
[SRX] How to verify the complete removal of SSLv3 Support on SRX


Article ID: KB34328 KB Last Updated: 25 Feb 2020Version: 2.0
Summary:

This article explains how to verify SSLv3 support is completely removed from SRX.

Symptoms:

Although SSLv3 support is believed to have been removed, the SRX still appears to negotiate an SSLv3 handshake:

root@srx3600> show version 
Hostname: srx3600
Model: srx3600
JUNOS Software Release [12.3X48-D70.3]
root@% grep Protocol /var/jail/etc/httpd.conf
  SSLProtocol ALL -SSLV2 -TLSv1 -TLSv1.1 +TLSv1.2
  SSLProtocol ALL -SSLV2 -TLSv1 -TLSv1.1 +TLSv1.2
root@% exit

Testing from an Ubuntu machine, connecting to the J-Web IP address of this SRX, shows that SSLv3 is still permitted:

user@healthbot:~$ openssl s_client -connect 10.219.19.112:443  -ssl3
CONNECTED(00000003)
depth=0 CN = AB4411AA0053, CN = system generated, CN = self-signed
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = AB4411AA0053, CN = system generated, CN = self-signed
verify return:1
---
Certificate chain
 0 s:/CN=AB4411AA0053/CN=system generated/CN=self-signed
   i:/CN=AB4411AA0053/CN=system generated/CN=self-signed
---

Server certificate

-----BEGIN CERTIFICATE-----
MIIDKDCCAhCgAwIBAgIRAPiIeKTWn8CWqFixFisoe6YwDQYJKoZIhvcNAQEFBQAw
SDEVMBMGA1UEAxMMQUI0NDExQUEwMDUzMRkwFwYDVQQDExBzeXN0ZW0gZ2VuZXJh
dGVkMRQwEgYDVQQDEwtzZWxmLXNpZ25lZDAeFw0xODEwMTIxMTA5MzVaFw0yMzEw
MTExMTA5MzVaMEgxFTATBgNVBAMTDEFCNDQxMUFBMDA1MzEZMBcGA1UEAxMQc3lz
dGVtIGdlbmVyYXRlZDEUMBIGA1UEAxMLc2VsZi1zaWduZWQwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDjWEDkOsHzVpO3zk06B9ByOhSTmgkloXOc2FSe
+A5/o6MvbY//cSIzM855VGUfDArsqUhMCl992tmWGAgpUXUhAwdVY0secLno9Nlb
SHe0lhAEHIP77j4zuIaTDc4E7WnCF/YwdWf8Sw+GhDmAlzcF4VjRQvLaSp56xzp9
nv5Xu/Y6OjNDgrhl+xkgDn0RRzso+CB6ywYNpCyYe6P1/ie2t9F/qA9jfLH74Ib9
nc2ReeBbwmNZ+8rwzG0pFF38Z2dDMgFSut5s/dW6Pts95flqNc0hoxIioVc4hMlp
Z6Z5oBew4vg4ii2l+tZ2/dWLpEOincYAH6mILsj2IIMtjF+BAgMBAAGjDTALMAkG
A1UdEQQCMAAwDQYJKoZIhvcNAQEFBQADggEBAI49cceNvfy0VmnJrzrBzKkRwxue
O0Jh9EWmC9fJcJJwVH3UpMdrfNsN1nsMon8iOc1m4Z2ITyb30hDS8+fwHhKpKx33
rX6//8ldaRQAhscbqL0oVlgRp0sLphOXBLGAzgQ7kX4Pl5rZCOTWnnbGCUsXn3pJ
V61qvreydgvduYJvx+u07OSF9BaVpxBt6bwILyRWfOFO04eRwNle9VAiXJH8o9W0
DKxkq/MTK40AOYqS/ps1ZH2lJYwmfsV1LIt58qDytpH9lYdO9/DqVpWb79u2t+8L
6PDqavv0Ax2TdI+yZNm4fVpoq2YJ0dgepkU+HliaGSbnLc2xExf4mtAudQI=
-----END CERTIFICATE-----
subject=/CN=AB4411AA0053/CN=system generated/CN=self-signed
issuer=/CN=AB4411AA0053/CN=system generated/CN=self-signed
---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 1527 bytes and written 362 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : SSLv3 
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: AA8A49A977498C6F121C4D7ED29EAD036B8063F121D87907D63F5C60877E3A15
    Session-ID-ctx: 
    Master-Key: 238D31B836A4987A3F2D9BAB223378CD9471229ED5DED364E412156C662E199F1216D309F7EDEAA8BFC3DE70AE90E16E
    Key-Arg    : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1554799394
    Timeout    : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
read:errno=0
 
Solution:

The fix that disables SSLv3 is committed in release D80 and later for SRX platforms running Junos 12.3X48.

To disable SSLv3 completely, upgrade to Junos 12.3X48-D80 or later.

As seen below, the SSLv3 handshake no longer completes.

With 12.3X48-D80, the SSL handshake has read 0 bytes and written 0 bytes:

root@srx3600> show version 
Hostname: srx3600
Model: srx3600
JUNOS Software Release [12.3X48-D80.4]
 
root@srx3600> show configuration | display set 
set version 12.3X48-D80.4
set system host-name srx3600
set system root-authentication encrypted-password "$ABC123"
set system services ssh
set system services web-management https system-generated-certificate
set system syslog file test any any
set interfaces fxp0 unit 0 family inet address 10.219.19.112/26
set routing-options static route 0.0.0.0/0 next-hop 10.219.19.65

Test from an Ubuntu machine:

user@healthbot:~$ openssl s_client -connect 10.219.19.112:443  -ssl3
CONNECTED(00000003)
140035480163992:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1554876863
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

The following is also observed:

From 12.3X48-D80 (SSLv3 support is explicitly removed):

root@jtac-srx3600-r2021% grep Protocol /var/jail/etc/httpd.conf
  SSLProtocol ALL -SSLV3 -SSLV2 -TLSv1 -TLSv1.1 +TLSv1.2
  SSLProtocol ALL -SSLV3 -SSLV2 -TLSv1 -TLSv1.1 +TLSv1.2

Earlier versions (no mention of SSLv3):

root@jtac-srx320-r2009% grep Protocol /var/jail/etc/httpd.conf
  SSLProtocol ALL -SSLV2 -TLSv1 -TLSv1.1 +TLSv1.2
  SSLProtocol ALL -SSLV2 -TLSv1 -TLSv1.1 +TLSv1.2
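The article verifies the fix by eye in two places: the openssl s_client -ssl3 probe in the Symptoms and Solution sections, and the grep of the SSLProtocol directive in httpd.conf. The script below is an added example, not part of the Juniper article, that turns both checks into functions returning a verdict, so the same test can be repeated after an upgrade. The function names (ssl3_verdict, httpd_conf_disables_ssl3, probe_ssl3) are this example's own; the embedded samples are excerpts of the article's own transcripts and httpd.conf lines.

```shell
#!/bin/sh
# Added example, not part of the Juniper KB article: turn the two checks the
# article performs by eye (an `openssl s_client -ssl3` probe and a grep of the
# SSLProtocol directive in httpd.conf) into functions that return a verdict.
# The sample transcripts below are excerpts of the article's own output.

# Classify an `openssl s_client ... -ssl3` transcript.
# Prints "accepted" (server completed an SSLv3 handshake), "rejected" (server
# refused it) or "inconclusive" (for example, the local OpenSSL has no SSLv3).
ssl3_verdict() {
    transcript="$1"
    if printf '%s\n' "$transcript" | grep -qi 'unknown option'; then
        echo inconclusive; return 0
    fi
    # A refused handshake: nothing exchanged and no cipher agreed, even though
    # s_client still prints "Protocol : SSLv3" because that is what it asked for.
    if printf '%s\n' "$transcript" | grep -q 'SSL handshake has read 0 bytes' \
       || printf '%s\n' "$transcript" | grep -q 'Cipher is (NONE)'; then
        echo rejected; return 0
    fi
    # A completed handshake: SSLv3 protocol plus a named (non-0000) cipher.
    if printf '%s\n' "$transcript" | grep -q 'Protocol *: SSLv3' \
       && printf '%s\n' "$transcript" | grep -q 'Cipher *: [A-Za-z]'; then
        echo accepted; return 0
    fi
    echo inconclusive
}

# Return 0 when every SSLProtocol directive in the given httpd.conf text leaves
# SSLv3 disabled, 1 otherwise. "ALL" enables SSLv3 unless "-SSLv3" follows it
# (exactly the D70 vs D80 difference the article shows); without "ALL" only the
# explicitly added protocols are enabled. Matching is case-insensitive because
# the SRX config writes "-SSLV2"/"-SSLV3".
httpd_conf_disables_ssl3() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "sslprotocol" {
            n++
            has_all = 0; minus_ssl3 = 0; plus_ssl3 = 0
            for (i = 2; i <= NF; i++) {
                t = tolower($i)
                if (t == "all")    has_all = 1
                if (t == "-sslv3") minus_ssl3 = 1
                if (t == "+sslv3" || t == "sslv3") plus_ssl3 = 1
            }
            enabled = (has_all && !minus_ssl3) || plus_ssl3
            if (enabled) bad++
        }
        END { if (n > 0 && bad == 0) exit 0; exit 1 }'
}

# Live probe against a host:port (needs an OpenSSL build that still includes
# the -ssl3 client option; modern default builds are compiled without it).
probe_ssl3() {
    out=$(openssl s_client -connect "$1:$2" -ssl3 </dev/null 2>&1)
    ssl3_verdict "$out"
}

# Excerpt of the article's 12.3X48-D70 transcript (SSLv3 accepted).
SSL3_ACCEPTED_SAMPLE=$(cat <<'EOF'
CONNECTED(00000003)
SSL handshake has read 1527 bytes and written 362 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
EOF
)

# Excerpt of the article's 12.3X48-D80 transcript (SSLv3 refused).
SSL3_REJECTED_SAMPLE=$(cat <<'EOF'
CONNECTED(00000003)
140035480163992:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
EOF
)

# The SSLProtocol lines from the article's httpd.conf output, before and after.
HTTPD_CONF_D70='  SSLProtocol ALL -SSLV2 -TLSv1 -TLSv1.1 +TLSv1.2'
HTTPD_CONF_D80='  SSLProtocol ALL -SSLV3 -SSLV2 -TLSv1 -TLSv1.1 +TLSv1.2'

# Stand-alone run: report the verdicts for the embedded samples.
echo "D70 transcript: $(ssl3_verdict "$SSL3_ACCEPTED_SAMPLE")"
echo "D80 transcript: $(ssl3_verdict "$SSL3_REJECTED_SAMPLE")"
httpd_conf_disables_ssl3 "$HTTPD_CONF_D70" && echo "D70 httpd.conf: SSLv3 off" || echo "D70 httpd.conf: SSLv3 still enabled"
httpd_conf_disables_ssl3 "$HTTPD_CONF_D80" && echo "D80 httpd.conf: SSLv3 off" || echo "D80 httpd.conf: SSLv3 still enabled"
```

Run it as-is to see the verdicts for the article's samples, or call probe_ssl3 10.219.19.112 443 against a live J-Web listener. Note that the probe relies on the client side: OpenSSL builds from 1.1.0 onward drop SSLv3 by default, so s_client reports an unknown -ssl3 option and the classifier returns "inconclusive" rather than a server verdict; use an older build (as in the article's Ubuntu example) or one compiled with SSLv3 enabled. The "Protocol : SSLv3" line alone is not proof of acceptance, since s_client prints the requested protocol even when the handshake is refused; the zero-byte handshake and the "(NONE)" cipher are the real signal.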