How to upgrade to SSLv3 on hpux
04-25-2010 09:29 PM
Kindly advise on the SSLv3 upgrade.
What are the lines to be updated in ssl.conf?
Please advise.
04-25-2010 10:39 PM
(When asking questions on any technical IT forum, please identify any relevant hardware models/software versions clearly, so that no time is wasted in guessing.)
There are three protocols in the SSL family: SSLv2 is the original (SSLv1 was never deployed outside the development labs), SSLv3 is its successor (published in 1996), and the newest is TLSv1 (specification originally published in January 1999, and since updated).
SSLv2 has known weaknesses, and should not be used. SSLv3 and TLSv1 are OK.
To make your web server accept only SSLv3 or TLSv1 connections, make sure that the SSLProtocol directive is set in ssl.conf like this:
SSLProtocol all -SSLv2
That is all. It means "allow all SSL protocols except SSLv2".
For more information, see the Apache documentation on the web:
http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#SSLProtocol
MK
04-26-2010 02:06 AM
Re: How to upgrade to SSLv3 on hpux
Thanks for the reply, the current version for web apache is
file : ssl.conf
SSLCipherSuite !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+SSLv2:+EXP:+eNULL
There is a request to upgrade to SSLv3.
What steps need to be carried out to enable SSLv3?
Will the below work?
SSLProtocol all +SSLv3
SSLCipherSuite SSLv3:+HIGH:+MEDIUM
---------------------------------------------
and disabling the below line
"SSLCipherSuite !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+SSLv2:+EXP:+eNULL".
After the restart of the Apache services, is there any command to check that SSLv3 was enabled successfully?
Thanks... Kindly confirm.
04-26-2010 04:39 AM
Re: How to upgrade to SSLv3 on hpux
>SSLProtocol all +SSLv3
No, "all" means "+SSLv2 +SSLv3 +TLSv1". Your SSLProtocol line will activate all SSL versions. This is not secure. You should disable SSLv2.
Use either:
SSLProtocol -SSLv2 +SSLv3 +TLSv1
or
SSLProtocol all -SSLv2
Both give the same result: SSLv3 and TLSv1 enabled, but SSLv2 disabled.
>SSLCipherSuite SSLv3:+HIGH:+MEDIUM
This is not secure either. It means: "allow (everything accepted by SSLv3) + (everything that uses DES-CBC3) + (everything that uses 128-bit encryption)". Some of the ciphers allowed for SSLv3 are not good for production.
"SSLv3" includes ciphers NULL-MD5 and NULL-SHA, which mean "no encryption, only error-checking using MD5 or SHA1". This would be useful for debugging only, and it should never be used in production.
SSLv3 will also allow weak 40- and 56-bit export ciphers, and Anonymous Diffie-Hellman, which does not verify anyone's identity.
As suggested in
http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#SSLCipherSuite
you can use the "openssl ciphers -v
For example, your SSLCipherSuite setting produces a listing like this:
$ openssl ciphers -v 'SSLv3:+HIGH:+MEDIUM'
ADH-DES-CBC-SHA SSLv3 Kx=DH Au=None Enc=DES(56) Mac=SHA1
EXP-ADH-DES-CBC-SHA SSLv3 Kx=DH(512) Au=None Enc=DES(40) Mac=SHA1 export
EXP-ADH-RC4-MD5 SSLv3 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1
NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5
ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
ADH-DES-CBC3-SHA SSLv3 Kx=DH Au=None Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
ADH-RC4-MD5 SSLv3 Kx=DH Au=None Enc=RC4(128) Mac=MD5
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
"Au=None" means "no authentication", i.e. an attacker could easily set up a fake site to lure your clients, and the clients would have no way of detecting it as a fake.
There are also some ciphers with "Enc=None", which means "no encryption at all", and some ciphers with RC2(40), RC4(40), DES(40) and DES(56) encryptions - these are too easy to break today.
I would recommend something like:
SSLCipherSuite !NULL:!ADH:!EXP:!LOW:SSLv3:+HIGH:+MEDIUM
or if you want a very secure site, and your clients have relatively modern browsers, perhaps even this:
SSLCipherSuite !NULL:!ADH:!EXP:!LOW:!MEDIUM:SSLv3:+HIGH
> any command to check successfull for SSLv3.
To verify, configure a web browser to use SSLv2 only and then try to access your site. You should receive an error message about incompatible encryption types. Then configure the browser to allow SSLv3 and try again: now the connection should succeed. Once a connection is successful, use the "security info" feature of your browser to find the chosen cipher and key length.
MK
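Added example (not part of the original thread or of MK's post): a small shell filter that reads `openssl ciphers -v` output and flags the weaknesses named in the answer above (Au=None, Enc=None, export ciphers, 40- and 56-bit keys). The function name `audit_ciphers`, the `SAMPLE` variable and the reason labels are made up for this illustration; the sample lines are copied from the listing in the post.

```shell
#!/bin/sh
# Added illustration: audit_ciphers is a hypothetical helper, not an OpenSSL tool.
# Reads `openssl ciphers -v` lines on stdin and prints "<cipher>: <reasons>"
# for every cipher that matches one of the weaknesses described in the post.
audit_ciphers() {
    awk '
    {
        reasons = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "Au=None")  reasons = reasons " no-authentication"
            if ($i == "Enc=None") reasons = reasons " no-encryption"
            if ($i == "export")   reasons = reasons " export-grade"
            # Fields such as Enc=DES(56) or Enc=RC4(40): take the key length
            # from inside the parentheses and flag 56 bits or fewer.
            if ($i ~ /^Enc=.*\([0-9]+\)$/) {
                bits = $i
                sub(/^.*\(/, "", bits)
                sub(/\)$/, "", bits)
                if (bits + 0 <= 56) reasons = reasons " weak-key(" bits ")"
            }
        }
        if (reasons != "") print $1 ":" reasons
    }'
}

# Sample input: a subset of the listing shown in the post above.
SAMPLE='ADH-DES-CBC-SHA SSLv3 Kx=DH Au=None Enc=DES(56) Mac=SHA1
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1
ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5'

# Run the audit on the sample; four of the seven ciphers are flagged.
printf '%s\n' "$SAMPLE" | audit_ciphers
```

On a server, pipe the real listing into the filter instead of the sample, e.g. `openssl ciphers -v 'your SSLCipherSuite string' | audit_ciphers`; no output means none of these four checks matched.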
05-08-2010 11:19 PM
Re: How to upgrade to SSLv3 on hpux
Dear Matti
Thanks for your detailed explanation. I appreciate your patience and also such a clear explanation.