I want to check if my server has SSLv2 disabled. I am doing this by attempting to connect remotely with openssl with the following shell command.
openssl s_client -connect HOSTNAME:443 -ssl2Most literature I could find on the Internet says if I see something similar to the following error then SSLv2 is properly disabled.
29638:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:I do get the above error when connecting to my Ubuntu server with SSLv2 disabled in Apache Apache but when I connect to my Windows Server 2008 R2 server with SSLv2 disabled in the registry I get the following output and error.
CONNECTED(00000003)
write:errno=104I can't find any literature explaining this output and error. If anybody could explain to me if and why this output and error means that SSLv2 is properly disabled, I would appreciate it.
Thanks!
3 Answers
At least on Linux, 104 is ECONNRESET for "Connection reset by peer" – in other words, the connection was forcibly closed with a TCP RST packet, either sent out by the server or spoofed by an intermediary.
I would try Wireshark/tshark on the Ubuntu server to see what actually gets sent. If the RST is real, it could be that the httpd process died – check the log files and dmesg just in case.
The Qualys SSL Server Test website can show all SSL/TLS versions supported by your web server. (Unfortunately, it doesn't even bother with TLS SNI...)
2There is likely a mismatch between the ciphers that are supported by your server, and those supported by the recipient's server.
1I had the same error and it was related to interface MTU. Setting the client interface MTU to 1492 (it was 1500), solved this error for me.
1