On Wed, Feb 4, 2009 at 6:21 AM, Stuart VanZee <[email protected]> wrote:
...
> So the question is.  How do I prove that our https server doesn't
> provide support for sslv2?

First, you disable it per Otto's email.  Then, you run a script like this:

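#!/bin/sh
# "openssl ciphers -v" prints one line per suite: name, protocol version, details.
# Try one handshake per suite, pinned to that suite and protocol version
# (${version##*v} turns SSLv2/SSLv3 into 2/3, i.e. -ssl2 or -ssl3), and
# print the combination whenever the server answers the HTTP request.
openssl ciphers -v |
while read cipher version other; do
        printf 'HEAD / HTTP/1.0\n\n' |
        openssl s_client -connect 127.0.0.1:443 -cipher "$cipher" \
                         -ssl${version##*v} -quiet 2>&1 |
        grep HTTP >/dev/null && echo $version $cipher
done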


That'll report the SSL protocol version and cipher suite combos that
it supports for the root page.  (In openssl, the cipher suites for TLS
are the same as for SSLv3, so that script only reports SSLv3 for
both.)


Philip Guenther
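
Added example, not part of the original message or of OpenSSL: a cross-check for the same question that does not depend on the local openssl build offering -ssl2. It sends a raw SSLv2 CLIENT-HELLO and inspects the reply; the function names are hypothetical, and the host and port defaults are taken from the script above.

```python
import socket
import struct

# The seven SSLv2 cipher kinds (3 bytes each), all offered in the probe.
SSL2_CIPHERS = [0x010080, 0x020080, 0x030080, 0x040080,
                0x050080, 0x060040, 0x0700C0]

def build_client_hello(challenge=b"\x00" * 16):
    """Return an SSLv2 CLIENT-HELLO record (handshake is never completed)."""
    specs = b"".join(c.to_bytes(3, "big") for c in SSL2_CIPHERS)
    body = struct.pack(">BHHHH", 1, 0x0002, len(specs), 0, len(challenge))
    body += specs + challenge
    # Two-byte record header: high bit set, then a 15-bit length.
    return struct.pack(">H", 0x8000 | len(body)) + body

def parse_server_hello(data):
    """Return the server's SSLv2 cipher kinds, or None if not a SERVER-HELLO."""
    if len(data) < 13 or not data[0] & 0x80 or data[2] != 4:
        return None  # TLS alert, TLS record, SSLv2 error, or nothing at all
    _hit, _ctype, version, cert_len, spec_len, _conn_len = struct.unpack(
        ">BBHHHH", data[3:13])
    if version != 0x0002:
        return None
    specs = data[13 + cert_len:13 + cert_len + spec_len]
    return [int.from_bytes(specs[i:i + 3], "big")
            for i in range(0, len(specs) - 2, 3)]

def probe(host="127.0.0.1", port=443, timeout=5.0):
    """Send the hello to host:port and parse whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        data = b""
        try:  # read one full SSLv2 record, or stop at the first non-SSLv2 bytes
            while len(data) < 2 or (data[0] & 0x80 and len(data) < 2 + (
                    int.from_bytes(data[:2], "big") & 0x7FFF)):
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
        except OSError:  # reset or timeout: no SSLv2 answer
            pass
    return parse_server_hello(data)

if __name__ == "__main__":
    print(probe())
```

A result of None means the server did not answer with an SSLv2 SERVER-HELLO; a list (even an empty one) means it still speaks SSLv2.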
