A common question on security surveys and often an item auditors love to point out because it’s “easy” is the question of SSLv2/3 support. SSLv2 is insecure and shouldn’t be used. Various sources can describe (pdf) the issues better than I, but I will say I don’t know if anyone has made SSLv2 attacks very practical, even if browsers dropped to SSLv2 anymore.
So how do you check what SSL version your web site supports?
1. SSLDigger available as a free Foundstone tool
SSLDigger is a GUI tool that accepts a site (or IP) and digs on the supported SSL ciphers. A nice tool, but it actually gives no distinction between what is SSLv2 and what is SSLv3. However, it does rate ciphers on how weak they are, which can be a nice guide if you’re digging down that deeply and enabling or disabling various individual ciphers.
THCSSLCheck is a Windows command-line tool. THCSSLCheck takes things a step further and groups ciphers based on their SSL version, which is a nice indicator. Very clean!
Yup, OpenSSL (Windows and Linux) can also check SSL strength, and might be the easiest test to understand. It also gives some content that it receives from the website. This is helpful if you have a proxy, filter, or load-balancer in the way that redirects SSLv2 connection attempts. The above two tools simply determine whether a cipher negotiation was successful, but they do not report any context. In my case, I have load-balancers in front of my web servers that answer to SSLv2 connections with a landing page saying we don’t support SSLv2. So, yes the scan showed a positive, but it’s not a real positive. OpenSSL will catch this if you wait a bit and hit enter a few times.
openssl s_client -connect www.mysite.com:443 -ssl2