How to check if SSL v2 is enabled using openssl

SSL v2 is a weak and outdated protocol. All modern browsers and applications support SSL v3, which is why you should disable SSL v2 wherever possible.

Using this command you can check if SSL v2 is enabled:

openssl s_client -connect www.example.org:443 -ssl2

If SSL v2 is disabled you should get a response like this (this is the response you want to get because SSL v2 should be disabled):

CONNECTED(00000003)
write:errno=104

or

CONNECTED(00000003)
11132:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:

However, if SSL v2 is enabled the response will be a lot longer and include something like this:

...
Ciphers common between both SSL endpoints:
RC4-MD5         EXP-RC4-MD5     RC2-CBC-MD5
EXP-RC2-CBC-MD5 DES-CBC-MD5     DES-CBC3-MD5
---
SSL handshake has read 1370 bytes and written 364 bytes
---
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 2048 bit
...
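The same check can be run without openssl, which helps on builds whose s_client no longer accepts -ssl2. This is an added example, not code from the original post: it sends a raw SSLv2 CLIENT-HELLO and lists the ciphers from the SERVER-HELLO. The function names and the sample reply are constructed for illustration.

```python
import socket
import struct

# SSLv2 cipher kinds (3 bytes on the wire) mapped to their openssl names.
SSL2_CIPHERS = {
    0x010080: "RC4-MD5", 0x020080: "EXP-RC4-MD5", 0x030080: "RC2-CBC-MD5",
    0x040080: "EXP-RC2-CBC-MD5", 0x050080: "IDEA-CBC-MD5",
    0x060040: "DES-CBC-MD5", 0x0700C0: "DES-CBC3-MD5",
}

def build_client_hello(challenge=b"\x00" * 16):
    """SSLv2 CLIENT-HELLO record offering every SSLv2 cipher kind."""
    specs = b"".join(kind.to_bytes(3, "big") for kind in SSL2_CIPHERS)
    # msg type 1, version 0x0002, cipher-spec length, session-id length 0, challenge length
    body = struct.pack(">BHHHH", 1, 2, len(specs), 0, len(challenge)) + specs + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body  # 2-byte header, high bit set

def parse_server_hello(data):
    """Cipher names from an SSLv2 SERVER-HELLO; None if the reply is anything else."""
    if len(data) < 13 or not data[0] & 0x80 or data[2] != 4:  # 4 = SERVER-HELLO
        return None
    _hit, _ctype, version, cert_len, spec_len, _cid_len = struct.unpack(">BBHHHH", data[3:13])
    specs = data[13 + cert_len:13 + cert_len + spec_len]
    if version != 2 or len(specs) != spec_len or spec_len % 3:
        return None
    kinds = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, spec_len, 3)]
    return [SSL2_CIPHERS.get(kind, f"unknown-{kind:06x}") for kind in kinds]

def probe_sslv2(host, port=443, timeout=5.0):
    """Ciphers the server accepts over SSLv2, or None when SSLv2 is refused."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello())
            # Read until the record length announced in the header has arrived.
            while len(data) < 2 or len(data) < 2 + (int.from_bytes(data[:2], "big") & 0x7FFF):
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:
        pass  # reset or timeout: the "disabled" case shown above
    return parse_server_hello(data)

# Constructed sample reply (dummy certificate bytes), for an offline run.
SAMPLE = (struct.pack(">HBBBHHHH", 0x8000 | 37, 4, 0, 1, 2, 4, 6, 16)
          + b"CERT" + bytes.fromhex("0700c0010080") + b"\x11" * 16)

if __name__ == "__main__":
    print(parse_server_hello(SAMPLE))
```

A result of None from probe_sslv2 corresponds to the "disabled" responses above; any list, including an empty one, means the server still answers SSLv2 handshakes.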

Here are instructions on how to disable SSL v2 on Windows 2008 servers:
How to disable SSL v2 / enable SSL v3 on Windows 2008

Comment

  1. Unfortunately, the -ssl2 option has been deprecated from the openssl client, so this will only work with old versions.