AC)
1148:error:14094410:SSL routines:ssl3_read_bytes:s
\ssl\s3_pkt.c:1456:SSL alert number 40
1148:error:1409E0E5:SSL routines:ssl3_write_bytes:
_pkt.c:644:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1432922310
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
C:\Openssl102> openssl s_client -connect internet-banking.dbs.com.s g:443 -starttls imap -cipher EDH -msg
Loading 'screen' into random state - done
CONNECTED(000001C0)
didn't found STARTTLS in server response, try anyway...
>>> TLS 1.2 [length 0005]
16 03 01 00 8c
>>> TLS 1.2 Handshake [length 008c], ClientHello
01 00 00 88 03 03 b6 de f1 f7 ce c0 b0 ca e2 86
. . .
03 02 01 02 02 02 03 00 0f 00 01 01
write:errno=10053
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 171 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
---
Loading 'screen' into random state - done
CONNECTED(000001C0)
didn't found STARTTLS in server response, try anyway...
>>> TLS 1.2 [length 0005]
16 03 01 00 8c
>>> TLS 1.2 Handshake [length 008c], ClientHello
01 00 00 88 03 03 b6 de f1 f7 ce c0 b0 ca e2 86
. . .
03 02 01 02 02 02 03 00 0f 00 01 01
write:errno=10053
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 171 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
---
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
(though for SSL websites, this same openssl.exe utility works):
C:\Openssl102>openssl s_client -connect gmail.com:25 -starttls smtp -cipher "EDH
" -
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
unknown option -
usage: s_client args
-host host - use -connect instead
-port port - use -connect instead
-connect host:port - who to connect to (default is localhost:4433)
-verify_host host - check peer certificate matches "host"
-verify_email email - check peer certificate matches "email"
-verify_ip ipaddr - check peer certificate matches "ipaddr"
-verify arg - turn on peer certificate verification
-verify_return_error - return verification errors
-cert arg - certificate file to use, PEM format assumed
-certform arg - certificate format (PEM or DER) PEM default
-key arg - Private key file to use, in cert file if
not specified but cert file is.
-keyform arg - key format (PEM or DER) PEM default
-pass arg - private key file pass phrase source
-CApath arg - PEM format directory of CA's
-CAfile arg - PEM format file of CA's
-reconnect - Drop and re-make the connection with the same Session-ID
-pause - sleep(1) after each read(2) and write(2) system call
-prexit - print session information even on connection failure
-showcerts - show all certificates in the chain
-debug - extra output
-msg - Show protocol messages
-nbio_test - more ssl protocol testing
-state - print the 'ssl' states
-nbio - Run with non-blocking IO
-crlf - convert LF from terminal into CRLF
-quiet - no s_client output
-ign_eof - ignore input eof (default when -quiet)
-no_ign_eof - don't ignore input eof
-psk_identity arg - PSK identity
-psk arg - PSK in hex (without 0x)
-srpuser user - SRP authentification for 'user'
-srppass arg - password for 'user'
-srp_lateuser - SRP username into second ClientHello message
-srp_moregroups - Tolerate other than the known g N values.
-srp_strength int - minimal length in bits for N (default 1024).
-ssl2 - just use SSLv2
-ssl3 - just use SSLv3
-tls1_2 - just use TLSv1.2
-tls1_1 - just use TLSv1.1
-tls1 - just use TLSv1
-dtls1 - just use DTLSv1
-fallback_scsv - send TLS_FALLBACK_SCSV
-mtu - set the link layer MTU
-no_tls1_2/-no_tls1_1/-no_
-bugs - Switch on all SSL implementation bug workarounds
-serverpref - Use server's cipher preferences (only SSLv2)
-cipher - preferred cipher to use, use the 'openssl ciphers'
command to see what is available
-starttls prot - use the STARTTLS command before starting TLS
for those protocols that support it, where
'prot' defines which one to assume. Currently,
only "smtp", "pop3", "imap", "ftp" and "xmpp"
are supported.
-engine id - Initialise and use the specified engine
-rand file;file;...
-sess_out arg - file to write SSL session to
-sess_in arg - file to read SSL session from
-servername host - Set TLS extension servername in ClientHello
-tlsextdebug - hex dump of all TLS extensions received
-status - request certificate status from server
-no_ticket - disable use of RFC4507bis session tickets
-serverinfo types - send empty ClientHello extensions (comma-separated numbers)
-nextprotoneg arg - enable NPN extension, considering named protocols supported
(comma-separated list)
-alpn arg - enable ALPN extension, considering named protocols supporte
d (comma-separated list)
-legacy_renegotiation - enable use of legacy renegotiation (dangerous)
-use_srtp profiles - Offer SRTP key management with a colon-separated profile l
ist
-keymatexport label - Export keying material using label
-keymatexportlen len - Export len bytes of keying material (default 20)