EldoS | Feel safer!

Software components for data protection, secure storage and transfer

SSLv2 CipherSuites

Also by EldoS: BizCrypto
Components for BizTalk® and SQL Server® Integration Services that let you securely store and transfer information in your business automation solutions.
#34034
Posted: 07/15/2015 11:55:24
by Charlie Jimenez (Standard support level)
Joined: 08/14/2012
Posts: 38

I am using TElSecureClient in a test application. I need to be able to test SSLv2 connection to a product we are testing.

When I configure the SSLClient for SSLv2 ONLY, it sends out a limited set of available ciphersuites in the client hello message (see attached JPG file). The server does not like any of those and the handshake fails.

I have all ciphersuites enabled, but the component seems to pick out a limited number of suites to send in the hello message. If I enable all versions through TLS1.2, the client sends out all 166 ciphersuites in the hello message.

I understand that SSLv2 may not support the latest ciphersuites, but it seems that the ones picked out are quite limited. I know that the server will accept the following ciphersuites:

RSA_RC4_SHA
RSA_3DES_SHA
RSA_AES128_SHA
RSA_AES256_SHA
RSA_CAMELLIA128_SHA
RSA_CAMELLIA256_SHA
RSA_AES128_SHA256
RSA_AES256_SHA256
RSA_AES128_GCM_SHA256
RSA_AES256_GCM_SHA384

Why is the SSL Client being so limited? Is there any way to change this?


#34035
Posted: 07/15/2015 12:36:06
by Charlie Jimenez (Standard support level)
Joined: 08/14/2012
Posts: 38

Sorry, I should have indicated I am using SBB .Net version 12.0.260
#34036
Posted: 07/15/2015 13:48:18
by Ken Ivanov (EldoS Corp.)

Hi Charlie,

Pure SSL 2.0 (i.e. without support for upgrading to SSL 3.0 and TLS 1.x) supports a very limited set of cipher suites, all of which are extremely outdated. These are:

SB_SUITE_RSA_RC4_MD5
SB_SUITE_RSA_RC4_MD5_EXPORT
SB_SUITE_RSA_RC2_MD5
SB_SUITE_RSA_RC2_MD5_EXPORT
SB_SUITE_RSA_IDEA_MD5
SB_SUITE_RSA_DES_MD5
SB_SUITE_RSA_3DES_MD5

If you enable higher versions too (SSL 3, TLS 1.x), the client extends SSL2 client hello with SSL 3 and TLS 1.x cipher suites. These cipher suites however can only be agreed if a protocol version higher than SSL 2.0 is negotiated by the peers.

Ken
#34040
Posted: 07/15/2015 14:46:53
by Eugene Mayevski (EldoS Corp.)

I must add that SSL2 is not just outdated, but also insecure (has known security issues). Its use was strongly discouraged long time ago.


Sincerely yours
Eugene Mayevski

Reply

Statistics

Topic viewed 1552 times

Number of guests: 1, registered members: 0, in total hidden: 0




|

Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!