Date: Tue, 11 Nov 2008 09:14:57 -0500
From: John Almberg <jalmberg@identry.com>
To: freebsd-questions@freebsd.org
Subject: Re: Disallowing ssl2
Message-ID: <D45E5088-C92B-4808-B44F-A56030A3521B@identry.com>
In-Reply-To: <7F59430C-9DD9-44F1-B250-EB7109FBDF8B@identry.com>
References: <7F59430C-9DD9-44F1-B250-EB7109FBDF8B@identry.com>

On Nov 11, 2008, at 8:50 AM, John Almberg wrote:

> My server got an audit for PCI compliance and was red-flagged for
> allowing SSL2 connections, which they have some problem with. They
> want the server to use SSL3 or TLS:
>
> "Synopsis : The remote service encrypts traffic using a protocol
> with known weaknesses.
>
> Description : The remote service accepts connections encrypted using
> SSL 2.0, which reportedly suffers from several cryptographic flaws
> and has been deprecated for several years. An attacker may be able
> to exploit these issues to conduct man-in-the-middle attacks or
> decrypt communications between the affected service and clients.
>
> See also : http://www.schneier.com/paper-ssl.pdf
>
> Solution: Consult the application's documentation to disable SSL 2.0
> and use SSL 3.0 or TLS 1.0 instead. See
> http://support.microsoft.com/kb/216482 for instructions on IIS. See
> http://httpd.apache.org/docs/2.0/mod/mod_ssl.html for Apache.
>
> Risk Factor: Medium / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)"
>
> They want me to do this for https, imaps, and pop3s protocols...
>
> Before I dig into this, I was wondering, is this even possible?
> Will anything break as a result?

Answering my own question (always the best way! :-)

I've figured out how to do this on Apache... Replaced the default
SSLCipherSuite directive with the following:

    SSLCipherSuite TLSv1:!ADH:!EXP:!NULL:!MD5:!LOW:+HIGH:+MEDIUM

This seems to work, although I guess all those Netscape 4 users are
going to have to shop elsewhere...

On to IMAPS and POP3S...

-- John
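As an added example (not part of this thread), a small Python checker for the two mod_ssl directives this fix turns on: it resolves the token rules of SSLProtocol (the directive the linked mod_ssl 2.0 docs use to disable a protocol outright, e.g. `SSLProtocol all -SSLv2`) and flags cipher-list selectors that keep SSLv2, export, null or low-grade ciphers, so a config can be verified before the next scan. It assumes mod_ssl 2.0/2.2 semantics; the config snippets it is run on are constructed inline.

```python
# Protocol names mod_ssl 2.0/2.2 understands; the mapping normalises case.
PROTOCOL_NAMES = {"sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1"}
# OpenSSL cipher-list selectors a PCI scan of this kind objects to when left enabled.
WEAK_SELECTORS = {"SSLv2", "EXP", "EXPORT", "NULL", "eNULL", "aNULL", "ADH", "LOW", "MD5"}


def resolve_sslprotocol(tokens):
    """Apply SSLProtocol token rules: a bare name enables it, '+' adds, '-' removes, 'all' is every protocol."""
    enabled = set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        if name.lower() == "all":
            names = set(PROTOCOL_NAMES.values())
        else:
            names = {PROTOCOL_NAMES.get(name.lower(), name)}
        enabled = enabled - names if sign == "-" else enabled | names
    return enabled


def audit_ssl_config(config_text):
    """Return findings for mod_ssl config text. Assumption: flat file, last directive wins, no vhost scoping."""
    protocols, cipher_suite = None, None
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()          # drop comments; skip blank lines
        if not parts:
            continue
        directive = parts[0].lower()
        if directive == "sslprotocol":
            protocols = resolve_sslprotocol(parts[1:])
        elif directive == "sslciphersuite" and len(parts) > 1:
            cipher_suite = parts[1]
    findings = []
    if protocols is None:
        findings.append("SSLProtocol not set: mod_ssl's documented default is 'all', which includes SSLv2")
    elif "SSLv2" in protocols:
        findings.append("SSLProtocol enables SSLv2")
    if cipher_suite is None:
        findings.append("SSLCipherSuite not set: mod_ssl's default cipher list does not exclude SSLv2 or export ciphers")
    else:
        for sel in cipher_suite.split(":"):
            # '!' and '-' remove a selector; a bare or '+' selector keeps it in the list
            if sel.lstrip("+") in WEAK_SELECTORS:
                findings.append("SSLCipherSuite keeps weak selector %s" % sel)
    return findings


if __name__ == "__main__":
    # Constructed sample: the cipher suite from the post plus an explicit SSLProtocol line.
    sample = "SSLProtocol all -SSLv2\nSSLCipherSuite TLSv1:!ADH:!EXP:!NULL:!MD5:!LOW:+HIGH:+MEDIUM\n"
    print(audit_ssl_config(sample) or "no findings")
```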