Simple way of enabling SSLv2 and SSLv3 in OpenSSL?

Fresh install of Ubuntu here and trying to use the SSLScan tool, only to find out that I get these errors:

OpenSSL version does not support SSLv2
SSLv2 ciphers will not be detected

OpenSSL version does not support SSLv3
SSLv3 ciphers will not be detected
Testing SSL server xyzx on port 443

  TLS renegotiation:
Session renegotiation not supported

  TLS Compression:
OpenSSL version does not support compression
Rebuild with zlib1g-dev package for zlib support

I found some articles online on trying to re-compile OpenSSL without those flags being explicitly disabled, but I can't even get past the first few steps in some of these guides. For example, one guide recommends running sudo apt-get build-dep openssl. I can't run that because then I get the following error:

[03.14.2017/23:47:31] user@box $ sudo apt-get build-dep openssl
Reading package lists... Done
E: You must put some 'source' URIs in your sources.list

Although I have many uncommented sources in my /etc/apt/sources.list file.

Any suggestions? I just want to enable SSLv2 and SSLv3, and at least enable compression too. Can I just simply re-enable all of the disabled features?
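Added example (not part of the question or of either answer): the `apt-get build-dep` error above is about `deb-src` entries specifically, so having many uncommented `deb` lines does not help. The shell functions below check a sources file for enabled deb-src lines and derive the missing deb-src lines from the deb ones; the file contents are a constructed sample modelled on a stock Ubuntu sources.list rather than a real /etc/apt/sources.list.

```shell
#!/bin/sh
# Added example, not code from the question or the answers.
# apt-get build-dep needs enabled deb-src entries; plain deb lines do not count.

# Exit 0 if stdin (sources file contents) has an uncommented deb-src line.
has_deb_src() {
    grep -Eq '^[[:space:]]*deb-src[[:space:]]'
}

# For every enabled "deb ..." line on stdin, print the matching "deb-src ..." line.
# Comments and existing deb-src lines are not matched (after "deb" comes "-",
# not whitespace, so the pattern skips them).
derive_deb_src_lines() {
    sed -nE 's/^[[:space:]]*deb[[:space:]]+/deb-src /p'
}

# Constructed sample modelled on a stock Ubuntu sources.list, where the
# deb-src lines ship commented out (the situation in the question).
SAMPLE_SOURCES='deb http://archive.ubuntu.com/ubuntu xenial main restricted
# deb-src http://archive.ubuntu.com/ubuntu xenial main restricted
deb http://security.ubuntu.com/ubuntu xenial-security main restricted'

# Report whether build-dep would work and, if not, print what to append to a
# file such as /etc/apt/sources.list.d/src.list before running apt-get update.
check_sources() {
    if printf '%s\n' "$SAMPLE_SOURCES" | has_deb_src; then
        echo "deb-src present: apt-get build-dep can fetch build dependencies"
    else
        echo "no enabled deb-src lines; apt-get build-dep will fail. Add:"
        printf '%s\n' "$SAMPLE_SOURCES" | derive_deb_src_lines
    fi
}

check_sources
```

To use it on a real system, replace the sample with `cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list` as the input to both functions, append the derived lines to a file under /etc/apt/sources.list.d/, and run `apt-get update` before retrying `build-dep`.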


Solution 1:

My solution was to build just the openssl binary to avoid overwriting the system OpenSSL installation:

wget https://openssl.org/source/openssl-1.0.2k.tar.gz
tar -xvf openssl-1.0.2k.tar.gz
cd openssl-1.0.2k/
# --prefix will make sure that make install copies the files locally instead of system-wide
# --openssldir will make sure that the binary will look in the regular system location for openssl.cnf
# no-shared builds a mostly static binary
./config --prefix=`pwd`/local --openssldir=/usr/lib/ssl enable-ssl2 enable-ssl3 no-shared
make depend
make
make -i install
sudo cp local/bin/openssl /usr/local/bin/

To test:

$ openssl s_client -connect google.com:443 -ssl2
CONNECTED(00000003)
139675635414688:error:1407F0E5:SSL routines:ssl2_write:ssl handshake failure:s2_pkt.c:412:

$ openssl s_client -connect google.com:443 -ssl3
CONNECTED(00000003)
140647504119456:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:365:

I've got a more complete script here if you're interested: https://gist.github.com/bmaupin/8caca3a1e8c3c5686141
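Added example, not code from this answer or from the linked gist: the `s_client -ssl2` / `-ssl3` tests above need a network peer and only show a handshake failure. The functions below instead check, offline, which legacy protocol options an `openssl` binary's `s_client` accepts, by parsing its usage text (`s_client` lists `-ssl2` and `-ssl3` only when the library it was built against has those protocols compiled in), and compare the distribution binary with the locally built one copied to /usr/local/bin. The usage text used in the check is whatever the binary prints; paths to the binaries are assumptions taken from the answer.

```shell
#!/bin/sh
# Added example, not code from the answer. Checks which legacy protocol
# options an openssl binary's s_client accepts, without any network access:
# s_client lists -ssl2 / -ssl3 in its usage text only when the library it
# was built against has those protocols compiled in.

# $1: usage text from "openssl s_client -help". Prints "ssl2=yes|no ssl3=yes|no".
# Options such as -no_ssl3 do not match, because the pattern anchors on "-ssl".
parse_legacy_flags() {
    ssl2=no
    ssl3=no
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*-ssl2([[:space:]]|$)' && ssl2=yes
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*-ssl3([[:space:]]|$)' && ssl3=yes
    echo "ssl2=$ssl2 ssl3=$ssl3"
}

# $1: path to an openssl binary. In 1.0.x the usage text goes to stderr and
# -help exits non-zero, so both are tolerated here.
legacy_protocol_flags() {
    help_text=$("$1" s_client -help 2>&1 || true)
    parse_legacy_flags "$help_text"
}

# Compare the distribution binary with the locally built one from the answer
# (/usr/local/bin/openssl is where the answer copies it). Binaries that are
# not installed are skipped, so this runs on any machine.
compare_builds() {
    for bin in /usr/bin/openssl /usr/local/bin/openssl; do
        [ -x "$bin" ] || continue
        printf '%s: %s [%s]\n' "$bin" "$(legacy_protocol_flags "$bin")" "$("$bin" version 2>/dev/null)"
    done
}

compare_builds
```

Two things worth keeping in mind when reading the output: /usr/local/bin normally comes before /usr/bin in PATH, so after the `sudo cp` step a bare `openssl` resolves to the SSLv2/SSLv3-enabled build for every user; calling the rebuilt binary by its full path (or leaving it under the `local` prefix) avoids that. And this only inspects the command-line tool; sslscan links against the libssl library, which is why the second answer builds sslscan itself with static linking instead.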

Solution 2:

I also had this exact problem! (And this post is now the first hit on Google.)

I solved it by building sslscan myself, with static linking; this puts the SSLv2 and SSLv3 support into the executable itself. It might be dangerous to have the global openssl library support old vulnerable protocol versions.

The source code repo for sslscan is here: https://github.com/rbsec/sslscan

I could not get the instructions there to work without problems, because I did not have any deb-src lines in /etc/apt/sources.list, giving the error:

E: You must put some 'source' URIs in your sources.list

However, I ignored the error and it worked for me anyway. Building took about 10 minutes on my laptop (the -j flag did not work). The build failed once for some reason (a test not passing), but compiling again made it work.

TL;DR: Run:

sudo apt-get install build-essential git zlib1g-dev

git clone https://github.com/rbsec/sslscan.git
cd sslscan
make static

Verify the output

./sslscan --version
1.11.13-rbsec-9-g55ec8c7-static
OpenSSL 1.0.2-chacha (1.0.2g-dev)