how to test for disable SSLv3 for vulnerability

Question

We have a vip running on port 443 (clientssl) in bigp IP version 10.2.3. we turn off SSlv3 due to vulnerability. we change ciphers to  DEFAULT:!SSLv3 in this SSLclient profile (not global clientssl profile). my question is how do we test SSLv3 is disable? after doing the research, I run this command in my F5 backend:
 openssl s_client -connect  -ssl3&nbsp;
and got the message:
  getaddrinfo: Temporary failure in name resolution
connect:errno=110&nbsp;
do you have otherway to test it or how to run this command correctly?
Thanks for your help&nbsp;

kash_49328 · Answer

Do the TCPdump and check it in the wireshark. I believe if you are not allowing sslv3 then Big ip should not allow the V3 hellos. Fyi 10.xx may be allowing SSLv2 also. I had 11.2.1 and it was allowing SSLv2 and v3. 
tcpdump -nni 0.0:nnn -s0 '(host xxxxxxx ) and port 443 or xxxx ' -w /var/tmp/xxxxxxx .pcap&nbsp;

amolari · Answer

this one is good   SSL Labs&nbsp;

truongh_36312 · Answer

it workss, thanks a lot for all yours info and instruction. &nbsp;

shaggy · Answer

curl is also an option. the -3 flag forces an SSLv3 handshake
curl -kvv3 https://www.xyj.gov.au

Forum Discussion

how to test for disable SSLv3 for vulnerability

4 Replies

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

How can I get started with iCall

Connection Rest f5

Kubernetes cert-manager + LetsEncrypt + F5

The GSLB pool is providing an incorrect IP to end users

Unable to ping from some self ip on Velos

Related Content

OpenSSH vulnerability

Mitigating Log4j Vulnerability using F5 BIG-IP

BYOEDR, Undetectable backdoor, WhoFi, Cyberattack to airline, and Clickjacking vulnerability

CVE-2014-3566: Removing SSLv3 from BIG-IP

TLS_FALLBACK_SCSV and tmsh syntax for disabling SSLv3

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS