System Administration

How do you disable SSL 2.0 and start using SSL 3.0 or TLS 1.0 in Linux RHAS??

SOLVED
d_allen111
Advisor

Hello -

I can list the rpm packages related to the Apache running on my Linux server, but I'm not sure which version we are running.

My questions are:
1. What's the command to show which version of SSL we're currently running?

2. How do you go about disabling it, or running an update to the next SSL version (SSL 3.0)?

3. Any other suggestions?

We're not in a position to disable SSL completely since other applications are currently using it.

Here are the rpm files on this Redhat Linux server:

openssl-devel-0.9.7a-43.17.el4_6.1
xmlsec1-openssl-1.2.6-3
docbook-style-dsssl-1.78-4
mod_ssl-2.0.52-41.ent.2
openssl-0.9.7a-43.17.el4_6.1
openssl-devel-0.9.7a-43.17.el4_6.1
xmlsec1-openssl-1.2.6-3
openssl096b-0.9.6b-22.46
openssl-0.9.7a-43.17.el4_6.1

Please help.

Thank you in advance.

David
Gerardo Arceri
Trusted Contributor

Re: How do you disable SSL 2.0 and start using SSL 3.0 or TLS 1.0 in Linux RHAS??

David:
Can you be more specific?
In any case check Apache's SSL FAQ:
http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html
d_allen111
Advisor

Re: How do you disable SSL 2.0 and start using SSL 3.0 or TLS 1.0 in Linux RHAS??

How do I go about finding out if we're using SSL 2.0? If we're using SSL 2.0, I would like to know how you go about upgrading to SSL 3.0.

Thanks,

David
Matti_Kurkela
Honored Contributor
Solution

Re: How do you disable SSL 2.0 and start using SSL 3.0 or TLS 1.0 in Linux RHAS??

SSL 2.0/3.0 is not visible as a process or a specific RPM, because it's usually implemented through the OpenSSL library. The OpenSSL libraries have supported all SSL/TLS versions for quite a while now.

The SSL/TLS protocol level is negotiated separately for each network connection that uses SSL/TLS.

This negotiation is controlled by the application that receives the connection. The OpenSSL libraries have very extensive controls for determining which SSL/TLS versions and/or encryption schemes should be accepted... but the library does not provide any configuration setting or file that could "disable SSL 2.0 everywhere": each application must pass the connection preferences to the OpenSSL library functions when the application starts using the library.

For example, in Apache (mod_ssl) the SSL 2.0 could be disabled by a configuration entry like this:

# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
SSLProtocol all -SSLv2

You can use the "openssl s_client" command to verify whether any SSL/TLS network service accepts SSL 2.0 connections or not.

This command tells the OpenSSL tool to connect to server "server.example" port 443 using SSL 2.0:

openssl s-client -ssl2 -connect server.example:443

If you get a response like this, the server has rejected your SSL 2.0 request:

CONNECTED(00000003)
30149:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:

If the server accepts SSL 2.0, you will get a much longer response, containing information about the chosen encryption methods and the server certificate. You may have to press Ctrl-C to interrupt the command in this case.

Note: even if the name of the software package mentions "openssl", it may not always use the SSL/TLS part of OpenSSL. The OpenSSL library has become a sort of standard repository of encryption algorithms: some applications may use just the encryption algorithm parts of OpenSSL, so the SSL/TLS version is not applicable for them. (I guess your xmlsec1 package might belong in this category.)

MK
Matti_Kurkela
Honored Contributor

Re: How do you disable SSL 2.0 and start using SSL 3.0 or TLS 1.0 in Linux RHAS??

Oops, typo: the openssl s_client command line should have been:

openssl s_client -ssl2 -connect server.example:443

No points for this reply, please!

MK
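As an added example (not code from the thread), the check Matti describes can be scripted even where the installed openssl no longer has the -ssl2 option (OpenSSL 1.1.0 and later dropped SSL 2.0 entirely, and Python's ssl module never exposes it), which is why this sends the raw SSL 2.0 CLIENT-HELLO over a plain socket instead. A SERVER-HELLO coming back means the service still accepts SSL 2.0; anything else (the "ssl handshake failure" case above, a TLS alert, a dropped connection) means it rejects it. The host, port and timeout are assumptions, and the sample SERVER-HELLO and alert records at the bottom are constructed by hand for offline use, not captured from a real server.

```python
import os
import socket
import struct

# SSL 2.0 handshake message types (from the SSL 2.0 protocol specification)
SSL2_MT_CLIENT_HELLO = 0x01
SSL2_MT_SERVER_HELLO = 0x04
SSL2_VERSION = 0x0002

# The seven SSL 2.0 cipher kinds, 3 bytes each; offering all of them makes a
# server that still speaks SSL 2.0 answer with a SERVER-HELLO.
SSL2_CIPHER_SPECS = bytes.fromhex(
    "010080"   # SSL_CK_RC4_128_WITH_MD5
    "020080"   # SSL_CK_RC4_128_EXPORT40_WITH_MD5
    "030080"   # SSL_CK_RC2_128_CBC_WITH_MD5
    "040080"   # SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
    "050080"   # SSL_CK_IDEA_128_CBC_WITH_MD5
    "060040"   # SSL_CK_DES_64_CBC_WITH_MD5
    "0700c0"   # SSL_CK_DES_192_EDE3_CBC_WITH_MD5
)


def ssl2_record(body: bytes) -> bytes:
    """Wrap a handshake body in the 2-byte SSL 2.0 record header (high bit set, no padding)."""
    if len(body) > 0x7FFF:
        raise ValueError("body too long for a 2-byte SSL 2.0 record header")
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_client_hello(challenge: bytes = b"") -> bytes:
    """Build the SSL 2.0 CLIENT-HELLO that 'openssl s_client -ssl2' would send."""
    challenge = challenge or os.urandom(16)
    header = struct.pack(">BHHHH", SSL2_MT_CLIENT_HELLO, SSL2_VERSION,
                         len(SSL2_CIPHER_SPECS), 0, len(challenge))
    return ssl2_record(header + SSL2_CIPHER_SPECS + challenge)


def split_record(data: bytes):
    """Return the body of the first complete SSL 2.0 record in data, or None."""
    if len(data) < 2:
        return None
    if data[0] & 0x80:                                   # 2-byte header
        length, hdr = ((data[0] & 0x7F) << 8) | data[1], 2
    else:                                                # 3-byte header (padding byte follows)
        if len(data) < 3:
            return None
        length, hdr = ((data[0] & 0x3F) << 8) | data[1], 3
    if len(data) < hdr + length:
        return None
    return data[hdr:hdr + length]


def parse_server_hello(data: bytes):
    """Decode an SSL 2.0 SERVER-HELLO record into its fields; None if data is not one."""
    body = split_record(data)
    if body is None or len(body) < 11 or body[0] != SSL2_MT_SERVER_HELLO:
        return None
    hit, cert_type, version, cert_len, spec_len, conn_len = struct.unpack(">BBHHHH", body[1:11])
    if len(body) < 11 + cert_len + spec_len + conn_len:
        return None
    specs = body[11 + cert_len:11 + cert_len + spec_len]
    return {
        "version": version,
        "session_id_hit": bool(hit),
        "certificate_type": cert_type,
        "certificate_length": cert_len,
        "cipher_specs": [specs[i:i + 3].hex() for i in range(0, len(specs), 3)],
    }


def classify_response(data: bytes) -> str:
    """'sslv2-accepted' only when the server answered with a SERVER-HELLO."""
    # Anything else (empty reply, TCP reset, a TLS alert, an SSL 2.0 ERROR message)
    # is what openssl s_client reports as "ssl handshake failure".
    return "sslv2-accepted" if parse_server_hello(data) is not None else "sslv2-rejected"


def probe_sslv2(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Network version of the check: connect, send CLIENT-HELLO, classify the reply."""
    reply = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            while len(reply) < 8192 and split_record(reply) is None:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                reply += chunk
        except OSError:          # timeout or reset: counts as a rejection
            pass
    return classify_response(reply)


# Constructed sample replies for offline use (not captured from a real server):
# a SERVER-HELLO with a 5-byte dummy "certificate", two cipher specs and a 16-byte
# connection id, and a TLS 1.0 handshake_failure alert as a modern stack would send.
SAMPLE_SERVER_HELLO = ssl2_record(
    bytes([SSL2_MT_SERVER_HELLO, 0x00, 0x01]) + struct.pack(">HHHH", SSL2_VERSION, 5, 6, 16)
    + b"\x30\x03\x02\x01\x00" + bytes.fromhex("010080" "0700c0") + b"\x11" * 16
)
SAMPLE_TLS_ALERT = bytes.fromhex("15030100020228")

if __name__ == "__main__":
    import sys
    target_host = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(target_host, target_port, probe_sslv2(target_host, target_port))
```

Run it as `python3 sslv2_probe.py server.example 443` against your own hosts; it reports sslv2-accepted or sslv2-rejected, the same distinction the s_client output above gives, and the offline samples let you check the parser without a server that still speaks SSL 2.0.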
d_allen111
Advisor

Re: How do you disable SSL 2.0 and start using SSL 3.0 or TLS 1.0 in Linux RHAS??

Hi Matti!

Thank you for the great explanation!!! It all started when my security officer ran some sort of scan and found a number of servers, Linux and Windows alike, that were still using SSL 2.0, which is a security vulnerability according to him. So, long story short, we have to find a way to upgrade from SSL 2.0 to SSL 3.0. Since I am new to Linux, I am trying to figure out which applications are using SSL so that I can dig more into it. Most of these servers are our Oracle DBs (10g) and a couple are the internal application servers.

What do you suggest I would need to do from my end??

I am at a loss.

Thank you,
David


Matti_Kurkela
Honored Contributor

Re: How do you disable SSL 2.0 and start using SSL 3.0 or TLS 1.0 in Linux RHAS??

The first step would be identifying exactly the applications that are still accepting/using SSL 2.0. The actual output of the security scanner probably identifies the hostnames & port numbers where SSL 2.0 was detected.

The alternative would be to run "nslookup -anA inet" on all hosts, look for ports in LISTEN state, and use the previously-mentioned "openssl s_client" command to test for SSL 2.0 support.

Once you know the port number, "lsof -i tcp:" will tell you the Process ID of the process running the vulnerable application. Then, "ps -fp " and/or "ls -l /proc/" should reveal the name of the application process and the directory where it lives.

After that, it's a matter of reading the documentation of the application to find out how to tell it to reject SSL 2.0 connections.

MK
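The reply above is a procedure (list the ports in LISTEN state, "lsof -i tcp:PORT" for the process ID, then "ps -fp PID" and "ls -l /proc/PID" for the program), so here is an added example, not code from the thread, that performs the same steps directly from /proc on a Linux host: it parses /proc/net/tcp for LISTEN sockets, resolves each socket inode to its owning pid through /proc/<pid>/fd, and reads cmdline and exe for that pid. Assumptions: IPv4 only (IPv6 listeners are in /proc/net/tcp6 with the same layout but 32-hex-digit addresses), and it must run as root to see the file descriptors of processes owned by other users. The sample /proc/net/tcp text at the bottom is constructed for the offline check, not taken from a real server.

```python
import os
import re

TCP_LISTEN = "0A"   # socket state code for LISTEN in /proc/net/tcp


def parse_proc_net_tcp(text: str):
    """Return [(local_ip, port, inode)] for every LISTEN socket in /proc/net/tcp text."""
    listeners = []
    for line in text.splitlines()[1:]:               # line 0 is the column header
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        addr_hex, port_hex = fields[1].split(":")
        # IPv4 addresses are 8 hex digits in host (little-endian) byte order
        octets = [int(addr_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
        listeners.append((".".join(map(str, octets)), int(port_hex, 16), int(fields[9])))
    return listeners


def socket_inode_owners(proc_root: str = "/proc"):
    """Map socket inode -> pid by reading /proc/<pid>/fd/* links (what lsof -i does)."""
    owners = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:        # process gone, or another user's process and we are not root
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners[int(m.group(1))] = int(pid)
    return owners


def process_info(pid: int, proc_root: str = "/proc"):
    """Command line and executable of a pid (what ps -fp PID / ls -l /proc/PID/exe show)."""
    base = os.path.join(proc_root, str(pid))
    try:
        with open(os.path.join(base, "cmdline"), "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        cmdline = "?"
    try:
        exe = os.readlink(os.path.join(base, "exe"))
    except OSError:
        exe = "?"
    return cmdline, exe


def listening_services(proc_root: str = "/proc"):
    """Join LISTEN sockets with their owning processes; run as root to see all of them."""
    with open(os.path.join(proc_root, "net", "tcp")) as f:
        listeners = parse_proc_net_tcp(f.read())
    owners = socket_inode_owners(proc_root)
    services = []
    for ip, port, inode in listeners:
        pid = owners.get(inode)
        cmdline, exe = process_info(pid, proc_root) if pid else ("?", "?")
        services.append({"ip": ip, "port": port, "pid": pid, "cmdline": cmdline, "exe": exe})
    return services


# Constructed sample of /proc/net/tcp (not from a real host): an HTTPS listener on all
# interfaces, an Oracle-style listener on localhost, and one established connection
# that must be skipped.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18321 1 0000000000000000 100 0 0 10 0
   1: 0100007F:05F1 00000000:0000 0A 00000000:00000000 00:00000000 00000000   500        0 18402 1 0000000000000000 100 0 0 10 0
   2: 0A00010A:01BB 5E0CA8C0:C3F2 01 00000000:00000000 00:00000000 00000000     0        0 18777 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    for svc in listening_services():
        print(f"{svc['ip']}:{svc['port']}  pid={svc['pid']}  exe={svc['exe']}  {svc['cmdline']}")
```

Each port it lists is a candidate for the "openssl s_client -ssl2 -connect host:port" check from earlier in the thread, and the exe and cmdline columns tell you which application's documentation to read for the setting that turns SSL 2.0 off.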