badssl.com
sslv3.badssl.com
This requires a separate IP address that doesn't use SNI (or at least defaults to SSLv3 with this particular domain).
Was this ever created? I was just looking for services out there that offer SSLv2 and SSLv3, then thought to myself "hey, wait a second, badssl.com FTW", but then couldn't find a subdomain here.
Yes, but we still don't have a separate IP, so it has to be on a separate port: https://ssl-v3.badssl.com:1003/
Hmm, I'm getting a connection reset when connecting to port 1003 on ssl-v3.badssl.com:
$ openssl s_client -ssl3 -connect ssl-v3.badssl.com:1003
CONNECTED(00000003)
write:errno=54
Is that expected?
> Is that expected?
I honestly don't know. Maybe OpenSSL has SSLv3 disabled by default, or something.
@davidben, do you know the magic incantation?
It looks like a problem with the server, not the OpenSSL incant. If it were an SSLv3 host, you would not expect ERR_CONNECTION_RESET in Chrome. Minimum versions are enforced by the client, not the server. Are you sure ssl-v3.badssl.com:1003 is set up correctly?
Definitely seems to be server-side. My instance of testssl.sh is using static SSLv3-enabled OpenSSL, and I'm able to successfully detect SSLv2 and SSLv3 on public servers known to be using those, but against ssl-v3, I get "104.154.89.105:1003 doesn't seem to be a TLS/SSL enabled server".
@roycewilliams What about ssl-v2?
Good question - OK, if it's the same port (1003), I get the same result.
> OK, if it's the same port (1003)
Uh, that sounds disconcerting. Each TLS protocol case has its own port:
https://ssl-v2.badssl.com:1002
https://ssl-v3.badssl.com:1003
https://tls-v1-0.badssl.com:1010
https://tls-v1-1.badssl.com:1011
If port 1003 is responding over SSLv2, that definitely sounds wrong.
Apologies - I was both unclear and also didn't realize the port mapping.
To clarify, ssl-v3:1003 is not responding for SSL/TLS at all. When I tried ssl-v2:1003, that also failed (which is now unsurprising).
I have just checked, and ssl-v2:1002 is also not responding.
Steps to recreate:
- Download testssl.sh and the appropriate accompanying signed static binary of openssl for your platform.
- Run testssl.sh against that openssl. On my platform, for example:
./testssl.sh --openssl=bin/openssl.Linux.x86_64 ssl-v2.badssl.com:1002
The response I get is:
104.154.89.105:1002 doesn't seem to be a TLS/SSL enabled server
No test that I've been able to perform remotely detects SSL/TLS on either port.
ssl-v2.badssl.com and ssl-v3.badssl.com (whether port 443, 1002 or 1003) do not respond with a cipher. I guess this is due to the limitation of modern OpenSSL. If necessary, I can assist with building a proper OpenSSL.
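Added example, not part of the thread and not code from badssl.com or testssl.sh: a raw-socket SSLv3 probe in Python that does not depend on the local OpenSSL build supporting SSLv3, and that separates the outcomes discussed above (connection closed or reset, non-TLS reply, alert, ServerHello). The function names, the cipher suite list and the sample reply bytes are assumptions constructed for illustration; the probe sends only the ClientHello and does not complete a handshake.

```python
import os
import socket
import struct

SSL3 = (3, 0)
# Suites an SSLv3-era server commonly accepts: RC4-SHA, 3DES-SHA, AES128-SHA, AES256-SHA.
SUITES = (0x0005, 0x000A, 0x002F, 0x0035)

def build_client_hello(version=SSL3):
    """Build a minimal ClientHello record with no extensions, as SSLv3 defines it."""
    ver = bytes(version)
    suites = b"".join(struct.pack("!H", s) for s in SUITES)
    body = (ver + os.urandom(32) + b"\x00"            # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                            # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + ver + struct.pack("!H", len(handshake)) + handshake

def classify_response(data):
    """Map the first bytes a server sends back to one of the outcomes seen in the thread."""
    if not data:
        return "closed"                               # EOF: nothing answered in SSL/TLS
    if len(data) < 7 or data[1] != 3:
        return "not-tls"                              # e.g. plain HTTP on that port
    if data[0] == 0x15:                               # alert record: level, description
        return "alert:%d" % data[6]
    if data[0] == 0x16 and data[5] == 0x02 and len(data) >= 11:
        return "server-hello:%d.%d" % (data[9], data[10])  # version the server chose
    return "not-tls"

def probe(host, port, timeout=5.0):
    """Send the hello to host:port and classify whatever comes back first."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_client_hello())
            return classify_response(s.recv(4096))
    except ConnectionResetError:                      # reset, as in the s_client output
        return "closed"

# Constructed sample replies (not captured from any real server).
SAMPLE_SERVER_HELLO = bytes.fromhex("160300002a020000260300") + bytes(36)
SAMPLE_ALERT = bytes.fromhex("15030100020246")        # fatal alert, description 70

if __name__ == "__main__":
    print(classify_response(SAMPLE_SERVER_HELLO), classify_response(SAMPLE_ALERT))
```

A result of `server-hello:3.0` means the endpoint negotiated SSLv3; `closed` or `not-tls` points at the server or listener rather than at the client's protocol support.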
Why aren't SSL v2/v3 endpoints listed on the website?
> Why aren't SSL v2/v3 endpoints listed on the website?
They don't work with our installation of nginx.
> > Why aren't SSL v2/v3 endpoints listed on the website?
>
> They don't work with our installation of nginx.

Well, this website, https://mailserv.baehal.com, supports SSLv3 only. It was the only one I could find. Here is the SSL Labs test for this website: https://www.ssllabs.com/ssltest/analyze.html?d=mailserv.baehal.com
Unfortunately, though, I was unable to find an SSLv2-only website.