From: John Almberg
Date: Tue, 11 Nov 2008 09:14:57 -0500
To: freebsd-questions@freebsd.org
Subject: Re: Disallowing ssl2
In-Reply-To: <7F59430C-9DD9-44F1-B250-EB7109FBDF8B@identry.com>

On Nov 11, 2008, at 8:50 AM, John Almberg wrote:

> My server got an audit for PCI compliance and was red-flagged for
> allowing SSL2 connections, which they have some problem with. They
> want the server to use SSL3 or TLS:
>
> "Synopsis : The remote service encrypts traffic using a protocol
> with known weaknesses.
>
> Description : The remote service accepts connections encrypted using
> SSL 2.0, which reportedly suffers from several cryptographic flaws and
> has been deprecated for several years. An attacker may be able to
> exploit these issues to conduct man-in-the-middle attacks or decrypt
> communications between the affected service and clients.
>
> See also : http://www.schneier.com/paper-ssl.pdf
>
> Solution: Consult the application's documentation to disable SSL 2.0
> and use SSL 3.0 or TLS 1.0 instead. See
> http://support.microsoft.com/kb/216482 for instructions on IIS. See
> http://httpd.apache.org/docs/2.0/mod/mod_ssl.html for Apache.
>
> Risk Factor: Medium / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)"
>
> They want me to do this for https, imaps, and pop3s protocols...
>
> Before I dig into this, I was wondering, is this even possible?
> Will anything break as a result?

Answering my own question (always the best way! :-)

I've figured out how to do this on Apache... Replaced the default
SSLCipherSuite directive with the following:

    SSLCipherSuite TLSv1:!ADH:!EXP:!NULL:!MD5:!LOW:+HIGH:+MEDIUM

This seems to work, although I guess all those Netscape 4 users are
going to have to shop elsewhere...

On to IMAPS and POP3S...

-- John
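As an added example (not code from the post, nor from the FreeBSD or Apache projects), here is a small Python linter for the two mod_ssl directives that decide whether SSL 2.0 can still be negotiated: the SSLProtocol directive with its "all" default, and the fact that every SSLv2 cipher suite uses an MD5 MAC (which is why the "!MD5" in the directive above works) are assumptions stated in the comments.

```python
# Added example (not from the post): a small linter that reports whether an
# Apache 2.0/2.2 mod_ssl configuration can still negotiate SSL 2.0. Assumed
# semantics: in SSLProtocol, bare and '+' tokens add, '-' removes, and 'all'
# (the default when the directive is absent) means SSLv2 SSLv3 TLSv1. In
# SSLCipherSuite, every SSLv2 cipher OpenSSL knows uses an MD5 MAC, so a
# permanent '!MD5' or '!SSLv2' token removes them all; a '-' token is only a
# soft removal a later token can undo, so it is not trusted here.
import re

ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}
CANONICAL = {p.lower(): p for p in ALL_PROTOCOLS}

def parse_directives(config_text):
    """Return the last SSLProtocol / SSLCipherSuite value seen, keyed lower-case."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"(SSLProtocol|SSLCipherSuite)\s+(.+)$", line, re.I)
        if m:
            found[m.group(1).lower()] = m.group(2).strip().strip('"')
    return found

def enabled_protocols(value):
    """Evaluate an SSLProtocol value into the set of enabled protocols."""
    enabled = set()
    for tok in value.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = set(ALL_PROTOCOLS) if name.lower() == "all" else {CANONICAL.get(name.lower(), name)}
        enabled = enabled - names if sign == "-" else enabled | names
    return enabled

def sslv2_ciphers_excluded(cipher_string):
    """True if the cipher string permanently ('!') removes every SSLv2 cipher."""
    return any(t.upper() in ("!SSLV2", "!MD5") for t in cipher_string.split(":"))

def sslv2_reachable(config_text):
    """True if a client could still complete an SSL 2.0 handshake."""
    d = parse_directives(config_text)
    protocol_on = "SSLv2" in enabled_protocols(d.get("sslprotocol", "all"))
    ciphers_gone = sslv2_ciphers_excluded(d.get("sslciphersuite", "DEFAULT"))
    return protocol_on and not ciphers_gone

# Constructed sample: the directive from the post, SSLProtocol left at its default.
SAMPLE_CONFIG = """
SSLEngine on
SSLCipherSuite TLSv1:!ADH:!EXP:!NULL:!MD5:!LOW:+HIGH:+MEDIUM
"""

if __name__ == "__main__":
    print("SSL 2.0 reachable:", sslv2_reachable(SAMPLE_CONFIG))  # False
```

The same check applied to a config that only uses "-SSLv2" inside SSLCipherSuite reports SSL 2.0 as still reachable, since the soft removal can be undone by a later token; "SSLProtocol all -SSLv2" is the directive that turns the protocol off regardless of cipher list.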