How to upgrade to SSLv3 on hpux
HP-UX_Ali
Regular Advisor

Dear All,
Kindly advise on the SSLv3 upgrade.
What are the lines to be updated in ssl.conf?

Please advise.
Matti_Kurkela
Honored Contributor
Solution

Re: How to upgrade to SSLv3 on hpux

ssl.conf? Does not sound like an OpenSSL configuration file... I *guess* you mean the one in the HP Apache web server. I have no idea which version you're using; I *assume* you're using some reasonably modern version.

(When asking questions on any technical IT forums, please identify any relevant hardware models/software versions clearly, so that no time is wasted in guessing.)

There are three protocols in the SSL family: SSLv2 is the original (SSLv1 was never deployed outside the development labs), SSLv3 is its successor (published in 1996), and the newest is TLSv1 (specification originally published in January 1999, and since updated).

SSLv2 has known weaknesses, and should not be used. SSLv3 and TLSv1 are OK.

To make your web server accept only SSLv3 or TLSv1 connections, make sure that the SSLProtocol directive is set in ssl.conf like this:

SSLProtocol all -SSLv2

That is all. It means "allow all SSL protocols except SSLv2".

For more information, see Apache documentation in the web:
http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#SSLProtocol

MK
HP-UX_Ali
Regular Advisor

Re: How to upgrade to SSLv3 on hpux

Hi Matti,

Thanks for the reply. The current version for web Apache is
file: ssl.conf
SSLCipherSuite !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+SSLv2:+EXP:+eNULL

There is a request to upgrade to SSLv3.
What steps should be carried out to enable SSLv3?

Will the below work?

SSLProtocol all +SSLv3
SSLCipherSuite SSLv3:+HIGH:+MEDIUM
---------------------------------------------
and disabling the below line
"SSLCipherSuite !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+SSLv2:+EXP:+eNULL".

After the restart of the Apache services, is there any command to check that SSLv3 is working successfully?

Thanks.... Kindly confirm.
Matti_Kurkela
Honored Contributor

Re: How to upgrade to SSLv3 on hpux

> Will the below work?

> SSLProtocol all +SSLv3

No, "all" means "+SSLv2 +SSLv3 +TLSv1". Your SSLProtocol line will activate all SSL versions. This is not secure. You should disable SSLv2.

Use either:

SSLProtocol -SSLv2 +SSLv3 +TLSv1

or

SSLProtocol all -SSLv2

Both give the same result: SSLv3 and TLSv1 enabled, but SSLv2 disabled.

> SSLCipherSuite SSLv3:+HIGH:+MEDIUM

This is not secure either. It means: "allow (everything accepted by SSLv3) + (everything that uses DES-CBC3) + (everything that uses 128-bit encryption)". Some of the ciphers allowed for SSLv3 are not good for production.

"SSLv3" includes ciphers NULL-MD5 and NULL-SHA, which mean "no encryption, only error-checking using MD5 or SHA1". This would be useful for debugging only, and it should never be used in production.
SSLv3 will also allow weak 40- and 56-bit export ciphers, and Anonymous Diffie-Hellman, which does not verify anyone's identity.

As suggested in
http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#SSLCipherSuite
you can use the "openssl ciphers -v" command to verify the list of cipher suites accepted when using a particular SSLCipherSuite value.

For example, your SSLCipherSuite setting produces a listing like this:

$ openssl ciphers -v 'SSLv3:+HIGH:+MEDIUM'
ADH-DES-CBC-SHA SSLv3 Kx=DH Au=None Enc=DES(56) Mac=SHA1
EXP-ADH-DES-CBC-SHA SSLv3 Kx=DH(512) Au=None Enc=DES(40) Mac=SHA1 export
EXP-ADH-RC4-MD5 SSLv3 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1
NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5
ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
ADH-DES-CBC3-SHA SSLv3 Kx=DH Au=None Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
ADH-RC4-MD5 SSLv3 Kx=DH Au=None Enc=RC4(128) Mac=MD5
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5

"Au=None" means "no authentication", i.e. an attacker could easily set up a fake site to lure your clients, and the clients would have no way of detecting it as a fake.

There are also some ciphers with "Enc=None", which means "no encryption at all", and some ciphers with RC2(40), RC4(40), DES(40) and DES(56) encryptions - these are too easy to break today.

I would recommend something like:

SSLCipherSuite !NULL:!ADH:!EXP:!LOW:SSLv3:+HIGH:+MEDIUM

or if you want a very secure site, and your clients have relatively modern browsers, perhaps even this:

SSLCipherSuite !NULL:!ADH:!EXP:!LOW:!MEDIUM:SSLv3:+HIGH

> any command to check successfull for SSLv3.

To verify, configure a web browser to use SSLv2 only and then try to access your site. You should receive an error message about incompatible encryption types. Then configure the browser to allow SSLv3 and try again: now the connection should succeed. Once a connection is successful, use the "security info" feature of your browser to find the chosen cipher and key length.

MK
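The two points Matti makes above, that "all" in SSLProtocol expands to every protocol before any "-" token is applied, and that an "openssl ciphers -v" listing can be read mechanically for Au=None, Enc=None, export and short-key suites, as an added example that is not part of the thread or of HP's Apache tooling. The function names, the SAMPLE_LISTING (a constructed excerpt in the "openssl ciphers -v" format) and the 128-bit minimum are assumptions made for the example.

```python
import re

# Protocols that mod_ssl 2.0 knows; "all" expands to every one of them (assumption
# taken from the thread: "all" means "+SSLv2 +SSLv3 +TLSv1").
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1")

def enabled_protocols(directive):
    """Evaluate an SSLProtocol value the way mod_ssl does: tokens are applied
    left to right, a bare name counts as "+name", and "all" adds every protocol."""
    enabled = set()
    for token in directive.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        names = ALL_PROTOCOLS if name.lower() == "all" else (name,)
        (enabled.update if sign == "+" else enabled.difference_update)(names)
    return enabled

# Constructed sample: a few lines in the format printed by "openssl ciphers -v".
SAMPLE_LISTING = """\
ADH-DES-CBC-SHA SSLv3 Kx=DH Au=None Enc=DES(56) Mac=SHA1
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
"""

def audit_ciphers(listing, min_bits=128):
    """Return {suite: [reasons]} for each suite that is unfit for production."""
    findings = {}
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 6:          # skip blank or malformed lines
            continue
        name = fields[0]
        attrs = dict(f.split("=", 1) for f in fields[2:6])   # Kx, Au, Enc, Mac
        reasons = []
        if attrs["Au"] == "None":
            reasons.append("no authentication (anonymous DH)")
        if attrs["Enc"] == "None":
            reasons.append("no encryption (NULL cipher)")
        else:
            bits = int(re.search(r"\((\d+)\)", attrs["Enc"]).group(1))
            if bits < min_bits:
                reasons.append("%d-bit key is too short" % bits)
        if "export" in fields[6:]:
            reasons.append("export-grade suite")
        if reasons:
            findings[name] = reasons
    return findings
```

Feed the real output of "openssl ciphers -v '<your SSLCipherSuite value>'" to audit_ciphers() and an empty result means none of the suites Matti warns about are enabled.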
HP-UX_Ali
Regular Advisor

Re: How to upgrade to SSLv3 on hpux

I have found the solution & hence closing the thread.

Dear Matti

Thanks for your detailed explanation; I appreciate your patience and such a clear explanation.