Knowledge Base Article
Using OpenSSL to verify certificate information on a port
DESCRIPTION
OpenSSL's s_client command can be used to analyze client-server communication, including whether a port is open and whether that port accepts an SSL/TLS connection. It is a useful tool for investigating the findings of SSL/TLS certificate-based plugins, and for confirming that a secure communications path is available.
NOTE: OpenSSL is not a Tenable product. It is a free, open source SSL/TLS toolkit and cryptography library originally written for Unix-like operating systems; it has since been ported to Windows as well.
STEPS
Verify open ports using OpenSSL:
OpenSSL can verify whether a port is listening, whether it accepts connections, and whether an SSL certificate is presented on it. This is useful for validating results when plugin 51192 'SSL Certificate cannot be trusted' unexpectedly reports an unknown certificate on a port:
# openssl s_client -connect <URL or IP>:<port>
If the scanning host must go through an HTTP proxy to reach the target server, add the -proxy option to the command, like so:
# openssl s_client -proxy <proxyserver>:<port> -connect <URL or IP>:<port>
An example of this command in use:
# openssl s_client -connect targethost.corp.com:3269
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify return:1
depth=0 C = US, ST = Maryland, L = Columbia, O = Tenable Inc., CN = cloud.tenable.com
verify return:1
---
<Certificate chain here>
---
<Server certificate data begins here>
---
Determine whether SSLv2 or SSLv3 is in use using OpenSSL:
Nessus includes various plugins that detect and identify vulnerabilities based on the SSL and TLS protocol versions supported by the target. For example, plugin 20007 'SSL Version 2 and 3 Protocol Detection' reports which of SSLv2 and SSLv3 the host supports and on which ports. OpenSSL can be used to validate this information.
To check whether a port accepts SSLv2, run the following:
# openssl s_client -connect <URL or IP>:<port> -ssl2
To check whether a port accepts SSLv3, run the following:
# openssl s_client -connect <URL or IP>:<port> -ssl3
In either instance, if the port does not accept the requested SSL version, the handshake fails and s_client reports an error. Note that OpenSSL 1.1.0 and later no longer include SSLv2 at all, and SSLv3 is disabled by default at build time; on such a build the -ssl2 or -ssl3 option is itself rejected as an unknown option, which says nothing about the target. Confirm the local OpenSSL build supports the option before treating an error as the target refusing that protocol version.
Verify an open path to the Tenable servers for registration and updates using OpenSSL:
Another common use of OpenSSL with Tenable applications is verifying an open path to the Tenable update servers. Standard installations of Tenable.sc (formerly known as SecurityCenter) and Nessus Professional scanners require a secure connection to the Tenable update servers for the initial activation process, OTA core upgrades, and daily plugin feed updates. This communication occurs over HTTPS (port 443). To check that the path is open and that no firewall blocks traffic between the endpoint and the update servers, run the following from the Tenable.sc or Nessus host:
# openssl s_client -connect cloud.tenable.com:443
Similar to the output in the first example, expect to see 'CONNECTED(00000003)' followed by certificate information if the required path is open. 'CONNECTED' only confirms that the TCP connection was established; to confirm the TLS handshake completed and the certificate chain validated, check the 'Verify return code: 0 (ok)' line near the end of the output. A non-zero code such as 'unable to get local issuer certificate' typically means the local OpenSSL has no usable CA bundle configured rather than a blocked path.
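The following script is an added example, not part of the Tenable article or of OpenSSL: it runs the s_client probe described above non-interactively and reduces the output to a one-line verdict that distinguishes "port closed", "port open but handshake failed" (as with the SSLv2/SSLv3 checks), "local OpenSSL lacks the requested option", and "handshake and chain validation succeeded". The function names, status labels and the sample output are my own constructions.

```shell
#!/bin/sh
# Added example (not from the Tenable article): drive openssl s_client
# non-interactively and turn its output into a one-line verdict.

# Connect to host:port with stdin closed so s_client exits after the
# handshake instead of waiting for input; stderr is merged for parsing.
probe_tls() {
    openssl s_client -connect "$1:$2" </dev/null 2>&1
}

# Read s_client output on stdin and print "STATUS;depth0-subject;verify".
# "CONNECTED(" only proves the TCP port is open; the handshake verdict comes
# from the "Cipher is" line, which reads "(NONE)" when negotiation failed.
summarize_s_client() {
    awk '
        tolower($0) ~ /unknown option/  { lacks = 1 }   # build lacks -ssl2/-ssl3 etc.
        /^CONNECTED\(/                  { connected = 1 }
        /^depth=0 /                     { sub(/^depth=0 /, ""); subject = $0 }
        /Cipher is /                    { ok = ($0 !~ /Cipher is \(NONE\)/) }
        /^[ \t]*Verify return code:/    { sub(/^[ \t]*Verify return code: /, ""); verify = $0 }
        END {
            if (lacks)           status = "LOCAL_OPENSSL_LACKS_OPTION"
            else if (!connected) status = "NO_CONNECTION"
            else if (ok)         status = "HANDSHAKE_OK"
            else                 status = "HANDSHAKE_FAILED"
            printf "%s;%s;%s\n", status, subject, verify
        }'
}

# Constructed sample of a successful probe (not real s_client output).
SAMPLE_OUTPUT='CONNECTED(00000003)
depth=1 C = US, O = Example CA, CN = Example Root CA
verify return:1
depth=0 C = US, O = Example Inc., CN = updates.example.test
verify return:1
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Verify return code: 0 (ok)'

# Summarise the constructed sample (used to exercise the parser offline).
summarize_sample() { printf '%s\n' "$SAMPLE_OUTPUT" | summarize_s_client; }

# Usage against a live target, e.g.: ./probe.sh cloud.tenable.com 443
if [ $# -eq 2 ]; then probe_tls "$1" "$2" | summarize_s_client; fi
```

Add -ssl2 or -ssl3 to the probe_tls command line to reproduce the protocol checks above; the LOCAL_OPENSSL_LACKS_OPTION verdict then separates a missing local option from a real refusal by the target.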
ADDITIONAL RESOURCES
More information can be found in the OpenSSL man pages (the s_client page in particular) or on the OpenSSL website.