Verify that SSLv2 is disabled

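If you're looking to get PCI/CISP compliance, or you just like better security, disable SSL version 2. Here's how to check if it's enabled on your server. Note that the -ssl2 option only works with an OpenSSL client that was built with SSLv2 support; OpenSSL 1.1.0 and later removed SSLv2 entirely, so those clients reject the option before connecting.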

Testing a web server:
openssl s_client -connect hostname:443 -ssl2

Testing an SMTP server:
openssl s_client -connect hostname:25 -starttls smtp -ssl2

If you get lines like these, SSLv2 is disabled:
419:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
420:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:

If it shows the actual certificate installed, SSLv2 is enabled!
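
The check above can be scripted. This is an added example, not code from the original post: a shell function that classifies s_client output using the two signals the post describes. The function names, verdict strings and sample outputs are constructed for illustration, and the "unknown option" pattern is an assumption about how a client built without SSLv2 reports it.

```shell
#!/bin/sh
# Added example: classify the output of the SSLv2 probe shown above.

# classify_sslv2: read s_client output on stdin, print one verdict.
classify_sslv2() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'BEGIN CERTIFICATE'; then
        # s_client printed the server certificate: the SSLv2 handshake completed.
        echo enabled
    elif printf '%s\n' "$out" | grep -Eq 'SSL2_WRITE:ssl handshake failure|GET_SERVER_HELLO:no cipher list'; then
        # One of the two handshake errors quoted in the post.
        echo disabled
    elif printf '%s\n' "$out" | grep -iq 'unknown option'; then
        # Assumption: a client built without SSLv2 rejects -ssl2 with an
        # "unknown option" message (exact wording varies by OpenSSL version).
        echo client-lacks-sslv2
    else
        # Neither signature present (for example, the connection was dropped).
        echo inconclusive
    fi
}

# probe_sslv2 HOST PORT [STARTTLS_PROTO]: run the post's command and classify it.
probe_sslv2() {
    if [ -n "${3:-}" ]; then
        openssl s_client -connect "$1:$2" -starttls "$3" -ssl2 </dev/null 2>&1
    else
        openssl s_client -connect "$1:$2" -ssl2 </dev/null 2>&1
    fi | classify_sslv2
}

# Constructed sample outputs so the classifier can be exercised offline.
SAMPLE_DISABLED='419:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:'
SAMPLE_ENABLED='CONNECTED(00000003)
---
Server certificate
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----'
SAMPLE_DROPPED='CONNECTED(00000003)
write:errno=104'
SAMPLE_NOCLIENT='unknown option -ssl2'

for s in "$SAMPLE_DISABLED" "$SAMPLE_ENABLED" "$SAMPLE_DROPPED" "$SAMPLE_NOCLIENT"; do
    printf '%s\n' "$s" | classify_sslv2
done
```

For a live check, call probe_sslv2 hostname 443 for a web server or probe_sslv2 hostname 25 smtp for an SMTP server.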

Printed from: http://rackerhacker.com/2007/01/24/verify-that-sslv2-is-disabled/ .
© Major Hayden 2012.

1 Comment

  • tom says:

    Hello,
    Thanks for the post. When I test it I get an error but it still says connected

    #openssl s_client -connect localhost:8443 -ssl2
    CONNECTED(00000003)
    write:errno=104

    Does it mean it's disabled?
