Alan Baugher

OpenSSL Test for SSLv3 Usage for CA solutions

Discussion created by Alan Baugher Employee on Oct 27, 2014

OpenSSL may be part of the CA solution or can be an add-on package.

 

While testing SSL / TLS functionality with a client; a simple test using the openssl binary was used to validate not only that a CA certificate could be validated; but also if SSLv3 was being block (as it should be now due to the Poodle attack vector).

 

 

Instance of use:

 

Worked with client to validate the IM CallBack process works without SSLv3 (this is how the mid-tier IM provisioning server communicates to the J2EE web service)

We found an issue with an LB but not with the IM solution in allowing the CA certificate to be validated.

 

Openssl s_client  -connect  host:port -sslv3        {Check to see if SSLv3 is blocked}

 

Or

 

Openssl s_client  -connect  host:port                 {Check to see if TLSv1.0 is available}

 

 

Of interest, IM solution is able to function even with SSLv3 disabled.  

However, if openssl error code 21 is noticed, this will mapped to the IMPS "notify.log" error that the CA certificate could NOT be validated.

 

Using openssl only, a client network team could continue troubleshooting the issue, independent of the client's IDM team.

Outcomes