How to connect an “SSLv3 only” web client to a web server that only accepts TLS1.0 - TLS1.2

I have a legacy embedded HTTP client (very old) that supports SSLv3, TLS1.0, TLS1.1 and TLS1.2. I would like to remove SSLv3 for security reasons.

I rebuilt the openssl library and wanted to verify that this webclient does not use SSLv3 during a secure HTTP connection. This client is also programmed to connect to a specific web server on the internet, which already does NOT support SSLv3.

I tried to verify if it works by using a proxy in between the embedded web client and the internet webserver.

Setup:
Webclient <----> Squid proxy <----> Https://www.loremipsum.com/xxx/xxx

Setting:
Webclient:
    -SSLv3 only
Squid proxy:
    -Installed in Windows Server 2012
    -client TLS version --> TLS1.0, TLS1.1, TLS1.2 enabled
    -server TLS version --> SSLv3 Only
External web server:
    -only supports TLS1.0, TLS1.1 and TLS1.2

Expected results:
    -Before removing SSLv3: SSLv3 used in HTTPS connection
    -After removing SSLv3: Webclient cannot connect with handshake failure code in packet

Actual result:
    -Before removing SSLv3: **TLS1.0** is used instead of SSLv3 (this part is my problem)
    -After removing SSLv3: TLS1.0 used in HTTPS connection

Does anyone here know why TLS1.0 is used instead of SSLv3 during the actual test? Or can you recommend any tool that I can use to confirm this change?

Thank you very much.


Solution 1:

As to why TLS is used in your test: the client will go through its available ciphers and try the strongest ciphers first. So it will always prefer TLS over SSL3.

If the website is visible from the internet you can use one of the test services like https://testtls.com to verify which protocol is enabled/disabled.

If (as I am guessing) the service is only available internally you can use curl and specify the protocol:

    curl -vvv --sslv3 https://www.myhost.tld

You can go into even more detail and specify each cipher individually: https://curl.se/docs/ssl-ciphers.html

An alternative is to use openssl directly: (https://www.misterpki.com/openssl-s-client/)

    openssl s_client -connect www.host.tld:443 -ssl3

Note that in both instances you need openssl/curl with SSL3 still available (newer ones do not have SSL compiled in at all).

What you need to configure in squid is something like this (you might have to tweak the options depending on the openssl version):

    https_port ... options=SSLv3:NO_SSLv2:NO_TLS1:NO_TLS1_1:NO_TLS1_3
    http_port ... ssl-bump options=NO_SSLv3:NO_SSLv2:NO_TLS1:NO_TLS1_1:NO_TLS1_3
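
An added example, not part of the answer above: a Python parser for the client's first TLS record. It reports the highest protocol version the client offers (the ClientHello `client_version` field, `0x0300` for SSLv3) and its cipher suite list, so the rebuilt client can be checked directly. The function names and listener port 8443 are assumptions, and the sample bytes are constructed.

```python
import socket
import struct

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}

def parse_client_hello(data: bytes) -> dict:
    """Decode the versions and cipher suites in a client's first TLS record."""
    if len(data) < 44:
        raise ValueError("too short to hold a ClientHello")
    ctype, rec_ver, _rec_len = struct.unpack("!BHH", data[:5])
    if ctype != 0x16 or data[5] != 0x01:
        raise ValueError("first record is not a handshake/ClientHello")
    (client_ver,) = struct.unpack("!H", data[9:11])
    pos = 43                                  # 32-byte random sits at 11..42
    pos += 1 + data[pos]                      # session_id length + session_id
    if pos + 2 > len(data):
        raise ValueError("truncated before cipher_suites")
    (cs_len,) = struct.unpack("!H", data[pos:pos + 2])
    raw = data[pos + 2:pos + 2 + cs_len]
    if len(raw) != cs_len or cs_len % 2:
        raise ValueError("truncated or malformed cipher_suites")
    suites = [f"0x{a:02X}{b:02X}" for a, b in zip(raw[::2], raw[1::2])]
    return {
        "record_version": VERSIONS.get(rec_ver, hex(rec_ver)),
        "highest_offered": VERSIONS.get(client_ver, hex(client_ver)),
        "sslv3_is_highest": client_ver == 0x0300,
        "cipher_suites": suites,
    }

def build_sample_hello(rec_ver: int, client_ver: int) -> bytes:
    """Constructed minimal ClientHello for offline testing (not a capture)."""
    body = struct.pack("!H", client_ver) + bytes(32) + b"\x00"
    body += struct.pack("!H", 4) + bytes.fromhex("002f000a") + b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, rec_ver, len(hs)) + hs

def sniff_one_hello(port: int = 8443) -> dict:
    """Accept one TCP connection, parse its ClientHello, then drop it."""
    with socket.create_server(("0.0.0.0", port)) as srv:
        conn, _ = srv.accept()
        with conn:
            # A single recv is enough for a small ClientHello on a lab network.
            return parse_client_hello(conn.recv(4096))

if __name__ == "__main__":
    print(parse_client_hello(build_sample_hello(0x0300, 0x0300)))
    print(parse_client_hello(build_sample_hello(0x0301, 0x0303)))
```

The same bytes can be taken from a packet capture of the client's connection and passed to `parse_client_hello`.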