  1. #1
    How to: disable SSL 2.0 and use SSL 3.0

    Our security compliance test failed for the following reason:
    Synopsis: The remote service encrypts traffic using a protocol with known weaknesses. Description: The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
    Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. See for Apache.
    We have a cPanel RHEL server. Please advise how to:
    'disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. See for Apache.'
    I would appreciate it if you could provide steps or commands so that I can do this.

  2. #2
    hzalex Guest
    You need to use the SSLProtocol directive:
    Example
    # enable SSLv3 and TLSv1, but not SSLv2
    SSLProtocol all -SSLv2

  3. #3
    hzalex Guest
    The last line needs to be added to httpd.conf inside:
    <IfDefine SSL>
    </IfDefine>

  4. #4
    and if you are using lighttpd, just add:
    ssl.use-sslv2 = "disable"
    to your configuration file (and reload/restart the service).


  5. #5
    In which file should I add this? May I have the file path and name? I have a cPanel server.
    Where exactly should I add this line 'SSLProtocol all -SSLv2'?

  6. #6
    Any help on this?

  7. #7
    Quote:
    Originally Posted by alisaqi
    In which file should I add this? May I have the file path and name? I have a cPanel server.
    Where exactly should I add this line 'SSLProtocol all -SSLv2'?

    You need to add that line to the Apache configuration file, which resides at /usr/local/apache/conf/httpd.conf. Make sure you restart Apache once you add the line...

  8. #8
    I have added the lines below at the bottom of /usr/local/apache/conf/httpd.conf
    nano -w /usr/local/apache/conf/httpd.conf
    <IfDefine SSL>
    # enable SSLv3 and TLSv1, but not SSLv2
    SSLProtocol all -SSLv2
    </IfDefine>
    Then I restarted Apache and ran the test again, but it failed again with no effect. Please advise.

  9. #9
    Anyone have any thoughts on this? We have the same issue.
    RHEL 5.2 box, with Apache 2.2.3
    We tried adding the following to the httpd.conf file and restarted Apache, but it failed the SecurityMatrix test on ports 443, 993, and 995
    Code:

    <IfDefine SSL>
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL
    </IfDefine>

  10. #10
    Is there an existing SSLProtocol line later on perhaps?
    993 and 995 are mail, not web, offhand, so you've got another service to look at there.
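    Post #10's question (a later SSLProtocol line overriding the one appended at the bottom) and post #8's <IfDefine SSL> wrapper are both things a quick config audit can answer. The following is an added example, not code from this thread or from Apache or cPanel: it parses SSLProtocol directives using mod_ssl 2.2's token rules and reports, in file order and per scope, whether each directive is active and whether SSLv2 survives. The sample config, the 192.0.2.10 address and the `defines` parameter are constructed assumptions.

```python
import re
# Protocol names mod_ssl 2.2 accepts in SSLProtocol (matched case-insensitively).
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1")
def parse_ssl_protocol(value):
    """mod_ssl token rules: 'all' expands to every protocol, '+tok' adds,
    '-tok' removes, and a bare token replaces whatever was set before it."""
    enabled = set()
    for tok in value.split():
        action, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        names = {p for p in PROTOCOLS if name.lower() in ("all", p.lower())}
        if not names:
            raise ValueError("unknown SSLProtocol token: " + tok)
        if action == "-":
            enabled -= names
        elif action == "+":
            enabled |= names
        else:
            enabled = names
    return enabled

def audit_httpd_conf(conf, defines=frozenset()):
    """Return every SSLProtocol directive in file order with its scope (server or
    a VirtualHost), whether it is active, and whether SSLv2 survives. Inside
    <IfDefine X> a directive is inactive unless X is in `defines` (httpd started
    with -DX). Within one scope the last active directive wins."""
    findings, scope, ifdef = [], "server", []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if m := re.match(r"<IfDefine\s+(!?)(\S+)>", line, re.I):
            ifdef.append((m.group(2) in defines) != bool(m.group(1)))
        elif re.match(r"</IfDefine>", line, re.I):
            ifdef.pop()
        elif m := re.match(r"<VirtualHost\s+([^>]+)>", line, re.I):
            scope = "VirtualHost " + m.group(1)
        elif re.match(r"</VirtualHost>", line, re.I):
            scope = "server"
        elif m := re.match(r"SSLProtocol\s+(.+?)\s*$", line, re.I):
            enabled = parse_ssl_protocol(m.group(1))
            findings.append({"line": lineno, "scope": scope, "active": all(ifdef),
                             "enabled": enabled, "sslv2": "SSLv2" in enabled})
    return findings
# Constructed sample mirroring the thread's attempt; not a real cPanel config.
SAMPLE_CONF = """<IfDefine SSL>
SSLProtocol all -SSLv2
</IfDefine>
<VirtualHost 192.0.2.10:443>
    SSLProtocol all
</VirtualHost>
"""
```

    Pass defines={"SSL"} only if httpd is really started with -DSSL; otherwise Apache skips the whole <IfDefine SSL> block and the audit reports the directive as inactive. A VirtualHost entry showing sslv2=True is the "existing SSLProtocol line later on" that post #10 is asking about.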

  11. #11
    ZoomS Guest
    Quote:
    Originally Posted by smrtalex
    Anyone have any thoughts on this? We have the same issue.
    RHEL 5.2 box, with Apache 2.2.3
    We tried adding the following to the httpd.conf file and restarted Apache, but it failed the SecurityMatrix test on ports 443, 993, and 995
    Code:

    <IfDefine SSL>
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL
    </IfDefine>

    What does the Apache error log show when you restart Apache on the server?

  12. #12
    teamwork1 Guest
    How to: disable SSL 2.0 and use SSL 3.0

    To restrict connections to SSL 3.0 and to ensure strong encryption, we strongly recommend the following configuration for the Apache server’s SSL cipher suite settings.
    * Use only High and Medium security cipher suites, such as RC4 and RSA.
    * Remove from consideration any ciphers that do not authenticate, such as Anonymous Diffie-Hellman (ADH) ciphers.
    * Use SSL 3.0, and disable SSL 2.0.
    * Disable the Low, Export, and Null cipher suites.
    To set these parameters, modify the aliases in the OpenSSL ciphers command (the SSLCipherSuite directive) in the /etc/httpd/conf/httpd.conf file.
    1. Stop the Apache server: At a terminal console, enter /etc/init.d/apache2 stop
    2. Open the /etc/httpd/conf/httpd.conf file in a text editor, then locate the SSLCipherSuite directive in the Virtual Hosts section:
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    3. Modify the plus (+) to a minus (-) in front of the ciphers you want to disable and make sure there is a ! (not) before ADH:
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL
    4. Save your changes.
    5. Start the Apache server: At a terminal console, enter /etc/init.d/apache2 start

  13. #13
    I appreciate your help... I was still looking for it. I will try it in a day or two.
