"Auxiliary failed: ArgumentError unknown SSL method `SSLv3'

[demolen]

running vmauthd_login and vmauthd_version modules results in :

"Auxiliary failed: ArgumentError unknown SSL method `SSLv3'." error.

with the following call stack:

[-] Call stack:
[-]   /usr/lib/ruby/2.3.0/openssl/ssl.rb:112:in `ssl_version='
[-]   /usr/lib/ruby/2.3.0/openssl/ssl.rb:112:in `initialize'
[-]   /usr/share/metasploit-framework/lib/metasploit/framework/login_scanner/vmauthd.rb:99:in `new'
[-]   /usr/share/metasploit-framework/lib/metasploit/framework/login_scanner/vmauthd.rb:99:in `generate_ssl_context'
[-]   /usr/share/metasploit-framework/lib/metasploit/framework/login_scanner/vmauthd.rb:88:in `swap_sock_plain_to_ssl'
[-]   /usr/share/metasploit-framework/lib/metasploit/framework/login_scanner/vmauthd.rb:47:in `attempt_login'
[-]   /usr/share/metasploit-framework/lib/metasploit/framework/login_scanner/base.rb:222:in `block in scan!'
[-]   /usr/share/metasploit-framework/lib/metasploit/framework/login_scanner/base.rb:179:in `block in each_credential'
[-]   /usr/share/metasploit-framework/lib/metasploit/framework/credential_collection.rb:127:in `each'
[-]   /usr/share/metasploit-framework/lib/metasploit/framework/login_scanner/base.rb:141:in `each_credential'
[-]   /usr/share/metasploit-framework/lib/metasploit/framework/login_scanner/base.rb:204:in `scan!'
[-]   /usr/share/metasploit-framework/modules/auxiliary/scanner/vmware/vmauthd_login.rb:89:in `run_host'
[-]   /usr/share/metasploit-framework/lib/msf/core/auxiliary/scanner.rb:133:in `block (2 levels) in run'
[-]   /usr/share/metasploit-framework/lib/msf/core/thread_manager.rb:100:in `block in spawn'

`

error has been produced with metasploit-framework 4.12.20-dev
(installed via apt in kali)

[busterb]

I think this is occurring because the version of OpenSSL that Kali Linux is built with appears to no longer support SSLv3, but metasploit assumes that SSLv3 support is always available.

[demolen]

so is there any work around?
and is this something to do with the ruby 2.3.0 support for sslv3?

[bcook-r7]

You hit the nail on the head. Ruby 2.3.0 supports it, but Kali has it disabled. You would need to ping them about changing it. This is the same root cause as #6783, so I'm going to close this in favor of that.

[demolen]

OK, I tried removing no-ssl3 no-ssl3-method off the OpenSSL source, compiling and reinstalling it again. but it still throws the same error.

[bcook-r7]

You would need to recompile ruby too, I believe.

[karllll]

I ran into this issue writing a https request to check for default passwords on EMC Axeda devices. A Net::HTTP object has a configurable 'ciphers' method - I was able to get beyond this issue by setting the ciphers option and excluding Diffie Hellman ciphers as described by Zack Hobson here ( https://zackhobson.com/2014/02/10/ssl_and_ruby_part_2/ ). Specifically, http.ciphers = ['AES128-SHA'].

[jamiehush]

Appreciate the suggestion to include locally compiled libraries (instead of the relying on the system variants) is the 'correct' longer term solution. However, on latest rolling Kali I bumped into this issue with the vmauthd_version module and a quick fix was to change, line 116, from ...SSLContext.new(:SSLv3) to use SSLv23 instead. (Worked on a variety of VMware boxes)