OpenSSL force client to use specific protocol

Posted by Ex Umbris on Super User See other posts from Super User or by Ex Umbris
Published on 2012-06-07T21:25:17Z Indexed on 2012/06/07 22:43 UTC
Read the original article Hit count: 192

Filed under:

openssl

When subversion attempts to connect to an https URL, the underlying protocol library (openssl) attempts to start the secure protocol negotiation at the most basic level, plain SSL.

Unfortunately, I have to connect to a server that requires SSL3 or TLS1, and refuses to respond to SSL or SSL2.

I’ve done some troubleshooting using s_client and confirmed that if I let s_client start with the default protocol the server never responds to the CLIENT HELLO:

$ openssl s_client -connect server.domain.com:443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 320 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Watching this in Wireshark I see:

Client                Server
    -------syn---------->
    <------ack-----------
    ---CLIENT HELLO----->
    <------ack-----------
      [60 second pause]
    <------rst-----------

If I tell s_client to use ssl2 the server immediately closes the connection. Only ssl3 and tls1 work.

Is there any way to configure openssl to skip SSL and SSL2, and start the negotiation with TLS or SSL3? I've found the OpenSSL config file, but that seems to control only certificate generation.

Related posts about openssl

Redhat | Openssl installation error

as seen on Server Fault - Search for 'Server Fault'
make -f objs/Makefile make[1]: Entering directory `/root/fuse-ssh/nginx-0.7.65' cd /usr/bin/openssl \ && make clean \ && ./config --prefix=/usr/bin/openssl/.openssl no-shared no-threads \ && make \ && make install /bin/sh: line 0: cd:… >>> More
Redhat | Openssl installation error

as seen on Stack Overflow - Search for 'Stack Overflow'
make -f objs/Makefile make[1]: Entering directory `/root/fuse-ssh/nginx-0.7.65' cd /usr/bin/openssl \ && make clean \ && ./config --prefix=/usr/bin/openssl/.openssl no-shared no-threads \ && make \ && make install /bin/sh: line 0: cd:… >>> More
Upgrade OpenSSL 0.9.8k to OpenSSL 1.0.1c on Ubuntu 10.04

as seen on Server Fault - Search for 'Server Fault'
We're currently using Ubuntu 10.04 and based on the PCI Compliance results, we're told to upgrade our OpenSSL. I attempted to do this using this reference: http://sandilands.info/sgordon/upgrade-latest-version-openssl-on-ubuntu and http://www.lunarforums.com/dedicated_web_hosting_at_lunarpages/upgrading_openssl-t35015… >>> More
Installing OpenSSL that supports SNI along with previous version of OpenSSL

as seen on Server Fault - Search for 'Server Fault'
So I learned that to host multiple HTTPS websites on the same IP address you need an OpenSSL version that supports SNI (0.9.8f and higher). My RHEL5 box currently has 0.9.8e and Apache version httpd-2.2.26-2.el5. According to a same question here it's not a good idea to replace the original version… >>> More
Solaris X86 AESNI OpenSSL Engine

as seen on Oracle Blogs - Search for 'Oracle Blogs'
Solaris X86 AESNI OpenSSL Engine Cryptography is a major component of secure e-commerce. Since cryptography is compute intensive and adds a significant load to applications, such as SSL web servers (https), crypto performance is an important factor. Providing accelerated crypto hardware greatly… >>> More

Developer IT