Written by georg
on September 7, 2016
How do you compile OpenSSL 1.1.0 with SSL3?
By default, SSL3 is switched off outright:
~/openssl-1.1.0>./config
Operating system: x86_64-whatever-linux2
Configuring for linux-x86_64
Configuring OpenSSL version 1.1.0 (0x0x1010000fL)
no-asan [default] OPENSSL_NO_ASAN (skip dir)
no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir)
no-crypto-mdebug-backtrace [default] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir)
no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir)
no-egd [default] OPENSSL_NO_EGD (skip dir)
no-fuzz-afl [default] OPENSSL_NO_FUZZ_AFL (skip dir)
no-fuzz-libfuzzer [default] OPENSSL_NO_FUZZ_LIBFUZZER (skip dir)
no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir)
no-md2 [default] OPENSSL_NO_MD2 (skip dir)
no-msan [default] OPENSSL_NO_MSAN (skip dir)
no-rc5 [default] OPENSSL_NO_RC5 (skip dir)
no-sctp [default] OPENSSL_NO_SCTP (skip dir)
no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir)
no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir)
no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir)
no-ubsan [default] OPENSSL_NO_UBSAN (skip dir)
no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir)
no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir)
no-zlib [default]
no-zlib-dynamic [default]
Configuring for linux-x86_64
...
But it can be enabled in Configure:
~/openssl-1.1.0>./config enable-ssl3 enable-ssl3-method
Operating system: x86_64-whatever-linux2
Configuring for linux-x86_64
Configuring OpenSSL version 1.1.0 (0x0x1010000fL)
no-asan [default] OPENSSL_NO_ASAN (skip dir)
no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir)
no-crypto-mdebug-backtrace [default] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir)
no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir)
no-egd [default] OPENSSL_NO_EGD (skip dir)
no-fuzz-afl [default] OPENSSL_NO_FUZZ_AFL (skip dir)
no-fuzz-libfuzzer [default] OPENSSL_NO_FUZZ_LIBFUZZER (skip dir)
no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir)
no-md2 [default] OPENSSL_NO_MD2 (skip dir)
no-msan [default] OPENSSL_NO_MSAN (skip dir)
no-rc5 [default] OPENSSL_NO_RC5 (skip dir)
no-sctp [default] OPENSSL_NO_SCTP (skip dir)
no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir)
no-ubsan [default] OPENSSL_NO_UBSAN (skip dir)
no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir)
no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir)
no-zlib [default]
no-zlib-dynamic [default]
Configuring for linux-x86_64
...
The -ssl3 option is now recognized again, but it does not work:
echo "" | apps/openssl s_client -servername ${SERVERNAME} -connect $SERVERNAME:443 -ssl3
CONNECTED(00000003)
140198926489344:error:141640BF:SSL routines:tls_construct_client_hello:no protocols available:ssl/statem/statem_clnt.c:709:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
---
The same command with -tls1, or also when no protocol version is given explicitly:
echo "" | apps/openssl s_client -servername ${SERVERNAME} -connect $SERVERNAME:443 -tls1
CONNECTED(00000003)
...
Server did acknowledge servername extension.
---
Certificate chain
...
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHfjCC...
...
dTc=
-----END CERTIFICATE-----
Anyone have an idea?
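As an added example that is not part of the original post: the POSIX shell function below reads captured s_client output, like the two transcripts above, and tells a "client could not even offer the version" failure apart from a server refusal or a negotiated session. The distinction matters when a build like the one above is used to check whether servers still accept SSLv3: the local "no protocols available" error with 0 bytes written means the server's policy was never tested, so such a run must not be counted as "SSLv3 disabled". The function name, the verdict strings and the sample transcripts are assumptions constructed for this example; the samples are modelled on the post's output, with byte counts and error codes illustrative.

```shell
#!/bin/sh
# Added example, not code from the original post. Classify what an
# `openssl s_client` run actually tells you, so that a protocol check
# ("does this server still accept SSLv3?") does not mistake a local
# client problem for a hardened server.
#
# Verdicts written to stdout (names are assumptions of this example):
#   client-cannot-offer  the client failed before sending a ClientHello
#                        ("no protocols available" or 0 bytes written);
#                        the local build/configuration is the problem and
#                        the server's policy was never exercised
#   server-rejected      a ClientHello went out but no session resulted
#   negotiated           a cipher suite was agreed
#   no-handshake-line    output lacks the handshake summary (connect error etc.)

classify_s_client_output() {
    out="$1"

    # Local failure seen in the post: the client could not build a hello at all.
    if printf '%s\n' "$out" | grep -q 'no protocols available'; then
        echo client-cannot-offer
        return 0
    fi

    # "SSL handshake has read R bytes and written W bytes"
    written=$(printf '%s\n' "$out" \
        | sed -n 's/^SSL handshake has read [0-9]* bytes and written \([0-9]*\) bytes.*/\1/p' \
        | head -n 1)
    if [ -z "$written" ]; then
        echo no-handshake-line
        return 0
    fi
    # Nothing written means no ClientHello left the client: still a local problem.
    if [ "$written" -eq 0 ]; then
        echo client-cannot-offer
        return 0
    fi

    # "New, <proto>, Cipher is <name>" or "Reused, ..."; (NONE) means no session.
    cipher=$(printf '%s\n' "$out" \
        | sed -n -e 's/^New, .*, Cipher is \(.*\)$/\1/p' \
                 -e 's/^Reused, .*, Cipher is \(.*\)$/\1/p' \
        | head -n 1)
    if [ -n "$cipher" ] && [ "$cipher" != "(NONE)" ]; then
        echo negotiated
    else
        echo server-rejected
    fi
}

# Constructed sample 1: the failing -ssl3 run from the post (trimmed).
SAMPLE_SSL3_FAIL='CONNECTED(00000003)
140198926489344:error:141640BF:SSL routines:tls_construct_client_hello:no protocols available:ssl/statem/statem_clnt.c:709:
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 0 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)'

# Constructed sample 2: a server that refused the offered version
# (byte counts and error text illustrative).
SAMPLE_REJECTED='CONNECTED(00000003)
140198926489344:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:SSL alert number 40
---
no peer certificate available
---
SSL handshake has read 7 bytes and written 110 bytes
---
New, (NONE), Cipher is (NONE)'

# Constructed sample 3: a successful handshake (modelled on the -tls1 run).
SAMPLE_NEGOTIATED='CONNECTED(00000003)
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHfjCC...
-----END CERTIFICATE-----
---
SSL handshake has read 3142 bytes and written 301 bytes
Verification: OK
---
New, TLSv1/SSLv3, Cipher is AES256-SHA'

# Stand-alone usage: classify the embedded samples. In real use, feed it
# live output, e.g.
#   classify_s_client_output "$(echo | openssl s_client -connect host:443 -ssl3 2>&1)"
for s in "$SAMPLE_SSL3_FAIL" "$SAMPLE_REJECTED" "$SAMPLE_NEGOTIATED"; do
    classify_s_client_output "$s"
done
```

Only the "server-rejected" verdict is evidence that the server declines SSLv3; a "client-cannot-offer" result from a build without working SSL3 support should be treated as an invalid measurement, not as a pass.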
