Disallowing ssl2
John Almberg
jalmberg at identry.com
Tue Nov 11 06:15:08 PST 2008
On Nov 11, 2008, at 8:50 AM, John Almberg wrote:
> My server got an audit for PCI compliance and was red-flagged for
> allowing SSL2 connections, which they have some problem with. They
> want the server to use SSL3 or TLS:
>
> "Synopsis : The remote service encrypts traffic using a protocol
> with known weaknesses. Description : The remote service accepts
> connections encrypted using SSL 2.0, which reportedly suffers from
> several cryptographic flaws and has been deprecated for several
> years. An attacker may be able to exploit these issues to conduct
> man-in-the-middle attacks or decrypt communications between the
> affected service and clients. See also : http://www.schneier.com/
> paper-ssl.pdf Solution: Consult the application's documentation to
> disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. See http://
> support.microsoft.com/kb/216482 for instructions on IIS. See http://
> httpd.apache.org/docs/2.0/mod/mod_ssl.html for Apache. Risk
> Factor: Medium / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/
> B:N) "
>
> They want me to do this for https, imaps, and pop3s protocols...
>
> Before I dig into this, I was wondering, is this even possible?
> Will anything break as a result?
>
Answering my own question (always the best way! :-)
I've figured out how to do this on Apache... Replaced the default
SSLCipherSuite directive with the following:
SSLCipherSuite TLSv1:!ADH:!EXP:!NULL:!MD5:!LOW:+HIGH:+MEDIUM
This seems to work, although I guess all those Netscape 4 users are
going to have to shop elsewhere...
On to IMAPS and POP3S...
-- John
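For readers who want to see the cipher-string fix in context, here is an added example of an Apache 2.0/2.2 mod_ssl virtual host; it is not John's configuration and the hostname, certificate paths and port are placeholders. It pairs the SSLCipherSuite line from the message with the SSLProtocol directive, which is the explicit way to remove SSLv2 from the protocol versions the server will negotiate. Note that SSLv3 and TLS 1.0, acceptable to the 2008 scanner, have since been formally deprecated (RFC 7568 and RFC 8996), so a current deployment would strike those as well.

```apache
# Added example, not the original poster's configuration.
# Hostname, paths and port below are placeholders.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /usr/local/etc/apache/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/server.key

    # Weak setting (the stock mod_ssl default of the time):
    # every protocol version, SSLv2 included, may be negotiated.
    # SSLProtocol all

    # Corrected setting: keep SSLv3 and TLSv1, refuse SSLv2 handshakes
    # regardless of which cipher suites are configured below.
    SSLProtocol all -SSLv2

    # Cipher string from the message above: only TLSv1-capable suites,
    # minus anonymous DH, export-grade, NULL-encryption, MD5-MAC and
    # low-strength suites. SSLv2 has its own separate suite list, none
    # of which match "TLSv1", which is why this string alone already
    # made the scanner's SSLv2 probe fail.
    SSLCipherSuite TLSv1:!ADH:!EXP:!NULL:!MD5:!LOW:+HIGH:+MEDIUM
</VirtualHost>
```

To see exactly which suites a cipher string expands to before deploying it, run `openssl ciphers -v 'TLSv1:!ADH:!EXP:!NULL:!MD5:!LOW:+HIGH:+MEDIUM'` on the server; an empty or surprising list means a typo in the string. Relying on SSLProtocol rather than on the cipher list alone means a later edit to SSLCipherSuite cannot quietly reopen SSLv2.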
More information about the freebsd-questions mailing list