
SSL - Check for Poodle bug

Use the following bash command to test whether a host still accepts an SSLv3 handshake (the precondition for POODLE). It first checks that the port answers at all, then forces an SSLv3-only connection and looks for the server's refusal in the OpenSSL output:

# 1. Connectivity probe with the default protocol set; anything but exit 0 is inconclusive.
echo | timeout 3 openssl s_client -connect HOSTNAMEORIPADDRESS:443 >/dev/null 2>&1
if [[ $? != 0 ]]; then
  echo "UNKNOWN: HOSTNAMEORIPADDRESS timeout or connection error"
else
  # 2. SSLv3-only handshake. A server that refuses it produces a handshake_failure
  #    alert or a "wrong version number" error; matched case-insensitively because
  #    OpenSSL 1.0.x prints SSL3_GET_RECORD and 1.1.x/3.x print ssl3_get_record.
  echo | timeout 3 openssl s_client -connect HOSTNAMEORIPADDRESS:443 -ssl3 2>&1 \
    | grep -qi "sslv3 alert handshake failure\|wrong version number" \
    && echo "OK: HOSTNAMEORIPADDRESS Not vulnerable" \
    || echo "FAIL: HOSTNAMEORIPADDRESS vulnerable; sslv3 connection accepted"
fi

Replace HOSTNAMEORIPADDRESS with the actual hostname or IP address. If the server uses SNI, add the -servername option with the virtual host's name to both OpenSSL commands, like so:

openssl s_client -servername snihostname.org -connect 172.16.30.5:443 -ssl3

Two caveats before trusting the result. First, the refusal text differs between OpenSSL releases: 1.0.x prints SSL3_GET_RECORD:wrong version number, 1.1.x and later print ssl3_get_record:wrong version number in lower case, so match the strings case-insensitively (grep -i) or a modern client will report FAIL for a server that actually refused SSLv3. Second, an OpenSSL built without SSLv3 support (the default on current distributions) rejects -ssl3 as an unknown option; the grep then finds neither string and the command reports FAIL for every host. Confirm that openssl s_client -help lists -ssl3 before running the check. Finally, an accepted SSLv3 handshake makes the server exploitable with POODLE (CVE-2014-3566) only when a CBC cipher can be negotiated; this check does not inspect the cipher, so read FAIL as "SSLv3 is enabled and must be disabled" rather than as proof of exploitability.

Examples

Non-vulnerable website:

echo | timeout 3 openssl s_client -connect raymii.org:443 >/dev/null 2>&1
if [[ $? != 0 ]]; then
  echo "UNKNOWN: raymii.org timeout or connection error"
else
  echo | timeout 3 openssl s_client -connect raymii.org:443 -ssl3 2>&1 \
    | grep -qi "sslv3 alert handshake failure\|wrong version number" \
    && echo "OK: raymii.org Not vulnerable" \
    || echo "FAIL: raymii.org vulnerable; sslv3 connection accepted"
fi

Result:

OK: raymii.org Not vulnerable

Vulnerable site:

echo | timeout 3 openssl s_client -connect sslv3-testhost.com:443 >/dev/null 2>&1
if [[ $? != 0 ]]; then
  echo "UNKNOWN: sslv3-testhost.com timeout or connection error"
else
  echo | timeout 3 openssl s_client -connect sslv3-testhost.com:443 -ssl3 2>&1 \
    | grep -qi "sslv3 alert handshake failure\|wrong version number" \
    && echo "OK: sslv3-testhost.com Not vulnerable" \
    || echo "FAIL: sslv3-testhost.com vulnerable; sslv3 connection accepted"
fi

Result:

FAIL: sslv3-testhost.com vulnerable; sslv3 connection accepted

Site without SSL:

echo | timeout 3 openssl s_client -connect pepermunt.net:443 >/dev/null 2>&1
if [[ $? != 0 ]]; then
  echo "UNKNOWN: pepermunt.net timeout or connection error"
else
  echo | timeout 3 openssl s_client -connect pepermunt.net:443 -ssl3 2>&1 \
    | grep -qi "sslv3 alert handshake failure\|wrong version number" \
    && echo "OK: pepermunt.net Not vulnerable" \
    || echo "FAIL: pepermunt.net vulnerable; sslv3 connection accepted"
fi

Result:

UNKNOWN: pepermunt.net timeout or connection error

To check another port (for example 993 for IMAPS or 465 for SMTPS), change 443 in both OpenSSL commands to that port. Services that upgrade a plaintext connection with STARTTLS (such as SMTP on 25 or 587) additionally need the s_client -starttls option, otherwise the probe reports a connection error.
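The script below is an added example, not the wiki's own one-liner. It wraps the same check in a function that takes host, port and optional SNI name as arguments, and it handles the two failure modes discussed above: it refuses to run when the local OpenSSL cannot speak SSLv3, and it classifies the s_client output case-insensitively so that OpenSSL 1.0.x and 1.1.x/3.x error strings are both recognised. The verdict logic lives in a separate function so it can be exercised without network access. The function names, the 5-second timeout and the sample s_client outputs at the bottom are constructed for this example and were not captured from real hosts.

```shell
#!/usr/bin/env bash
# Added example for the POODLE/SSLv3 check (not the wiki's original command).
# Assumes GNU grep and coreutils "timeout". Function names and sample outputs
# are constructed for illustration.

# classify_sslv3_output STATUS OUTPUT
#   STATUS: exit status of "openssl s_client ... -ssl3"
#   OUTPUT: its combined stdout and stderr
# Prints OK (SSLv3 refused), FAIL (SSLv3 accepted) or UNKNOWN (inconclusive)
# and returns 0, 1 or 2 respectively.
classify_sslv3_output() {
    local status="$1" output="$2"
    # Local OpenSSL built without SSLv3: the option itself is rejected, so the
    # run says nothing about the server (the one-liner would report FAIL here).
    if printf '%s\n' "$output" | grep -qi 'unknown option\|unrecognized option'; then
        echo UNKNOWN; return 2
    fi
    # Server refused the SSLv3-only ClientHello. OpenSSL 1.0.x prints
    # "SSL3_GET_RECORD:wrong version number", 1.1.x/3.x print
    # "ssl3_get_record:wrong version number"; servers may instead send a
    # handshake_failure (40) or protocol_version (70) alert. Match case-insensitively.
    if printf '%s\n' "$output" | grep -qi 'alert handshake failure\|wrong version number\|alert protocol version'; then
        echo OK; return 0
    fi
    # Completed handshake: s_client exits 0 and prints the negotiated protocol.
    if [ "$status" = 0 ] || printf '%s\n' "$output" | grep -q 'Protocol *: *SSLv3'; then
        echo FAIL; return 1
    fi
    # Connection refused, timeouts and other errors are inconclusive.
    echo UNKNOWN; return 2
}

# check_poodle HOST [PORT] [SNI_NAME]
# Same output format as the wiki command, plus UNKNOWN when the local OpenSSL
# has no SSLv3 support at all.
check_poodle() {
    local host="$1" port="${2:-443}" sni="${3:-}" sni_opt="" output status
    [ -n "$sni" ] && sni_opt="-servername $sni"
    # Does this openssl even offer -ssl3? Most distributions build without it.
    if ! openssl s_client -help 2>&1 | grep -q -- '-ssl3'; then
        echo "UNKNOWN: $host:$port local openssl has no SSLv3 support, cannot test"
        return 2
    fi
    # Connectivity probe with the default protocol set, as in the original command.
    if ! echo | timeout 5 openssl s_client -connect "$host:$port" $sni_opt >/dev/null 2>&1; then
        echo "UNKNOWN: $host:$port timeout or connection error"
        return 2
    fi
    output=$(echo | timeout 5 openssl s_client -connect "$host:$port" $sni_opt -ssl3 2>&1)
    status=$?
    case "$(classify_sslv3_output "$status" "$output")" in
        OK)   echo "OK: $host:$port not vulnerable (SSLv3 refused)"; return 0 ;;
        FAIL) echo "FAIL: $host:$port vulnerable; SSLv3 connection accepted"; return 1 ;;
        *)    echo "UNKNOWN: $host:$port inconclusive s_client output"; return 2 ;;
    esac
}

# Constructed s_client outputs (not captured from real hosts) for an offline dry run.
SAMPLE_REFUSED_10='CONNECTED(00000003)
140735268000000:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:362:'
SAMPLE_REFUSED_11='CONNECTED(00000003)
139986978969920:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:'
SAMPLE_NO_SSL3='s_client: Unknown option: -ssl3
s_client: Use -help for summary.'
SAMPLE_ACCEPTED='CONNECTED(00000003)
---
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES128-SHA'

# With a host argument, test that server; without one, classify the samples.
if [ -n "${1:-}" ]; then
    check_poodle "$@"
else
    printf 'openssl 1.0.x refusal  -> %s\n' "$(classify_sslv3_output 1 "$SAMPLE_REFUSED_10")"
    printf 'openssl 1.1.x refusal  -> %s\n' "$(classify_sslv3_output 1 "$SAMPLE_REFUSED_11")"
    printf 'no local SSLv3 support -> %s\n' "$(classify_sslv3_output 1 "$SAMPLE_NO_SSL3")"
    printf 'SSLv3 accepted         -> %s\n' "$(classify_sslv3_output 0 "$SAMPLE_ACCEPTED")"
fi
```

Run it as ./poodle_check.sh example.org 443 example.org (hostname and filename are placeholders) to test a real server; the exit status is 0 for OK, 1 for FAIL and 2 for UNKNOWN, so it can be used directly from a monitoring check.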

ssl/check_for_poodle_bug.1467619401.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
