|
Do you know the way to test if our IIS is using SSL
2 or 3?
A: Based on my research, I think you can use
SSL analysis tool or
OpenSSL tool, please have a reference from
http://www.slproweb.com/products/Win32OpenSSL.html. I am not sure that
if this is a right way to view certificate version. If it is V3, which means
SSL V3.
Here are our test results.
Before disabling the SSL 2.0
serversniff
net
|
Serversniff SSL-Check, using:
|
|
|
OpenSSL 0.9.8h 28 May 2008
|
|
|
|
|
Preferred cipher:
|
|
|
TLSv1/SSLv3, Cipher is AES128-SHA AES(128)
|
|
|
|
|
Available SSL2 ciphers:
|
|
|
DES-CBC3-MD5
|
168 bit
|
|
RC4-MD5
|
128 bit
|
|
|
|
Available SSL3 ciphers:
|
|
|
DES-CBC3-SHA
|
168 bit
|
|
RC4-SHA
|
128 bit
|
|
RC4-MD5
|
128 bit
|
|
|
|
Available TLS1 ciphers:
|
|
|
AES256-SHA
|
256 bit
|
|
DES-CBC3-SHA
|
168 bit
|
|
AES128-SHA
|
128 bit
|
|
RC4-SHA
|
128 bit
|
|
RC4-MD5
|
128 bit
|
|
Certificate:
|
|
Domain (CN):
chicagotech.dyndns.org
|
|
Valid from:
Nov 4 19:58:30 2010 GMT
|
|
Valid until:
Nov 3 19:58:30 2012 GMT
|
|
|
|
Herausgeber:
|
|
Domain (CN):
chicagotech-SBS2008-CA1
|
|
SSL-Connection:
|
|
SSL-Overhead:
SSL handshake has read 1703 bytes and written 444 bytes
|
|
New, TLSv1/SSLv3,
Default Cipher
is AES128-SHA
|
|
Length of public server-key:
2048 bit
|
|
Default protocol
: TLSv1
|
|
Default Cipher
: AES128-SHA
|
|
•
|
TLS 1.1 support...
no
|
|
|
|
•
|
fallback from TLS 1.1 to... TLS 1.0
|
|
|
|
•
|
TLS 1.0 support...
yes
|
|
|
|
•
|
SSL 3.0 support...
yes
|
|
|
|
•
|
server can accept Hello Extensions...
yes
|
|
|
|
•
|
server can accept cipher suites
not
in SSL 3.0 spec...
yes
|
|
|
|
•
|
server can accept a bogus TLS record version in the client
hello...
yes
|
|
|
|
•
|
server understands TLS closure alerts...
no
|
|
|
|
•
|
server supports session resumption...
yes
|
|
|
|
•
|
ephemeral Diffie Hellman support...
no
|
|
|
|
•
|
ZLIB compression support (TLS extension)...
no
|
|
|
|
•
|
LZO compression support (GnuTLS extension)...
no
|
|
|
|
•
|
SRP authentication support (TLS extension)...
no
|
|
|
|
•
|
OpenPGP authentication support (TLS extension)...
no
|
After disabling SSL 2.0
|
Serversniff SSL-Check, using:
|
|
|
OpenSSL 0.9.8h 28 May 2008
|
|
|
|
|
Preferred cipher:
|
|
|
TLSv1/SSLv3, Cipher is AES128-SHA AES(128)
|
|
|
|
|
Available SSL2 ciphers:
|
|
|
|
|
Available SSL3 ciphers:
|
|
|
DES-CBC3-SHA
|
168 bit
|
|
RC4-SHA
|
128 bit
|
|
RC4-MD5
|
128 bit
|
|
|
|
Available TLS1 ciphers:
|
|
|
AES256-SHA
|
256 bit
|
|
DES-CBC3-SHA
|
168 bit
|
|
AES128-SHA
|
128 bit
|
|
RC4-SHA
|
128 bit
|
|
RC4-MD5
|
128 bit
|
|
Certificate:
|
|
Domain (CN):
chicagotech.dyndns.org
|
|
Valid from:
Nov 4 19:58:30 2010 GMT
|
|
Valid until:
Nov 3 19:58:30 2012 GMT
|
|
|
|
Herausgeber:
|
|
Domain (CN):
chicagotech-SBS2008-CA1
|
|
SSL-Connection:
|
|
SSL-Overhead:
SSL handshake has read 1703 bytes and written 444 bytes
|
|
New, TLSv1/SSLv3,
Default Cipher
is AES128-SHA
|
|
Length of public server-key:
2048 bit
|
|
Default protocol
: TLSv1
|
|
Default Cipher
: AES128-SHA
|
|
•
|
TLS 1.1 support...
no
|
|
|
|
•
|
fallback from TLS 1.1 to... TLS 1.0
|
|
|
|
•
|
TLS 1.0 support...
yes
|
|
|
|
•
|
SSL 3.0 support...
yes
|
|
|
|
•
|
server can accept Hello Extensions...
yes
|
|
|
|
•
|
server can accept cipher suites
not
in SSL 3.0 spec...
yes
|
|
|
|
•
|
server can accept a bogus TLS record version in the client
hello...
yes
|
|
|
|
•
|
server understands TLS closure alerts...
no
|
|
|
|
•
|
server supports session resumption...
yes
|
|
|
|
•
|
ephemeral Diffie Hellman support...
no
|
|
|
|
•
|
ZLIB compression support (TLS extension)...
no
|
|
|
|
•
|
LZO compression support (GnuTLS extension)...
no
|
|
|
|
•
|
SRP authentication support (TLS extension)...
no
|
|
|
|
•
|
OpenPGP authentication support (TLS extension)...
no
|
|
|
Post your questions, comments, feedbacks and suggestions
Contact a consultant
Related Topics
|
|
