How to disable the support for SSLv2 LOW encryption ciphers?

October 23rd, 2008

Secure Sockets Layer (SSL) is the standard security technology for creating an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and the browser remains private and secure. SSLv2, SSLv3 and TLS (1.0) are all protocols that provide a secure channel between clients and servers.

There are known flaws in the SSLv2 protocol. A man-in-the-middle attacker can force the communication to a less secure level and then attempt to break the weak encryption. The attacker can also truncate encrypted messages.

These flaws have been fixed in SSLv3 (or TLSv1). Most servers (including all popular web-servers, mail-servers, etc.) and clients (including Web-clients like IE, Netscape Navigator and Mozilla and mail clients) support both SSLv2 and SSLv3. However, SSLv2 is enabled by default for backward compatibility.

You can follow the steps below to disable SSLv2 and the LOW-strength encryption ciphers on Apache, IIS and Tomcat web servers, so that the secure channel can only be negotiated via SSLv3.

  • Apache
    Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:

    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

    For Apache/apache_ssl, include the following line in the configuration file (httpsd.conf):

    SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

  • Tomcat
    In the HTTPS connector of server.xml, set:

    sslProtocol="SSLv3"
    ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"

  • IIS
    • Click Start, click Run, type regedt32 or regedit, and then click OK.
    • In Registry Editor, locate the following registry key: HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
    • On the Edit menu, click Add Value.
    • In the Data Type list, click DWORD.
    • In the Value Name box, type Enabled, and then click OK.
      Note: if this value is already present, double-click the value to edit its current value.
    • Type 00000000 in the Binary Editor to set the value of the new key equal to "0".
    • Click OK. Restart the computer.

For more details, refer to Microsoft Knowledge Base articles 187498 and 245030.

How can you verify it?

SSH to your server and type the following command:

root@ [~]# openssl s_client -ssl2 -connect localhost:443

If everything is fine you should receive something like this (errno 104 is ECONNRESET: the server dropped the connection instead of completing an SSLv2 handshake):

root@ [~]# openssl s_client -ssl2 -connect localhost:443
CONNECTED(00000003)
write:errno=104
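As an added example that is not part of the original post, the following Python script generalises the `openssl s_client -ssl2` check above: it probes a server at one exact protocol version at a time and reports which versions complete a handshake. Because current Python/OpenSSL builds cannot speak SSLv2 or SSLv3, the offline demo runs against an in-process server restricted to TLS 1.3 and treats TLS 1.2 as the "legacy" version to be refused. It assumes the `openssl` command-line tool is installed to generate a throwaway self-signed certificate; all hosts, ports and function names are constructed for this example.

```python
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed_cert():
    """Generate a throwaway cert/key pair with the openssl CLI (assumed installed)."""
    d = tempfile.mkdtemp()
    cert, key = os.path.join(d, "cert.pem"), os.path.join(d, "key.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", cert, "-days", "1", "-subj", "/CN=localhost"],
                   check=True, capture_output=True)
    return cert, key


def start_server(min_version):
    """Start a TLS server on 127.0.0.1 that refuses every protocol version below min_version."""
    cert, key = make_self_signed_cert()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = min_version
    ctx.load_cert_chain(cert, key)
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(5)

    def serve():
        while True:
            conn, _ = sock.accept()
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.recv(1)  # handshake succeeded; wait for the client to hang up
            except (ssl.SSLError, OSError):
                pass  # handshake refused (e.g. unsupported version) or client went away

    threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname()[1]


def probe(host, port, version):
    """Return True if the server completes a handshake at exactly `version`, else False."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we test protocol policy, not certificate trust
    ctx.minimum_version = ctx.maximum_version = version  # pin the client to one version
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False  # alert, reset or timeout: the server refused this version


def demo():
    """Constructed offline demo: a TLS 1.3-only server must refuse TLS 1.2 and accept TLS 1.3."""
    port = start_server(ssl.TLSVersion.TLSv1_3)
    return {v.name: probe("127.0.0.1", port, v)
            for v in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)}


if __name__ == "__main__":
    print(demo())  # expected: {'TLSv1_2': False, 'TLSv1_3': True}
```

Point `probe` at a real host and port to audit a production server in the same way; a `False` for every legacy version is the result the post's `openssl` check is looking for.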