-
10-20-2008, 06:48 AM #1 Disabled
How to: disable SSL 2.0 and use SSL 3.0
Our security compliance test failed for the following reason:
Synopsis : The remote service encrypts traffic using a protocol with known weaknesses. Description : The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. See for Apache.
We have a cPanel RHEL server. Please advise how to:
'disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. See for Apache.'
I would appreciate it if you could come up with steps or commands so that I can do this.
-
10-20-2008, 08:27 AM #2 hzalex Guest
You need to use the SSLProtocol directive:
Example
# enable SSLv3 and TLSv1, but not SSLv2
SSLProtocol all -SSLv2
-
10-20-2008, 08:29 AM #3 hzalex Guest
The last line needs to be added to httpd.conf inside:
<IfDefine SSL>
</IfDefine>
-
10-20-2008, 09:07 AM #4 Web Hosting Guru
And if you are using lighttpd, just add:
ssl.use-sslv2 = "disable"
to your configuration file (and reload/restart the service).
-
10-20-2008, 12:07 PM #5 Disabled
In which file should I add this? May I have the file path and name? I have a cPanel server.
Where exactly should I add this line: 'SSLProtocol all -SSLv2'?
-
10-20-2008, 03:09 PM #6 Disabled
Any help on this?
-
10-20-2008, 03:44 PM #7 Newbie
Quote:
Originally Posted by alisaqi
In which file should I add this? May I have the file path and name? I have a cPanel server.
Where exactly should I add this line: 'SSLProtocol all -SSLv2'?
You need to add that line to the Apache configuration file, which resides at /usr/local/apache/conf/httpd.conf. Make sure you restart Apache once you add the line...
-
10-21-2008, 02:26 AM #8 Disabled
I have added the lines below at the bottom of /usr/local/apache/conf/httpd.conf
nano -w /usr/local/apache/conf/httpd.conf
<IfDefine SSL>
# enable SSLv3 and TLSv1, but not SSLv2
SSLProtocol all -SSLv2
</IfDefine>
Then I restarted Apache and ran the test again, but it failed again; no effect. Please advise.
-
10-28-2008, 04:40 PM #9 Web Hosting Guru
Anyone have any thoughts on this? We have the same issue.
RHEL 5.2 box, with Apache 2.2.3.
We tried adding the following to the httpd.conf file and restarted Apache, but it still failed the SecurityMatrix test on ports 443, 993, and 995.
Code:
<IfDefine SSL>
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL
</IfDefine>
-
10-28-2008, 10:59 PM #10 Junior Guru
Is there an existing SSLProtocol line later on perhaps?
993 and 995 are mail, not web, offhand, so you've got another service to look at there.
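Two points raised in this thread decide whether the fix from post #8 takes effect: a block under <IfDefine SSL> is only read when httpd is started with -DSSL, and a later or per-vhost SSLProtocol line overrides an earlier one (the question asked just above). The Python audit below is an added example, not code from anyone in this thread; it parses a constructed httpd.conf excerpt (the vhost address and layout are made up) and reports which SSLProtocol directives are live and what each still allows.

```python
import re
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}  # what 'all' meant to mod_ssl in Apache 2.2

def parse_ssl_protocol(value):
    """Evaluate an SSLProtocol value like mod_ssl: tokens apply left to right,
    'all' names every protocol, '+X' or bare 'X' adds X, '-X' removes X."""
    enabled = set()
    for tok in value.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = set(ALL_PROTOCOLS) if name.lower() == "all" else {name}
        enabled = enabled - names if sign == "-" else enabled | names
    return enabled

def audit_ssl_protocol(conf_text, defines=()):
    """Map the scope of every live SSLProtocol directive to its protocol set. A
    directive inside <IfDefine X> counts only if X is in `defines` (httpd's -D
    symbols), so a block under <IfDefine SSL> is inert unless httpd runs with -DSSL."""
    defines = set(defines)
    stack, results = [], {}  # stack holds (container description, is_active)
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            stack.pop()
            continue
        m = re.match(r"<(\w+)\s*([^>]*)>$", line)
        if m:
            tag, arg = m.group(1), m.group(2).strip()
            active = tag != "IfDefine" or (arg.lstrip("!") in defines) != arg.startswith("!")
            stack.append((f"{tag} {arg}".strip(), active))
            continue
        m = re.match(r"SSLProtocol\s+(.+)", line, re.IGNORECASE)
        if m and all(active for _, active in stack):
            scope = " > ".join(desc for desc, _ in stack) or "server config"
            results[scope] = parse_ssl_protocol(m.group(1))  # a later line in the same scope wins
    return results

# Constructed excerpt, not the thread's real config: a vhost with its own permissive
# SSLProtocol, plus the block from post #8 appended at the bottom of httpd.conf.
SAMPLE_CONF = """\
<VirtualHost 192.0.2.10:443>
    SSLProtocol all
</VirtualHost>
<IfDefine SSL>
    # enable SSLv3 and TLSv1, but not SSLv2
    SSLProtocol all -SSLv2
</IfDefine>
"""
```

Run without defines, the audit shows only the vhost's 'SSLProtocol all' as live; with defines=("SSL",) the appended block is live too, but the vhost line still allows SSLv2 on that site. On the server itself, the live result can be confirmed with 'openssl s_client -connect localhost:443 -ssl2', which should fail to negotiate once SSLv2 is really off.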
-
10-28-2008, 11:11 PM #11 ZoomS Guest
Quote:
Originally Posted by smrtalex
Anyone have any thoughts on this? We have the same issue.
RHEL 5.2 box, with Apache 2.2.3.
We tried adding the following to the httpd.conf file and restarted Apache, but it still failed the SecurityMatrix test on ports 443, 993, and 995.
Code:
<IfDefine SSL>
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL
</IfDefine>
What does the Apache error log show when you restart Apache on the server?
-
11-25-2008, 09:20 AM #12 teamwork1 Guest
How to: disable SSL 2.0 and use SSL 3.0
To restrict connections to SSL 3.0 and to ensure strong encryption, we strongly recommend the following configuration for the Apache server's SSL cipher suite settings.
* Use only High and Medium security cipher suites, such as RC4 and RSA.
* Remove from consideration any ciphers that do not authenticate, such as Anonymous Diffie-Hellman (ADH) ciphers.
* Use SSL 3.0, and disable SSL 2.0.
* Disable the Low, Export, and Null cipher suites.
To set these parameters, modify the aliases in the OpenSSL ciphers command (the SSLCipherSuite directive) in the /etc/httpd/conf/httpd.conf file.
1. Stop the Apache server: At a terminal console, enter /etc/init.d/apache2 stop
2. Open the /etc/httpd/conf/httpd.conf file in a text editor, then locate the SSLCipherSuite directive in the Virtual Hosts section:
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
3. Change the plus (+) to a minus (-) in front of the ciphers you want to disable, and make sure there is a ! (not) before ADH:
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL
4. Save your changes.
5. Start the Apache server: At a terminal console, enter /etc/init.d/apache2 start
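The edits in steps 2 and 3 follow OpenSSL's cipher-string operator rules: a bare alias adds its ciphers, a '+' prefix only moves them to the end of the list, '-' removes them (a later bare alias may add them back) and '!' removes them for good. The Python function below is an added example, not from this post or from OpenSSL; it is a deliberately simplified model that tracks only the weak classes this thread talks about (LOW, 40- and 56-bit export, ADH, eNULL, SSLv2), so the before and after strings from steps 2 and 3 and the SSLCipherSuite posted in post #9 can be compared.

```python
# Simplified model of OpenSSL cipher-string evaluation (added example): only the
# weak cipher classes discussed in this thread are tracked; aNULL is reduced to
# ADH and NULL to eNULL. Aliases that name no weak class (HIGH, MEDIUM, RC4+RSA,
# SSLv3, TLSv1, ...) cannot change the result and are ignored.
WEAK_CLASSES = {"LOW", "EXPORT40", "EXPORT56", "ADH", "eNULL", "SSLv2"}
ALIASES = {
    "ALL": WEAK_CLASSES - {"eNULL"},  # OpenSSL's ALL is every suite except eNULL
    "COMPLEMENTOFALL": {"eNULL"},
    "LOW": {"LOW"}, "SSLv2": {"SSLv2"},
    "ADH": {"ADH"}, "aNULL": {"ADH"},
    "eNULL": {"eNULL"}, "NULL": {"eNULL"},
    "EXP": {"EXPORT40", "EXPORT56"}, "EXPORT": {"EXPORT40", "EXPORT56"},
    "EXPORT40": {"EXPORT40"}, "EXPORT56": {"EXPORT56"},
}

def weak_classes_enabled(cipher_suite):
    """Return the weak classes an SSLCipherSuite value still leaves enabled.
    Operators: bare alias adds, '+' only reorders (membership unchanged),
    '-' removes but a later bare alias may re-add, '!' removes and blocks."""
    enabled, killed = set(), set()
    for tok in cipher_suite.split(":"):
        op = tok[0] if tok and tok[0] in "+-!" else ""
        classes = ALIASES.get(tok[len(op):], set())
        if op == "!":
            killed |= classes
            enabled -= classes
        elif op == "-":
            enabled -= classes
        elif op == "":
            enabled |= classes - killed
    return enabled

# The strings from step 2 (before) and step 3 (after) above, and the one from post #9.
BEFORE = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
AFTER = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL"
POST9 = "ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL"
```

Under this model the step 2 string still leaves LOW, both export classes and SSLv2 ciphers enabled, the step 3 string leaves none of the tracked classes, and the post #9 string keeps LOW and 40-bit export ciphers because 'LOW' is added bare and only EXPORT56 was killed.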
-
11-25-2008, 02:04 PM #13 Disabled
I appreciate your help... I was still looking for it. I will try to make it in a day or two.