Ethernet Switching
Contributor
francisowen
Posts: 13
Registered: ‎07-04-2011

verify if ssl version 2 disable

Hi, need help: how to verify if SSL version 2 is disabled on the Juniper EX platform?

Trusted Expert
jtb
Posts: 311
Registered: ‎08-26-2009

Re: verify if ssl version 2 disable

Hi,

A simple way is to use the openssl tool (any U**x/Windows):

admin@nms3:~$ openssl s_client  -connect www.hp.com:443 -ssl2
CONNECTED(00000003)
17481:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
admin@nms3:~$

admin@nms3:~$ openssl s_client  -connect www.hp.com:443 -ssl3
CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
[... read the long output ...]

// change www.hp.com:443 to www.juniper.net:443 - SSL2 is accepted

// ex2200 running 11.4R2.14:

admin@nms3:~$ openssl s_client  -connect 10.0.0.14:443 -ssl2
CONNECTED(00000003)
17516:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:

admin@nms3:~$ openssl s_client  -connect 10.0.0.14:443 -ssl3
CONNECTED(00000003)
depth=0 /CN=CU0xxxxxxxxx/CN=system generated/CN=self-signed
[... read the long output ...]

There are many online/offline tools & scripts to play with SSL; sslscan (sslscan-win for Windows) is one example:

// the same ex2200

admin@nms3:~$ sslscan 10.0.0.14
                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                  Version 1.8.2
             http://www.titania.co.uk
        Copyright Ian Ventura-Whiting 2009

Testing SSL server 10.0.0.14 on port 443

  Supported Server Cipher(s):
    Rejected  SSLv2  168 bits  DES-CBC3-MD5
    Rejected  SSLv2  56 bits   DES-CBC-MD5
    Rejected  SSLv2  40 bits   EXP-RC2-CBC-MD5
    Rejected  SSLv2  128 bits  RC2-CBC-MD5
    Rejected  SSLv2  40 bits   EXP-RC4-MD5
    Rejected  SSLv2  128 bits  RC4-MD5
    Rejected  SSLv3  256 bits  ADH-AES256-SHA
    Accepted  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-DSS-AES256-SHA
    Accepted  SSLv3  256 bits  AES256-SHA
    Rejected  SSLv3  128 bits  ADH-AES128-SHA
    Accepted  SSLv3  128 bits  DHE-RSA-AES128-SHA
    Rejected  SSLv3  128 bits  DHE-DSS-AES128-SHA
    Accepted  SSLv3  128 bits  AES128-SHA
    Rejected  SSLv3  168 bits  ADH-DES-CBC3-SHA
    Rejected  SSLv3  56 bits   ADH-DES-CBC-SHA
    Rejected  SSLv3  40 bits   EXP-ADH-DES-CBC-SHA
    Rejected  SSLv3  128 bits  ADH-RC4-MD5
    Rejected  SSLv3  40 bits   EXP-ADH-RC4-MD5
    Accepted  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  SSLv3  56 bits   EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3  40 bits   EXP-EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  SSLv3  56 bits   EDH-DSS-DES-CBC-SHA
    Rejected  SSLv3  40 bits   EXP-EDH-DSS-DES-CBC-SHA
    Accepted  SSLv3  168 bits  DES-CBC3-SHA
    Rejected  SSLv3  56 bits   DES-CBC-SHA
    Rejected  SSLv3  40 bits   EXP-DES-CBC-SHA
    Rejected  SSLv3  40 bits   EXP-RC2-CBC-MD5
    Accepted  SSLv3  128 bits  RC4-SHA
    Accepted  SSLv3  128 bits  RC4-MD5
    Rejected  SSLv3  40 bits   EXP-RC4-MD5
    Rejected  SSLv3  0 bits    NULL-SHA
    Rejected  SSLv3  0 bits    NULL-MD5
    Rejected  TLSv1  256 bits  ADH-AES256-SHA
    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Rejected  TLSv1  256 bits  DHE-DSS-AES256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Rejected  TLSv1  128 bits  ADH-AES128-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Rejected  TLSv1  128 bits  DHE-DSS-AES128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Rejected  TLSv1  168 bits  ADH-DES-CBC3-SHA
    Rejected  TLSv1  56 bits   ADH-DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-ADH-DES-CBC-SHA
    Rejected  TLSv1  128 bits  ADH-RC4-MD5
    Rejected  TLSv1  40 bits   EXP-ADH-RC4-MD5
    Accepted  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  TLSv1  56 bits   EDH-RSA-DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-EDH-RSA-DES-CBC-SHA
    Rejected  TLSv1  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  TLSv1  56 bits   EDH-DSS-DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-EDH-DSS-DES-CBC-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Rejected  TLSv1  56 bits   DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-RC2-CBC-MD5
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  128 bits  RC4-MD5
    Rejected  TLSv1  40 bits   EXP-RC4-MD5
    Rejected  TLSv1  0 bits    NULL-SHA
    Rejected  TLSv1  0 bits    NULL-MD5

  Prefered Server Cipher(s):
    SSLv3  256 bits  DHE-RSA-AES256-SHA
    TLSv1  256 bits  DHE-RSA-AES256-SHA

  SSL Certificate:
    Version: 2
    Serial Number: 4294967295
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: /CN=CU0xxxxxxxx/CN=system generated/CN=self-signed
    Not valid before: May  2 13:58:30 2012 GMT
    Not valid after: May  1 13:58:30 2017 GMT
    Subject: /CN=CUxxxxxxx/CN=system generated/CN=self-signed
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
      Modulus (1024 bit):
          00:b8:c1:40:0c:38:56:db:4c:82:61:5f:12:b4:0d:
          [...]
          ac:17:0d:33:d3:c8:91:e8:c5
      Exponent: 65537 (0x10001)
    X509v3 Extensions:
      X509v3 Subject Alternative Name: 
        <EMPTY>

  Verify Certificate:
    self signed certificate
admin@nms3:~$

 jtb
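What `openssl s_client -ssl2` and sslscan both do under the hood is send an SSLv2 CLIENT-HELLO and check whether the server answers with an SSLv2 SERVER-HELLO. The script below is an added example, not part of jtb's post and not a Juniper or OpenSSL tool; it performs that same check directly on a socket, so the result does not depend on whether your local openssl build still has SSLv2 compiled in (a `handshake failure` from `-ssl2` only proves the server rejected SSLv2 if the client actually spoke it). The default target 10.0.0.14 reuses the EX2200 address from the post and is assumed to be your own device; the sample replies at the bottom are constructed for offline testing, not captured from a real switch.

```python
import os
import socket
import struct
import sys

# SSLv2 CIPHER-KIND values (3 bytes each) from the SSL 2.0 specification.
SSLV2_CIPHER_KINDS = {
    "SSL_CK_RC4_128_WITH_MD5": b"\x01\x00\x80",
    "SSL_CK_RC4_128_EXPORT40_WITH_MD5": b"\x02\x00\x80",
    "SSL_CK_RC2_128_CBC_WITH_MD5": b"\x03\x00\x80",
    "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5": b"\x04\x00\x80",
    "SSL_CK_IDEA_128_CBC_WITH_MD5": b"\x05\x00\x80",
    "SSL_CK_DES_64_CBC_WITH_MD5": b"\x06\x00\x40",
    "SSL_CK_DES_192_EDE3_CBC_WITH_MD5": b"\x07\x00\xc0",
}
SSLV2_CIPHER_NAMES = {v: k for k, v in SSLV2_CIPHER_KINDS.items()}


def build_sslv2_client_hello(challenge=None):
    """Build an SSLv2 CLIENT-HELLO offering every SSLv2 cipher kind."""
    if challenge is None:
        challenge = os.urandom(16)
    ciphers = b"".join(SSLV2_CIPHER_KINDS.values())
    body = (
        b"\x01"                                  # message type: CLIENT-HELLO
        + b"\x00\x02"                            # protocol version 2.0
        + struct.pack(">H", len(ciphers))        # cipher-specs length
        + struct.pack(">H", 0)                   # session-id length (none)
        + struct.pack(">H", len(challenge))      # challenge length
        + ciphers
        + challenge
    )
    # Two-byte SSLv2 record header: high bit set, low 15 bits carry the length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def classify_response(data):
    """Return (sslv2_accepted, reason) for whatever the server sent back."""
    if not data:
        return False, "connection closed without a reply (SSLv2 rejected)"
    if data[0] & 0x80 and len(data) >= 3 and data[2] == 0x04:
        return True, "SSLv2 SERVER-HELLO received (SSLv2 ACCEPTED)"
    if data[0] == 0x15 and len(data) >= 3 and data[1] == 0x03:
        return False, "TLS alert record received (SSLv2 rejected)"
    return False, "unrecognised reply, not an SSLv2 SERVER-HELLO"


def parse_sslv2_server_hello(data):
    """List the cipher kinds advertised in an SSLv2 SERVER-HELLO, or None."""
    if len(data) < 13 or not (data[0] & 0x80) or data[2] != 0x04:
        return None
    # Layout after the 2-byte header: type(1) session-id-hit(1) cert-type(1)
    # version(2) cert-len(2) cipher-specs-len(2) conn-id-len(2) cert ciphers conn-id
    cert_len, cipher_len, _conn_len = struct.unpack(">HHH", data[7:13])
    specs = data[13 + cert_len:13 + cert_len + cipher_len]
    return [SSLV2_CIPHER_NAMES.get(specs[i:i + 3], "unknown-" + specs[i:i + 3].hex())
            for i in range(0, len(specs) - len(specs) % 3, 3)]


def probe_sslv2(host, port=443, timeout=5.0):
    """Send one SSLv2 CLIENT-HELLO to host:port and classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data), parse_sslv2_server_hello(data)


# Constructed sample replies (not captured from a real device) so the
# classifier can be exercised offline.
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"   # TLS 1.0 fatal protocol_version alert
_sample_ciphers = b"\x01\x00\x80\x07\x00\xc0"         # RC4-128-MD5, 3DES-MD5
_sample_body = (b"\x04\x00\x01\x00\x02"                # SERVER-HELLO, no hit, X.509, v2.0
                + struct.pack(">HHH", 0, len(_sample_ciphers), 16)
                + _sample_ciphers + b"\x00" * 16)      # empty cert (constructed), ciphers, conn-id
SAMPLE_SSLV2_SERVER_HELLO = struct.pack(">H", 0x8000 | len(_sample_body)) + _sample_body

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.14"  # the EX switch IP from the thread
    (accepted, reason), ciphers = probe_sslv2(target)
    print("%s:443 -> %s" % (target, reason))
    if accepted:
        print("server offered:", ", ".join(ciphers))
```

Run it as `python3 sslv2check.py 10.0.0.14`. A closed connection or a TLS alert record, as in jtb's `handshake failure` and the `Rejected SSLv2` rows from sslscan, means the switch refused the SSLv2 hello; only a genuine SSLv2 SERVER-HELLO (first byte with the high bit set, third byte 0x04) means SSLv2 is still enabled, in which case the script also lists the cipher kinds the server advertised.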
