
Check if a connection is TLSv1 vs SSLv3 (SSL_CIPHER_description/SSL_CIPHER_get_name)

I have a server application that uses OpenSSL. I'm trying to understand what type of SSL connections are hitting my system (i.e. SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2). In particular, I'm working towards disabling SSLv3 (re: POODLE). Before I can do that, I want to see who/what is connecting on SSLv3.

I'm currently using the SSL_CIPHER_description and SSL_CIPHER_get_name functions, which provide really good information on the ciphers negotiated for each connection.

I'm having some challenges trying to differentiate SSLv3 vs TLSv1 connections. Per https://www.openssl.org/docs/ssl/SSL_CIPHER_get_name.html:

"The TLSv1.0 ciphers are flagged with SSLv3. No new ciphers were added by TLSv1.1." 

I've confirmed that TLSv1 connections get noted as SSLv3. Ex: SSL_CIPHER_description returns the following on a connection that is definitely TLSv1.0: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1

Does anyone have any ideas on how to detect if a connection is SSLv3 versus TLSv1 in OpenSSL?

Scott Nebor asked Sep 02 '25 03:09


1 Answer

You can use the method SSL_get_version(SSL *ssl) after the connection is successfully negotiated.

President James K. Polk answered Sep 04 '25 23:09
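An added example, not part of the original answer or of OpenSSL itself: a per-protocol tally for the SSLv3 audit described in the question, keyed on the string SSL_get_version() returns and counting how often the cipher description column would have misclassified a connection. The names proto_tally, cipher_column and record_connection are hypothetical; in a server you would pass SSL_get_version(ssl) and the SSL_CIPHER_description() line once the handshake has completed.

```c
#include <stdio.h>
#include <string.h>

/* Per-protocol counters for an SSLv3 (POODLE) audit. */
struct proto_tally {
    unsigned sslv3, tlsv1, tlsv1_1, tlsv1_2, other;
    unsigned cipher_column_misleading; /* cipher says SSLv3, protocol does not */
};

/* Second field of an SSL_CIPHER_description() line: the protocol version
 * column of the cipher suite, NOT the protocol negotiated on the wire. */
static int cipher_column(const char *desc, char col[32])
{
    return (desc && sscanf(desc, "%*s %31s", col) == 1) ? 0 : -1;
}

/* Record one connection. `version` is the string SSL_get_version(ssl)
 * returned after the handshake; `cipher_desc` is the description line.
 * Returns 1 only when the session really is SSLv3. */
int record_connection(struct proto_tally *t, const char *version,
                      const char *cipher_desc)
{
    char col[32];
    int is_sslv3;

    if (version == NULL)
        version = "unknown";
    is_sslv3 = (strcmp(version, "SSLv3") == 0);
    if (is_sslv3)                             t->sslv3++;
    else if (strcmp(version, "TLSv1") == 0)   t->tlsv1++;
    else if (strcmp(version, "TLSv1.1") == 0) t->tlsv1_1++;
    else if (strcmp(version, "TLSv1.2") == 0) t->tlsv1_2++;
    else                                      t->other++;
    if (!is_sslv3 && cipher_column(cipher_desc, col) == 0
        && strcmp(col, "SSLv3") == 0)
        t->cipher_column_misleading++;
    return is_sslv3;
}

/* Constructed sample: the description line from the question, seen once
 * on a TLSv1 session and once on an SSLv3 session. */
int main(void)
{
    struct proto_tally t = {0};
    const char *desc = "AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1";
    record_connection(&t, "TLSv1", desc);
    record_connection(&t, "SSLv3", desc);
    printf("SSLv3=%u TLSv1=%u misleading=%u\n",
           t.sslv3, t.tlsv1, t.cipher_column_misleading);
    return 0;
}
```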