Hi,

Answering your questions:

1. Are you even sure HOSTNAME:443 and HOSTNAME:8000 are the same host? Yes. It's a device.
2. 443 is disabled, hence it disconnects.
3. 8000 is the port we used to communicate. I need to make sure the device does not support weak security. Hence, I ran the openssl commands, where for 8000 it connected and writeErr.
4. When you say weak algorithm, we are using SSLv3 ciphers, used SSL_RSA_WITH_RC4_128_SHA.

Thanks
Noufel

Dave Thompson-5 wrote:
>
>> From: owner-openssl-us...@openssl.org On Behalf Of Nouefel
>> Sent: Monday, 28 February, 2011 19:10
>
>> Openssl version - OpenSSL 0.9.8l 5 Nov 2009
>>
>> Now regarding the commands and their results :
>>
>> openssl s_client -connect HOSTNAME:443 -cipher LOW:EXP
>> connect: Connection timed out
>> connect:errno=110
>>
> Okay, so this is almost certainly Linux
> and that error means you didn't connect at all.
> You have NO information what the server supports.
>
> However, if ALL clients are like you unable to connect on 443
> (see below) then it shouldn't matter if the server software
> contains support for weak ciphers (or other problems like
> SQL or script injection, crossdomain forgery, etc.) since
> no one can send the data that would exploit these problems.
>
>> openssl s_client -connect HOSTNAME:8000 -cipher LOW:EXP
>> CONNECTED(00000003)
>> write:errno=104
>>
> That's a bit odd; you connected and then got reset.
> It's especially odd to get it on write, unless maybe
> your random-gen for KeyExchange is extra slow or something.
> Depending on the server (particularly OS), this MAY
> indicate that the server is failing (e.g. crashing).
>
> Normally I would first suggest checking the server logs,
> but if you're trying to probe basic crypto from outside
> I'm guessing you don't have access to the logs.
>
> As I said, try with -msg (or -debug) to get details of
> the handshake process. That MAY get far enough to have
> some information about the crypto support of the server.
>>
>> So on 8000 it says connected but there is also an err. Where
>> as first one
>> times out as 443 port is not enabled.
>>
> What exactly do you mean by "port is not enabled"?
> If there is simply no software listening on port N on
> a reachable host, connect normally fails with reset.
> The host might have rules or features to just discard
> connects (SYNs) on some port(s) e.g. 443 for any reason
> it likes, possibly to avoid scans or probes like yours.
> Or, there might be a firewall or similar device
> between you and the host which decides to discard 443,
> but let through 8000 -- maybe even to let through
> the SYNs for 8000 but then subsequently break the
> connection with RST, although that's rather rude.
>
> Are you even sure HOSTNAME:443 and HOSTNAME:8000 are
> the same host? First, one name can translate in DNS
> to different addresses at different times, although it
> is unlikely it would consistently translate to different
> values for your :443 attempts versus your :8000 ones.
> Second, a single address could be "on" a NAT-type box
> that routes different ports to different hosts;
> this is fairly common in today's network world.
>
> If this host belongs to your organization, or a business
> partner or something, they should be able to tell you
> how the network setup works, and quite possibly how
> the crypto is set up if that is your actual question.
> Admittedly in some (large) organizations, it can be
> a chore to find the correct person with such answers.
> If this host belongs to someone else, they may want you
> NOT to know this setup, which they may want to change
> without warning and without you knowing or noticing.
>
>
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
>
>

--
View this message in context: http://old.nabble.com/SSL---Weak-Encryption-Test-tp31016002p31046126.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
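
The reasoning in the quoted reply, written as a check (an added example, not part of the original thread): a shell function that reads an `openssl s_client` transcript and reports what it does and does not prove about weak-cipher support. The function name, the verdict labels and the last two sample transcripts are constructed for illustration; the errno values are the Linux ones.

```shell
#!/bin/sh
# Added example, not from the thread. Reads an `openssl s_client` transcript
# on stdin and prints "VERDICT: explanation". errno values are the Linux ones.
classify_probe() {
    cp_out=$(cat)
    # Cipher named on the "New, ..., Cipher is X" summary line, if any.
    cp_cipher=$(printf '%s\n' "$cp_out" |
        sed -n 's/.*Cipher is \([^ ]*\).*/\1/p' | head -n 1)

    if ! printf '%s\n' "$cp_out" | grep -q '^CONNECTED('; then
        # TCP never came up, so the TLS stack was never exercised.
        case "$cp_out" in
            *errno=110*) echo "NO_INFO: connect timed out, nothing learned about the server" ;;
            *errno=111*) echo "NO_LISTENER: connection refused, nothing listening on this port" ;;
            *)           echo "NO_INFO: TCP connection was never established" ;;
        esac
    elif [ -n "$cp_cipher" ] && [ "$cp_cipher" != "(NONE)" ]; then
        echo "WEAK_ACCEPTED: server negotiated $cp_cipher from the offered list"
    elif printf '%s\n' "$cp_out" | grep -q 'alert handshake failure'; then
        echo "REJECTED: server refused the offered ciphers with a handshake failure alert"
    elif printf '%s\n' "$cp_out" | grep -q 'errno=104'; then
        echo "INCONCLUSIVE: reset after connect, rerun with -msg or -debug"
    else
        echo "INCONCLUSIVE: connected, but no handshake result in the transcript"
    fi
}

# Constructed transcripts. The first two are the outputs quoted in the thread.
sample_443=$(printf 'connect: Connection timed out\nconnect:errno=110')
sample_8000=$(printf 'CONNECTED(00000003)\nwrite:errno=104')
sample_reject=$(printf 'CONNECTED(00000003)\n1:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:578:')
sample_accept=$(printf 'CONNECTED(00000003)\nNew, TLSv1/SSLv3, Cipher is DES-CBC-SHA')

for s in "$sample_443" "$sample_8000" "$sample_reject" "$sample_accept"; do
    printf '%s\n' "$s" | classify_probe
done
```

On a real run, include stderr in the pipe, since the connect errors are printed there: `openssl s_client -connect HOSTNAME:8000 -cipher LOW:EXP 2>&1 </dev/null | classify_probe`.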