> From: owner-openssl-us...@openssl.org On Behalf Of Nouefel
> Sent: Monday, 28 February, 2011 19:10

> Openssl version - OpenSSL 0.9.8l 5 Nov 2009
>
> Now regarding the commands and their results:
>
> openssl s_client -connect HOSTNAME:443 -cipher LOW:EXP
> connect: Connection timed out
> connect:errno=110
>

Okay, so this is almost certainly Linux and that error means you didn't connect at all. You have NO information about what the server supports.

However, if ALL clients are like you, unable to connect on 443 (see below), then it shouldn't matter if the server software contains support for weak ciphers (or other problems like SQL or script injection, cross-domain forgery, etc.) since no one can send the data that would exploit these problems.

> openssl s_client -connect HOSTNAME:8000 -cipher LOW:EXP
> CONNECTED(00000003)
> write:errno=104
>

That's a bit odd; you connected and then got reset. It's especially odd to get it on write, unless maybe your random-gen for KeyExchange is extra slow or something. Depending on the server (particularly OS), this MAY indicate that the server is failing (e.g. crashing). Normally I would first suggest checking the server logs, but if you're trying to probe basic crypto from outside I'm guessing you don't have access to the logs.

As I said, try with -msg (or -debug) to get details of the handshake process. That MAY get far enough to have some information about the crypto support of the server.

> So on 8000 it says connected but there is also an err. Whereas the first one
> times out as port 443 is not enabled.
>

What exactly do you mean by "port is not enabled"? If there is simply no software listening on port N on a reachable host, connect normally fails with reset. The host might have rules or features to just discard connects (SYNs) on some port(s), e.g. 443, for any reason it likes, possibly to avoid scans or probes like yours.

Or, there might be a firewall or similar device between you and the host which decides to discard 443 but let through 8000 -- maybe even to let through the SYNs for 8000 but then subsequently break the connection with RST, although that's rather rude.

Are you even sure HOSTNAME:443 and HOSTNAME:8000 are the same host? First, one name can translate in DNS to different addresses at different times, although it is unlikely it would consistently translate to different values for your :443 attempts versus your :8000 ones. Second, a single address could be "on" a NAT-type box that routes different ports to different hosts; this is fairly common in today's network world.

If this host belongs to your organization, or a business partner or something, they should be able to tell you how the network setup works, and quite possibly how the crypto is set up, if that is your actual question. Admittedly in some (large) organizations, it can be a chore to find the correct person with such answers. If this host belongs to someone else, they may want you NOT to know this setup, which they may want to change without warning and without you knowing or noticing.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
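The reply above turns on reading three distinct `openssl s_client` outcomes correctly: a `connect:errno=110` with no `CONNECTED` line (no TCP connection at all, so nothing learned about the server's ciphers), a `CONNECTED` followed by `write:errno=104` (TCP reachable, connection reset during the handshake, rerun with `-msg`/`-debug`), and a completed handshake whose `Cipher :` line shows what the server actually accepted from the `LOW:EXP` offer. The following Python helper is an added example written for this thread, not code from the OpenSSL project or from either correspondent; it classifies captured `s_client` output into those cases so the result of an audit of your own servers is not misread. The sample outputs are constructed to mirror the thread and a typical "alert handshake failure" rejection; the errno-to-name table holds the Linux values the reply assumes, and the weak-suite check is a simple heuristic for the export, single-DES and NULL families, not a complete cipher-strength policy.

```python
import re

# Linux errno values (the thread's errno=110 / errno=104 are Linux numbers).
# Constructed lookup for this example; other operating systems use other numbers.
LINUX_ERRNO = {
    104: "ECONNRESET",    # peer sent RST on an already-established connection
    110: "ETIMEDOUT",     # connect() never completed: SYN dropped or unanswered
    111: "ECONNREFUSED",  # host answered with RST: nothing listening on the port
}


def is_weak_cipher(name: str) -> bool:
    """Heuristic for the suites an s_client -cipher LOW:EXP offer can produce:
    export-grade (EXP-), single DES (DES-CBC-, not DES-CBC3-) and NULL suites."""
    return (name.startswith("EXP-")
            or "NULL" in name
            or re.search(r"(^|-)DES-CBC-", name) is not None)


def s_client_command(host: str, port: int, ciphers: str = "LOW:EXP") -> list:
    """Argv for the probe the reply recommends: same connect, plus -msg so the
    handshake records are printed even when the connection is reset mid-way."""
    return ["openssl", "s_client", "-connect", f"{host}:{port}",
            "-cipher", ciphers, "-msg"]


def classify_s_client(output: str) -> dict:
    """Map captured s_client output onto the stage where it stopped and what,
    if anything, that says about the server's cipher support."""
    connected = re.search(r"^CONNECTED\(", output, re.M) is not None
    err = re.search(r"^(connect|write|read):errno=(\d+)", output, re.M)
    # e.g. "...:sslv3 alert handshake failure:s23_clnt.c:..." -> "handshake failure"
    alert = re.search(r"alert (\w[\w ]*?):", output)
    cipher_m = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    cipher = None
    if cipher_m and cipher_m.group(1) not in ("0000", "(NONE)"):
        cipher = cipher_m.group(1)

    result = {"connected": connected, "errno": None, "errno_name": None,
              "cipher": cipher, "weak": False, "stage": None, "verdict": ""}
    if err:
        result["errno"] = int(err.group(2))
        result["errno_name"] = LINUX_ERRNO.get(result["errno"], "unknown")

    if not connected:
        # No TCP connection: filtered, discarded or unreachable. Zero crypto information.
        result["stage"] = "tcp_connect"
        result["verdict"] = "no TCP connection; says nothing about the server's cipher support"
    elif cipher:
        # Handshake completed: the Cipher line is the server's actual choice.
        result["stage"] = "established"
        result["weak"] = is_weak_cipher(cipher)
        result["verdict"] = (f"server accepted a weak suite: {cipher}" if result["weak"]
                             else f"server negotiated {cipher}")
    elif alert:
        # Server answered the ClientHello with an alert: it rejected every offered suite.
        result["stage"] = "tls_handshake"
        result["verdict"] = f"server refused the offered ciphers ({alert.group(1)})"
    else:
        # Connected, then reset/dropped with no alert: inconclusive, gather -msg output.
        result["stage"] = "tls_handshake"
        result["verdict"] = ("TCP reachable but connection dropped during handshake; "
                             "rerun with -msg or -debug")
    return result


# Constructed sample outputs mirroring the thread and a typical rejection.
SAMPLE_TIMEOUT = "connect: Connection timed out\nconnect:errno=110\n"
SAMPLE_RESET = "CONNECTED(00000003)\nwrite:errno=104\n"
SAMPLE_REJECT = (
    "CONNECTED(00000003)\n"
    "12345:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:"
    "sslv3 alert handshake failure:s23_clnt.c:744:\n"
    "---\nSSL-Session:\n    Cipher    : 0000\n---\n"
)
SAMPLE_WEAK = (
    "CONNECTED(00000003)\n---\nCertificate chain\n 0 s:/CN=example.test\n"
    "---\nSSL-Session:\n    Protocol  : SSLv3\n    Cipher    : EXP-RC4-MD5\n---\n"
)

if __name__ == "__main__":
    for label, sample in [("443 timeout", SAMPLE_TIMEOUT), ("8000 reset", SAMPLE_RESET),
                          ("rejected", SAMPLE_REJECT), ("weak accepted", SAMPLE_WEAK)]:
        r = classify_s_client(sample)
        print(f"{label:14} stage={r['stage']:13} errno={r['errno_name']} -> {r['verdict']}")
```

In practice the output of `subprocess.run(s_client_command(host, port), capture_output=True, text=True, input="")` is fed to `classify_s_client`; only the `established` stage carries evidence about the server's cipher configuration, and of the two failure stages only `tls_handshake` with an alert is a clean "refused", which is the answer a hardened server should give to a `LOW:EXP` offer.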