- Re: How do you disable SSL 2.0 and start using SSL...
06-18-2010 11:22 AM
I can do a list of rpm files that are related to the apache running on my Linux server, but not sure which version we are running.
How do you:
1. What's the command to show which version of SSL we're currently running?
2. How do you go about disabling it or running an update to the next SSL version (SSL 3.0)?
3. Any other suggestions?
We're not in a position to disable SSL completely since other applications are currently using it.
Here are the rpm files on this Redhat Linux server:
openssl-devel-0.9.7a-43.17.el4_6.1
xmlsec1-openssl-1.2.6-3
docbook-style-dsssl-1.78-4
mod_ssl-2.0.52-41.ent.2
openssl-0.9.7a-43.17.el4_6.1
openssl-devel-0.9.7a-43.17.el4_6.1
xmlsec1-openssl-1.2.6-3
openssl096b-0.9.6b-22.46
openssl-0.9.7a-43.17.el4_6.1
Please help.
Thank you in advance.
David
06-18-2010 11:51 AM
Re: How do you disable SSL 2.0 and start using SSL 3.0 or TLS 1.0 in Linux RHAS??
Can you be more specific?
In any case check Apache's SSL FAQ:
http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html
06-18-2010 02:00 PM
Re: How do you disable SSL 2.0 and start using SSL 3.0 or TLS 1.0 in Linux RHAS??
Thanks,
David
06-19-2010 03:14 AM
Solution
The SSL/TLS protocol level is negotiated separately for each network connection that uses SSL/TLS.
This negotiation is controlled by the application that receives the connection. The OpenSSL libraries have very extensive controls for determining which SSL/TLS versions and/or encryption schemes should be accepted... but the library does not provide any configuration setting or file that could "disable SSL 2.0 everywhere": each application must pass the connection preferences to the OpenSSL library functions when the application starts using the library.
For example, in Apache (mod_ssl) the SSL 2.0 could be disabled by a configuration entry like this:
# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
SSLProtocol all -SSLv2
You can use the "openssl s_client" command to verify whether any SSL/TLS network service accepts SSL 2.0 connections or not.
This command tells the OpenSSL tool to connect to server "server.example" port 443 using SSL 2.0:
openssl s_client -ssl2 -connect server.example:443
If you get a response like this, the server has rejected your SSL 2.0 request:
CONNECTED(00000003)
30149:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
If the server accepts SSL 2.0, you will get a much longer response, containing information about the chosen encryption methods and the server certificate. You may have to press Ctrl-C to interrupt the command in this case.
Note: even if the name of the software package mentions "openssl", it may not always use the SSL/TLS part of OpenSSL. The OpenSSL library has become a sort of standard repository of encryption algorithms: some applications may use just the encryption algorithm parts of OpenSSL, so the SSL/TLS version is not applicable for them. (I guess your xmlsec1 package might belong in this category.)
MK
06-19-2010 03:16 AM
Re: How do you disable SSL 2.0 and start using SSL 3.0 or TLS 1.0 in Linux RHAS??
openssl s_client -ssl2 -connect server.example:443
No points for this reply, please!
MK
06-20-2010 07:42 AM
Re: How do you disable SSL 2.0 and start using SSL 3.0 or TLS 1.0 in Linux RHAS??
Thank you for the great explanation!!! It all started when my security officer ran some sort of scan and they found a number of servers, Linux & Windows alike, that were still using SSL 2.0, which is a security vulnerability according to him. So, long story short, we have to find a way to upgrade from SSL 2.0 to SSL 3.0. Since I am new to Linux, I am trying to figure out which applications are using SSL so that I can dig more into it. Most of these servers are our Oracle DBs (10g) and a couple are internal application servers.
What do you suggest I would need to do from my end??
I am at a loss.
Thank you,
David
06-20-2010 08:43 AM
Re: How do you disable SSL 2.0 and start using SSL 3.0 or TLS 1.0 in Linux RHAS??
The alternative would be to run "netstat -anA inet" on all hosts, look for ports in LISTEN state, and use the previously-mentioned "openssl s_client" command to test for SSL 2.0 support.
Once you know the port number, "lsof -i tcp:
After that, it's a matter of reading the documentation of the application to find out how to tell it to reject SSL 2.0 connections.
MK
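
The procedure from the replies above (list the listening TCP ports, then test each with "openssl s_client -ssl2" and read the result), as an added shell example that is not part of any poster's reply. The function names, the verdict strings and the netstat sample are constructed for illustration; the output patterns are heuristics, and the probe assumes the local openssl build still has the -ssl2 switch.

```shell
#!/bin/sh
# Added example (not from the thread): list listening sockets, probe each for SSL 2.0.

# Constructed sample of "netstat -anA inet" output.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address    Foreign Address   State
tcp        0      0 0.0.0.0:443      0.0.0.0:*         LISTEN
tcp        0      0 127.0.0.1:1521   0.0.0.0:*         LISTEN
tcp        0      0 10.0.0.5:22      10.0.0.9:51234    ESTABLISHED
udp        0      0 0.0.0.0:123      0.0.0.0:*'

# The rejection output quoted in the thread.
SAMPLE_REJECT='CONNECTED(00000003)
30149:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:'

# stdin: netstat output; stdout: one host:port per listening TCP socket.
listening_endpoints() {
    awk '$1 == "tcp" && $6 == "LISTEN" {
             split($4, a, ":")
             # a wildcard bind is reachable through loopback
             host = (a[1] == "0.0.0.0") ? "127.0.0.1" : a[1]
             print host ":" a[2]
         }' | sort -u
}

# stdin: text printed by "openssl s_client -ssl2 ..."; stdout: a verdict word.
classify_ssl2_probe() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qi 'unknown option'; then
        echo "client-lacks-ssl2"     # local openssl cannot speak SSL 2.0 at all
    elif printf '%s\n' "$out" | grep -q 'handshake failure'; then
        echo "rejected"              # server refused the SSL 2.0 handshake
    elif printf '%s\n' "$out" | grep -Eq 'Protocol *: *SSLv2'; then
        echo "accepted"              # a session was negotiated at SSLv2
    else
        echo "inconclusive"          # e.g. the port does not speak SSL/TLS
    fi
}

# Probe every listening socket on this host and print "host:port verdict".
audit_host() {
    netstat -anA inet | listening_endpoints | while read -r ep; do
        verdict=$(openssl s_client -ssl2 -connect "$ep" </dev/null 2>&1 | classify_ssl2_probe)
        echo "$ep $verdict"
    done
}
```

A port that speaks a non-SSL protocol can leave s_client waiting for a reply, so interrupt it with Ctrl-C as noted above; an "accepted" port is the one to trace back to its owning application.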