• How to disable the support for SSLv2 LOW encryption ciphers?

    Secure Sockets Layer (SSL) is the standard security technology for creating an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and the browser remains private and secure. SSLv2, SSLv3, and TLS (1.0) all provide a secure channel between clients and servers. There are known flaws in the SSLv2 protocol: a man-in-the-middle attacker can force the communication down to a less secure level and then attempt to break the weak encryption, and the attacker can also truncate encrypted messages. These flaws have been fixed in SSLv3 (or TLSv1). Most servers (including all popular web servers, mail servers, etc.) and clients (including web clients like IE, Netscape Navigator and Mozilla, and mail clients) support both SSLv2 and SSLv3. However, SSLv2 is enabled by default for backward compatibility.

    You can follow the steps below to disable SSLv2 and the LOW encryption ciphers on Apache, IIS, Tomcat, Resin and others.


    How to configure?

    1) Apache ( httpd.conf )

    SSLProtocol ALL -SSLv2

    SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL

    2) lighttpd ( lighttpd.conf )

    ssl.use-sslv2 = "disable"

    3) resin  ( resin.conf )

    <protocol>-ALL +SSLv3 +TLSv1</protocol>

    <cipher-suite>ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM</cipher-suite>

    4) Tomcat

    sslProtocol="SSLv3"

    ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_

    5) IIS

    http://support.microsoft.com/kb/216482

    http://support.microsoft.com/kb/187498

    6) Postfix ( main.cf )

    smtpd_tls_mandatory_protocols = SSLv3, TLSv1

    smtpd_tls_mandatory_ciphers = medium, high

    7) Proftpd ( proftpd.conf )

    TlsCipherList HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3

    8) vsftpd ( vsftpd.conf )

    ssl_sslv2=NO


    How to verify? 😉

    ( If everything is configured properly, you will get the following results when checking with SSLv2 )

    a) SSL version testing

    $ openssl s_client -ssl2 -connect localhost:443

    CONNECTED(00000003)
    8213:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:

    $ openssl s_client -ssl3 -connect localhost:443

    $ openssl s_client -tls1 -connect localhost:443

    b) Cipher testing

    $ openssl s_client -ssl2 -connect localhost:443 -cipher LOW:EXP

    CONNECTED(00000003)
    8164:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
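    As an added example (not part of the original post), the checks above wrapped in a small POSIX shell script: it classifies an openssl s_client transcript as accepted, refused or untestable, and runs the SSLv2, LOW:EXP, SSLv3 and TLSv1 probes against a host in one go. It assumes openssl is on PATH; host:port values are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: classify an `openssl s_client`
# transcript and use it to check that a server refuses SSLv2 and LOW/EXP
# ciphers. Assumes `openssl` is on PATH; host:port values are placeholders.

# classify_s_client: reads a captured s_client transcript on stdin and prints
# exactly one word: accepted, refused or untestable. Error strings are
# matched before the success string because a failed handshake still
# prints a "Cipher is (NONE)" line.
classify_s_client() {
    out=$(cat)
    case "$out" in
        *"nknown option"*)
            # this openssl build no longer has -ssl2 (or -ssl3): the client
            # cannot test it, which says nothing about the server
            echo untestable ;;
        *"connect:errno"*|*"Connection refused"*|*"getaddrinfo"*)
            echo untestable ;;   # no TCP connection, not a TLS verdict
        *"handshake failure"*|*"wrong version number"*|*"no ciphers available"*|*"alert protocol version"*|*"Cipher is (NONE)"*)
            echo refused ;;
        *"Cipher is "*)
            echo accepted ;;     # server completed the handshake
        *)
            echo untestable ;;
    esac
}

# probe HOST:PORT FLAG [CIPHERS]: run s_client with a protocol flag
# (-ssl2, -ssl3, -tls1) and an optional cipher list, e.g. LOW:EXP.
probe() {
    target=$1; flag=$2; ciphers=${3:-}
    if [ -n "$ciphers" ]; then
        openssl s_client "$flag" -connect "$target" -cipher "$ciphers" </dev/null 2>&1 | classify_s_client
    else
        openssl s_client "$flag" -connect "$target" </dev/null 2>&1 | classify_s_client
    fi
}

# verify HOST:PORT: returns 0 only when SSLv2 and the LOW:EXP ciphers are
# refused while at least one of SSLv3 / TLSv1 still completes a handshake.
verify() {
    target=$1
    v2=$(probe "$target" -ssl2); low=$(probe "$target" -ssl2 LOW:EXP)
    v3=$(probe "$target" -ssl3); t1=$(probe "$target" -tls1)
    printf 'SSLv2=%s LOW:EXP=%s SSLv3=%s TLSv1=%s\n' "$v2" "$low" "$v3" "$t1"
    [ "$v2" = refused ] && [ "$low" = refused ] &&
        { [ "$v3" = accepted ] || [ "$t1" = accepted ]; }
}

# verify localhost:443   # uncomment to run against a real server
```

An OpenSSL build without SSLv2 support reports "untestable" for the -ssl2 probes, which means this client cannot confirm the server's behaviour and a different scanner is needed for that check.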