Racker Hacker

Verify that SSLv2 is disabled

If you're looking to get PCI/CISP compliance, or you just like better security, disable SSL version 2. Here's how to check if it's enabled on your server:

Testing a web server:
openssl s_client -connect hostname:443 -ssl2

Testing an SMTP server:
openssl s_client -connect hostname:25 -starttls smtp -ssl2

If you get lines like these, SSLv2 is disabled:
419:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
420:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:

If it shows the actual certificate installed, SSLv2 is enabled!

This entry was posted on 24/01/2007 (Wednesday) at 9:57 am and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Printed from: http://rackerhacker.com/2007/01/24/verify-that-sslv2-is-disabled/ .
© Major Hayden 2010.

1 Comment   »

• tom says:

  05.12.09 at 11:47

  Hello,
  thanks for the post. when I test it I get an error but still say connected

  #openssl s_client -connect localhost:8443 -ssl2
  CONNECTED(00000003)
  write:errno=104

  does it means it's disable?

RSS feed for comments on this post , TrackBack URI

• • Home
  • About the Racker Hacker
  • MySQLTuner
  • Favorite Mac Apps

• My Sites

  • Major's Posterous
  • MySQLTuner
  • PleskHacker

• Social Media

  • Facebook
  • Flickr
  • LinkedIn
  • Twitter

• Web Links

  • 5dollarwhitebox
  • langui.sh
  • rjamestaylor.com
  • Steven Crowder
  • Stuffleufagus
  • Transcend Linux

• RackerHacker's Tweets

  • Pretty awesome status board for developers: http://is.gd/ahAdp 14 mins ago
  • Anyone else going to be at SXSW on Monday? I'm looking forward to meeting some tech folks. ;-) 1 hr ago
  • @OvrWrkdTech I'd imagine that could be good or bad, depending on your personality. in reply to OvrWrkdTech 1 hr ago
  • @soulresin I see what you did there. in reply to soulresin 11 hrs ago
  • Do you use Freenode regularly? Chip in for the £7 for seven fundraiser and support the network. http://freenode.net/ 11 hrs ago
  • More updates...

• Recent Comments

  • Deeapk on rpmdb: Lock table is out of available locker entries
  • Franck on Obscure MySQL variable explained: max_seeks_for_key
  • beaulebens: Nevermind, Ma… « satuwp on Fix MacFusion on Snow Leopard
  • Jake on Enable submission port 587 in Sendmail
  • Automatically starting synergy in GDM in Ubuntu/Fedora | Racker Hacker on Sticky shift key with synergy in Fedora 12

• Random Posts

  • Change Primary IP Address in Plesk
  • Changing the time zone in irssi
  • BIND: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
  • MySQL: Can't drop one or more of the requested users
  • Postgresql not listening on network

• Tags

  apache blog command line database debian development emergency encryption fedora filesystem ftp fun general advice horde iowait iptables kernel kernel panics linux mac mail memory mysql mysqltuner networking optimization performance perl php plesk procmail qmail red hat rpm screencasts security sendmail ssh ssl sysadmin ubuntu vmware web wordpress yum