Re: Disabling the SSLv2 protocol



Those are all the necessary directions. There's nothing else.

Double check that you have followed instructions in KB245030.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//



On Sep 19, 1:52 pm, Murr <M...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi.
I need to disable the SSLv2 protocol, and am having problems. I have
followed the instructions in Article ID : 187498 re: the registry
modifications, but when I re-scan my server, it still shows SSLv2 as a
vulnerability.

Does anyone know if there is something else I can try to disable that
protocol?

We are similar to "Gonzo's" post - I ran a security scan on this server and
it shows open...

THREAT:
The Secure Socket Layer (SSL) protocol allows for secure communication
between a client and a server.
There are known flaws in the SSLv2 protocol. A man-in-the-middle attacker
can force the communication to a less secure level and then attempt to
break the weak encryption. The attacker can also truncate encrypted messages.
These flaws have been fixed in SSLv3 (or TLSv1). Most servers (including all
popular web-servers, mail-servers, etc.) and clients (including
Web-clients like IE, Netscape Navigator and Mozilla and mail clients)
support both SSLv2 and SSLv3. However, SSLv2 is enabled by default for
backward compatibility.
The following links provide more information about this vulnerability:
SSL Server Security Survey
SSL 3.0 Specification
IMPACT:
An attacker can exploit this vulnerability to read secure communications or
maliciously modify messages.
SOLUTION:
Disable SSLv2.
Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the
following lines:
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
For Apache/apache_ssl, httpd.conf or ssl.conf should have the following line:
SSLNoV2
How to disable SSLv2 on IIS : Microsoft
Knowledge Base Article - 187498
How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in
Schannel.dll :
Microsoft Knowledge Base Article - 245030
RESULT:
No
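An added example, not part of the thread above: a PowerShell script that audits and sets the Schannel protocol registry keys that KB187498 and KB245030 describe, so the registry state can be compared against what the scanner reports. The key path under `SecurityProviders\SCHANNEL\Protocols` and the REG_DWORD `Enabled = 0` value come from those KB articles; the function names and the default protocol list are this example's own choices. It must be run elevated, and Schannel only reads these keys at startup, so a re-scan before a reboot will still show SSLv2.

```powershell
# Added example (not from the thread): audit and set the Schannel protocol keys
# described in KB187498 / KB245030. Key path and the 'Enabled' DWORD are from those
# articles; function names and the $Protocols default are this example's own choices.
# Run elevated. Schannel reads these keys at boot, so reboot before re-scanning.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param([string[]]$Protocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0'))
    foreach ($p in $Protocols) {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path $SchannelRoot "$p\$side"
            $enabled = $null
            if (Test-Path $key) {
                $enabled = (Get-ItemProperty -Path $key -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
            }
            [pscustomobject]@{
                Protocol  = $p
                Side      = $side
                KeyExists = Test-Path $key
                # $null means the value is not set; Schannel then treats the protocol as enabled
                Enabled   = $enabled
            }
        }
    }
}

function Disable-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol,
        [switch]$ServerOnly
    )
    $sides = if ($ServerOnly) { @('Server') } else { @('Server', 'Client') }
    foreach ($side in $sides) {
        $key = Join-Path $SchannelRoot "$Protocol\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # REG_DWORD Enabled = 0 is the setting KB187498 gives for turning a protocol off.
        New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
    }
}

# Usage: show the current state, disable SSL 2.0 for incoming (server) connections,
# then show the SSL 2.0 keys again to confirm the value was written.
Get-SchannelProtocolState | Format-Table -AutoSize
Disable-SchannelProtocol -Protocol 'SSL 2.0' -ServerOnly
Get-SchannelProtocolState -Protocols 'SSL 2.0' | Format-Table -AutoSize
```

If the audit shows `KeyExists` true and `Enabled` 0 for `SSL 2.0\Server` and the scanner still reports SSLv2 after a reboot, the remaining suspects are the value having been created with the wrong type (a string or binary value rather than REG_DWORD) or a typo in the subkey name, since Schannel ignores a key it does not recognise.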

