
How do I disable SSLv2?

 
dictum9
Super Advisor



The OS is 11.23.

Is ssl.conf the only file I have to edit?


Paul Sperry
Honored Contributor
Solution

Re: How do I disable SSLv2?

You should have an entry in /etc/services too.

You will also need to restart networking.
dictum9
Super Advisor

Re: How do I disable SSLv2?

/etc/services - why? What do I put in there?

There is no mention of SSL.
Heironimus
Honored Contributor

Re: How do I disable SSLv2?

SSLv2 will need to be turned off for each application that uses SSL. Perhaps if you included what application(s) you're talking about, people who have worked with them could offer some help.
dictum9
Super Advisor

Re: How do I disable SSLv2?

This is all I have.

I think it pertains to the Apache web server that's on the system.

---------------------

The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server.

There are known flaws in the SSLv2 protocol. A man-in-the-middle attacker can force the communication to a less secure level and then attempt to break the weak encryption. The attacker can also truncate encrypted messages.

These flaws have been fixed in SSLv3 (or TLSv1). Most servers (including all popular web-servers, mail-servers, etc.) and clients (including Web-clients like IE, Netscape Navigator and Mozilla and mail clients) support both SSLv2 and SSLv3. However, SSLv2 is enabled by default for backward compatibility.

Disable SSLv2.

Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM


For Apache/apache_ssl, httpd.conf or ssl.conf should have the following line:
SSLNoV2
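
An added example, not part of the thread or of any scanner's output: a small Python check that reads Apache/mod_ssl configuration text and reports every `SSLProtocol` line that still leaves SSLv2 enabled. It assumes `all` expands to SSLv2, SSLv3 and TLSv1, that each directive is evaluated left to right from an empty set, and that each line is judged on its own (virtual-host scoping and overrides are not modelled); the function names and the sample configuration are constructed for illustration.

```python
import re

# Assumption: "all" = SSLv2+SSLv3+TLSv1 (mod_ssl of the quoted report's era).
ALL = ("SSLv2", "SSLv3", "TLSv1")
CANON = {p.lower(): p for p in ALL}
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)

def effective_protocols(args):
    """Evaluate one SSLProtocol argument list, left to right."""
    # Assumed semantics: start empty; +name adds, -name removes, and a bare
    # name replaces whatever was selected so far.
    enabled = set()
    for token in args.split():
        action = token[0] if token[0] in "+-" else ""
        name = token[len(action):].lower()
        if name != "all" and name not in CANON:
            raise ValueError(f"unknown protocol token: {token!r}")
        group = set(ALL) if name == "all" else {CANON[name]}
        if action == "-":
            enabled -= group
        elif action == "+":
            enabled |= group
        else:
            enabled = group
    return enabled

def audit(config_text):
    """List (line_number, protocols) for every directive that leaves SSLv2 on.
    Line 0 means no SSLProtocol directive exists, so the default applies."""
    findings, seen = [], False
    for number, line in enumerate(config_text.splitlines(), 1):
        match = DIRECTIVE.match(line)  # '#'-commented lines do not match
        if match:
            seen = True
            enabled = effective_protocols(match.group(1))
            if "SSLv2" in enabled:
                findings.append((number, sorted(enabled)))
    return findings if seen else [(0, sorted(ALL))]

# Constructed sample configuration, not taken from any real server.
SAMPLE = """\
# SSLProtocol all
SSLProtocol -ALL +SSLv3 +TLSv1
SSLProtocol all -SSLv3
"""

if __name__ == "__main__":
    for number, protocols in audit(SAMPLE):
        print(f"line {number}: SSLv2 still enabled ({', '.join(protocols)})")
```
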

Heironimus
Honored Contributor

Re: How do I disable SSLv2?

Sounds like the generic report from a security scanning tool. Their description of how to disable it in Apache is correct, but the details are entirely dependent on your specific configuration.

If you're actually using Apache you should have somebody who is responsible for it and understands the configuration. Not having somebody like that is a vastly greater risk than allowing SSLv2.

And, of course, if you're not using Apache you should just turn it off.
dictum9
Super Advisor

Re: How do I disable SSLv2?

The Apache web server does not even seem to be running; I will see if I can totally delete it.

If necessary, install and compile one that supports SSLv3.