Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
658 views
in Technique[技术] by (71.8m points)

encryption - Check if a connection is TLSv1 vs SSLv3 (SSL_CIPHER_description/SSL_CIPHER_get_name)

I have a server application that uses OpenSSL. I'm trying to understand what type of SSL connections are hitting my system (i.e. SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2). In particular, I'm working towards disabling SSLv3 (re: POODLE). Before I can do that, I want to see who/what is connecting on SSLv3

I'm currently using the SSL_CIPHER_description and SSL_CIPHER_get_name functions, which provide really good information on the ciphers negotiated for each connection

I'm having some challenges trying to differentiate SSLv3 vs TLSv1 connections. Per https://www.openssl.org/docs/ssl/SSL_CIPHER_get_name.html:

"The TLSv1.0 ciphers are flagged with SSLv3. No new ciphers were added by TLSv1.1." 

I've confirmed that TLSv1 connections get noted as SSLv3 Ex: SSL_CIPHER_description returns the following on a connection that is definitely TLSv1.0: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1

Does anyone have any ideas on how to detect if a connection is SSLv3 versus TLSv1 in OpenSSL?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

See the API SSL_get_cipher_version() and friends.

Additionally, SSLv3/TLS packets all start with a header which you can easily inspect as well:

Byte 0  : Record Type
Byte 1  : Version Major
Byte 2  : Version Minor
Byte 3-4: Length of payload minus header (16k max)

Version Major breaks down like this:

Major == 2: SSLv2 (The rest differs from SSLv3+ headers)
Major == 3: SSLv3, TLSv1.0, TLSv1.1, or TLSv1.2

Version Minor:

Minor == 0: SSLv3
Minor == 1: TLSv1.0
Minor == 2: TLSv1.1
Minor == 3: TLSv1.2

Do note though that until the handshake/negotiation is complete, the versions used can change. If you wait until Application Data, it should be accurate. Example Application Data of a TLSv1.2 record:

0x17 0x03 0x03 ...

Sniff the Data!

Yet another approach if this is simply for research is to sniff the data with Wireshark or similar.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...