Written by georg
on September 7, 2016
How do you compile OpenSSL 1.1.0 with SSL3?
By default, SSL3 is switched off outright (SSLv3 is disabled in the standard 1.1.0 build because of the POODLE padding-oracle attack, so enabling it only makes sense for a test build). Note the no-ssl3 and no-ssl3-method lines:
~/openssl-1.1.0>./config
Operating system: x86_64-whatever-linux2
Configuring for linux-x86_64
Configuring OpenSSL version 1.1.0 (0x0x1010000fL)
    no-asan [default] OPENSSL_NO_ASAN (skip dir)
    no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir)
    no-crypto-mdebug-backtrace [default] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir)
    no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir)
    no-egd [default] OPENSSL_NO_EGD (skip dir)
    no-fuzz-afl [default] OPENSSL_NO_FUZZ_AFL (skip dir)
    no-fuzz-libfuzzer [default] OPENSSL_NO_FUZZ_LIBFUZZER (skip dir)
    no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir)
    no-md2 [default] OPENSSL_NO_MD2 (skip dir)
    no-msan [default] OPENSSL_NO_MSAN (skip dir)
    no-rc5 [default] OPENSSL_NO_RC5 (skip dir)
    no-sctp [default] OPENSSL_NO_SCTP (skip dir)
    no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir)
    no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir)
    no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir)
    no-ubsan [default] OPENSSL_NO_UBSAN (skip dir)
    no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir)
    no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir)
    no-zlib [default]
    no-zlib-dynamic [default]
Configuring for linux-x86_64
...
But it can be switched on at configure time; enable-ssl3 compiles the protocol in and enable-ssl3-method restores the SSLv3_*method() functions, and both no-ssl3 lines disappear from the list:
~/openssl-1.1.0>./config enable-ssl3 enable-ssl3-method
Operating system: x86_64-whatever-linux2
Configuring for linux-x86_64
Configuring OpenSSL version 1.1.0 (0x0x1010000fL)
    no-asan [default] OPENSSL_NO_ASAN (skip dir)
    no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir)
    no-crypto-mdebug-backtrace [default] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir)
    no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir)
    no-egd [default] OPENSSL_NO_EGD (skip dir)
    no-fuzz-afl [default] OPENSSL_NO_FUZZ_AFL (skip dir)
    no-fuzz-libfuzzer [default] OPENSSL_NO_FUZZ_LIBFUZZER (skip dir)
    no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir)
    no-md2 [default] OPENSSL_NO_MD2 (skip dir)
    no-msan [default] OPENSSL_NO_MSAN (skip dir)
    no-rc5 [default] OPENSSL_NO_RC5 (skip dir)
    no-sctp [default] OPENSSL_NO_SCTP (skip dir)
    no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir)
    no-ubsan [default] OPENSSL_NO_UBSAN (skip dir)
    no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir)
    no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir)
    no-zlib [default]
    no-zlib-dynamic [default]
Configuring for linux-x86_64
...
After rebuilding, the -ssl3 option is accepted by s_client again, but the connection does not work: the error is raised while constructing the ClientHello ("no protocols available"), before a single byte has been sent (read 0 bytes, written 0 bytes), so the server is never even asked:
echo "" | apps/openssl s_client -servername ${SERVERNAME} -connect $SERVERNAME:443 -ssl3
CONNECTED(00000003)
140198926489344:error:141640BF:SSL routines:tls_construct_client_hello:no protocols available:ssl/statem/statem_clnt.c:709:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
---
The same command with -tls1, or with no protocol version specified at all, works fine:
echo "" | apps/openssl s_client -servername ${SERVERNAME} -connect $SERVERNAME:443 -tls1
CONNECTED(00000003)
...
Server did acknowledge servername extension.
---
Certificate chain
...
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHfjCC...
...
dTc=
-----END CERTIFICATE-----
Does anyone have an idea?
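As an added example (this is not code from the original post or from the OpenSSL project), here is a small set of POSIX shell helpers that separate the two questions the outputs above raise: does the build actually have SSLv3 compiled in, and did the -ssl3 handshake fail locally or at the server. The Configure-output parser and the output classifier run offline on samples constructed from the outputs quoted in this post. probe_ssl3 assumes it is run from the top of the 1.1.0 build tree, so that util/shlib_wrap.sh points apps/openssl at the freshly built libssl rather than at whatever libssl.so.1.1 the loader would otherwise find; the server-side alert strings it looks for are assumptions, not an exhaustive list.

```shell
#!/bin/sh
# Added example, not code from the original post. Helpers for checking an
# OpenSSL 1.1.0 source build for SSLv3 support and for classifying the
# result of `openssl s_client ... -ssl3`.
#
# Assumptions: probe_ssl3 is run from the top of the OpenSSL 1.1.0 build
# tree (so util/shlib_wrap.sh and apps/openssl exist); the server-side
# error strings in classify_s_client_output are typical but not exhaustive.

# Print the features Configure reports as disabled ("no-xxx [default]" etc.),
# one per line. Reads Configure output on stdin; works on flattened output too.
disabled_features() {
    grep -Eo 'no-[a-z0-9_-]+[[:space:]]+\[[a-z]+\]' | sed -E 's/[[:space:]]+\[.*//'
}

# "enabled" if neither no-ssl3 nor no-ssl3-method appears. Both matter for
# s_client -ssl3: the first compiles in the protocol, the second SSLv3_method().
ssl3_build_state() {
    feats=$(disabled_features)
    case "$feats" in
        *no-ssl3*) echo disabled ;;
        *)         echo enabled ;;
    esac
}

# Classify s_client output read from stdin:
#   client-disabled  error raised while building the ClientHello, before any
#                    bytes were sent: the libssl actually loaded offers no SSLv3
#   negotiated       a server certificate came back, i.e. the handshake ran
#   server-rejected  the peer answered with an alert (assumed strings)
#   unknown          anything else
classify_s_client_output() {
    out=$(cat)
    case "$out" in
        *"no protocols available"*) echo client-disabled ;;
        *"BEGIN CERTIFICATE"*)      echo negotiated ;;
        *"handshake failure"*|*"protocol version"*|*"wrong version number"*)
                                    echo server-rejected ;;
        *)                          echo unknown ;;
    esac
}

# Live probe against the library in the build tree. util/shlib_wrap.sh sets
# the loader path so apps/openssl uses ./libssl.so.1.1 rather than an
# installed copy; `ldd apps/openssl` shows which one a bare call would pick.
# Usage: probe_ssl3 host [port]
probe_ssl3() {
    host=$1
    port=${2:-443}
    echo "" | util/shlib_wrap.sh apps/openssl s_client -servername "$host" \
        -connect "$host:$port" -ssl3 2>&1 | classify_s_client_output
}

# Constructed samples, trimmed from the shape of the outputs quoted in the post.
SAMPLE_CONFIG_DEFAULT='no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) no-zlib [default]'
SAMPLE_CONFIG_ENABLED='no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) no-ubsan [default] OPENSSL_NO_UBSAN (skip dir) no-zlib [default]'
SAMPLE_CLIENT_FAIL='CONNECTED(00000003)
140198926489344:error:141640BF:SSL routines:tls_construct_client_hello:no protocols available:ssl/statem/statem_clnt.c:709:
---
SSL handshake has read 0 bytes and written 0 bytes'
SAMPLE_CLIENT_OK='CONNECTED(00000003)
Server certificate
-----BEGIN CERTIFICATE-----
MIIHfjCC...
-----END CERTIFICATE-----'

# Offline demonstration on the samples; run `probe_ssl3 <host>` from the
# build tree for a live check.
demo() {
    printf 'default build:  ssl3 %s\n' "$(printf '%s\n' "$SAMPLE_CONFIG_DEFAULT" | ssl3_build_state)"
    printf 'enable-ssl3:    ssl3 %s\n' "$(printf '%s\n' "$SAMPLE_CONFIG_ENABLED" | ssl3_build_state)"
    printf '-ssl3 output:   %s\n' "$(printf '%s\n' "$SAMPLE_CLIENT_FAIL" | classify_s_client_output)"
    printf '-tls1 output:   %s\n' "$(printf '%s\n' "$SAMPLE_CLIENT_OK" | classify_s_client_output)"
}
demo
```

The useful distinction is the "written 0 bytes" line: a client-disabled result means the libssl that was actually loaded has no SSLv3 to offer, so the first thing to verify after a reconfigure is that make was rerun and that apps/openssl is resolving to the freshly built library and not to an installed one (ldd apps/openssl, or always go through util/shlib_wrap.sh). Only a server-rejected result says anything about the remote side.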