How to connect an “SSLv3 only” web client to a web server that only accept TLS1.0 - TLS1.2
I have a legacy embedded HTTP client (very old) that supports SSLv3, TLS1.0, TLS1.1 and TLS1.2. I would like to remove SSLv3 for security reasons.
I rebuilt the openssl library and wanted to verify if this webclient does not use SSLv3 during secure HTTP connection. This client also is programmed to connect to a specific web server on the internet, which already does NOT support SSLv3.
I tried to verify if it work by using a proxy in between the embedded web client and the internet webserver.
Setup:
Webclient <----> Squid proxy <----> Https://www.loremipsum.com/xxx/xxx
Setting: Webclient -SSLv3 only Squid proxy: -Installed in windows server 2012
-client TLS version --> TLS1.0, TLS1.1, TLS1.2 enabled
-server TLS version --> SSLv3 Only
External web server: -only supports TLS1.0, TLS1.1 and TLS1.2 Expected results: Before removing SSLv3: SSLv3 used in HTTPS connection After removing SSLv3: Webclient cannot connect with handshake failure code in packet Actual result: Before removing SSLv3: **TLS1.0** is used instead of SSLv3 (this part is my problem) After removing SSLv3: TLS1.0 used in HTTPS connection
Anyone here knows why TLS1.0 is used instead of SSLv3 during the actual test? Or can you recommend any tool that I can use to confirm this change?
Thank you very much.
Solution 1:
As why tls is used in your test: the client will go through its available ciphers and try the strongest ciphers first. So it will always prefer tls over ssl3.
If the website is visible form the internet you can use one of test services like https://testtls.com to verify which protocol is enabled/disabled.
If (as I am guessing) the service is only available internally you can use curl and specify the protocol:
curl -vvv --sslv3 https://www.myhost.tld
You can go into even more detail and specify each cipher individually: https://curl.se/docs/ssl-ciphers.html
An alternative is to use openssl directly: (https://www.misterpki.com/openssl-s-client/)
openssl s_client -connect www.host.tdl:443 -ssl3
Note that in both instances you need openssl/curl with ssl3 still available (newer ones do not have ssl compiled at all)
What you need to configure in squid is something like this (you might have to tweak the options depending on the openssl version):
https_port ... options=SSLv3:NO_SSLv2:NO_TLS1:NO_TLS1_1:NO_TLS1_3
http_port ... ssl-bump options=NO_SSLv3:NO_SSLv2:NO_TLS1:NO_TLS1_1:NO_TLS1_3