Thursday, October 18, 2012

SSLv2 for Ubuntu 12.04

So Ubuntu figured it would be best to disable SSLv2 support in the OpenSSL library, and it appears this has been the case since 10.04. I didn't really notice because I had been using other distros, but with some new changes in my professional life I now need to be on Ubuntu. I understand doing this for the safety of users, but having no way to enable it again is quite the issue for, say, someone in the security profession who needs to be able to test for SSLv2 so that clients can be told to disable it. So, on to building SSLv2 support back in and getting tools like sslscan to work again when checking for SSLv2.

If you are currently running some recent version of Ubuntu, you can check for yourself by trying it with openssl, or by running sslscan (assuming you have it installed) like this:

$ sslscan --ssl2 www.google.com

And in the results you will see the SSLv2 section come up blank.

What we need to do is rebuild the OpenSSL packages with SSLv2 support enabled. Don't do this if you have no need for it. The series of commands below comes from the main post and the comments here: http://security.sunera.com/2011_02_01_archive.html
I'm not taking credit for this; I'm just putting it all together for Ubuntu 12.04, and really keeping this as a record for myself since I will have to redo this work every time OpenSSL gets updated. In other words, watch out for Ubuntu updates that might undo your work by installing a new version of OpenSSL, or by reinstalling the distro's versions of the tools you rebuilt to take advantage of your changes.

Commands to run:

$ sudo apt-get install build-essential devscripts m4 quilt debhelper # There might be more depending on your system - check for error messages
$ apt-get source openssl
$ cd openssl-*
$ quilt pop -a # This removes updates
$ vi debian/patches/series
Remove 'no-ssl2.patch' (or whatever it is called now since it has changed before)
$ vi debian/rules
Remove 'no-ssl2' in args
$ quilt push -a # This re-applies the updates, minus the no-ssl2 patch
$ dch -n 'Allow dangerous v2 protocol'
$ dpkg-source --commit
$ debuild -uc -us
$ ls ../*ssl*.deb
$ cd ../
$ sudo dpkg -i *ssl*.deb
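
The two hand edits in the recipe above (removing the no-ssl2 patch from debian/patches/series and the no-ssl2 argument from debian/rules) are the part most likely to go wrong silently, so here is an added example, not from the original post, that scripts them and checks the result before `quilt push -a`. The patch name and argument come from the post; the sample tree the script builds is a constructed stand-in for the real Ubuntu openssl source package.

```sh
#!/bin/sh
# Added example (not the post's own commands): automate the series/rules
# edits and verify no "no-ssl2" reference remains before rebuilding.

# Delete the no-ssl2 patch entry from a quilt series file ($1 = path).
drop_no_ssl2_patch() {
    cp "$1" "$1.orig"                     # keep a copy so the edit can be undone
    sed '/^no-ssl2\.patch/d' "$1.orig" > "$1"
}

# Remove the "no-ssl2" configure argument from debian/rules ($1 = path).
# Matches the whole word only, mid-line or at end of line; a token with no
# leading whitespace (first thing on a line) is deliberately left alone.
drop_no_ssl2_arg() {
    cp "$1" "$1.orig"
    sed -E 's/[[:space:]]+no-ssl2([[:space:]]|$)/\1/g' "$1.orig" > "$1"
}

# Return 0 when neither file still mentions no-ssl2 ($1 = series, $2 = rules).
verify_ssl2_enabled() {
    ! grep -q 'no-ssl2' "$1" && ! grep -q 'no-ssl2' "$2"
}

# Constructed sample tree under $1 (assumed layout, not the real package).
make_sample_tree() {
    mkdir -p "$1/debian/patches"
    printf '%s\n' 'debian-targets.patch' 'no-ssl2.patch' 'man-section.patch' \
        > "$1/debian/patches/series"
    printf '%s\n' 'CONFARGS = --prefix=/usr no-idea no-mdc2 no-ssl2' \
        'CONFARGS += shared' > "$1/debian/rules"
}

# Apply both edits to a source tree ($1); exit status is the verification result.
enable_ssl2_in_tree() {
    drop_no_ssl2_patch "$1/debian/patches/series"
    drop_no_ssl2_arg "$1/debian/rules"
    verify_ssl2_enabled "$1/debian/patches/series" "$1/debian/rules"
}

demo=$(mktemp -d)
make_sample_tree "$demo"
if enable_ssl2_in_tree "$demo"; then
    echo "no-ssl2 removed; series and rules now read:"
    cat "$demo/debian/patches/series" "$demo/debian/rules"
else
    echo "no-ssl2 still present; inspect $demo" >&2
fi
```

On a real checkout, point `enable_ssl2_in_tree` at the `openssl-*` directory after `quilt pop -a` and before `quilt push -a`; the `.orig` copies let you restore the Ubuntu defaults if the build fails.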

Now you need to do something similar to get your tools working again. Here is how to get sslscan working:
$ apt-get source sslscan
$ cd sslscan*
$ debuild -uc -us
$ cd ../
$ sudo dpkg -i *sslscan*.deb

Let's run sslscan with the same arguments as before.

And we have SSLv2 support back. Thank you to others who have posted this information before so that I could get it to work.
