How to: disable SSL 2.0 and use SSL 3.0

  #1  
Old 10-20-2008, 06:48 AM
alisaqi alisaqi is offline
Disabled
 
Join Date: Jan 2007
Posts: 78
How to: disable SSL 2.0 and use SSL 3.0

Our security compliance test failed for the following reason:
Synopsis : The remote service encrypts traffic using a protocol with known weaknesses. Description : The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. See for Apache.
We have Cpanel RHEL server. Please advise how to:
'disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. See for Apache.'
I would appreciate if you come up with steps or commands so that I can do this.



  #2  
Old 10-20-2008, 08:27 AM
hzalex
Guest
 
Posts: n/a
You need to use the SSLProtocol directive:
Example
# enable SSLv3 and TLSv1, but not SSLv2
SSLProtocol all -SSLv2

  #3  
Old 10-20-2008, 08:29 AM
hzalex
Guest
 
Posts: n/a
The last line needs to be added to httpd.conf to
<IfDefine SSL>
</IfDefine>

  #4  
Old 10-20-2008, 09:07 AM
stephanhughson stephanhughson is offline
Web Hosting Guru
 
Join Date: Jan 2006
Posts: 268
and if you are using lighttpd, just add:
ssl.use-sslv2 = "disable"
to your configuration file (and reload/restart the service).






  #5  
Old 10-20-2008, 12:07 PM
alisaqi alisaqi is offline
Disabled
 
Join Date: Jan 2007
Posts: 78
In which file should I add this? May I have the file path and name? I have a cPanel server.
Where exactly should I add this line 'SSLProtocol all -SSLv2'?

  #6  
Old 10-20-2008, 03:09 PM
alisaqi alisaqi is offline
Disabled
 
Join Date: Jan 2007
Posts: 78
any help on this?

  #7  
Old 10-20-2008, 03:44 PM
Sh3khar Sh3khar is offline
Newbie
 
Join Date: Sep 2008
Posts: 17
Quote:
Originally Posted by alisaqi
In which file should I add this? May I have the file path and name? I have a cPanel server.
Where exactly should I add this line 'SSLProtocol all -SSLv2'?


You need to add that line to the Apache configuration file, which resides at /usr/local/apache/conf/httpd.conf. Make sure you restart Apache once you add the line...

  #8  
Old 10-21-2008, 02:26 AM
alisaqi alisaqi is offline
Disabled
 
Join Date: Jan 2007
Posts: 78
I have added the lines below at the bottom of /usr/local/apache/conf/httpd.conf
nano -w /usr/local/apache/conf/httpd.conf
<IfDefine SSL>
# enable SSLv3 and TLSv1, but not SSLv2
SSLProtocol all -SSLv2
</IfDefine>
Then I restarted Apache and ran the test again, but it failed again; no effect. Please advise.

  #9  
Old 10-28-2008, 04:40 PM
smrtalex smrtalex is offline
Web Hosting Guru
 
Join Date: Dec 2006
Posts: 288
Anyone have any thoughts on this? We have the same issue.
RHEL 5.2 box, with Apache 2.2.3
We tried adding the following to the httpd.conf file and restarted Apache, but it failed the SecurityMatrix test on ports 443, 993, and 995
Code:

<IfDefine SSL>
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL
</IfDefine>

  #10  
Old 10-28-2008, 10:59 PM
lamerfreak lamerfreak is offline
Junior Guru
 
Join Date: Aug 2008
Posts: 176
Is there an existing SSLProtocol line later on perhaps?
993 and 995 are mail, not web, offhand, so you've got another service to look at there.
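
An added example, not part of any post in this thread: a Python sketch that lists every SSLProtocol line in an Apache config with its context and whether an enclosing <IfDefine> lets it take effect, which covers both the question above and the <IfDefine SSL> wrapper used in the earlier posts. The sample config, the `defines` parameter and all function names are assumptions; `all` is expanded as in Apache 2.2.

```python
import re
# Constructed sample, not the posters' config: fix inside <IfDefine SSL>, vhost with its own line.
SAMPLE_CONF = """\
<VirtualHost 192.0.2.10:443>
    SSLProtocol +SSLv2 +SSLv3
</VirtualHost>
<IfDefine SSL>
SSLProtocol all -SSLv2
</IfDefine>
"""
NAMES = {"sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1"}  # Apache 2.2 "all"

def enabled_protocols(args):
    """Evaluate SSLProtocol arguments left to right, e.g. ['all', '-SSLv2']."""
    enabled = set()
    for arg in args:
        sign, name = (arg[0], arg[1:]) if arg[0] in "+-" else ("", arg)
        group = set(NAMES.values()) if name.lower() == "all" else {NAMES[name.lower()]}
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:
            enabled = group  # an unsigned keyword replaces what came before
    return enabled

def audit(conf_text, defines=()):
    """Return (line, context, active, protocols) for every SSLProtocol line."""
    stack, found = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        tag = re.match(r"<(/?)(\w+)\s*([^>]*)>", line)
        if tag and tag.group(1):
            stack.pop()
        elif tag:
            stack.append((tag.group(2).lower(), tag.group(3).strip()))
        elif line.lower().startswith("sslprotocol "):
            # <IfDefine X> content is read only when httpd was started with -DX
            active = all((arg.lstrip("!") in defines) != arg.startswith("!")
                         for kind, arg in stack if kind == "ifdefine")
            ctx = next((arg for kind, arg in stack if kind == "virtualhost"), "global")
            found.append((no, ctx, active, sorted(enabled_protocols(line.split()[1:]))))
    return found

def sslv2_findings(found):
    """Active lines that enable SSLv2, plus a note when the 2.2 default applies."""
    hits = [f"line {n} ({ctx}) enables SSLv2" for n, ctx, on, p in found if on and "SSLv2" in p]
    if not any(on and ctx == "global" for _, ctx, on, _ in found):
        hits.append("no active global SSLProtocol; Apache 2.2 default 'all' includes SSLv2")
    return hits
```

Files pulled in with Include are not followed, so each included file has to be passed to `audit()` separately.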

  #11  
Old 10-28-2008, 11:11 PM
ZoomS
Guest
 
Posts: n/a
Quote:
Originally Posted by smrtalex
Anyone have any thoughts on this? We have the same issue.
RHEL 5.2 box, with Apache 2.2.3
We tried adding the following to the httpd.conf file and restarted Apache, but it failed the SecurityMatrix test on ports 443, 993, and 995
Code:

<IfDefine SSL>
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL
</IfDefine>




What does the Apache error log show when you restart Apache on the server?

  #12  
Old 11-25-2008, 09:20 AM
teamwork1
Guest
 
Posts: n/a
How to: disable SSL 2.0 and use SSL 3.0

To restrict connections to SSL 3.0 and to ensure strong encryption, we strongly recommend the following configuration for the Apache server’s SSL cipher suite settings.
* Use only High and Medium security cipher suites, such as RC4 and RSA.
* Remove from consideration any ciphers that do not authenticate, such as Anonymous Diffie-Hellman (ADH) ciphers.
* Use SSL 3.0, and disable SSL 2.0.
* Disable the Low, Export, and Null cipher suites.
To set these parameters, modify the aliases in the OpenSSL* ciphers command (the SSLCipherSuite directive) in the /etc/httpd/conf/httpd.conf file.
1. Stop the Apache server: At a terminal console, enter /etc/init.d/apache2 stop
2. Open the /etc/httpd/conf/httpd.conf file in a text editor, then locate the SSLCipherSuite directive in the Virtual Hosts section:
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
3. Modify the plus (+) to a minus (-) in front of the ciphers you want to disable and make sure there is a ! (not) before ADH:
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL
4. Save your changes.
5. Start the Apache server: At a terminal console, enter /etc/init.d/apache2 start
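
An added example, not from the post above or from OpenSSL: a simplified Python model of how the cipher-string operators in step 3 behave (`!` removes permanently, `-` removes, `+` only moves suites already in the list to the end), applied to the two strings from this post and the one from post #9. The suite table is a constructed subset of OpenSSL 0.9.8-era names, and the function and constant names are assumptions.

```python
# Constructed subset of OpenSSL 0.9.8-era suites and the keywords selecting them.
SUITES = {
    "AES256-SHA":     {"SSLv3", "HIGH", "RSA"},
    "ADH-AES256-SHA": {"SSLv3", "HIGH", "ADH"},
    "RC4-MD5":        {"SSLv3", "MEDIUM", "RSA", "RC4"},
    "DES-CBC-SHA":    {"SSLv3", "LOW", "RSA"},
    "EXP-RC4-MD5":    {"SSLv3", "EXP", "RSA", "RC4"},
    "NULL-SHA":       {"SSLv3", "eNULL", "NULL", "RSA"},
    "DES-CBC3-MD5":   {"SSLv2", "HIGH", "RSA"},
    "RC2-CBC-MD5":    {"SSLv2", "MEDIUM", "RSA"},
}
WEAK = {"SSLv2", "LOW", "EXP", "eNULL", "ADH"}
BEFORE = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"   # step 2
AFTER = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL"    # step 3
POST9 = ("ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:LOW:"
         "+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL")                        # post #9

def matches(tags, keyword):
    """'ALL' skips eNULL suites; 'A+B' requires both keywords."""
    if keyword == "ALL":
        return "eNULL" not in tags
    return all(k in tags for k in keyword.split("+"))

def expand(cipher_string):
    """Simplified model of the cipher-string operators; returns suite names in order."""
    active, killed = [], set()
    for item in cipher_string.split(":"):
        op = item[0] if item[0] in "!-+" else ""
        hit = [n for n, tags in SUITES.items() if matches(tags, item[len(op):])]
        if op in ("!", "-"):   # both remove; "!" also bars re-adding later
            killed |= set(hit) if op == "!" else set()
            active = [n for n in active if n not in hit]
        elif op == "+":        # reorder only: matching suites go to the end
            active = [n for n in active if n not in hit] + [n for n in active if n in hit]
        else:                  # bare keyword: append suites not already present
            active += [n for n in hit if n not in active and n not in killed]
    return active

def weak_left(cipher_string):
    """Suites that survive the string and are SSLv2, LOW, EXP, eNULL or ADH."""
    return sorted(n for n in expand(cipher_string) if SUITES[n] & WEAK)
```

On a real server, `openssl ciphers -v '<string>'` prints the expansion for the installed OpenSSL build.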

  #13  
Old 11-25-2008, 02:04 PM
alisaqi alisaqi is offline
Disabled
 
Join Date: Jan 2007
Posts: 78
I appreciate your help... I was still looking for it. I will try to make it in a day or two.
