Disallowing ssl2

Matthew Seaman m.seaman at infracaninophile.co.uk
Tue Nov 11 06:49:20 PST 2008


John Almberg wrote:
| My server got an audit for PCI compliance and was red-flagged for
| allowing SSL2 connections, which they have some problem with. They want
| the server to use SSL3 or TLS:
| "Synopsis : The remote service encrypts traffic using a protocol with
| known weaknesses. Description : The remote service accepts connections
| encrypted using SSL 2.0, which reportedly suffers from several
| cryptographic flaws and has been deprecated for several years. An
| attacker may be able to exploit these issues to conduct
| man-in-the-middle attacks or decrypt communications between the affected
| service and clients. See also : http://www.schneier.com/paper-ssl.pdf
| Solution: Consult the application's documentation to disable SSL 2.0 and
| use SSL 3.0 or TLS 1.0 instead. See
| http://support.microsoft.com/kb/216482 for instructions on IIS. See
| http://httpd.apache.org/docs/2.0/mod/mod_ssl.html for Apache. Risk
| Factor: Medium  / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N) "
| They want me to do this for https, imaps, and pop3s protocols...
| Before I dig into this, I was wondering, is this even possible? Will
| anything break as a result?

It's certainly possible to insist on SSLv3 or TLSv1 for SSL connections,
and nothing[*] will break.  The client and server will negotiate to find a
mutually acceptable cipher and protocol level at the point of making the

For apache2 the magic wording is:

    SSLProtocol all -SSLv2

Note that this is conceptually distinct from choosing the cipher to use --
many of the SSLv2 ciphers are also available under SSLv3, but there's a
structural problem with SSLv2 which means a cipher perfectly acceptable under
v3 can be broken under v2.

Even so, there are a bunch of pretty useless ciphers out there.  Anything
with a key length less than about 40 bits is essentially trivially
crackable nowadays using a desktop PC.  56-bit is crackable to someone with
the resources of the NSA.  To control the ciphers Apache allows, use
something like:


This can combine choosing the protocol level with choosing the allowable
ciphers into one handy string, if you include the appropriate terms, and
if done that way means you don't also need the 'SSLProtocol' item above.

Most applications that use openssl to provide crypto will let you enter
a string like that somewhere.  You can see what ciphers a cipher-spec
equates to by, e.g.:

% openssl ciphers -ssl3  -v 'RSA:\!EXP:\!NULL:-SSLv2:+HIGH:+MEDIUM:-LOW'
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5

This setting is known to work well with recent versions of  Firefox and
IE.  The ciphers(1) man page will give you the gory details.

Exactly how and where you specify the cipher string depends on the
software you're using.  So, for example, adding the following to
imapd.conf will achieve the required effect with Cyrus IMAPd:

tls_cipher_list:  RSA:!EXP:!NULL:-SSLv2:+HIGH:+MEDIUM:-LOW



[*] Probably.

--
Dr Matthew J Seaman MA, D.Phil.                       Flat 3
                                                      7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW, UK
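As an added example (not code from the post or from any of the projects it mentions), here is a small Python checker that parses the `openssl ciphers -v` column layout shown above and flags suites a PCI reviewer would reject: SSLv2 suites, NULL or export-grade ciphers, and symmetric keys shorter than an assumed 128-bit floor (the same line the post draws with `-LOW`). The sample listing is constructed, not captured output.

```python
# Added example: audit an `openssl ciphers -v` listing for suites that should
# be disabled.  Pipe real output in: openssl ciphers -v 'SPEC' | python3 audit.py
import re
import sys

# Constructed sample in the `openssl ciphers -v` column layout from the post.
SAMPLE = """\
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5 export
NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<flags>.*)$")

MIN_BITS = 128  # assumed policy floor: keeps HIGH and MEDIUM, drops LOW/export


def parse_cipher_line(line):
    """Split one `-v` line into its fields; return None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    c = m.groupdict()
    bits = re.search(r"\((\d+)\)", c["enc"])   # e.g. "RC4(40)" -> 40
    c["bits"] = int(bits.group(1)) if bits else 0
    c["export"] = "export" in c["flags"]
    return c


def audit(listing, min_bits=MIN_BITS):
    """Return {(name, proto): [reasons]} for every suite that should be disabled."""
    findings = {}
    for line in listing.splitlines():
        c = parse_cipher_line(line)
        if c is None:
            continue
        reasons = []
        if c["proto"] == "SSLv2":
            reasons.append("SSLv2 protocol")
        if c["enc"] == "None":
            reasons.append("NULL encryption")
        if c["export"]:
            reasons.append("export-grade")
        if c["bits"] and c["bits"] < min_bits:
            reasons.append(f"{c['bits']}-bit key")
        if reasons:
            findings[(c["name"], c["proto"])] = reasons
    return findings


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for (name, proto), why in sorted(audit(text).items()):
        print(f"{name:<24}{proto:<6}{', '.join(why)}")
```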


More information about the freebsd-questions mailing list